@mondaydotcomorg/monday-authorization 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-63c65ad → 3.3.1-feature-bashanye-add-membership-create-delete-api-d00c165

package/README.md

@@ -25,8 +25,11 @@ import * as MondayAuthorization from '@mondaydotcomorg/monday-authorization';
 
 ...
 
-MondayAuthorization.init({
+await MondayAuthorization.init({
   prometheus: getPrometheus(),
+  metrics: {
+    serviceName: process.env.APP_NAME,
+  },
   redisClient: redisClient,
   grantedFeatureRedisExpirationInSeconds: 10 * 60
 });
@@ -36,6 +39,16 @@ startServer(...)
 **Recommended** - optionally init authorization with redisClient so the granted feature results will be cached and reduce http calls.
 
 - grantedFeatureRedisExpirationInSeconds - (optional), redis TTL for cached granted features, default set to 5 minutes
+- metrics - (optional), configure internal DataDog/observability integration. Defaults to `process.env.APP_NAME` as the service name, uses the standard StatsD endpoint (`localhost:8125`) when host/port are not provided, and disables emission automatically in test/development environments (override with `disabled`).
+
+### Metrics & Observability
+
+- `prometheus` (optional) enables the legacy Prometheus summary `authorization_check_response_time` with labels `resourceType`, `action`, `isAuthorized`, and `responseStatus`.
+- `metrics` (optional) enables StatsD emission through `@mondaydotcomorg/monday-observability-kit` with:
+  - `authorization.authorizationCheck.platform.duration` / `.graph.duration` (distributions per API path)
+  - `authorization.authorizationCheck.platform.error` / `.graph.error` counters (with `statusCode` tag)
+- When `metrics.disabled` is omitted, the SDK automatically disables StatsD in `test`/`development` environments.
+- StatsD requires `DOGSTATSD_HOST` / `DOGSTATSD_PORT` (or the defaults `localhost:8125`). Errors are logged and skipped if the client is unavailable.
 
 ## Usage
 
@@ -137,17 +150,13 @@ const canActionInScopeMultipleResponse: ScopedActionResponseObject[] =
  * /
 ```
 
-**Graph API Routing (v3.3.0+):**
-
-Starting from version 3.3.0, `canActionInScope` and `canActionInScopeMultiple` can route authorization checks to the Graph API (`authorization-graph` service) instead of the Platform API. This routing is controlled by the Ignite feature flag `navigate-can-action-in-scope-to-graph`.
-
-- **Feature Flag**: `navigate-can-action-in-scope-to-graph`
-- **Default Behavior**: When the feature flag is disabled (default), the SDK routes to Platform API (backward compatible)
-- **Graph Routing**: When enabled, authorization checks are routed to the Graph API endpoint `/permissions/is-allowed`
-- **Automatic Fallback**: The SDK automatically falls back to Platform API if the feature flag is disabled
-- **No Code Changes Required**: The routing is transparent - your code doesn't need to change. Simply upgrade to v3.3.0+ and the feature flag controls the routing behavior
+**Graph API Routing (v3.3.0+)**
 
-The Graph API provides the same authorization results with improved performance and scalability. The feature flag allows for gradual rollout and easy rollback if needed.
+- **Feature Flag**: `navigate-can-action-in-scope-to-graph` must be enabled in Ignite for the specific account/user.
+- **Environment Variable**: `APP_NAME` must be defined (Graph API uses it to sign JWTs). Missing `APP_NAME` throws `GraphApi: APP_NAME environment variable is required for Graph API authentication`.
+- **Routing Logic**: when the flag is released, `canActionInScope` / `canActionInScopeMultiple` call `authorization-graph` (`/permissions/is-allowed`). Otherwise they continue to call Platform API.
+- **Fallback**: If Graph responses are missing permissions, the SDK defaults to `can=false` with `reason.key = 'unknown'`. HTTP errors propagate and are counted in the StatsD error metric.
+- **Migration**: upgrade to v3.3.0+, set `APP_NAME`, and roll out the feature flag gradually—no code changes required for consumers.
 
 ### Authorization Attributes API
 
@@ -256,6 +265,7 @@ const rolesResponse = await rolesService.getRoles(accountId, resourceTypes, styl
 ```
 
 **Parameters:**
+
 - `accountId` - The account ID
 - `resourceTypes` - Array of resource types to filter roles by (e.g., ['account', 'workspace'])
 - `style` - Deprecated, don't use it. the style of the roles to return, either 'A' or 'B' (default is 'A'). Note that basic role IDs are returned in A style and not B style.
@@ -285,6 +295,7 @@ const rolesResponse = await rolesService.createCustomRole(accountId, customRoles
 ```
 
 **Parameters:**
+
 - `accountId` - The account ID
 - `roles` - Array of `RoleCreateRequest` objects (cannot be empty)
 
@@ -310,6 +321,7 @@ const rolesResponse = await rolesService.updateCustomRole(accountId, updateReque
 ```
 
 **Parameters:**
+
 - `accountId` - The account ID
 - `updateRequests` - Array of `RoleUpdateRequest` objects
 
@@ -328,6 +340,7 @@ const rolesResponse = await rolesService.deleteCustomRole(accountId, roleIds);
 ```
 
 **Parameters:**
+
 - `accountId` - The account ID
 - `roleIds` - Array of custom role IDs to delete
 
@@ -388,3 +401,139 @@ interface RolesResponse {
   basicRoles?: BasicRole[];
 }
 ```
+
+### Memberships API
+
+The Memberships API allows you to manage memberships (role assignments) for entities on resources. Use `MembershipsService` to create/update and delete memberships synchronously.
+
+Important note: there is no validations for the user that create/delete memberships on authorization side.
+It's on the caller responsibility to validate the user have the right permission to change these memberships.
+
+#### Create/Update Memberships
+
+Use `MembershipsService.upsertMemberships` to create or update memberships synchronously:
+
+```ts
+import { MembershipsService, MembershipForCreate } from '@mondaydotcomorg/monday-authorization';
+
+const membershipsService = new MembershipsService();
+const accountId = 739630;
+const memberships: MembershipForCreate[] = [
+  {
+    entityId: 123,
+    entityType: 'user',
+    resourceId: 456,
+    resourceType: 'workspace',
+    roleId: 5,
+    roleType: 'basic',
+    addedById: 789,
+  },
+];
+
+const response = await membershipsService.upsertMemberships(accountId, memberships);
+// Returns: { memberships: Membership[] }
+```
+
+**Parameters:**
+
+- `accountId` - The account ID
+- `memberships` - Array of `MembershipForCreate` objects
+
+#### Delete Memberships
+
+Use `MembershipsService.deleteMemberships` to delete memberships synchronously:
+
+```ts
+import { MembershipsService, MembershipForDelete } from '@mondaydotcomorg/monday-authorization';
+
+const membershipsService = new MembershipsService();
+const accountId = 739630;
+const memberships: MembershipForDelete[] = [
+  {
+    entityId: 123,
+    entityType: 'user',
+    resourceId: 456,
+    resourceType: 'workspace',
+  },
+];
+
+const response = await membershipsService.deleteMemberships(accountId, memberships);
+// Returns: { memberships: Membership[] }
+```
+
+**Parameters:**
+
+- `accountId` - The account ID
+- `memberships` - Array of `MembershipForDelete` objects
+
+#### Types
+
+The following types are available for working with memberships:
+
+```ts
+import {
+  MembershipForCreate,
+  MembershipForDelete,
+  Membership,
+  MembershipCreateResponse,
+  MembershipDeleteResponse,
+} from '@mondaydotcomorg/monday-authorization';
+
+// MembershipForCreate interface
+interface MembershipForCreate {
+  entityId: number;
+  entityType: string;
+  resourceId: number;
+  resourceType: string;
+  roleId: number;
+  roleType?: string;
+  addedById: number;
+}
+
+// MembershipForDelete interface
+interface MembershipForDelete {
+  entityId?: number;
+  entityType: string;
+  resourceId?: number;
+  resourceType: string;
+}
+
+// Membership interface
+interface Membership {
+  id: number;
+  entityId: number;
+  entityType: string;
+  resourceId: number;
+  resourceType: string;
+  roleId: number;
+  roleType: string;
+  addedById: null | number | undefined;
+  hops: number;
+  isNewRecord: boolean;
+  previousValues: Partial<Membership>;
+  walVersion: number | null | undefined;
+}
+
+// MembershipCreateResponse interface
+interface MembershipCreateResponse {
+  memberships: Membership[];
+}
+
+// MembershipDeleteResponse interface
+interface MembershipDeleteResponse {
+  memberships: Membership[];
+}
+```
+
+## Development
+
+### Local Development and Testing
+
+This package includes an `ignite-local-overrides.json` file for local development and testing only. It does **not** affect consumers of this package - they use their own Ignite configuration.
+
+The file enables feature flags for testing:
+
+- `sdk-platform-profiles`: Platform profile routing
+- `navigate-can-action-in-scope-to-graph`: Graph API routing for `canActionInScope` methods
+
+Modify this file for different local test scenarios, but remember changes only affect this package's development/testing.

package/dist/attributions-service.d.ts

@@ -2,9 +2,10 @@ import { Context, ExecutionContext } from '@mondaydotcomorg/trident-backend-api'
 export declare enum PlatformProfile {
     API_INTERNAL = "api-internal",
     SLOW = "slow",
-    INTERNAL = "internal"
+    INTERNAL = "internal",
+    APP = "app"
 }
-export declare function getProfile(): PlatformProfile;
+export declare function getProfile(): PlatformProfile.API_INTERNAL | PlatformProfile.SLOW | PlatformProfile.INTERNAL;
 export declare function getExecutionContext(context: Context): ExecutionContext;
 export declare function getAttributionsFromApi(): {
     [key: string]: string;

package/dist/attributions-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"attributions-service.d.ts","sourceRoot":"","sources":["../src/attributions-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAO,OAAO,EAAE,gBAAgB,EAAE,MAAM,sCAAsC,CAAC;AAStF,oBAAY,eAAe;IACzB,YAAY,iBAAiB;IAC7B,IAAI,SAAS;IACb,QAAQ,aAAa;CACtB;AAED,wBAAgB,UAAU,oBAiBzB;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,gBAAgB,CAEtE;AAED,wBAAgB,sBAAsB,IAAI;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAAE,CAqClE"}
+{"version":3,"file":"attributions-service.d.ts","sourceRoot":"","sources":["../src/attributions-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAO,OAAO,EAAE,gBAAgB,EAAE,MAAM,sCAAsC,CAAC;AAStF,oBAAY,eAAe;IACzB,YAAY,iBAAiB;IAC7B,IAAI,SAAS;IACb,QAAQ,aAAa;IACrB,GAAG,QAAQ;CACZ;AAED,wBAAgB,UAAU,mFAiBzB;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,OAAO,GAAG,gBAAgB,CAEtE;AAED,wBAAgB,sBAAsB,IAAI;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAA;CAAE,CAqClE"}

package/dist/attributions-service.js

@@ -12,6 +12,7 @@ exports.PlatformProfile = void 0;
     PlatformProfile["API_INTERNAL"] = "api-internal";
     PlatformProfile["SLOW"] = "slow";
     PlatformProfile["INTERNAL"] = "internal";
+    PlatformProfile["APP"] = "app";
 })(exports.PlatformProfile || (exports.PlatformProfile = {}));
 function getProfile() {
     const tridentContext = tridentBackendApi.Api.getPart('context');

package/dist/authorization-internal-service.d.ts

@@ -10,7 +10,7 @@ export declare class AuthorizationInternalService {
     static markAuthorized(request: BaseRequest): void;
     static failIfNotCoveredByAuthorization(request: BaseRequest): void;
     static throwOnHttpErrorIfNeeded(response: Awaited<ReturnType<typeof fetch>>, placement: string): void;
-    static throwOnHttpError(status: number, placement: string): void;
+    static throwOnHttpError(status: number, placement: string): never;
     static generateInternalAuthToken(accountId: number, userId: number): string;
     static setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions): void;
     static getRequestFetchOptions(): MondayFetchOptions;

package/dist/authorization-internal-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-internal-service.d.ts","sourceRoot":"","sources":["../src/authorization-internal-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAE1E,OAAO,EAAyB,eAAe,EAAE,WAAW,EAAE,MAAM,mCAAmC,CAAC;AACxG,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAK9C,eAAO,MAAM,MAAM,kBAA2B,CAAC;AAO/C,eAAO,MAAM,eAAe,EAAE,eAM7B,CAAC;AAYF,qBAAa,4BAA4B;IACvC,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IACnC,MAAM,CAAC,iBAAiB,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAIpD,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAIjD,MAAM,CAAC,+BAA+B,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAMlE,MAAM,CAAC,wBAAwB,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI;IAcrG,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM;IAQzD,MAAM,CAAC,yBAAyB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAIlE,MAAM,CAAC,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB;IAO1E,MAAM,CAAC,sBAAsB,IAAI,kBAAkB;IAInD,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,YAAY;IAI3C,MAAM,CAAC,iBAAiB;IA2BxB,MAAM,CAAC,gBAAgB,IAAI,WAAW;CASvC"}
+{"version":3,"file":"authorization-internal-service.d.ts","sourceRoot":"","sources":["../src/authorization-internal-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAE1E,OAAO,EAAyB,eAAe,EAAE,WAAW,EAAE,MAAM,mCAAmC,CAAC;AACxG,OAAO,EAAE,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAK9C,eAAO,MAAM,MAAM,kBAA2B,CAAC;AAO/C,eAAO,MAAM,eAAe,EAAE,eAM7B,CAAC;AAYF,qBAAa,4BAA4B;IACvC,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IACnC,MAAM,CAAC,iBAAiB,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAIpD,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAIjD,MAAM,CAAC,+BAA+B,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI;IAMlE,MAAM,CAAC,wBAAwB,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI;IAcrG,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,KAAK;IAQjE,MAAM,CAAC,yBAAyB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAIlE,MAAM,CAAC,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB;IAO1E,MAAM,CAAC,sBAAsB,IAAI,kBAAkB;IAInD,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,YAAY;IAI3C,MAAM,CAAC,iBAAiB;IA2BxB,MAAM,CAAC,gBAAgB,IAAI,WAAW;CASvC"}

package/dist/authorization-service.d.ts

@@ -9,6 +9,11 @@ export interface AuthorizeResponse {
 }
 export declare function setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions): void;
 export declare class AuthorizationService {
+    private static get graphApi();
+    private static _graphApi?;
+    private static get platformApi();
+    private static _platformApi?;
+    static resetApiClients(): void;
     static redisClient?: any;
     static grantedFeatureRedisExpirationInSeconds?: number;
     static igniteClient?: IgniteClient;

package/dist/authorization-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../src/authorization-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAE7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAe1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAMD,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBA6DnB,oBAAoB;mBAUpB,oBAAoB;CAoF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}
+{"version":3,"file":"authorization-service.d.ts","sourceRoot":"","sources":["../src/authorization-service.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAGnE,OAAO,EAAmB,YAAY,EAAE,MAAM,6BAA6B,CAAC;AAC5E,OAAO,EAAE,MAAM,EAAE,mBAAmB,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAG7F,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,0BAA0B,EAC1B,YAAY,EACb,MAAM,kCAAkC,CAAC;AAe1C,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,OAAO,CAAC;IACtB,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,mBAAmB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC7C;AAED,wBAAgB,sBAAsB,CAAC,wBAAwB,EAAE,kBAAkB,QAElF;AAMD,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,MAAM,KAAK,QAAQ,GAK1B;IACD,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAW;IAEpC,OAAO,CAAC,MAAM,KAAK,WAAW,GAK7B;IACD,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAc;IAE1C,MAAM,CAAC,eAAe,IAAI,IAAI;IAK9B,MAAM,CAAC,WAAW,CAAC,MAAC;IACpB,MAAM,CAAC,sCAAsC,CAAC,EAAE,MAAM,CAAC;IACvD,MAAM,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IAEnC;;;OAGG;WACU,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,QAAQ,EAAE,EACrB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,iBAAiB,CAAC;WAEhB,YAAY,CACvB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,2BAA2B,EAAE,mBAAmB,EAAE,GACjD,OAAO,CAAC,iBAAiB,CAAC;IAY7B;;;OAGG;WACU,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE;QAAE,eAAe,CAAC,EAAE,OAAO,CAAA;KAAO,GAC1C,OAAO,CAAC,OAAO,CAAC;mBAkBE,6BAA6B;IAclD,OAAO,CAAC,MAAM,CAAC,gBAAgB;WAIlB,gBAAgB,CAC3B,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,YAAY,GAClB,OAAO,CAAC,kBAAkB,CAAC;IAM9B,OAAO,CAAC,MAAM,CAAC,UAAU;WAsBZ,wBAAwB,CACnC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;mBA4CnB,oBAAoB;mBAUpB,oBAAoB;CAmF1C;AAED,wBAAgB,cAAc,CAC5B,MAAM,KAAA,EACN,sCAAsC,GAAE,MAAiD,QAY1F;AAED,wBAAsB,eAAe,kBAMpC;AAED,wBAAgB,yBAAyB,CAAC,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,EAAE,MAAM,GAAG,mBAAmB,CAepG"}

package/dist/authorization-service.js

@@ -5,10 +5,11 @@ const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
 const mondayFetchApi = require('@mondaydotcomorg/monday-fetch-api');
 const igniteSdk = require('@mondaydotcomorg/ignite-sdk');
 const prometheusService = require('./prometheus-service.js');
+const metricsService = require('./metrics-service.js');
 const authorizationInternalService = require('./authorization-internal-service.js');
 const attributionsService = require('./attributions-service.js');
-const clients_graphApi_client = require('./clients/graph-api.client.js');
-const clients_platformApi_client = require('./clients/platform-api.client.js');
+const clients_graphApi = require('./clients/graph-api.js');
+const clients_platformApi = require('./clients/platform-api.js');
 const utils_authorization_utils = require('./utils/authorization.utils.js');
 
 const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
@@ -21,6 +22,24 @@ function setRequestFetchOptions(customMondayFetchOptions) {
     authorizationInternalService.AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
 }
 class AuthorizationService {
+    static get graphApi() {
+        if (!this._graphApi) {
+            this._graphApi = new clients_graphApi.GraphApi();
+        }
+        return this._graphApi;
+    }
+    static _graphApi;
+    static get platformApi() {
+        if (!this._platformApi) {
+            this._platformApi = new clients_platformApi.PlatformApi();
+        }
+        return this._platformApi;
+    }
+    static _platformApi;
+    static resetApiClients() {
+        this._graphApi = undefined;
+        this._platformApi = undefined;
+    }
     static redisClient;
     static grantedFeatureRedisExpirationInSeconds;
     static igniteClient;
@@ -86,38 +105,25 @@ class AuthorizationService {
             this.igniteClient.isReleased(PLATFORM_PROFILE_RELEASE_FF, { accountId, userId })) {
             return attributionsService.getProfile();
         }
-        return attributionsService.PlatformProfile.INTERNAL;
+        return attributionsService.PlatformProfile.APP;
     }
     static async canActionInScopeMultiple(accountId, userId, scopedActions) {
         if (scopedActions.length === 0) {
             return [];
         }
         const shouldNavigateToGraph = Boolean(this.igniteClient?.isReleased(NAVIGATE_CAN_ACTION_IN_SCOPE_TO_GRAPH_FF, { accountId, userId }));
-        const internalAuthToken = authorizationInternalService.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
         const startTime = perf_hooks.performance.now();
         let scopedActionResponseObjects;
         let apiType;
         if (shouldNavigateToGraph) {
-            try {
-                scopedActionResponseObjects = await clients_graphApi_client.GraphApiClient.checkPermissions(internalAuthToken, scopedActions);
-                apiType = 'graph';
-            }
-            catch (error) {
-                const status = error instanceof mondayFetchApi.HttpFetcherError ? error.status : undefined;
-                authorizationInternalService.logger.warn({
-                    tag: 'authorization-service',
-                    error: error instanceof Error ? error.message : String(error),
-                    accountId,
-                    userId,
-                    status,
-                }, 'Graph API authorization failed');
-                throw error;
-            }
+            apiType = 'graph';
+            scopedActionResponseObjects = await this.graphApi.checkPermissions(accountId, userId, scopedActions);
         }
         else {
-            const profile = this.getProfile(accountId, userId);
-            scopedActionResponseObjects = await clients_platformApi_client.PlatformApiClient.checkPermissions(profile, internalAuthToken, userId, scopedActions);
             apiType = 'platform';
+            const profile = this.getProfile(accountId, userId);
+            const internalAuthToken = authorizationInternalService.AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+            scopedActionResponseObjects = await this.platformApi.checkPermissions(profile, internalAuthToken, userId, scopedActions);
         }
         const endTime = perf_hooks.performance.now();
         const time = endTime - startTime;
@@ -126,10 +132,8 @@ class AuthorizationService {
             const { action, scope } = obj.scopedAction;
             const { resourceType } = utils_authorization_utils.scopeToResource(scope);
             const isAuthorized = obj.permit.can;
-            prometheusService.sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, 200, time, apiType);
-            if (obj.permit.can) {
-                prometheusService.incrementAuthorizationSuccess(resourceType, action, apiType);
-            }
+            prometheusService.sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, 200, time);
+            metricsService.recordAuthorizationTiming(apiType, time, 'canActionInScopeMultiple');
         }
         return scopedActionResponseObjects;
     }
@@ -186,7 +190,7 @@ class AuthorizationService {
             if (!isAuthorized) {
                 unauthorizedObjects.push(authorizationObject);
             }
-            prometheusService.sendAuthorizationCheckResponseTimeMetric(authorizationObject.resource_type, authorizationObject.action, isAuthorized, 200, time, 'platform');
+            prometheusService.sendAuthorizationCheckResponseTimeMetric(authorizationObject.resource_type, authorizationObject.action, isAuthorized, 200, time);
         });
         if (unauthorizedObjects.length > 0) {
             authorizationInternalService.logger.info({

package/dist/clients/graph-api.d.ts

@@ -0,0 +1,28 @@
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { GraphIsAllowedResponse } from '../types/graph-api.types';
+/**
+ * Client for handling Graph API authorization operations
+ */
+export declare class GraphApi {
+    private readonly httpClient;
+    private readonly consumerAppName;
+    constructor();
+    /**
+     * Builds the request body for Graph API calls
+     */
+    private static buildRequestBody;
+    /**
+     * Fetches authorization data from the Graph API
+     */
+    fetchPermissions(authToken: string, scopedActions: ScopedAction[]): Promise<GraphIsAllowedResponse>;
+    /**
+     * Maps Graph API response to the expected format
+     */
+    private static mapResponse;
+    /**
+     * Performs a complete authorization check using the Graph API
+     */
+    checkPermissions(accountId: number, userId: number, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+    private static ensureGraphReason;
+}
+//# sourceMappingURL=graph-api.d.ts.map

package/dist/clients/graph-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph-api.d.ts","sourceRoot":"","sources":["../../src/clients/graph-api.ts"],"names":[],"mappings":"AACA,OAAO,EACL,YAAY,EACZ,0BAA0B,EAG3B,MAAM,mCAAmC,CAAC;AAG3C,OAAO,EAEL,sBAAsB,EAMvB,MAAM,0BAA0B,CAAC;AASlC;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;IACxC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAS;;IAezC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;IAyB/B;;OAEG;IACG,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,GAAG,OAAO,CAAC,sBAAsB,CAAC;IAgCzG;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAiC1B;;OAEG;IACG,gBAAgB,CACpB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;IAMxC,OAAO,CAAC,MAAM,CAAC,iBAAiB;CAWjC"}

package/dist/clients/{graph-api.client.js → graph-api.js}

@@ -1,18 +1,34 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 
 const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
-const mondayFetchApi = require('@mondaydotcomorg/monday-fetch-api');
 const types_scopedActionsContracts = require('../types/scoped-actions-contracts.js');
 const authorizationInternalService = require('../authorization-internal-service.js');
 const attributionsService = require('../attributions-service.js');
 const utils_authorization_utils = require('../utils/authorization.utils.js');
-const prometheusService = require('../prometheus-service.js');
+const mondayJwt = require('@mondaydotcomorg/monday-jwt');
+const constants = require('../constants.js');
+const utils_apiErrorHandler = require('../utils/api-error-handler.js');
 
 const CAN_ACTION_IN_SCOPE_GRAPH_PATH = '/permissions/is-allowed';
+const APP_NAME_REQUIRED_ERROR = 'GraphApi: APP_NAME environment variable is required for Graph API authentication';
 /**
  * Client for handling Graph API authorization operations
  */
-class GraphApiClient {
+class GraphApi {
+    httpClient;
+    consumerAppName;
+    constructor() {
+        const httpClient = tridentBackendApi.Api.getPart('httpClient');
+        if (!httpClient) {
+            throw new Error('GraphApi: http client is not initialized');
+        }
+        const consumerAppName = process.env.APP_NAME?.trim();
+        if (!consumerAppName) {
+            throw new Error(APP_NAME_REQUIRED_ERROR);
+        }
+        this.httpClient = httpClient;
+        this.consumerAppName = consumerAppName;
+    }
     /**
      * Builds the request body for Graph API calls
      */
@@ -41,19 +57,18 @@ class GraphApiClient {
     /**
      * Fetches authorization data from the Graph API
      */
-    static async fetchPermissions(internalAuthToken, scopedActions) {
-        const httpClient = tridentBackendApi.Api.getPart('httpClient');
+    async fetchPermissions(authToken, scopedActions) {
         const attributionHeaders = attributionsService.getAttributionsFromApi();
-        const bodyPayload = this.buildRequestBody(scopedActions);
+        const bodyPayload = GraphApi.buildRequestBody(scopedActions);
         try {
-            const response = await httpClient.fetch({
+            const response = await this.httpClient.fetch({
                 url: {
-                    appName: 'authorization-graph',
+                    appName: constants.GRAPH_APP_NAME,
                     path: CAN_ACTION_IN_SCOPE_GRAPH_PATH,
                 },
                 method: 'POST',
                 headers: {
-                    Authorization: internalAuthToken,
+                    Authorization: authToken,
                     'Content-Type': 'application/json',
                     ...attributionHeaders,
                 },
@@ -65,13 +80,8 @@ class GraphApiClient {
             return response;
         }
         catch (err) {
-            if (err instanceof mondayFetchApi.HttpFetcherError) {
-                authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, 'canActionInScopeMultiple');
-                if (scopedActions.length > 0) {
-                    prometheusService.incrementAuthorizationError(utils_authorization_utils.scopeToResource(scopedActions[0].scope).resourceType, scopedActions[0].action, err.status, 'graph');
-                }
-            }
-            throw err;
+            // handleApiError never returns (throws)
+            return utils_apiErrorHandler.handleApiError(err, 'graph', 'canActionInScopeMultiple');
         }
     }
     /**
@@ -83,41 +93,39 @@ class GraphApiClient {
             const { action, scope } = scopedAction;
             const { resourceType, resourceId } = utils_authorization_utils.scopeToResource(scope);
             const permissionResult = resources?.[resourceType]?.[String(resourceId)]?.[action];
-            const graphReason = permissionResult?.reason;
-            let reasonKey;
-            let additionalOptions = {};
-            let technicalReason = types_scopedActionsContracts.PermitTechnicalReason.NO_REASON;
-            if (typeof graphReason === 'string') {
-                reasonKey = graphReason;
-            }
-            else if (graphReason && typeof graphReason === 'object') {
-                reasonKey = graphReason.key ?? 'unknown';
-                additionalOptions = graphReason.additionalOptions ?? {};
-                if (graphReason.technicalReason !== undefined) {
-                    technicalReason = (graphReason.technicalReason ?? types_scopedActionsContracts.PermitTechnicalReason.NO_REASON);
-                }
-            }
-            else {
-                reasonKey = 'unknown';
-            }
             const permit = {
                 can: permissionResult?.can ?? false,
                 reason: {
-                    key: reasonKey,
-                    ...additionalOptions,
+                    key: 'unknown',
                 },
-                technicalReason,
+                technicalReason: types_scopedActionsContracts.PermitTechnicalReason.NO_REASON,
             };
+            if (permissionResult) {
+                const graphReason = GraphApi.ensureGraphReason(permissionResult.reason, { resourceType, resourceId, action });
+                permit.reason = {
+                    key: graphReason.key,
+                    ...(graphReason.additionalOptions ?? {}),
+                };
+                permit.technicalReason = (graphReason.technicalReason ??
+                    types_scopedActionsContracts.PermitTechnicalReason.NO_REASON);
+            }
             return { scopedAction, permit };
         });
     }
     /**
      * Performs a complete authorization check using the Graph API
      */
-    static async checkPermissions(internalAuthToken, scopedActions) {
-        const response = await this.fetchPermissions(internalAuthToken, scopedActions);
-        return this.mapResponse(scopedActions, response);
+    async checkPermissions(accountId, userId, scopedActions) {
+        const authToken = mondayJwt.signAuthorizationHeader({ appName: this.consumerAppName, accountId, userId });
+        const response = await this.fetchPermissions(authToken, scopedActions);
+        return GraphApi.mapResponse(scopedActions, response);
+    }
+    static ensureGraphReason(reason, context) {
+        if (!reason || typeof reason !== 'object' || typeof reason.key !== 'string') {
+            throw new Error(`GraphApi: unexpected reason format for ${context.resourceType}/${context.resourceId}/${context.action}`);
+        }
+        return reason;
     }
 }
 
-exports.GraphApiClient = GraphApiClient;
+exports.GraphApi = GraphApi;

package/dist/clients/platform-api.d.ts

@@ -0,0 +1,26 @@
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { PlatformProfile } from '../attributions-service';
+/**
+ * Client for handling Platform API authorization operations
+ */
+export declare class PlatformApi {
+    private readonly httpClient;
+    constructor();
+    /**
+     * Builds the request payload for Platform API calls
+     */
+    private static buildRequestPayload;
+    /**
+     * Fetches authorization data from the Platform API
+     */
+    private fetchPermissions;
+    /**
+     * Maps Platform API response to the expected format
+     */
+    private static mapResponse;
+    /**
+     * Performs a complete authorization check using the Platform API
+     */
+    checkPermissions(profile: PlatformProfile, internalAuthToken: string, userId: number, scopedActions: ScopedAction[]): Promise<ScopedActionResponseObject[]>;
+}
+//# sourceMappingURL=platform-api.d.ts.map

package/dist/clients/platform-api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"platform-api.d.ts","sourceRoot":"","sources":["../../src/clients/platform-api.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,0BAA0B,EAAE,MAAM,mCAAmC,CAAC;AAE7F,OAAO,EAA0B,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAelF;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAa;;IAUxC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,mBAAmB;IAOlC;;OAEG;YACW,gBAAgB;IAqC9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAkB1B;;OAEG;IACG,gBAAgB,CACpB,OAAO,EAAE,eAAe,EACxB,iBAAiB,EAAE,MAAM,EACzB,MAAM,EAAE,MAAM,EACd,aAAa,EAAE,YAAY,EAAE,GAC5B,OAAO,CAAC,0BAA0B,EAAE,CAAC;CAKzC"}