@mondaydotcomorg/monday-authorization 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-2d70b30 → 3.3.1-fix-use-standard-env-var-for-metric-server-host-7ed2241

package/dist/esm/authorization-service.mjs

@@ -2,11 +2,12 @@ import { performance } from 'perf_hooks';
 import { Api } from '@mondaydotcomorg/trident-backend-api';
 import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
 import { getIgniteClient } from '@mondaydotcomorg/ignite-sdk';
-import { sendAuthorizationCheckResponseTimeMetric, incrementAuthorizationSuccess } from './prometheus-service.mjs';
+import { sendAuthorizationCheckResponseTimeMetric } from './prometheus-service.mjs';
+import { recordAuthorizationTiming } from './metrics-service.mjs';
 import { AuthorizationInternalService, logger } from './authorization-internal-service.mjs';
 import { getProfile, PlatformProfile, getAttributionsFromApi } from './attributions-service.mjs';
-import { GraphApiClient } from './clients/graph-api.client.mjs';
-import { PlatformApiClient } from './clients/platform-api.client.mjs';
+import { GraphApi } from './clients/graph-api.mjs';
+import { PlatformApi } from './clients/platform-api.mjs';
 import { scopeToResource } from './utils/authorization.utils.mjs';
 
 const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
@@ -19,6 +20,24 @@ function setRequestFetchOptions(customMondayFetchOptions) {
     AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
 }
 class AuthorizationService {
+    static get graphApi() {
+        if (!this._graphApi) {
+            this._graphApi = new GraphApi();
+        }
+        return this._graphApi;
+    }
+    static _graphApi;
+    static get platformApi() {
+        if (!this._platformApi) {
+            this._platformApi = new PlatformApi();
+        }
+        return this._platformApi;
+    }
+    static _platformApi;
+    static resetApiClients() {
+        this._graphApi = undefined;
+        this._platformApi = undefined;
+    }
     static redisClient;
     static grantedFeatureRedisExpirationInSeconds;
     static igniteClient;
@@ -84,38 +103,25 @@ class AuthorizationService {
             this.igniteClient.isReleased(PLATFORM_PROFILE_RELEASE_FF, { accountId, userId })) {
             return getProfile();
         }
-        return PlatformProfile.INTERNAL;
+        return PlatformProfile.APP;
     }
     static async canActionInScopeMultiple(accountId, userId, scopedActions) {
         if (scopedActions.length === 0) {
             return [];
         }
         const shouldNavigateToGraph = Boolean(this.igniteClient?.isReleased(NAVIGATE_CAN_ACTION_IN_SCOPE_TO_GRAPH_FF, { accountId, userId }));
-        const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
         const startTime = performance.now();
         let scopedActionResponseObjects;
         let apiType;
         if (shouldNavigateToGraph) {
-            try {
-                scopedActionResponseObjects = await GraphApiClient.checkPermissions(internalAuthToken, scopedActions);
-                apiType = 'graph';
-            }
-            catch (error) {
-                const status = error instanceof HttpFetcherError ? error.status : undefined;
-                logger.warn({
-                    tag: 'authorization-service',
-                    error: error instanceof Error ? error.message : String(error),
-                    accountId,
-                    userId,
-                    status,
-                }, 'Graph API authorization failed');
-                throw error;
-            }
+            apiType = 'graph';
+            scopedActionResponseObjects = await this.graphApi.checkPermissions(accountId, userId, scopedActions);
         }
         else {
-            const profile = this.getProfile(accountId, userId);
-            scopedActionResponseObjects = await PlatformApiClient.checkPermissions(profile, internalAuthToken, userId, scopedActions);
             apiType = 'platform';
+            const profile = this.getProfile(accountId, userId);
+            const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+            scopedActionResponseObjects = await this.platformApi.checkPermissions(profile, internalAuthToken, userId, scopedActions);
         }
         const endTime = performance.now();
         const time = endTime - startTime;
@@ -124,10 +130,8 @@ class AuthorizationService {
             const { action, scope } = obj.scopedAction;
             const { resourceType } = scopeToResource(scope);
             const isAuthorized = obj.permit.can;
-            sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, 200, time, apiType);
-            if (obj.permit.can) {
-                incrementAuthorizationSuccess(resourceType, action, apiType);
-            }
+            sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, 200, time);
+            recordAuthorizationTiming(apiType, time);
         }
         return scopedActionResponseObjects;
     }
@@ -184,7 +188,7 @@ class AuthorizationService {
             if (!isAuthorized) {
                 unauthorizedObjects.push(authorizationObject);
             }
-            sendAuthorizationCheckResponseTimeMetric(authorizationObject.resource_type, authorizationObject.action, isAuthorized, 200, time, 'platform');
+            sendAuthorizationCheckResponseTimeMetric(authorizationObject.resource_type, authorizationObject.action, isAuthorized, 200, time);
         });
         if (unauthorizedObjects.length > 0) {
             logger.info({

package/dist/esm/clients/graph-api.d.ts

@@ -0,0 +1,28 @@
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { GraphIsAllowedResponse } from '../types/graph-api.types';
+/**
+ * Client for handling Graph API authorization operations
+ */
+export declare class GraphApi {
+    private readonly httpClient;
+    private readonly consumerAppName;
+    constructor();
+    /**
+     * Builds the request body for Graph API calls
+     */
+    private static buildRequestBody;
+    /**
+     * Fetches authorization data from the Graph API
+     */
+    fetchPermissions(authToken: string, scopedActions: ScopedAction[]): Promise<GraphIsAllowedResponse>;
+    /**
+     * Maps Graph API response to the expected format
+     */
+    private static mapResponse;
+    /**
+     * Performs a complete authorization check using the Graph API
+     */
+    checkPermissions(accountId: number, userId: number, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+    private static ensureGraphReason;
+}
+//# sourceMappingURL=graph-api.d.ts.map

package/dist/esm/clients/graph-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph-api.d.ts","sourceRoot":"","sources":["../../../src/clients/graph-api.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EACZ,0BAA0B,EAG3B,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAEL,sBAAsB,EAMvB,MAAM,0BAA0B,CAAC;AASlC;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IACxC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;;IAezC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;IAyB/B;;OAEG;IACG,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAgCzG;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAiC1B;;OAEG;IACG,gBAAgB,CACpB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;IAMxC,OAAO,CAAC,MAAM,CAAC,iBAAiB;CAWjC"}

package/dist/esm/clients/{graph-api.client.mjs → graph-api.mjs}

@@ -1,16 +1,32 @@
 import { Api } from '@mondaydotcomorg/trident-backend-api';
-import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
 import { PermitTechnicalReason } from '../types/scoped-actions-contracts.mjs';
 import { AuthorizationInternalService } from '../authorization-internal-service.mjs';
 import { getAttributionsFromApi } from '../attributions-service.mjs';
 import { scopeToResource } from '../utils/authorization.utils.mjs';
-import { incrementAuthorizationError } from '../prometheus-service.mjs';
+import { signAuthorizationHeader } from '@mondaydotcomorg/monday-jwt';
+import { GRAPH_APP_NAME } from '../constants.mjs';
+import { handleApiError } from '../utils/api-error-handler.mjs';
 
 const CAN_ACTION_IN_SCOPE_GRAPH_PATH = '/permissions/is-allowed';
+const APP_NAME_REQUIRED_ERROR = 'GraphApi: APP_NAME environment variable is required for Graph API authentication';
 /**
  * Client for handling Graph API authorization operations
  */
-class GraphApiClient {
+class GraphApi {
+    httpClient;
+    consumerAppName;
+    constructor() {
+        const httpClient = Api.getPart('httpClient');
+        if (!httpClient) {
+            throw new Error('GraphApi: http client is not initialized');
+        }
+        const consumerAppName = process.env.APP_NAME?.trim();
+        if (!consumerAppName) {
+            throw new Error(APP_NAME_REQUIRED_ERROR);
+        }
+        this.httpClient = httpClient;
+        this.consumerAppName = consumerAppName;
+    }
     /**
      * Builds the request body for Graph API calls
      */
@@ -39,19 +55,18 @@ class GraphApiClient {
     /**
      * Fetches authorization data from the Graph API
      */
-    static async fetchPermissions(internalAuthToken, scopedActions) {
-        const httpClient = Api.getPart('httpClient');
+    async fetchPermissions(authToken, scopedActions) {
         const attributionHeaders = getAttributionsFromApi();
-        const bodyPayload = this.buildRequestBody(scopedActions);
+        const bodyPayload = GraphApi.buildRequestBody(scopedActions);
         try {
-            const response = await httpClient.fetch({
+            const response = await this.httpClient.fetch({
                 url: {
-                    appName: 'authorization-graph',
+                    appName: GRAPH_APP_NAME,
                     path: CAN_ACTION_IN_SCOPE_GRAPH_PATH,
                 },
                 method: 'POST',
                 headers: {
-                    Authorization: internalAuthToken,
+                    Authorization: authToken,
                     'Content-Type': 'application/json',
                     ...attributionHeaders,
                 },
@@ -63,13 +78,8 @@ class GraphApiClient {
             return response;
         }
         catch (err) {
-            if (err instanceof HttpFetcherError) {
-                AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
-                if (scopedActions.length > 0) {
-                    incrementAuthorizationError(scopeToResource(scopedActions[0].scope).resourceType, scopedActions[0].action, err.status, 'graph');
-                }
-            }
-            throw err;
+            // handleApiError never returns (throws)
+            return handleApiError(err, 'graph', 'canActionInScopeMultiple');
         }
     }
     /**
@@ -81,41 +91,39 @@ class GraphApiClient {
             const { action, scope } = scopedAction;
             const { resourceType, resourceId } = scopeToResource(scope);
             const permissionResult = resources?.[resourceType]?.[String(resourceId)]?.[action];
-            const graphReason = permissionResult?.reason;
-            let reasonKey;
-            let additionalOptions = {};
-            let technicalReason = PermitTechnicalReason.NO_REASON;
-            if (typeof graphReason === 'string') {
-                reasonKey = graphReason;
-            }
-            else if (graphReason && typeof graphReason === 'object') {
-                reasonKey = graphReason.key ?? 'unknown';
-                additionalOptions = graphReason.additionalOptions ?? {};
-                if (graphReason.technicalReason !== undefined) {
-                    technicalReason = (graphReason.technicalReason ?? PermitTechnicalReason.NO_REASON);
-                }
-            }
-            else {
-                reasonKey = 'unknown';
-            }
             const permit = {
                 can: permissionResult?.can ?? false,
                 reason: {
-                    key: reasonKey,
-                    ...additionalOptions,
+                    key: 'unknown',
                 },
-                technicalReason,
+                technicalReason: PermitTechnicalReason.NO_REASON,
             };
+            if (permissionResult) {
+                const graphReason = GraphApi.ensureGraphReason(permissionResult.reason, { resourceType, resourceId, action });
+                permit.reason = {
+                    key: graphReason.key,
+                    ...(graphReason.additionalOptions ?? {}),
+                };
+                permit.technicalReason = (graphReason.technicalReason ??
+                    PermitTechnicalReason.NO_REASON);
+            }
             return { scopedAction, permit };
         });
     }
     /**
      * Performs a complete authorization check using the Graph API
      */
-    static async checkPermissions(internalAuthToken, scopedActions) {
-        const response = await this.fetchPermissions(internalAuthToken, scopedActions);
-        return this.mapResponse(scopedActions, response);
+    async checkPermissions(accountId, userId, scopedActions) {
+        const authToken = signAuthorizationHeader({ appName: this.consumerAppName, accountId, userId });
+        const response = await this.fetchPermissions(authToken, scopedActions);
+        return GraphApi.mapResponse(scopedActions, response);
+    }
+    static ensureGraphReason(reason, context) {
+        if (!reason || typeof reason !== 'object' || typeof reason.key !== 'string') {
+            throw new Error(`GraphApi: unexpected reason format for ${context.resourceType}/${context.resourceId}/${context.action}`);
+        }
+        return reason;
     }
 }
 
-export { GraphApiClient };
+export { GraphApi };

package/dist/esm/clients/platform-api.d.ts

@@ -0,0 +1,26 @@
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { PlatformProfile } from '../attributions-service';
+/**
+ * Client for handling Platform API authorization operations
+ */
+export declare class PlatformApi {
+    private readonly httpClient;
+    constructor();
+    /**
+     * Builds the request payload for Platform API calls
+     */
+    private static buildRequestPayload;
+    /**
+     * Fetches authorization data from the Platform API
+     */
+    private fetchPermissions;
+    /**
+     * Maps Platform API response to the expected format
+     */
+    private static mapResponse;
+    /**
+     * Performs a complete authorization check using the Platform API
+     */
+    checkPermissions(profile: PlatformProfile, internalAuthToken: string, userId: number, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+}
+//# sourceMappingURL=platform-api.d.ts.map

package/dist/esm/clients/platform-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"platform-api.d.ts","sourceRoot":"","sources":["../../../src/clients/platform-api.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAE7F,OAAO,EAA0B,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAelF;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;;IAUxC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,mBAAmB;IAOlC;;OAEG;YACW,gBAAgB;IAqC9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAkB1B;;OAEG;IACG,gBAAgB,CACpB,OAAO,EAAE,eAAe,EACxB,iBAAiB,EAAE,MAAM,EACzB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;CAKzC"}

package/dist/esm/clients/{platform-api.client.mjs → platform-api.mjs}

@@ -1,15 +1,22 @@
 import { Api } from '@mondaydotcomorg/trident-backend-api';
-import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
 import { AuthorizationInternalService, logger } from '../authorization-internal-service.mjs';
 import { getAttributionsFromApi } from '../attributions-service.mjs';
-import { toSnakeCase, scopeToResource, toCamelCase } from '../utils/authorization.utils.mjs';
-import { incrementAuthorizationError } from '../prometheus-service.mjs';
+import { toSnakeCase, toCamelCase } from '../utils/authorization.utils.mjs';
+import { handleApiError } from '../utils/api-error-handler.mjs';
 
 const PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH = '/internal_ms/authorization/can_actions_in_scopes';
 /**
  * Client for handling Platform API authorization operations
  */
-class PlatformApiClient {
+class PlatformApi {
+    httpClient;
+    constructor() {
+        const httpClient = Api.getPart('httpClient');
+        if (!httpClient) {
+            throw new Error('PlatformApi: http client is not initialized');
+        }
+        this.httpClient = httpClient;
+    }
     /**
      * Builds the request payload for Platform API calls
      */
@@ -22,11 +29,10 @@ class PlatformApiClient {
     /**
      * Fetches authorization data from the Platform API
      */
-    static async fetchPermissions(profile, internalAuthToken, userId, scopedActionsPayload) {
+    async fetchPermissions(profile, internalAuthToken, userId, scopedActionsPayload) {
         const attributionHeaders = getAttributionsFromApi();
-        const httpClient = Api.getPart('httpClient');
         try {
-            const response = await httpClient.fetch({
+            const response = await this.httpClient.fetch({
                 url: {
                     appName: 'platform',
                     path: PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH,
@@ -46,14 +52,8 @@ class PlatformApiClient {
             return response;
         }
         catch (err) {
-            if (err instanceof HttpFetcherError) {
-                AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
-                if (scopedActionsPayload.length > 0) {
-                    const { resourceType } = scopeToResource(toCamelCase(scopedActionsPayload[0].scope));
-                    incrementAuthorizationError(resourceType, scopedActionsPayload[0].action, err.status, 'platform');
-                }
-            }
-            throw err;
+            // handleApiError never returns (throws)
+            return handleApiError(err, 'platform', 'canActionInScopeMultiple');
         }
     }
     /**
@@ -61,8 +61,8 @@ class PlatformApiClient {
      */
     static mapResponse(response) {
         if (!response) {
-            logger.error({ tag: 'platform-api-client', response }, 'PlatformApiClient: missing response');
-            throw new Error('PlatformApiClient: missing response');
+            logger.error({ tag: 'platform-api', response }, 'PlatformApi: missing response');
+            throw new Error('PlatformApi: missing response');
         }
         return response.result.map(responseObject => {
             const { scopedAction, permit } = responseObject;
@@ -77,11 +77,11 @@ class PlatformApiClient {
     /**
      * Performs a complete authorization check using the Platform API
      */
-    static async checkPermissions(profile, internalAuthToken, userId, scopedActions) {
-        const scopedActionsPayload = this.buildRequestPayload(scopedActions);
+    async checkPermissions(profile, internalAuthToken, userId, scopedActions) {
+        const scopedActionsPayload = PlatformApi.buildRequestPayload(scopedActions);
         const platformResponse = await this.fetchPermissions(profile, internalAuthToken, userId, scopedActionsPayload);
-        return this.mapResponse(platformResponse);
+        return PlatformApi.mapResponse(platformResponse);
     }
 }
 
-export { PlatformApiClient };
+export { PlatformApi };

package/dist/esm/constants.d.ts

@@ -1,6 +1,7 @@
 import { RecursivePartial } from '@mondaydotcomorg/monday-fetch-api';
 import { FetcherConfig } from '@mondaydotcomorg/trident-backend-api';
 export declare const APP_NAME = "authorization";
+export declare const GRAPH_APP_NAME = "authorization-graph";
 export declare const ERROR_MESSAGES: {
     readonly HTTP_CLIENT_NOT_INITIALIZED: "MondayAuthorization: HTTP client is not initialized";
     readonly REQUEST_FAILED: (method: string, status: number, reason: string) => string;

package/dist/esm/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAC;AAErE,eAAO,MAAM,QAAQ,kBAAkB,CAAC;AAExC,eAAO,MAAM,cAAc;;sCAEA,MAAM,UAAU,MAAM,UAAU,MAAM;CAEvD,CAAC;AAEX,eAAO,MAAM,qBAAqB,EAAE,gBAAgB,CAAC,aAAa,CAUjE,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/constants.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,mCAAmC,CAAC;AACrE,OAAO,EAAE,aAAa,EAAE,MAAM,sCAAsC,CAAC;AAErE,eAAO,MAAM,QAAQ,kBAAkB,CAAC;AACxC,eAAO,MAAM,cAAc,wBAAwB,CAAC;AAEpD,eAAO,MAAM,cAAc;;sCAEA,MAAM,UAAU,MAAM,UAAU,MAAM;CAEvD,CAAC;AAEX,eAAO,MAAM,qBAAqB,EAAE,gBAAgB,CAAC,aAAa,CAUjE,CAAC"}

package/dist/esm/constants.mjs

@@ -1,4 +1,5 @@
 const APP_NAME = 'authorization';
+const GRAPH_APP_NAME = 'authorization-graph';
 const ERROR_MESSAGES = {
     HTTP_CLIENT_NOT_INITIALIZED: 'MondayAuthorization: HTTP client is not initialized',
     REQUEST_FAILED: (method, status, reason) => `MondayAuthorization: [${method}] request failed with status ${status} with reason: ${reason}`,
@@ -15,4 +16,4 @@ const DEFAULT_FETCH_OPTIONS = {
     },
 };
 
-export { APP_NAME, DEFAULT_FETCH_OPTIONS, ERROR_MESSAGES };
+export { APP_NAME, DEFAULT_FETCH_OPTIONS, ERROR_MESSAGES, GRAPH_APP_NAME };

package/dist/esm/index.d.ts

@@ -5,6 +5,12 @@ export interface InitOptions {
     mondayFetchOptions?: MondayFetchOptions;
     redisClient?: any;
     grantedFeatureRedisExpirationInSeconds?: number;
+    metrics?: {
+        serviceName?: string;
+        host?: string;
+        port?: number;
+        disabled?: boolean;
+    };
 }
 export declare function init(options?: InitOptions): Promise<void>;
 export { authorizationCheckMiddleware, getAuthorizationMiddleware, skipAuthorizationMiddleware, } from './authorization-middleware';

package/dist/esm/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,KAAK,OAAO,MAAM,WAAW,CAAC;AAErC,MAAM,WAAW,WAAW;IAC1B,UAAU,CAAC,EAAE,GAAG,CAAC;IACjB,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,WAAW,CAAC,EAAE,GAAG,CAAC;IAClB,sCAAsC,CAAC,EAAE,MAAM,CAAC;CACjD;AAED,wBAAsB,IAAI,CAAC,OAAO,GAAE,WAAgB,iBAcnD;AAED,OAAO,EACL,4BAA4B,EAC5B,0BAA0B,EAC1B,2BAA2B,GAC5B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAClF,OAAO,EAAE,8BAA8B,EAAE,MAAM,oCAAoC,CAAC;AACpF,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAE,WAAW,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC5G,OAAO,EACL,WAAW,EACX,YAAY,EACZ,0BAA0B,EAC1B,kBAAkB,GACnB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAErH,OAAO,EAAE,OAAO,EAAE,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAInE,OAAO,KAAK,OAAO,MAAM,WAAW,CAAC;AAErC,MAAM,WAAW,WAAW;IAC1B,UAAU,CAAC,EAAE,GAAG,CAAC;IACjB,kBAAkB,CAAC,EAAE,kBAAkB,CAAC;IACxC,WAAW,CAAC,EAAE,GAAG,CAAC;IAClB,sCAAsC,CAAC,EAAE,MAAM,CAAC;IAChD,OAAO,CAAC,EAAE;QACR,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,QAAQ,CAAC,EAAE,OAAO,CAAC;KACpB,CAAC;CACH;AAED,wBAAsB,IAAI,CAAC,OAAO,GAAE,WAAgB,iBAuBnD;AAED,OAAO,EACL,4BAA4B,EAC5B,0BAA0B,EAC1B,2BAA2B,GAC5B,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAClF,OAAO,EAAE,8BAA8B,EAAE,MAAM,oCAAoC,CAAC;AACpF,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAE,WAAW,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC5G,OAAO,EACL,WAAW,EACX,YAAY,EACZ,0BAA0B,EAC1B,kBAAkB,GACnB,MAAM,kCAAkC,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAErH,OAAO,EAAE,OAAO,EAAE,CAAC"}

package/dist/esm/index.mjs

@@ -1,6 +1,7 @@
 import { setPrometheus } from './prometheus-service.mjs';
 import { setRequestFetchOptions, setRedisClient, setIgniteClient } from './authorization-service.mjs';
 export { AuthorizationService } from './authorization-service.mjs';
+import { initializeMetrics } from './metrics-service.mjs';
 import * as testKit_index from './testKit/index.mjs';
 export { testKit_index as TestKit };
 export { authorizationCheckMiddleware, getAuthorizationMiddleware, skipAuthorizationMiddleware } from './authorization-middleware.mjs';
@@ -12,6 +13,13 @@ async function init(options = {}) {
     if (options.prometheus) {
         setPrometheus(options.prometheus);
     }
+    const resolvedDisabled = options.metrics?.disabled ?? ['test', 'development'].includes((process.env.NODE_ENV ?? '').toLowerCase());
+    initializeMetrics({
+        serviceName: options.metrics?.serviceName ?? process.env.APP_NAME ?? 'authorization-sdk',
+        host: options.metrics?.host,
+        port: options.metrics?.port,
+        disabled: resolvedDisabled,
+    });
     if (options.mondayFetchOptions) {
         setRequestFetchOptions(options.mondayFetchOptions);
     }

package/dist/esm/metrics-service.d.ts

@@ -0,0 +1,12 @@
+type ApiType = 'platform' | 'graph';
+interface InitializeMetricsOptions {
+    serviceName: string;
+    host?: string;
+    port?: number;
+    disabled?: boolean;
+}
+export declare function initializeMetrics(options: InitializeMetricsOptions): void;
+export declare function recordAuthorizationTiming(apiType: ApiType, duration: number): void;
+export declare function recordAuthorizationError(apiType: ApiType, statusCode: number): void;
+export {};
+//# sourceMappingURL=metrics-service.d.ts.map

package/dist/esm/metrics-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metrics-service.d.ts","sourceRoot":"","sources":["../../src/metrics-service.ts"],"names":[],"mappings":"AAGA,KAAK,OAAO,GAAG,UAAU,GAAG,OAAO,CAAC;AAEpC,UAAU,wBAAwB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAID,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,wBAAwB,GAAG,IAAI,CA4BzE;AAED,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,CAUlF;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAUnF"}

package/dist/esm/metrics-service.mjs

@@ -0,0 +1,54 @@
+import { Metric } from '@mondaydotcomorg/monday-observability-kit';
+import { logger } from './authorization-internal-service.mjs';
+
+let initialized = false;
+function initializeMetrics(options) {
+    if (initialized) {
+        return;
+    }
+    const { serviceName } = options;
+    if (!serviceName) {
+        logger.warn({ tag: 'metrics-service' }, 'Metrics initialization skipped: serviceName is missing');
+        return;
+    }
+    const resolvedHost = options.host ?? process.env.HOST_IP ?? 'localhost';
+    const envPort = process.env.DOGSTATSD_PORT ? Number(process.env.DOGSTATSD_PORT) : undefined;
+    const resolvedPort = options.port ?? (Number.isFinite(envPort ?? NaN) ? envPort : undefined) ?? 8125;
+    const resolvedDisabled = options.disabled ?? ['test', 'development'].includes((process.env.NODE_ENV ?? '').toLowerCase());
+    try {
+        Metric.initialize({
+            serviceName,
+            host: resolvedHost,
+            port: resolvedPort,
+            disabled: resolvedDisabled,
+        });
+        initialized = true;
+    }
+    catch (error) {
+        logger.warn({ tag: 'metrics-service', error }, 'Failed to initialize metrics');
+    }
+}
+function recordAuthorizationTiming(apiType, duration) {
+    if (!initialized) {
+        return;
+    }
+    try {
+        Metric.distribution(`authorization.authorizationCheck.${apiType}.duration`, duration);
+    }
+    catch {
+        // ignore metric emission failures
+    }
+}
+function recordAuthorizationError(apiType, statusCode) {
+    if (!initialized) {
+        return;
+    }
+    try {
+        Metric.increment(`authorization.authorizationCheck.${apiType}.error`, { statusCode: String(statusCode) }, 1);
+    }
+    catch {
+        // ignore metric emission failures
+    }
+}
+
+export { initializeMetrics, recordAuthorizationError, recordAuthorizationTiming };

package/dist/esm/prometheus-service.d.ts

@@ -6,7 +6,5 @@ export declare const METRICS: {
 };
 export declare function setPrometheus(customPrometheus: any): void;
 export declare function getMetricsManager(): any;
-export declare function sendAuthorizationCheckResponseTimeMetric(resourceType: string, action: Action, isAuthorized: boolean, responseStatus: number, time: number, apiType?: 'platform' | 'graph'): void;
-export declare function incrementAuthorizationSuccess(resourceType: string, action: Action, apiType: 'platform' | 'graph'): void;
-export declare function incrementAuthorizationError(resourceType: string, action: Action, statusCode: number, apiType: 'platform' | 'graph'): void;
+export declare function sendAuthorizationCheckResponseTimeMetric(resourceType: string, action: Action, isAuthorized: boolean, responseStatus: number, time: number): void;
 //# sourceMappingURL=prometheus-service.d.ts.map

package/dist/esm/prometheus-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"prometheus-service.d.ts","sourceRoot":"","sources":["../../src/prometheus-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAOzC,eAAO,MAAM,OAAO;;;;CAInB,CAAC;AAQF,wBAAgB,aAAa,CAAC,gBAAgB,KAAA,QAqB7C;AAED,wBAAgB,iBAAiB,QAEhC;AAED,wBAAgB,wCAAwC,CACtD,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,OAAO,EACrB,cAAc,EAAE,MAAM,EACtB,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE,UAAU,GAAG,OAAoB,QAW3C;AAcD,wBAAgB,6BAA6B,CAAC,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,QAQhH;AAED,wBAAgB,2BAA2B,CACzC,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,UAAU,GAAG,OAAO,QAS9B"}
+{"version":3,"file":"prometheus-service.d.ts","sourceRoot":"","sources":["../../src/prometheus-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAKzC,eAAO,MAAM,OAAO;;;;CAInB,CAAC;AAQF,wBAAgB,aAAa,CAAC,gBAAgB,KAAA,QAa7C;AAED,wBAAgB,iBAAiB,QAEhC;AAED,wBAAgB,wCAAwC,CACtD,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,OAAO,EACrB,cAAc,EAAE,MAAM,EACtB,IAAI,EAAE,MAAM,QASb"}

package/dist/esm/prometheus-service.mjs

@@ -1,7 +1,5 @@
 let prometheus = null;
 let authorizationCheckResponseTimeMetric = null;
-let authorizationSuccessMetric = null;
-let authorizationErrorMetric = null;
 const METRICS = {
     AUTHORIZATION_CHECK: 'authorization_check',
     AUTHORIZATION_CHECKS_PER_REQUEST: 'authorization_checks_per_request',
@@ -9,80 +7,29 @@ const METRICS = {
 };
 const authorizationCheckResponseTimeMetricConfig = {
     name: METRICS.AUTHORIZATION_CHECK_RESPONSE_TIME,
-    labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus', 'apiType'],
+    labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus'],
     description: 'Authorization check response time summary',
 };
 function setPrometheus(customPrometheus) {
     prometheus = customPrometheus;
     if (!prometheus) {
-        authorizationCheckResponseTimeMetric = null;
-        authorizationSuccessMetric = null;
-        authorizationErrorMetric = null;
         return;
     }
     const { METRICS_TYPES } = prometheus;
-    const metricsManager = getMetricsManager();
-    if (metricsManager) {
-        authorizationCheckResponseTimeMetric = metricsManager.addMetric(METRICS_TYPES.SUMMARY, authorizationCheckResponseTimeMetricConfig.name, authorizationCheckResponseTimeMetricConfig.labels, authorizationCheckResponseTimeMetricConfig.description);
-        initializeAdditionalMetrics();
-    }
+    authorizationCheckResponseTimeMetric = getMetricsManager().addMetric(METRICS_TYPES.SUMMARY, authorizationCheckResponseTimeMetricConfig.name, authorizationCheckResponseTimeMetricConfig.labels, authorizationCheckResponseTimeMetricConfig.description);
 }
 function getMetricsManager() {
     return prometheus?.metricsManager;
 }
-function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, responseStatus, time, apiType = 'platform') {
+function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, responseStatus, time) {
     try {
         if (authorizationCheckResponseTimeMetric) {
-            authorizationCheckResponseTimeMetric
-                .labels(resourceType, action, isAuthorized, responseStatus, apiType)
-                .observe(time);
-        }
-    }
-    catch (e) {
-        // ignore
-    }
-}
-const authorizationSuccessMetricConfig = {
-    name: 'authorization_success_total',
-    labels: ['resourceType', 'action', 'apiType'],
-    description: 'Total number of successful authorization checks',
-};
-const authorizationErrorMetricConfig = {
-    name: 'authorization_error_total',
-    labels: ['resourceType', 'action', 'statusCode', 'apiType'],
-    description: 'Total number of authorization errors',
-};
-function incrementAuthorizationSuccess(resourceType, action, apiType) {
-    try {
-        if (authorizationSuccessMetric) {
-            authorizationSuccessMetric.labels(resourceType, action, apiType).inc();
+            authorizationCheckResponseTimeMetric.labels(resourceType, action, isAuthorized, responseStatus).observe(time);
         }
     }
     catch (e) {
         // ignore
     }
 }
-function incrementAuthorizationError(resourceType, action, statusCode, apiType) {
-    try {
-        if (authorizationErrorMetric) {
-            authorizationErrorMetric.labels(resourceType, action, statusCode, apiType).inc();
-        }
-    }
-    catch (e) {
-        // ignore
-    }
-}
-// Initialize additional metrics when prometheus is set
-function initializeAdditionalMetrics() {
-    if (!prometheus) {
-        return;
-    }
-    const { METRICS_TYPES } = prometheus;
-    const metricsManager = getMetricsManager();
-    if (metricsManager) {
-        authorizationSuccessMetric = metricsManager.addMetric(METRICS_TYPES.COUNTER, authorizationSuccessMetricConfig.name, authorizationSuccessMetricConfig.labels, authorizationSuccessMetricConfig.description);
-        authorizationErrorMetric = metricsManager.addMetric(METRICS_TYPES.COUNTER, authorizationErrorMetricConfig.name, authorizationErrorMetricConfig.labels, authorizationErrorMetricConfig.description);
-    }
-}
 
-export { METRICS, getMetricsManager, incrementAuthorizationError, incrementAuthorizationSuccess, sendAuthorizationCheckResponseTimeMetric, setPrometheus };
+export { METRICS, getMetricsManager, sendAuthorizationCheckResponseTimeMetric, setPrometheus };