@mondaydotcomorg/monday-authorization 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-63c65ad → 3.3.1-fix-use-standard-env-var-for-metric-server-host-7ed2241

package/src/authorization-service.ts

@@ -0,0 +1,356 @@
+import { performance } from 'perf_hooks';
+import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
+import { Api } from '@mondaydotcomorg/trident-backend-api';
+import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
+import { getIgniteClient, IgniteClient } from '@mondaydotcomorg/ignite-sdk';
+import { Action, AuthorizationObject, AuthorizationParams, Resource } from './types/general';
+import { sendAuthorizationCheckResponseTimeMetric } from './prometheus-service';
+import { recordAuthorizationTiming } from './metrics-service';
+import {
+  ScopedAction,
+  ScopedActionPermit,
+  ScopedActionResponseObject,
+  ScopeOptions,
+} from './types/scoped-actions-contracts';
+import { AuthorizationInternalService, logger } from './authorization-internal-service';
+import { getAttributionsFromApi, getProfile, PlatformProfile } from './attributions-service';
+import { GraphApi } from './clients/graph-api';
+import { PlatformApi } from './clients/platform-api';
+import { scopeToResource } from './utils/authorization.utils';
+
+const GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS = 5 * 60;
+const PLATFORM_AUTHORIZE_PATH = '/internal_ms/authorization/authorize';
+
+const ALLOWED_SDK_PLATFORM_PROFILES_KEY = 'allowed-sdk-platform-profiles';
+const IN_RELEASE_SDK_PLATFORM_PROFILES_KEY = 'in-release-sdk-platform-profile';
+const PLATFORM_PROFILE_RELEASE_FF = 'sdk-platform-profiles';
+const NAVIGATE_CAN_ACTION_IN_SCOPE_TO_GRAPH_FF = 'navigate-can-action-in-scope-to-graph';
+
+export interface AuthorizeResponse {
+  isAuthorized: boolean;
+  unauthorizedIds?: number[];
+  unauthorizedObjects?: AuthorizationObject[];
+}
+
+export function setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions) {
+  AuthorizationInternalService.setRequestFetchOptions(customMondayFetchOptions);
+}
+
+interface IsAuthorizedResponse {
+  result: boolean[];
+}
+
+export class AuthorizationService {
+  private static get graphApi(): GraphApi {
+    if (!this._graphApi) {
+      this._graphApi = new GraphApi();
+    }
+    return this._graphApi;
+  }
+  private static _graphApi?: GraphApi;
+
+  private static get platformApi(): PlatformApi {
+    if (!this._platformApi) {
+      this._platformApi = new PlatformApi();
+    }
+    return this._platformApi;
+  }
+  private static _platformApi?: PlatformApi;
+
+  static resetApiClients(): void {
+    this._graphApi = undefined;
+    this._platformApi = undefined;
+  }
+
+  static redisClient?;
+  static grantedFeatureRedisExpirationInSeconds?: number;
+  static igniteClient?: IgniteClient;
+
+  /**
+   * @deprecated use the second form with authorizationRequestObjects instead,
+   * support of this function will be dropped gradually
+   */
+  static async isAuthorized(
+    accountId: number,
+    userId: number,
+    resources: Resource[],
+    action: Action
+  ): Promise<AuthorizeResponse>;
+
+  static async isAuthorized(
+    accountId: number,
+    userId: number,
+    authorizationRequestObjects: AuthorizationObject[]
+  ): Promise<AuthorizeResponse>;
+
+  static async isAuthorized(...args: any[]) {
+    if (args.length === 3) {
+      return this.isAuthorizedMultiple(args[0], args[1], args[2]);
+    } else if (args.length == 4) {
+      return this.isAuthorizedSingular(args[0], args[1], args[2], args[3]);
+    } else {
+      throw new Error('isAuthorized accepts either 3 or 4 arguments');
+    }
+  }
+
+  /**
+   * @deprecated - Please use Ignite instead: https://github.com/DaPulse/ignite-monorepo/blob/master/packages/ignite-sdk/README.md
+   * @sunsetDate 2024-12-31
+   */
+  static async isUserGrantedWithFeature(
+    accountId: number,
+    userId: number,
+    featureName: string,
+    options: { shouldSkipCache?: boolean } = {}
+  ): Promise<boolean> {
+    const cachedKey = this.getCachedKeyName(userId, featureName);
+    const shouldSkipCache = options.shouldSkipCache ?? false;
+    if (this.redisClient && !shouldSkipCache) {
+      const grantedFeatureValue = await this.redisClient.get(cachedKey);
+      if (!(grantedFeatureValue === undefined || grantedFeatureValue === null)) {
+        // redis returns the value as string
+        return grantedFeatureValue === 'true';
+      }
+    }
+
+    const grantedFeatureValue = await this.fetchIsUserGrantedWithFeature(featureName, accountId, userId);
+    if (this.redisClient) {
+      await this.redisClient.set(cachedKey, grantedFeatureValue, 'EX', this.grantedFeatureRedisExpirationInSeconds);
+    }
+    return grantedFeatureValue;
+  }
+
+  private static async fetchIsUserGrantedWithFeature(
+    featureName: string,
+    accountId: number,
+    userId: number
+  ): Promise<boolean> {
+    const authorizationObject: AuthorizationObject = {
+      action: featureName,
+      resource_type: 'feature',
+    };
+
+    const authorizeResponsePromise = await this.isAuthorized(accountId, userId, [authorizationObject]);
+    return authorizeResponsePromise.isAuthorized;
+  }
+
+  private static getCachedKeyName(userId: number, featureName: string): string {
+    return `granted-feature-${featureName}-${userId}`;
+  }
+
+  static async canActionInScope(
+    accountId: number,
+    userId: number,
+    action: string,
+    scope: ScopeOptions
+  ): Promise<ScopedActionPermit> {
+    const scopedActions = [{ action, scope }];
+    const scopedActionResponseObjects = await this.canActionInScopeMultiple(accountId, userId, scopedActions);
+    return scopedActionResponseObjects[0].permit;
+  }
+
+  private static getProfile(accountId: number, userId: number): PlatformProfile {
+    const appName: string = process.env.APP_NAME ?? 'INVALID_APP_NAME';
+    if (!this.igniteClient) {
+      logger.error({ tag: 'authorization-service' }, 'AuthorizationService: igniteClient is not set, failing request');
+      throw new Error('AuthorizationService: igniteClient is not set, failing request');
+    }
+    if (
+      this.igniteClient.configuration.getObjectValue<string[]>(ALLOWED_SDK_PLATFORM_PROFILES_KEY, []).includes(appName)
+    ) {
+      return getProfile();
+    }
+    if (
+      this.igniteClient.configuration
+        .getObjectValue<string[]>(IN_RELEASE_SDK_PLATFORM_PROFILES_KEY, [])
+        .includes(appName) &&
+      this.igniteClient.isReleased(PLATFORM_PROFILE_RELEASE_FF, { accountId, userId })
+    ) {
+      return getProfile();
+    }
+    return PlatformProfile.APP;
+  }
+
+  static async canActionInScopeMultiple(
+    accountId: number,
+    userId: number,
+    scopedActions: ScopedAction[]
+  ): Promise<ScopedActionResponseObject[]> {
+    if (scopedActions.length === 0) {
+      return [];
+    }
+
+    const shouldNavigateToGraph = Boolean(
+      this.igniteClient?.isReleased(NAVIGATE_CAN_ACTION_IN_SCOPE_TO_GRAPH_FF, { accountId, userId })
+    );
+
+    const startTime = performance.now();
+    let scopedActionResponseObjects: ScopedActionResponseObject[];
+    let apiType: 'graph' | 'platform';
+
+    if (shouldNavigateToGraph) {
+      apiType = 'graph';
+      scopedActionResponseObjects = await this.graphApi.checkPermissions(accountId, userId, scopedActions);
+    } else {
+      apiType = 'platform';
+      const profile = this.getProfile(accountId, userId);
+      const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+
+      scopedActionResponseObjects = await this.platformApi.checkPermissions(
+        profile,
+        internalAuthToken,
+        userId,
+        scopedActions
+      );
+    }
+
+    const endTime = performance.now();
+    const time = endTime - startTime;
+
+    // Record metrics for each authorization check
+    for (const obj of scopedActionResponseObjects) {
+      const { action, scope } = obj.scopedAction;
+      const { resourceType } = scopeToResource(scope);
+      const isAuthorized = obj.permit.can;
+      sendAuthorizationCheckResponseTimeMetric(resourceType, action, isAuthorized, 200, time);
+      recordAuthorizationTiming(apiType, time);
+    }
+
+    return scopedActionResponseObjects;
+  }
+
+  private static async isAuthorizedSingular(
+    accountId: number,
+    userId: number,
+    resources: Resource[],
+    action: Action
+  ): Promise<AuthorizeResponse> {
+    const { authorizationObjects } = createAuthorizationParams(resources, action);
+    return this.isAuthorizedMultiple(accountId, userId, authorizationObjects);
+  }
+
+  private static async isAuthorizedMultiple(
+    accountId: number,
+    userId: number,
+    authorizationRequestObjects: AuthorizationObject[]
+  ): Promise<AuthorizeResponse> {
+    const profile = this.getProfile(accountId, userId);
+    const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
+    const startTime = performance.now();
+    const attributionHeaders = getAttributionsFromApi();
+    const httpClient = Api.getPart('httpClient');
+
+    let response: IsAuthorizedResponse | undefined;
+    try {
+      response = await httpClient!.fetch<IsAuthorizedResponse>(
+        {
+          url: {
+            appName: 'platform',
+            path: PLATFORM_AUTHORIZE_PATH,
+            profile,
+          },
+          method: 'POST',
+          headers: {
+            Authorization: internalAuthToken,
+            'Content-Type': 'application/json',
+            ...attributionHeaders,
+          },
+          body: JSON.stringify({
+            user_id: userId,
+            authorize_request_objects: authorizationRequestObjects,
+          }),
+        },
+        {
+          timeout: AuthorizationInternalService.getRequestTimeout(),
+          retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
+        }
+      );
+    } catch (err) {
+      if (err instanceof HttpFetcherError) {
+        AuthorizationInternalService.throwOnHttpError((err as HttpFetcherError).status, 'isAuthorizedMultiple');
+      } else {
+        throw err;
+      }
+    }
+    const endTime = performance.now();
+    const time = endTime - startTime;
+
+    const unauthorizedObjects: AuthorizationObject[] = [];
+
+    if (!response) {
+      logger.error({ tag: 'authorization-service', response }, 'AuthorizationService: missing response');
+      throw new Error('AuthorizationService: missing response');
+    }
+
+    response.result.forEach(function (isAuthorized, index) {
+      const authorizationObject = authorizationRequestObjects[index];
+      if (!isAuthorized) {
+        unauthorizedObjects.push(authorizationObject);
+      }
+
+      sendAuthorizationCheckResponseTimeMetric(
+        authorizationObject.resource_type,
+        authorizationObject.action,
+        isAuthorized,
+        200,
+        time
+      );
+    });
+
+    if (unauthorizedObjects.length > 0) {
+      logger.info(
+        {
+          resources: JSON.stringify(unauthorizedObjects),
+        },
+        'AuthorizationService: resource is unauthorized'
+      );
+      const unauthorizedIds = unauthorizedObjects
+        .filter(obj => !!obj.resource_id)
+        .map(obj => obj.resource_id) as number[];
+      return { isAuthorized: false, unauthorizedIds, unauthorizedObjects };
+    }
+
+    return { isAuthorized: true };
+  }
+}
+
+export function setRedisClient(
+  client,
+  grantedFeatureRedisExpirationInSeconds: number = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS
+) {
+  AuthorizationService.redisClient = client;
+  if (grantedFeatureRedisExpirationInSeconds && grantedFeatureRedisExpirationInSeconds > 0) {
+    AuthorizationService.grantedFeatureRedisExpirationInSeconds = grantedFeatureRedisExpirationInSeconds;
+  } else {
+    logger.warn(
+      { grantedFeatureRedisExpirationInSeconds },
+      'Invalid input for grantedFeatureRedisExpirationInSeconds, must be positive number. using default ttl.'
+    );
+    AuthorizationService.grantedFeatureRedisExpirationInSeconds = GRANTED_FEATURE_CACHE_EXPIRATION_SECONDS;
+  }
+}
+
+export async function setIgniteClient() {
+  const igniteClient = await getIgniteClient({
+    namespace: ['authorization-sdk'],
+  });
+  AuthorizationService.igniteClient = igniteClient;
+  AuthorizationInternalService.setIgniteClient(igniteClient);
+}
+
+export function createAuthorizationParams(resources: Resource[], action: Action): AuthorizationParams {
+  const params = {
+    authorizationObjects: resources.map((resource: Resource) => {
+      const authorizationObject: AuthorizationObject = {
+        resource_id: resource.id,
+        resource_type: resource.type,
+        action,
+      };
+      if (resource.wrapperData) {
+        authorizationObject.wrapper_data = resource.wrapperData;
+      }
+      return authorizationObject;
+    }),
+  };
+  return params;
+}

package/src/clients/graph-api.ts

@@ -0,0 +1,170 @@
+import { Api, HttpClient } from '@mondaydotcomorg/trident-backend-api';
+import {
+  ScopedAction,
+  ScopedActionResponseObject,
+  ScopedActionPermit,
+  PermitTechnicalReason,
+} from '../types/scoped-actions-contracts';
+import { AuthorizationInternalService } from '../authorization-internal-service';
+import { getAttributionsFromApi } from '../attributions-service';
+import {
+  GraphIsAllowedDto,
+  GraphIsAllowedResponse,
+  ResourceType,
+  ResourceId,
+  ActionName,
+  GraphPermissionResult,
+  GraphPermissionReason,
+} from '../types/graph-api.types';
+import { scopeToResource } from '../utils/authorization.utils';
+import { signAuthorizationHeader } from '@mondaydotcomorg/monday-jwt';
+import { GRAPH_APP_NAME } from '../constants';
+import { handleApiError } from '../utils/api-error-handler';
+
+const CAN_ACTION_IN_SCOPE_GRAPH_PATH = '/permissions/is-allowed';
+const APP_NAME_REQUIRED_ERROR = 'GraphApi: APP_NAME environment variable is required for Graph API authentication';
+
+/**
+ * Client for handling Graph API authorization operations
+ */
+export class GraphApi {
+  private readonly httpClient: HttpClient;
+  private readonly consumerAppName: string;
+
+  constructor() {
+    const httpClient = Api.getPart('httpClient');
+    if (!httpClient) {
+      throw new Error('GraphApi: http client is not initialized');
+    }
+    const consumerAppName = process.env.APP_NAME?.trim();
+    if (!consumerAppName) {
+      throw new Error(APP_NAME_REQUIRED_ERROR);
+    }
+    this.httpClient = httpClient;
+    this.consumerAppName = consumerAppName;
+  }
+
+  /**
+   * Builds the request body for Graph API calls
+   */
+  private static buildRequestBody(scopedActions: ScopedAction[]): GraphIsAllowedDto {
+    const resourcesAccumulator: Record<ResourceType, Record<ResourceId, Set<ActionName>>> = {};
+    for (const { action, scope } of scopedActions) {
+      const { resourceType, resourceId } = scopeToResource(scope);
+      if (!resourcesAccumulator[resourceType]) {
+        resourcesAccumulator[resourceType] = {};
+      }
+      if (!resourcesAccumulator[resourceType][resourceId]) {
+        resourcesAccumulator[resourceType][resourceId] = new Set<ActionName>();
+      }
+      resourcesAccumulator[resourceType][resourceId].add(action);
+    }
+
+    const resourcesPayload: GraphIsAllowedDto = {};
+    for (const [resourceType, idMap] of Object.entries(resourcesAccumulator)) {
+      resourcesPayload[resourceType] = {};
+      for (const [idStr, actionsSet] of Object.entries(idMap)) {
+        const idNum = Number(idStr);
+        resourcesPayload[resourceType][idNum] = Array.from(actionsSet);
+      }
+    }
+
+    return resourcesPayload;
+  }
+
+  /**
+   * Fetches authorization data from the Graph API
+   */
+  async fetchPermissions(authToken: string, scopedActions: ScopedAction[]): Promise<GraphIsAllowedResponse> {
+    const attributionHeaders = getAttributionsFromApi();
+    const bodyPayload = GraphApi.buildRequestBody(scopedActions);
+
+    try {
+      const response = await this.httpClient.fetch<GraphIsAllowedResponse>(
+        {
+          url: {
+            appName: GRAPH_APP_NAME,
+            path: CAN_ACTION_IN_SCOPE_GRAPH_PATH,
+          },
+          method: 'POST',
+          headers: {
+            Authorization: authToken,
+            'Content-Type': 'application/json',
+            ...attributionHeaders,
+          },
+          body: JSON.stringify(bodyPayload),
+        },
+        {
+          timeout: AuthorizationInternalService.getRequestTimeout(),
+          retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
+        }
+      );
+
+      return response;
+    } catch (err) {
+      // handleApiError never returns (throws)
+      return handleApiError(err, 'graph', 'canActionInScopeMultiple');
+    }
+  }
+
+  /**
+   * Maps Graph API response to the expected format
+   */
+  private static mapResponse(
+    scopedActions: ScopedAction[],
+    graphResponse: GraphIsAllowedResponse
+  ): ScopedActionResponseObject[] {
+    const resources = graphResponse ?? {};
+
+    return scopedActions.map(scopedAction => {
+      const { action, scope } = scopedAction;
+      const { resourceType, resourceId } = scopeToResource(scope);
+      const permissionResult = resources?.[resourceType]?.[String(resourceId)]?.[action];
+
+      const permit: ScopedActionPermit = {
+        can: permissionResult?.can ?? false,
+        reason: {
+          key: 'unknown',
+        },
+        technicalReason: PermitTechnicalReason.NO_REASON,
+      };
+
+      if (permissionResult) {
+        const graphReason = GraphApi.ensureGraphReason(permissionResult.reason, { resourceType, resourceId, action });
+        permit.reason = {
+          key: graphReason.key,
+          ...(graphReason.additionalOptions ?? {}),
+        };
+        permit.technicalReason = (graphReason.technicalReason ??
+          PermitTechnicalReason.NO_REASON) as PermitTechnicalReason;
+      }
+
+      return { scopedAction, permit };
+    });
+  }
+
+  /**
+   * Performs a complete authorization check using the Graph API
+   */
+  async checkPermissions(
+    accountId: number,
+    userId: number,
+    scopedActions: ScopedAction[]
+  ): Promise<ScopedActionResponseObject[]> {
+    const authToken = signAuthorizationHeader({ appName: this.consumerAppName, accountId, userId });
+    const response = await this.fetchPermissions(authToken, scopedActions);
+    return GraphApi.mapResponse(scopedActions, response);
+  }
+
+  private static ensureGraphReason(
+    reason: GraphPermissionResult['reason'],
+    context: { resourceType: ResourceType; resourceId: ResourceId; action: ActionName }
+  ): GraphPermissionReason {
+    if (!reason || typeof reason !== 'object' || typeof reason.key !== 'string') {
+      throw new Error(
+        `GraphApi: unexpected reason format for ${context.resourceType}/${context.resourceId}/${context.action}`
+      );
+    }
+    return reason;
+  }
+}

package/src/clients/platform-api.ts

@@ -0,0 +1,117 @@
+import { Api, HttpClient } from '@mondaydotcomorg/trident-backend-api';
+import { ScopedAction, ScopedActionResponseObject } from '../types/scoped-actions-contracts';
+import { AuthorizationInternalService, logger } from '../authorization-internal-service';
+import { getAttributionsFromApi, PlatformProfile } from '../attributions-service';
+import { toCamelCase, toSnakeCase } from '../utils/authorization.utils';
+import { handleApiError } from '../utils/api-error-handler';
+
+const PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH = '/internal_ms/authorization/can_actions_in_scopes';
+
+// ScopedAction with snake_case scope keys for Platform API payload
+type ScopedActionPlatformPayload = Omit<ScopedAction, 'scope'> & {
+  scope: Record<string, number>;
+};
+
+interface CanActionsInScopesResponse {
+  result: ScopedActionResponseObject[];
+}
+
+/**
+ * Client for handling Platform API authorization operations
+ */
+export class PlatformApi {
+  private readonly httpClient: HttpClient;
+
+  constructor() {
+    const httpClient = Api.getPart('httpClient');
+    if (!httpClient) {
+      throw new Error('PlatformApi: http client is not initialized');
+    }
+    this.httpClient = httpClient;
+  }
+
+  /**
+   * Builds the request payload for Platform API calls
+   */
+  private static buildRequestPayload(scopedActions: ScopedAction[]): ScopedActionPlatformPayload[] {
+    return scopedActions.map(scopedAction => ({
+      ...scopedAction,
+      scope: toSnakeCase(scopedAction.scope) as Record<string, number>,
+    }));
+  }
+
+  /**
+   * Fetches authorization data from the Platform API
+   */
+  private async fetchPermissions(
+    profile: PlatformProfile,
+    internalAuthToken: string,
+    userId: number,
+    scopedActionsPayload: ScopedActionPlatformPayload[]
+  ): Promise<CanActionsInScopesResponse> {
+    const attributionHeaders = getAttributionsFromApi();
+
+    try {
+      const response = await this.httpClient.fetch<CanActionsInScopesResponse>(
+        {
+          url: {
+            appName: 'platform',
+            path: PLATFORM_CAN_ACTIONS_IN_SCOPES_PATH,
+            profile,
+          },
+          method: 'POST',
+          headers: {
+            Authorization: internalAuthToken,
+            'Content-Type': 'application/json',
+            ...attributionHeaders,
+          },
+          body: JSON.stringify({ user_id: userId, scoped_actions: scopedActionsPayload }),
+        },
+        {
+          timeout: AuthorizationInternalService.getRequestTimeout(),
+          retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
+        }
+      );
+
+      return response;
+    } catch (err) {
+      // handleApiError never returns (throws)
+      return handleApiError(err, 'platform', 'canActionInScopeMultiple');
+    }
+  }
+
+  /**
+   * Maps Platform API response to the expected format
+   */
+  private static mapResponse(response: CanActionsInScopesResponse): ScopedActionResponseObject[] {
+    if (!response) {
+      logger.error({ tag: 'platform-api', response }, 'PlatformApi: missing response');
+      throw new Error('PlatformApi: missing response');
+    }
+
+    return response.result.map(responseObject => {
+      const { scopedAction, permit } = responseObject;
+      const { scope } = scopedAction;
+
+      return {
+        ...responseObject,
+        scopedAction: { ...scopedAction, scope: toCamelCase(scope) },
+        permit: toCamelCase(permit),
+      };
+    });
+  }
+
+  /**
+   * Performs a complete authorization check using the Platform API
+   */
+  async checkPermissions(
+    profile: PlatformProfile,
+    internalAuthToken: string,
+    userId: number,
+    scopedActions: ScopedAction[]
+  ): Promise<ScopedActionResponseObject[]> {
+    const scopedActionsPayload = PlatformApi.buildRequestPayload(scopedActions);
+    const platformResponse = await this.fetchPermissions(profile, internalAuthToken, userId, scopedActionsPayload);
+    return PlatformApi.mapResponse(platformResponse);
+  }
+}

package/src/constants/sns.ts

@@ -0,0 +1,5 @@
+export const SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_RESOURCE_ATTRIBUTES';
+export const SNS_DEV_TEST_NAME =
+  'arn:aws:sns:us-east-1:000000000000:monday-authorization-resource-attributes-sns-local';
+export const RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'resourceAttributeModification';
+export const ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;

package/src/constants.ts

@@ -0,0 +1,23 @@
+import { RecursivePartial } from '@mondaydotcomorg/monday-fetch-api';
+import { FetcherConfig } from '@mondaydotcomorg/trident-backend-api';
+
+export const APP_NAME = 'authorization';
+export const GRAPH_APP_NAME = 'authorization-graph';
+
+export const ERROR_MESSAGES = {
+  HTTP_CLIENT_NOT_INITIALIZED: 'MondayAuthorization: HTTP client is not initialized',
+  REQUEST_FAILED: (method: string, status: number, reason: string) =>
+    `MondayAuthorization: [${method}] request failed with status ${status} with reason: ${reason}`,
+} as const;
+
+export const DEFAULT_FETCH_OPTIONS: RecursivePartial<FetcherConfig> = {
+  retryPolicy: {
+    useRetries: true,
+    maxRetries: 3,
+    retryDelayMS: 10,
+  },
+  logPolicy: {
+    logErrors: 'error',
+    logRequests: 'info',
+  },
+};