@mondaydotcomorg/monday-authorization 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-46d4fc5 → 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-9ad5fa5

package/dist/authorization-service.d.ts

@@ -30,14 +30,6 @@ export declare class AuthorizationService {
     static canActionInScope(accountId: number, userId: number, action: string, scope: ScopeOptions): Promise<ScopedActionPermit>;
     private static getProfile;
     static canActionInScopeMultiple(accountId: number, userId: number, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
-    private static buildScopedActionsPayload;
-    private static scopeToResource;
-    private static buildGraphRequestBody;
-    private static fetchGraphIsAllowed;
-    private static mapGraphResponse;
-    private static fetchPlatformCanActions;
-    private static toCamelCase;
-    private static mapPlatformResponse;
     private static isAuthorizedSingular;
     private static isAuthorizedMultiple;
 }

package/dist/authorization-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../src/authorization-service.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAO7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAc1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAsCD,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;IAyCxC,OAAO,CAAC,MAAM,CAAC,yBAAyB;IAMxC,OAAO,CAAC,MAAM,CAAC,eAAe;IAmB9B,OAAO,CAAC,MAAM,CAAC,qBAAqB;mBAyBf,mBAAmB;IAwCxC,OAAO,CAAC,MAAM,CAAC,gBAAgB;mBAoBV,uBAAuB;IA2C5C,OAAO,CAAC,MAAM,CAAC,WAAW;IAI1B,OAAO,CAAC,MAAM,CAAC,mBAAmB;mBAiBb,oBAAoB;mBAUpB,oBAAoB;CAoF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}
+{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../src/authorization-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAe1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAMD,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBA+DnB,oBAAoB;mBAUpB,oBAAoB;CAoF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}

package/dist/authorization-service.js

@@ -1,26 +1,18 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 
 const perf_hooks = require('perf_hooks');
-const snakeCase = require('lodash/snakeCase.js');
-const camelCase = require('lodash/camelCase.js');
-const mapKeys = require('lodash/mapKeys.js');
 const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
 const mondayFetchApi = require('@mondaydotcomorg/monday-fetch-api');
 const igniteSdk = require('@mondaydotcomorg/ignite-sdk');
 const prometheusService = require('./prometheus-service.js');
 const authorizationInternalService = require('./authorization-internal-service.js');
 const attributionsService = require('./attributions-service.js');
-
-const _interopDefault = e => e && e.__esModule ? e : { default: e };
-
-const snakeCase__default = /*#__PURE__*/_interopDefault(snakeCase);
-const camelCase__default = /*#__PURE__*/_interopDefault(camelCase);
-const mapKeys__default = /*#__PURE__*/_interopDefault(mapKeys);
+const clients_graphApi_client = require('./clients/graph-api.client.js');
+const clients_platformApi_client = require('./clients/platform-api.client.js');
+const utils_authorization_utils = require('./utils/authorization.utils.js');
 
 const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
 const PLATFORM_AUTHORIZE_PATH = '/internal_ms/authorization/authorize';
-const PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH = '/internal_ms/authorization/can_actions_in_scopes';
-const CAN_ACTION_IN_SCOPE_GRAPH_PATH = '/permissions/is-allowed';
 const ALLOWED_SDK_PLATFORM_PROFILES_KEY = 'allowed-sdk-platform-profiles';
 const IN_RELEASE_SDK_PLATFORM_PROFILES_KEY = 'in-release-sdk-platform-profile';
 const PLATFORM_PROFILE_RELEASE_FF = 'sdk-platform-profiles';
@@ -101,167 +93,44 @@ class AuthorizationService {
         const internalAuthToken = authorizationInternalService.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
         const startTime = perf_hooks.performance.now();
         let scopedActionResponseObjects;
+        let usedGraphApi = false;
         if (shouldNavigateToGraph) {
-            const response = await this.fetchGraphIsAllowed(internalAuthToken, scopedActions);
-            scopedActionResponseObjects = this.mapGraphResponse(scopedActions, userId, response);
+            try {
+                scopedActionResponseObjects = await clients_graphApi_client.GraphApiClient.checkPermissions(internalAuthToken, scopedActions);
+                usedGraphApi = true;
+            }
+            catch (error) {
+                // Fallback to Platform API if Graph API fails
+                authorizationInternalService.logger.warn({
+                    tag: 'authorization-service',
+                    error: error instanceof Error ? error.message : String(error),
+                    accountId,
+                    userId,
+                }, 'Graph API authorization failed, falling back to Platform API');
+                const profile = this.getProfile(accountId, userId);
+                scopedActionResponseObjects = await clients_platformApi_client.PlatformApiClient.checkPermissions(profile, internalAuthToken, userId, scopedActions);
+                usedGraphApi = false;
+            }
         }
         else {
             const profile = this.getProfile(accountId, userId);
-            const scopedActionsPayload = this.buildScopedActionsPayload(scopedActions);
-            const platformResponse = await this.fetchPlatformCanActions(profile, internalAuthToken, userId, scopedActionsPayload);
-            scopedActionResponseObjects = this.mapPlatformResponse(platformResponse);
+            scopedActionResponseObjects = await clients_platformApi_client.PlatformApiClient.checkPermissions(profile, internalAuthToken, userId, scopedActions);
+            usedGraphApi = false;
         }
         const endTime = perf_hooks.performance.now();
         const time = endTime - startTime;
-        const apiType = shouldNavigateToGraph ? 'graph' : 'platform';
+        const apiType = usedGraphApi ? 'graph' : 'platform';
+        // Record metrics for each authorization check
         for (const obj of scopedActionResponseObjects) {
-            const { action } = obj.scopedAction;
-            const resource_type = this.scopeToResource(obj.scopedAction.scope).resourceType;
+            const { action, scope } = obj.scopedAction;
+            const { resourceType } = utils_authorization_utils.scopeToResource(scope);
             const isAuthorized = obj.permit.can;
-            prometheusService.sendAuthorizationCheckResponseTimeMetric(resource_type, action, isAuthorized, 200, time, apiType);
-            if (obj.permit.can) ;
-        }
-        return scopedActionResponseObjects;
-    }
-    static buildScopedActionsPayload(scopedActions) {
-        return scopedActions.map(scopedAction => {
-            return { ...scopedAction, scope: mapKeys__default.default(scopedAction.scope, (_, key) => snakeCase__default.default(key)) };
-        });
-    }
-    static scopeToResource(scope) {
-        if ('workspaceId' in scope) {
-            return { resourceType: 'workspace', resourceId: scope.workspaceId };
-        }
-        if ('boardId' in scope) {
-            return { resourceType: 'board', resourceId: scope.boardId };
-        }
-        if ('pulseId' in scope) {
-            return { resourceType: 'pulse', resourceId: scope.pulseId };
-        }
-        if ('accountProductId' in scope) {
-            return { resourceType: 'account_product', resourceId: scope.accountProductId };
-        }
-        if ('accountId' in scope) {
-            return { resourceType: 'account', resourceId: scope.accountId };
-        }
-        throw new Error('Unsupported scope provided');
-    }
-    static buildGraphRequestBody(scopedActions) {
-        const resourcesAccumulator = {};
-        for (const { action, scope } of scopedActions) {
-            const { resourceType, resourceId } = this.scopeToResource(scope);
-            if (!resourcesAccumulator[resourceType]) {
-                resourcesAccumulator[resourceType] = {};
-            }
-            if (!resourcesAccumulator[resourceType][resourceId]) {
-                resourcesAccumulator[resourceType][resourceId] = new Set();
-            }
-            resourcesAccumulator[resourceType][resourceId].add(action);
-        }
-        const resourcesPayload = {};
-        for (const [resourceType, idMap] of Object.entries(resourcesAccumulator)) {
-            resourcesPayload[resourceType] = {};
-            for (const [idStr, actionsSet] of Object.entries(idMap)) {
-                const idNum = Number(idStr);
-                resourcesPayload[resourceType][idNum] = Array.from(actionsSet);
-            }
-        }
-        return resourcesPayload;
-    }
-    static async fetchGraphIsAllowed(internalAuthToken, scopedActions) {
-        const httpClient = tridentBackendApi.Api.getPart('httpClient');
-        const attributionHeaders = attributionsService.getAttributionsFromApi();
-        const bodyPayload = this.buildGraphRequestBody(scopedActions);
-        try {
-            const response = await httpClient.fetch({
-                url: {
-                    appName: 'authorization-graph',
-                    path: CAN_ACTION_IN_SCOPE_GRAPH_PATH,
-                },
-                method: 'POST',
-                headers: {
-                    Authorization: internalAuthToken,
-                    'Content-Type': 'application/json',
-                    ...attributionHeaders,
-                },
-                body: JSON.stringify(bodyPayload),
-            }, {
-                timeout: authorizationInternalService.AuthorizationInternalService.getRequestTimeout(),
-                retryPolicy: authorizationInternalService.AuthorizationInternalService.getRetriesPolicy(),
-            });
-            prometheusService.setGraphAvailability(true);
-            return response;
-        }
-        catch (err) {
-            if (err instanceof mondayFetchApi.HttpFetcherError) {
-                authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
-                prometheusService.incrementAuthorizationError(this.scopeToResource(scopedActions[0].scope).resourceType, scopedActions[0].action, err.status);
+            prometheusService.sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, 200, time, apiType);
+            if (obj.permit.can) {
+                prometheusService.incrementAuthorizationSuccess(resourceType, action);
             }
-            throw err;
         }
-    }
-    static mapGraphResponse(scopedActions, userId, graphResponse) {
-        const resources = graphResponse ?? {};
-        return scopedActions.map(scopedAction => {
-            const { action, scope } = scopedAction;
-            const { resourceType, resourceId } = this.scopeToResource(scope);
-            const permissionResult = resources?.[resourceType]?.[String(resourceId)]?.[action];
-            const permit = {
-                can: permissionResult?.can ?? false,
-                reason: { key: permissionResult?.reason ?? 'unknown' },
-                technicalReason: 0,
-            };
-            return { scopedAction, permit };
-        });
-    }
-    static async fetchPlatformCanActions(profile, internalAuthToken, userId, scopedActionsPayload) {
-        const attributionHeaders = attributionsService.getAttributionsFromApi();
-        const httpClient = tridentBackendApi.Api.getPart('httpClient');
-        try {
-            const response = await httpClient.fetch({
-                url: {
-                    appName: 'platform',
-                    path: PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH,
-                    profile,
-                },
-                method: 'POST',
-                headers: {
-                    Authorization: internalAuthToken,
-                    'Content-Type': 'application/json',
-                    ...attributionHeaders,
-                },
-                body: JSON.stringify({ user_id: userId, scoped_actions: scopedActionsPayload }),
-            }, {
-                timeout: authorizationInternalService.AuthorizationInternalService.getRequestTimeout(),
-                retryPolicy: authorizationInternalService.AuthorizationInternalService.getRetriesPolicy(),
-            });
-            return response;
-        }
-        catch (err) {
-            if (err instanceof mondayFetchApi.HttpFetcherError) {
-                authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
-                prometheusService.incrementAuthorizationError(this.scopeToResource(this.toCamelCase(scopedActionsPayload[0].scope)).resourceType, scopedActionsPayload[0].action, err.status);
-            }
-            throw err;
-        }
-    }
-    static toCamelCase(obj) {
-        return mapKeys__default.default(obj, (_, key) => camelCase__default.default(key));
-    }
-    static mapPlatformResponse(response) {
-        if (!response) {
-            authorizationInternalService.logger.error({ tag: 'authorization-service', response }, 'AuthorizationService: missing response');
-            throw new Error('AuthorizationService: missing response');
-        }
-        return response.result.map(responseObject => {
-            const { scopedAction, permit } = responseObject;
-            const { scope } = scopedAction;
-            return {
-                ...responseObject,
-                scopedAction: { ...scopedAction, scope: this.toCamelCase(scope) },
-                permit: this.toCamelCase(permit),
-            };
-        });
+        return scopedActionResponseObjects;
     }
     static async isAuthorizedSingular(accountId, userId, resources, action) {
         const { authorizationObjects } = createAuthorizationParams(resources, action);

package/dist/clients/graph-api.client.d.ts

@@ -0,0 +1,24 @@
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { GraphIsAllowedDto, GraphIsAllowedResponse } from '../types/graph-api.types';
+/**
+ * Client for handling Graph API authorization operations
+ */
+export declare class GraphApiClient {
+    /**
+     * Builds the request body for Graph API calls
+     */
+    static buildRequestBody(scopedActions: ScopedAction[]): GraphIsAllowedDto;
+    /**
+     * Fetches authorization data from the Graph API
+     */
+    static fetchPermissions(internalAuthToken: string, scopedActions: ScopedAction[]): Promise<GraphIsAllowedResponse>;
+    /**
+     * Maps Graph API response to the expected format
+     */
+    static mapResponse(scopedActions: ScopedAction[], graphResponse: GraphIsAllowedResponse): ScopedActionResponseObject[];
+    /**
+     * Performs a complete authorization check using the Graph API
+     */
+    static checkPermissions(internalAuthToken: string, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+}
+//# sourceMappingURL=graph-api.client.d.ts.map

package/dist/clients/graph-api.client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph-api.client.d.ts","sourceRoot":"","sources":["../../src/clients/graph-api.client.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,0BAA0B,EAAsB,MAAM,mCAAmC,CAAC;AAGjH,OAAO,EACL,iBAAiB,EACjB,sBAAsB,EAIvB,MAAM,0BAA0B,CAAC;AAMlC;;GAEG;AACH,qBAAa,cAAc;IACzB;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,YAAY,EAAE,GAAG,iBAAiB;IAyBzE;;OAEG;WACU,gBAAgB,CAC3B,iBAAiB,EAAE,MAAM,EACzB,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,sBAAsB,CAAC;IAyClC;;OAEG;IACH,MAAM,CAAC,WAAW,CAChB,aAAa,EAAE,YAAY,EAAE,EAC7B,aAAa,EAAE,sBAAsB,GACpC,0BAA0B,EAAE;IAkB/B;;OAEG;WACU,gBAAgB,CAC3B,iBAAiB,EAAE,MAAM,EACzB,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;CAIzC"}

package/dist/clients/graph-api.client.js

@@ -0,0 +1,102 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
+const mondayFetchApi = require('@mondaydotcomorg/monday-fetch-api');
+const authorizationInternalService = require('../authorization-internal-service.js');
+const attributionsService = require('../attributions-service.js');
+const utils_authorization_utils = require('../utils/authorization.utils.js');
+const prometheusService = require('../prometheus-service.js');
+
+const CAN_ACTION_IN_SCOPE_GRAPH_PATH = '/permissions/is-allowed';
+/**
+ * Client for handling Graph API authorization operations
+ */
+class GraphApiClient {
+    /**
+     * Builds the request body for Graph API calls
+     */
+    static buildRequestBody(scopedActions) {
+        const resourcesAccumulator = {};
+        for (const { action, scope } of scopedActions) {
+            const { resourceType, resourceId } = utils_authorization_utils.scopeToResource(scope);
+            if (!resourcesAccumulator[resourceType]) {
+                resourcesAccumulator[resourceType] = {};
+            }
+            if (!resourcesAccumulator[resourceType][resourceId]) {
+                resourcesAccumulator[resourceType][resourceId] = new Set();
+            }
+            resourcesAccumulator[resourceType][resourceId].add(action);
+        }
+        const resourcesPayload = {};
+        for (const [resourceType, idMap] of Object.entries(resourcesAccumulator)) {
+            resourcesPayload[resourceType] = {};
+            for (const [idStr, actionsSet] of Object.entries(idMap)) {
+                const idNum = Number(idStr);
+                resourcesPayload[resourceType][idNum] = Array.from(actionsSet);
+            }
+        }
+        return resourcesPayload;
+    }
+    /**
+     * Fetches authorization data from the Graph API
+     */
+    static async fetchPermissions(internalAuthToken, scopedActions) {
+        const httpClient = tridentBackendApi.Api.getPart('httpClient');
+        const attributionHeaders = attributionsService.getAttributionsFromApi();
+        const bodyPayload = this.buildRequestBody(scopedActions);
+        try {
+            const response = await httpClient.fetch({
+                url: {
+                    appName: 'authorization-graph',
+                    path: CAN_ACTION_IN_SCOPE_GRAPH_PATH,
+                },
+                method: 'POST',
+                headers: {
+                    Authorization: internalAuthToken,
+                    'Content-Type': 'application/json',
+                    ...attributionHeaders,
+                },
+                body: JSON.stringify(bodyPayload),
+            }, {
+                timeout: authorizationInternalService.AuthorizationInternalService.getRequestTimeout(),
+                retryPolicy: authorizationInternalService.AuthorizationInternalService.getRetriesPolicy(),
+            });
+            prometheusService.setGraphAvailability(true);
+            return response;
+        }
+        catch (err) {
+            prometheusService.setGraphAvailability(false);
+            if (err instanceof mondayFetchApi.HttpFetcherError) {
+                authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
+                prometheusService.incrementAuthorizationError(utils_authorization_utils.scopeToResource(scopedActions[0].scope).resourceType, scopedActions[0].action, err.status);
+            }
+            throw err;
+        }
+    }
+    /**
+     * Maps Graph API response to the expected format
+     */
+    static mapResponse(scopedActions, graphResponse) {
+        const resources = graphResponse ?? {};
+        return scopedActions.map(scopedAction => {
+            const { action, scope } = scopedAction;
+            const { resourceType, resourceId } = utils_authorization_utils.scopeToResource(scope);
+            const permissionResult = resources?.[resourceType]?.[String(resourceId)]?.[action];
+            const permit = {
+                can: permissionResult?.can ?? false,
+                reason: { key: permissionResult?.reason ?? 'unknown' },
+                technicalReason: 0,
+            };
+            return { scopedAction, permit };
+        });
+    }
+    /**
+     * Performs a complete authorization check using the Graph API
+     */
+    static async checkPermissions(internalAuthToken, scopedActions) {
+        const response = await this.fetchPermissions(internalAuthToken, scopedActions);
+        return this.mapResponse(scopedActions, response);
+    }
+}
+
+exports.GraphApiClient = GraphApiClient;

package/dist/clients/platform-api.client.d.ts

@@ -0,0 +1,31 @@
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { PlatformProfile } from '../attributions-service';
+type ScopedActionPlatformPayload = Omit<ScopedAction, 'scope'> & {
+    scope: Record<string, number>;
+};
+interface CanActionsInScopesResponse {
+    result: ScopedActionResponseObject[];
+}
+/**
+ * Client for handling Platform API authorization operations
+ */
+export declare class PlatformApiClient {
+    /**
+     * Builds the request payload for Platform API calls
+     */
+    static buildRequestPayload(scopedActions: ScopedAction[]): ScopedActionPlatformPayload[];
+    /**
+     * Fetches authorization data from the Platform API
+     */
+    static fetchPermissions(profile: PlatformProfile, internalAuthToken: string, userId: number, scopedActionsPayload: ScopedActionPlatformPayload[]): Promise<CanActionsInScopesResponse>;
+    /**
+     * Maps Platform API response to the expected format
+     */
+    static mapResponse(response: CanActionsInScopesResponse): ScopedActionResponseObject[];
+    /**
+     * Performs a complete authorization check using the Platform API
+     */
+    static checkPermissions(profile: PlatformProfile, internalAuthToken: string, userId: number, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+}
+export {};
+//# sourceMappingURL=platform-api.client.d.ts.map

package/dist/clients/platform-api.client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"platform-api.client.d.ts","sourceRoot":"","sources":["../../src/clients/platform-api.client.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAE7F,OAAO,EAA0B,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAOlF,KAAK,2BAA2B,GAAG,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,GAAG;IAC/D,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC/B,CAAC;AAEF,UAAU,0BAA0B;IAClC,MAAM,EAAE,0BAA0B,EAAE,CAAC;CACtC;AAED;;GAEG;AACH,qBAAa,iBAAiB;IAC5B;;OAEG;IACH,MAAM,CAAC,mBAAmB,CAAC,aAAa,EAAE,YAAY,EAAE,GAAG,2BAA2B,EAAE;IAOxF;;OAEG;WACU,gBAAgB,CAC3B,OAAO,EAAE,eAAe,EACxB,iBAAiB,EAAE,MAAM,EACzB,MAAM,EAAE,MAAM,EACd,oBAAoB,EAAE,2BAA2B,EAAE,GAClD,OAAO,CAAC,0BAA0B,CAAC;IAuCtC;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,QAAQ,EAAE,0BAA0B,GAAG,0BAA0B,EAAE;IAkBtF;;OAEG;WACU,gBAAgB,CAC3B,OAAO,EAAE,eAAe,EACxB,iBAAiB,EAAE,MAAM,EACzB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;CAKzC"}

package/dist/clients/platform-api.client.js

@@ -0,0 +1,86 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
+const mondayFetchApi = require('@mondaydotcomorg/monday-fetch-api');
+const authorizationInternalService = require('../authorization-internal-service.js');
+const attributionsService = require('../attributions-service.js');
+const utils_authorization_utils = require('../utils/authorization.utils.js');
+const prometheusService = require('../prometheus-service.js');
+
+const PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH = '/internal_ms/authorization/can_actions_in_scopes';
+/**
+ * Client for handling Platform API authorization operations
+ */
+class PlatformApiClient {
+    /**
+     * Builds the request payload for Platform API calls
+     */
+    static buildRequestPayload(scopedActions) {
+        return scopedActions.map(scopedAction => ({
+            ...scopedAction,
+            scope: utils_authorization_utils.toSnakeCase(scopedAction.scope),
+        }));
+    }
+    /**
+     * Fetches authorization data from the Platform API
+     */
+    static async fetchPermissions(profile, internalAuthToken, userId, scopedActionsPayload) {
+        const attributionHeaders = attributionsService.getAttributionsFromApi();
+        const httpClient = tridentBackendApi.Api.getPart('httpClient');
+        try {
+            const response = await httpClient.fetch({
+                url: {
+                    appName: 'platform',
+                    path: PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH,
+                    profile,
+                },
+                method: 'POST',
+                headers: {
+                    Authorization: internalAuthToken,
+                    'Content-Type': 'application/json',
+                    ...attributionHeaders,
+                },
+                body: JSON.stringify({ user_id: userId, scoped_actions: scopedActionsPayload }),
+            }, {
+                timeout: authorizationInternalService.AuthorizationInternalService.getRequestTimeout(),
+                retryPolicy: authorizationInternalService.AuthorizationInternalService.getRetriesPolicy(),
+            });
+            return response;
+        }
+        catch (err) {
+            if (err instanceof mondayFetchApi.HttpFetcherError) {
+                authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
+                prometheusService.incrementAuthorizationError(utils_authorization_utils.scopeToResource(utils_authorization_utils.toCamelCase(scopedActionsPayload[0].scope)).resourceType, scopedActionsPayload[0].action, err.status);
+            }
+            throw err;
+        }
+    }
+    /**
+     * Maps Platform API response to the expected format
+     */
+    static mapResponse(response) {
+        if (!response) {
+            authorizationInternalService.logger.error({ tag: 'platform-api-client', response }, 'PlatformApiClient: missing response');
+            throw new Error('PlatformApiClient: missing response');
+        }
+        return response.result.map(responseObject => {
+            const { scopedAction, permit } = responseObject;
+            const { scope } = scopedAction;
+            return {
+                ...responseObject,
+                scopedAction: { ...scopedAction, scope: utils_authorization_utils.toCamelCase(scope) },
+                permit: utils_authorization_utils.toCamelCase(permit),
+            };
+        });
+    }
+    /**
+     * Performs a complete authorization check using the Platform API
+     */
+    static async checkPermissions(profile, internalAuthToken, userId, scopedActions) {
+        const scopedActionsPayload = this.buildRequestPayload(scopedActions);
+        const platformResponse = await this.fetchPermissions(profile, internalAuthToken, userId, scopedActionsPayload);
+        return this.mapResponse(platformResponse);
+    }
+}
+
+exports.PlatformApiClient = PlatformApiClient;

package/dist/esm/authorization-service.d.ts

@@ -30,14 +30,6 @@ export declare class AuthorizationService {
     static canActionInScope(accountId: number, userId: number, action: string, scope: ScopeOptions): Promise<ScopedActionPermit>;
     private static getProfile;
     static canActionInScopeMultiple(accountId: number, userId: number, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
-    private static buildScopedActionsPayload;
-    private static scopeToResource;
-    private static buildGraphRequestBody;
-    private static fetchGraphIsAllowed;
-    private static mapGraphResponse;
-    private static fetchPlatformCanActions;
-    private static toCamelCase;
-    private static mapPlatformResponse;
     private static isAuthorizedSingular;
     private static isAuthorizedMultiple;
 }

package/dist/esm/authorization-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../../src/authorization-service.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAO7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAc1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAsCD,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;IAyCxC,OAAO,CAAC,MAAM,CAAC,yBAAyB;IAMxC,OAAO,CAAC,MAAM,CAAC,eAAe;IAmB9B,OAAO,CAAC,MAAM,CAAC,qBAAqB;mBAyBf,mBAAmB;IAwCxC,OAAO,CAAC,MAAM,CAAC,gBAAgB;mBAoBV,uBAAuB;IA2C5C,OAAO,CAAC,MAAM,CAAC,WAAW;IAI1B,OAAO,CAAC,MAAM,CAAC,mBAAmB;mBAiBb,oBAAoB;mBAUpB,oBAAoB;CAoF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}
+{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../../src/authorization-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAe1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAMD,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBA+DnB,oBAAoB;mBAUpB,oBAAoB;CAoF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}