@mondaydotcomorg/monday-authorization 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-63c65ad → 3.3.1-feature-bashanye-add-membership-create-delete-api-d00c165

package/dist/memberships.js

@@ -0,0 +1,100 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const tridentBackendApi = require('@mondaydotcomorg/trident-backend-api');
+const attributionsService = require('./attributions-service.js');
+const constants = require('./constants.js');
+const utils_apiErrorHandler = require('./utils/api-error-handler.js');
+
+class MembershipsService {
+    static API_PATHS = {
+        UPSERT_RESOURCE_ATTRIBUTES: '/memberships/{accountId}',
+        DELETE_RESOURCE_ATTRIBUTES: '/memberships/{accountId}',
+    };
+    httpClient;
+    fetchOptions;
+    /**
+     * Public constructor to create the AuthorizationAttributesService instance.
+     * @param httpClient The HTTP client to use for API requests, if not provided, the default HTTP client from Api will be used.
+     * @param fetchOptions The fetch options to use for API requests, if not provided, the default fetch options will be used.
+     */
+    constructor(httpClient, fetchOptions) {
+        if (!httpClient) {
+            httpClient = tridentBackendApi.Api.getPart('httpClient');
+            if (!httpClient) {
+                throw new Error(constants.ERROR_MESSAGES.HTTP_CLIENT_NOT_INITIALIZED);
+            }
+        }
+        if (!fetchOptions) {
+            fetchOptions = constants.DEFAULT_FETCH_OPTIONS;
+        }
+        else {
+            fetchOptions = {
+                ...constants.DEFAULT_FETCH_OPTIONS,
+                ...fetchOptions,
+            };
+        }
+        this.httpClient = httpClient;
+        this.fetchOptions = fetchOptions;
+    }
+    /**
+     * Upsert memberships synchronously, performing http call to the authorization MS to assign the given memberships.
+     * @param accountId
+     * @param memberships - Array of memberships to upsert
+     * @returns MembershipCreateResponse - The affected (created and updated) memberships.
+     */
+    async upsertMemberships(accountId, memberships) {
+        const attributionHeaders = attributionsService.getAttributionsFromApi();
+        try {
+            return await this.httpClient.fetch({
+                url: {
+                    appName: constants.APP_NAME,
+                    path: MembershipsService.API_PATHS.UPSERT_RESOURCE_ATTRIBUTES.replace('{accountId}', accountId.toString()),
+                },
+                method: 'PUT',
+                query: {
+                    useAStyleRoleId: 'true',
+                },
+                headers: {
+                    'Content-Type': 'application/json',
+                    ...attributionHeaders,
+                },
+                body: JSON.stringify({ memberships }),
+            }, this.fetchOptions);
+        }
+        catch (err) {
+            return utils_apiErrorHandler.handleApiError(err, 'authorization', 'upsertMemberships');
+        }
+    }
+    /**
+     * Delete memberships synchronously, performing http call to the authorization MS to delete the given memberships.
+     * @param accountId
+     * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
+     * @param attributeKeys - Array of attribute keys to delete for the resource.
+     * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
+     */
+    async deleteMemberships(accountId, memberships) {
+        const attributionHeaders = attributionsService.getAttributionsFromApi();
+        try {
+            return await this.httpClient.fetch({
+                url: {
+                    appName: constants.APP_NAME,
+                    path: MembershipsService.API_PATHS.DELETE_RESOURCE_ATTRIBUTES.replace('{accountId}', accountId.toString()),
+                },
+                method: 'DELETE',
+                query: {
+                    useAStyleRoleId: 'true',
+                },
+                headers: {
+                    'Content-Type': 'application/json',
+                    ...attributionHeaders,
+                },
+                body: JSON.stringify({ memberships }),
+            }, this.fetchOptions);
+        }
+        catch (err) {
+            return utils_apiErrorHandler.handleApiError(err, 'authorization', 'deleteMemberships');
+        }
+    }
+}
+
+exports.MembershipsService = MembershipsService;

package/dist/metrics-service.d.ts

@@ -0,0 +1,12 @@
+type ApiType = 'platform' | 'graph' | 'authorization';
+interface InitializeMetricsOptions {
+    serviceName: string;
+    host?: string;
+    port?: number;
+    disabled?: boolean;
+}
+export declare function initializeMetrics(options: InitializeMetricsOptions): void;
+export declare function recordAuthorizationTiming(apiType: ApiType, duration: number, placement: string): void;
+export declare function recordAuthorizationError(apiType: ApiType, statusCode: number, placement: string): void;
+export {};
+//# sourceMappingURL=metrics-service.d.ts.map

package/dist/metrics-service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"metrics-service.d.ts","sourceRoot":"","sources":["../src/metrics-service.ts"],"names":[],"mappings":"AAGA,KAAK,OAAO,GAAG,UAAU,GAAG,OAAO,GAAG,eAAe,CAAC;AAEtD,UAAU,wBAAwB;IAChC,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,QAAQ,CAAC,EAAE,OAAO,CAAC;CACpB;AAID,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,wBAAwB,GAAG,IAAI,CA4BzE;AAED,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CAUrG;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,IAAI,CActG"}

package/dist/metrics-service.js

@@ -0,0 +1,58 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const mondayObservabilityKit = require('@mondaydotcomorg/monday-observability-kit');
+const authorizationInternalService = require('./authorization-internal-service.js');
+
+let initialized = false;
+function initializeMetrics(options) {
+    if (initialized) {
+        return;
+    }
+    const { serviceName } = options;
+    if (!serviceName) {
+        authorizationInternalService.logger.warn({ tag: 'metrics-service' }, 'Metrics initialization skipped: serviceName is missing');
+        return;
+    }
+    const resolvedHost = options.host ?? process.env.DOGSTATSD_HOST ?? 'localhost';
+    const envPort = process.env.DOGSTATSD_PORT ? Number(process.env.DOGSTATSD_PORT) : undefined;
+    const resolvedPort = options.port ?? (Number.isFinite(envPort ?? NaN) ? envPort : undefined) ?? 8125;
+    const resolvedDisabled = options.disabled ?? ['test', 'development'].includes((process.env.NODE_ENV ?? '').toLowerCase());
+    try {
+        mondayObservabilityKit.Metric.initialize({
+            serviceName,
+            host: resolvedHost,
+            port: resolvedPort,
+            disabled: resolvedDisabled,
+        });
+        initialized = true;
+    }
+    catch (error) {
+        authorizationInternalService.logger.warn({ tag: 'metrics-service', error }, 'Failed to initialize metrics');
+    }
+}
+function recordAuthorizationTiming(apiType, duration, placement) {
+    if (!initialized) {
+        return;
+    }
+    try {
+        mondayObservabilityKit.Metric.distribution(`authorization.authorizationCheck.${apiType}.${placement}.duration`, duration);
+    }
+    catch {
+        // ignore metric emission failures
+    }
+}
+function recordAuthorizationError(apiType, statusCode, placement) {
+    if (!initialized) {
+        return;
+    }
+    try {
+        mondayObservabilityKit.Metric.increment(`authorization.authorizationCheck.${apiType}.${placement}.error`, { statusCode: String(statusCode) }, 1);
+    }
+    catch {
+        // ignore metric emission failures
+    }
+}
+
+exports.initializeMetrics = initializeMetrics;
+exports.recordAuthorizationError = recordAuthorizationError;
+exports.recordAuthorizationTiming = recordAuthorizationTiming;

package/dist/prometheus-service.d.ts

@@ -6,7 +6,5 @@ export declare const METRICS: {
 };
 export declare function setPrometheus(customPrometheus: any): void;
 export declare function getMetricsManager(): any;
-export declare function sendAuthorizationCheckResponseTimeMetric(resourceType: string, action: Action, isAuthorized: boolean, responseStatus: number, time: number, apiType?: 'platform' | 'graph'): void;
-export declare function incrementAuthorizationSuccess(resourceType: string, action: Action, apiType: 'platform' | 'graph'): void;
-export declare function incrementAuthorizationError(resourceType: string, action: Action, statusCode: number, apiType: 'platform' | 'graph'): void;
+export declare function sendAuthorizationCheckResponseTimeMetric(resourceType: string, action: Action, isAuthorized: boolean, responseStatus: number, time: number): void;
 //# sourceMappingURL=prometheus-service.d.ts.map

package/dist/prometheus-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"prometheus-service.d.ts","sourceRoot":"","sources":["../src/prometheus-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAOzC,eAAO,MAAM,OAAO;;;;CAInB,CAAC;AAQF,wBAAgB,aAAa,CAAC,gBAAgB,KAAA,QAqB7C;AAED,wBAAgB,iBAAiB,QAEhC;AAED,wBAAgB,wCAAwC,CACtD,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,OAAO,EACrB,cAAc,EAAE,MAAM,EACtB,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE,UAAU,GAAG,OAAoB,QAW3C;AAcD,wBAAgB,6BAA6B,CAAC,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,GAAG,OAAO,QAQhH;AAED,wBAAgB,2BAA2B,CACzC,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAClB,OAAO,EAAE,UAAU,GAAG,OAAO,QAS9B"}
+{"version":3,"file":"prometheus-service.d.ts","sourceRoot":"","sources":["../src/prometheus-service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAKzC,eAAO,MAAM,OAAO;;;;CAInB,CAAC;AAQF,wBAAgB,aAAa,CAAC,gBAAgB,KAAA,QAa7C;AAED,wBAAgB,iBAAiB,QAEhC;AAED,wBAAgB,wCAAwC,CACtD,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,OAAO,EACrB,cAAc,EAAE,MAAM,EACtB,IAAI,EAAE,MAAM,QASb"}

package/dist/prometheus-service.js

@@ -2,8 +2,6 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 
 let prometheus = null;
 let authorizationCheckResponseTimeMetric = null;
-let authorizationSuccessMetric = null;
-let authorizationErrorMetric = null;
 const METRICS = {
     AUTHORIZATION_CHECK: 'authorization_check',
     AUTHORIZATION_CHECKS_PER_REQUEST: 'authorization_checks_per_request',
@@ -11,85 +9,32 @@ const METRICS = {
 };
 const authorizationCheckResponseTimeMetricConfig = {
     name: METRICS.AUTHORIZATION_CHECK_RESPONSE_TIME,
-    labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus', 'apiType'],
+    labels: ['resourceType', 'action', 'isAuthorized', 'responseStatus'],
     description: 'Authorization check response time summary',
 };
 function setPrometheus(customPrometheus) {
     prometheus = customPrometheus;
     if (!prometheus) {
-        authorizationCheckResponseTimeMetric = null;
-        authorizationSuccessMetric = null;
-        authorizationErrorMetric = null;
         return;
     }
     const { METRICS_TYPES } = prometheus;
-    const metricsManager = getMetricsManager();
-    if (metricsManager) {
-        authorizationCheckResponseTimeMetric = metricsManager.addMetric(METRICS_TYPES.SUMMARY, authorizationCheckResponseTimeMetricConfig.name, authorizationCheckResponseTimeMetricConfig.labels, authorizationCheckResponseTimeMetricConfig.description);
-        initializeAdditionalMetrics();
-    }
+    authorizationCheckResponseTimeMetric = getMetricsManager().addMetric(METRICS_TYPES.SUMMARY, authorizationCheckResponseTimeMetricConfig.name, authorizationCheckResponseTimeMetricConfig.labels, authorizationCheckResponseTimeMetricConfig.description);
 }
 function getMetricsManager() {
     return prometheus?.metricsManager;
 }
-function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, responseStatus, time, apiType = 'platform') {
+function sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, responseStatus, time) {
     try {
         if (authorizationCheckResponseTimeMetric) {
-            authorizationCheckResponseTimeMetric
-                .labels(resourceType, action, isAuthorized, responseStatus, apiType)
-                .observe(time);
-        }
-    }
-    catch (e) {
-        // ignore
-    }
-}
-const authorizationSuccessMetricConfig = {
-    name: 'authorization_success_total',
-    labels: ['resourceType', 'action', 'apiType'],
-    description: 'Total number of successful authorization checks',
-};
-const authorizationErrorMetricConfig = {
-    name: 'authorization_error_total',
-    labels: ['resourceType', 'action', 'statusCode', 'apiType'],
-    description: 'Total number of authorization errors',
-};
-function incrementAuthorizationSuccess(resourceType, action, apiType) {
-    try {
-        if (authorizationSuccessMetric) {
-            authorizationSuccessMetric.labels(resourceType, action, apiType).inc();
+            authorizationCheckResponseTimeMetric.labels(resourceType, action, isAuthorized, responseStatus).observe(time);
         }
     }
     catch (e) {
         // ignore
     }
 }
-function incrementAuthorizationError(resourceType, action, statusCode, apiType) {
-    try {
-        if (authorizationErrorMetric) {
-            authorizationErrorMetric.labels(resourceType, action, statusCode, apiType).inc();
-        }
-    }
-    catch (e) {
-        // ignore
-    }
-}
-// Initialize additional metrics when prometheus is set
-function initializeAdditionalMetrics() {
-    if (!prometheus) {
-        return;
-    }
-    const { METRICS_TYPES } = prometheus;
-    const metricsManager = getMetricsManager();
-    if (metricsManager) {
-        authorizationSuccessMetric = metricsManager.addMetric(METRICS_TYPES.COUNTER, authorizationSuccessMetricConfig.name, authorizationSuccessMetricConfig.labels, authorizationSuccessMetricConfig.description);
-        authorizationErrorMetric = metricsManager.addMetric(METRICS_TYPES.COUNTER, authorizationErrorMetricConfig.name, authorizationErrorMetricConfig.labels, authorizationErrorMetricConfig.description);
-    }
-}
 
 exports.METRICS = METRICS;
 exports.getMetricsManager = getMetricsManager;
-exports.incrementAuthorizationError = incrementAuthorizationError;
-exports.incrementAuthorizationSuccess = incrementAuthorizationSuccess;
 exports.sendAuthorizationCheckResponseTimeMetric = sendAuthorizationCheckResponseTimeMetric;
 exports.setPrometheus = setPrometheus;

package/dist/types/graph-api.types.d.ts

@@ -2,14 +2,15 @@ export type ResourceType = string;
 export type ResourceId = number;
 export type ActionName = string;
 export type GraphIsAllowedDto = Record<ResourceType, Record<ResourceId, ActionName[]>>;
-export type GraphPermissionResult = {
+export interface GraphPermissionReason {
+    key: string;
+    additionalOptions?: Record<string, string>;
+    technicalReason?: number;
+}
+export interface GraphPermissionResult {
     can: boolean;
-    reason: string | {
-        key: string;
-        additionalOptions?: Record<string, string>;
-        technicalReason?: number;
-    };
-};
+    reason?: GraphPermissionReason;
+}
 export type GraphPermissionResults = Record<ActionName, GraphPermissionResult>;
 export type GraphIsAllowedResponse = Record<ResourceType, Record<string, GraphPermissionResults>>;
 //# sourceMappingURL=graph-api.types.d.ts.map

package/dist/types/graph-api.types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"graph-api.types.d.ts","sourceRoot":"","sources":["../../src/types/graph-api.types.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC;AAClC,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC;AAChC,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC;AAEhC,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,UAAU,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;AAEvF,MAAM,MAAM,qBAAqB,GAAG;IAClC,GAAG,EAAE,OAAO,CAAC;IACb,MAAM,EACF,MAAM,GACN;QACE,GAAG,EAAE,MAAM,CAAC;QACZ,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3C,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B,CAAC;CACP,CAAC;AAGF,MAAM,MAAM,sBAAsB,GAAG,MAAM,CAAC,UAAU,EAAE,qBAAqB,CAAC,CAAC;AAI/E,MAAM,MAAM,sBAAsB,GAAG,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAC,CAAC"}
+{"version":3,"file":"graph-api.types.d.ts","sourceRoot":"","sources":["../../src/types/graph-api.types.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC;AAClC,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC;AAChC,MAAM,MAAM,UAAU,GAAG,MAAM,CAAC;AAEhC,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,UAAU,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;AAEvF,MAAM,WAAW,qBAAqB;IACpC,GAAG,EAAE,MAAM,CAAC;IACZ,iBAAiB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3C,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,qBAAqB;IACpC,GAAG,EAAE,OAAO,CAAC;IACb,MAAM,CAAC,EAAE,qBAAqB,CAAC;CAChC;AAGD,MAAM,MAAM,sBAAsB,GAAG,MAAM,CAAC,UAAU,EAAE,qBAAqB,CAAC,CAAC;AAI/E,MAAM,MAAM,sBAAsB,GAAG,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAC,CAAC"}

package/dist/types/memberships.d.ts

@@ -0,0 +1,42 @@
+export interface MembershipCreateRequest {
+    memberships: MembershipForCreate[];
+}
+export interface MembershipDeleteRequest {
+    memberships: MembershipForDelete[];
+}
+export interface MembershipForCreate {
+    entityId: number;
+    entityType: string;
+    resourceId: number;
+    resourceType: string;
+    roleId: number;
+    roleType?: string;
+    addedById: number;
+}
+export interface MembershipForDelete {
+    entityId?: number;
+    entityType: string;
+    resourceId?: number;
+    resourceType: string;
+}
+export interface MembershipCreateResponse {
+    memberships: Membership[];
+}
+export interface MembershipDeleteResponse {
+    memberships: Membership[];
+}
+export interface Membership {
+    id: number;
+    entityId: number;
+    entityType: string;
+    resourceId: number;
+    resourceType: string;
+    roleId: number;
+    roleType: string;
+    addedById: null | number | undefined;
+    hops: number;
+    isNewRecord: boolean;
+    previousValues: Partial<Membership>;
+    walVersion: number | null | undefined;
+}
+//# sourceMappingURL=memberships.d.ts.map

package/dist/types/memberships.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"memberships.d.ts","sourceRoot":"","sources":["../../src/types/memberships.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,mBAAmB,EAAE,CAAC;CACpC;AAED,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,mBAAmB,EAAE,CAAC;CACpC;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,wBAAwB;IACvC,WAAW,EAAE,UAAU,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,wBAAwB;IACvC,WAAW,EAAE,UAAU,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,IAAI,GAAG,MAAM,GAAG,SAAS,CAAC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,OAAO,CAAC;IACrB,cAAc,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACpC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;CACvC"}

package/dist/types/memberships.js

@@ -0,0 +1 @@
+

package/dist/types/scoped-actions-contracts.d.ts

@@ -21,7 +21,16 @@ export interface Translation {
 export declare enum PermitTechnicalReason {
     NO_REASON = 0,
     NOT_ELIGIBLE = 1,
-    BY_ROLE_IN_SCOPE = 2
+    BY_ROLE_IN_SCOPE = 2,
+    /**
+     * NOT_APPLICABLE indicates that the permit was requested as part of the `permissions` parameter to the `getPermits`
+     * method, but would not otherwise be returned. This is done so that a cache in the monolith can serve
+     * two purposes: to mean both that a permit was requested and that it was received; at least: in the
+     * case of where a `permissions` parameter is passed to the `getPermits` method.
+     */
+    NOT_APPLICABLE = 3,
+    BY_POLICY = 4,
+    BY_OVERRIDE = 5
 }
 export interface ScopedActionPermit {
     can: boolean;

package/dist/types/scoped-actions-contracts.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"scoped-actions-contracts.d.ts","sourceRoot":"","sources":["../../src/types/scoped-actions-contracts.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,YAAY,GAAG,cAAc,GAAG,UAAU,GAAG,UAAU,GAAG,mBAAmB,GAAG,YAAY,CAAC;AAEzG,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;CAC1B;AAED,oBAAY,qBAAqB;IAC/B,SAAS,IAAI;IACb,YAAY,IAAI;IAChB,gBAAgB,IAAI;CACrB;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,OAAO,CAAC;IACb,MAAM,EAAE,WAAW,CAAC;IACpB,eAAe,EAAE,qBAAqB,CAAC;CACxC;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,YAAY,CAAC;CACrB;AAED,MAAM,WAAW,0BAA0B;IACzC,YAAY,EAAE,YAAY,CAAC;IAC3B,MAAM,EAAE,kBAAkB,CAAC;CAC5B"}
+{"version":3,"file":"scoped-actions-contracts.d.ts","sourceRoot":"","sources":["../../src/types/scoped-actions-contracts.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,cAAc;IAC7B,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,YAAY,GAAG,cAAc,GAAG,UAAU,GAAG,UAAU,GAAG,mBAAmB,GAAG,YAAY,CAAC;AAEzG,MAAM,WAAW,WAAW;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC;CAC1B;AAED,oBAAY,qBAAqB;IAC/B,SAAS,IAAI;IACb,YAAY,IAAI;IAChB,gBAAgB,IAAI;IACpB;;;;;OAKG;IACH,cAAc,IAAI;IAClB,SAAS,IAAI;IACb,WAAW,IAAI;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,OAAO,CAAC;IACb,MAAM,EAAE,WAAW,CAAC;IACpB,eAAe,EAAE,qBAAqB,CAAC;CACxC;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,YAAY,CAAC;CACrB;AAED,MAAM,WAAW,0BAA0B;IACzC,YAAY,EAAE,YAAY,CAAC;IAC3B,MAAM,EAAE,kBAAkB,CAAC;CAC5B"}

package/dist/types/scoped-actions-contracts.js

@@ -5,4 +5,13 @@ exports.PermitTechnicalReason = void 0;
     PermitTechnicalReason[PermitTechnicalReason["NO_REASON"] = 0] = "NO_REASON";
     PermitTechnicalReason[PermitTechnicalReason["NOT_ELIGIBLE"] = 1] = "NOT_ELIGIBLE";
     PermitTechnicalReason[PermitTechnicalReason["BY_ROLE_IN_SCOPE"] = 2] = "BY_ROLE_IN_SCOPE";
+    /**
+     * NOT_APPLICABLE indicates that the permit was requested as part of the `permissions` parameter to the `getPermits`
+     * method, but would not otherwise be returned. This is done so that a cache in the monolith can serve
+     * two purposes: to mean both that a permit was requested and that it was received; at least: in the
+     * case of where a `permissions` parameter is passed to the `getPermits` method.
+     */
+    PermitTechnicalReason[PermitTechnicalReason["NOT_APPLICABLE"] = 3] = "NOT_APPLICABLE";
+    PermitTechnicalReason[PermitTechnicalReason["BY_POLICY"] = 4] = "BY_POLICY";
+    PermitTechnicalReason[PermitTechnicalReason["BY_OVERRIDE"] = 5] = "BY_OVERRIDE";
 })(exports.PermitTechnicalReason || (exports.PermitTechnicalReason = {}));

package/dist/utils/api-error-handler.d.ts

@@ -0,0 +1,2 @@
+export declare function handleApiError(err: unknown, apiType: 'platform' | 'graph' | 'authorization', placement: string): never;
+//# sourceMappingURL=api-error-handler.d.ts.map

package/dist/utils/api-error-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-error-handler.d.ts","sourceRoot":"","sources":["../../src/utils/api-error-handler.ts"],"names":[],"mappings":"AAIA,wBAAgB,cAAc,CAC5B,GAAG,EAAE,OAAO,EACZ,OAAO,EAAE,UAAU,GAAG,OAAO,GAAG,eAAe,EAC/C,SAAS,EAAE,MAAM,GAChB,KAAK,CAgBP"}

package/dist/utils/api-error-handler.js

@@ -0,0 +1,20 @@
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+const mondayFetchApi = require('@mondaydotcomorg/monday-fetch-api');
+const authorizationInternalService = require('../authorization-internal-service.js');
+const metricsService = require('../metrics-service.js');
+
+function handleApiError(err, apiType, placement) {
+    if (err instanceof mondayFetchApi.HttpFetcherError) {
+        authorizationInternalService.logger.error({ tag: `${apiType}-api`, status: err.status, error: err.message }, `${apiType.charAt(0).toUpperCase() + apiType.slice(1)} API ${placement} request failed`);
+        metricsService.recordAuthorizationError(apiType, err.status, placement);
+        authorizationInternalService.AuthorizationInternalService.throwOnHttpError(err.status, placement);
+    }
+    else {
+        authorizationInternalService.logger.error({ tag: `${apiType}-api`, error: err instanceof Error ? err.message : String(err) }, `${apiType.charAt(0).toUpperCase() + apiType.slice(1)} API ${placement} request failed`);
+        metricsService.recordAuthorizationError(apiType, 500, placement);
+        throw err;
+    }
+}
+
+exports.handleApiError = handleApiError;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mondaydotcomorg/monday-authorization",
-  "version": "3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-63c65ad",
+  "version": "3.3.1-feature-bashanye-add-membership-create-delete-api-d00c165",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "license": "BSD-3-Clause",
@@ -25,6 +25,7 @@
     "@mondaydotcomorg/monday-fetch-api": "^1.0.2",
     "@mondaydotcomorg/monday-jwt": "^3.0.14",
     "@mondaydotcomorg/monday-logger": "^4.0.11",
+    "@mondaydotcomorg/monday-observability-kit": "^1.5.3",
     "@mondaydotcomorg/monday-sns": "^1.2.1",
     "@mondaydotcomorg/trident-backend-api": "^0.24.3",
     "lodash": "^4.17.21",
@@ -46,7 +47,9 @@
     "typescript": "^5.2.2"
   },
   "files": [
-    "dist/"
+    "dist/",
+    "src/",
+    "dist/node_modules/lodash-cjs/"
   ],
   "eslintConfig": {
     "extends": "@mondaydotcomorg/trident-library",

package/src/attributions-service.ts

@@ -0,0 +1,93 @@
+import { Api, Context, ExecutionContext } from '@mondaydotcomorg/trident-backend-api';
+import { logger } from './authorization-internal-service';
+
+const APP_NAME_VARIABLE_KEY = 'APP_NAME';
+const APP_NAME_HEADER_NAME = 'x-caller-app-name-from-sdk';
+const FROM_SDK_HEADER_SUFFIX = `-from-sdk`;
+
+let didSendFailureLogOnce = false;
+
+export enum PlatformProfile {
+  API_INTERNAL = 'api-internal',
+  SLOW = 'slow',
+  INTERNAL = 'internal',
+  APP = 'app',
+}
+
+export function getProfile() {
+  const tridentContext = Api.getPart('context');
+  if (!tridentContext) {
+    return PlatformProfile.INTERNAL;
+  }
+  const { mondayRequestSource } = getExecutionContext(tridentContext);
+
+  switch (mondayRequestSource) {
+    case 'api': {
+      return PlatformProfile.API_INTERNAL;
+    }
+    case 'slow': {
+      return PlatformProfile.SLOW;
+    }
+    default:
+      return PlatformProfile.INTERNAL;
+  }
+}
+
+export function getExecutionContext(context: Context): ExecutionContext {
+  return context.execution.get();
+}
+
+export function getAttributionsFromApi(): { [key: string]: string } {
+  const callerAppNameFromSdk = {
+    [APP_NAME_HEADER_NAME]: tryJsonParse(getEnvVariable(APP_NAME_VARIABLE_KEY)),
+  };
+
+  try {
+    const tridentContext = Api.getPart('context');
+
+    if (!tridentContext) {
+      return callerAppNameFromSdk;
+    }
+
+    const { runtimeAttributions } = tridentContext;
+    const runtimeAttributionsOutgoingHeaders = runtimeAttributions?.buildOutgoingHeaders('HTTP_INTERNAL');
+
+    if (!runtimeAttributionsOutgoingHeaders) {
+      return callerAppNameFromSdk;
+    }
+
+    const attributionsHeaders = Object.fromEntries(runtimeAttributionsOutgoingHeaders);
+
+    const attributionHeadersFromSdk = {};
+    Object.keys(attributionsHeaders).forEach(function (key) {
+      attributionHeadersFromSdk[`${key}${FROM_SDK_HEADER_SUFFIX}`] = attributionsHeaders[key];
+    });
+
+    return attributionHeadersFromSdk;
+  } catch (error) {
+    if (!didSendFailureLogOnce) {
+      logger.warn(
+        { tag: 'authorization-service', error },
+        'Failed to generate attributions headers from the API. Unexpected error while extracting headers. It may be caused by out of date Trident version.'
+      );
+      didSendFailureLogOnce = true;
+    }
+    return callerAppNameFromSdk;
+  }
+}
+
+function getEnvVariable(key: string) {
+  const envVar = process.env[key] || process.env[key.toUpperCase()] || process.env[key.toLowerCase()];
+  return envVar;
+}
+
+function tryJsonParse(value: string | undefined) {
+  if (!value) {
+    return value;
+  }
+  try {
+    return JSON.parse(value);
+  } catch (_err) {
+    return value;
+  }
+}