@mondaydotcomorg/monday-authorization 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-752f21a → 3.3.0-feature-bashanye-navigate-can-action-in-scope-to-graph-13ad8e0

package/DEBUG.md

@@ -1,203 +0,0 @@
-# Debugging @mondaydotcomorg/monday-authorization
-
-This guide explains how to debug the monday-authorization package when it's installed as a dependency in your project.
-
-## 🔧 Setup for Debugging
-
-### 1. Install the Package with Source Files
-
-When you install the package, it includes both compiled JavaScript and TypeScript source files:
-
-```bash
-npm install @mondaydotcomorg/monday-authorization
-```
-
-The package includes:
-
-- `dist/` - Compiled JavaScript with source maps
-- `src/` - Original TypeScript source files
-
-### 2. Configure Your Debugger
-
-#### VS Code Launch Configuration
-
-Create a `.vscode/launch.json` file in your project:
-
-```json
-{
-  "version": "0.2.0",
-  "configurations": [
-    {
-      "name": "Debug Authorization Package",
-      "type": "node",
-      "request": "launch",
-      "program": "${workspaceFolder}/your-main-file.js",
-      "sourceMaps": true,
-      "resolveSourceMapLocations": [
-        "${workspaceFolder}/**",
-        "!**/node_modules/**",
-        "**/node_modules/@mondaydotcomorg/monday-authorization/**"
-      ],
-      "skipFiles": ["<node_internals>/**", "node_modules/**"],
-      "outFiles": ["${workspaceFolder}/node_modules/@mondaydotcomorg/monday-authorization/dist/**/*.js"]
-    }
-  ]
-}
-```
-
-#### WebStorm/IntelliJ IDEA
-
-1. Go to `Run` → `Edit Configurations`
-2. Add a new `Node.js` configuration
-3. Set the JavaScript file to your main application file
-4. In the debugger settings, ensure source maps are enabled
-
-### 3. Enable Debug Logging
-
-The package includes comprehensive debug logging. To see debug logs:
-
-```bash
-# Set environment variable
-export LOG_LEVEL=debug
-
-# Or in your application
-process.env.LOG_LEVEL = 'debug';
-```
-
-### 4. Breakpoints in Source Files
-
-You can set breakpoints directly in the TypeScript source files:
-
-1. Open the source file: `node_modules/@mondaydotcomorg/monday-authorization/src/`
-2. Set breakpoints in the TypeScript code
-3. Your debugger should map them to the running JavaScript
-
-## 🔍 Debug Log Categories
-
-The package logs debug information with these tags:
-
-### Authorization Service (`authorization-service`)
-
-```
-🔍 canActionInScopeMultiple called { accountId, userId, scopedActionsCount }
-📍 Graph API routing feature flag: ENABLED/DISABLED
-🎯 Attempting Graph API authorization
-✅ Graph API authorization successful
-❌ Graph API authorization failed, falling back to Platform API
-🔄 Using Platform API directly (Graph API FF disabled)
-```
-
-### Graph API Client (`graph-api-client`)
-
-```
-🔍 Graph API Debug: Starting request { scopedActionsCount, appName, path, timeout, bodyPayloadKeys }
-✅ Graph API Debug: Request successful { responseKeys, scopedActionsCount }
-❌ Graph API Debug: Request failed { error, status, scopedActionsCount }
-```
-
-### Platform API Client (`platform-api-client`)
-
-```
-🔍 Platform API Debug: Starting request { profile, userId, scopedActionsCount, appName, path }
-✅ Platform API Debug: Request successful { hasResult, resultCount }
-❌ Platform API Debug: Request failed { error, status, profile, userId }
-```
-
-### Authorization Utils (`authorization-utils`)
-
-```
-🔍 Utils Debug: Converting scope to resource { scopeKeys, scopeValues }
-🔍 Utils Debug: Mapped to workspace/board/pulse/etc { resourceId }
-❌ Utils Debug: Unsupported scope provided { scope }
-```
-
-## 🐛 Common Debugging Scenarios
-
-### Graph API 500 Errors
-
-When you see Graph API failures, the logs will show:
-
-1. ✅ Feature flag status (enabled/disabled)
-2. 🎯 API attempt (Graph API first)
-3. ❌ Failure details (error message, status code)
-4. 🔄 Fallback trigger (automatic switch to Platform API)
-5. ✅ Fallback success (Platform API response)
-
-### Scope Mapping Issues
-
-Debug logs show how scopes are converted to resources:
-
-```
-🔍 Utils Debug: Converting scope to resource { scopeKeys: ['boardId'], scopeValues: [123] }
-🔍 Utils Debug: Mapped to board { resourceId: 123 }
-```
-
-### Authorization Flow
-
-Complete flow visibility:
-
-1. **Entry**: `canActionInScopeMultiple called`
-2. **Decision**: Feature flag check
-3. **Attempt**: API selection and request
-4. **Result**: Success/failure with details
-5. **Fallback**: Automatic recovery if needed
-
-## 📊 Source Maps
-
-The package includes source maps for both:
-
-- `dist/index.js.map` - Main CommonJS build
-- `dist/esm/index.mjs.map` - ESM build
-
-These allow your debugger to map the running JavaScript back to the original TypeScript source.
-
-## 🔧 Advanced Debugging
-
-### Custom Logger Configuration
-
-```typescript
-import { logger } from '@mondaydotcomorg/monday-authorization/src/authorization-internal-service';
-
-// Configure custom logging
-logger.level = 'debug';
-```
-
-### Inspecting Authorization Objects
-
-```typescript
-// Add this to your code to inspect authorization calls
-import { AuthorizationService } from '@mondaydotcomorg/monday-authorization';
-
-// Monkey patch for debugging
-const originalCanActionInScopeMultiple = AuthorizationService.canActionInScopeMultiple;
-AuthorizationService.canActionInScopeMultiple = async (...args) => {
-  console.log('🔍 Authorization call:', args);
-  const result = await originalCanActionInScopeMultiple.apply(AuthorizationService, args);
-  console.log('✅ Authorization result:', result);
-  return result;
-};
-```
-
-## 📝 Troubleshooting
-
-### Breakpoints Not Working
-
-1. Ensure source maps are enabled in your debugger
-2. Check that `node_modules/@mondaydotcomorg/monday-authorization/src/` files are accessible
-3. Verify the source map files exist in `dist/`
-
-### Logs Not Showing
-
-1. Set `LOG_LEVEL=debug` environment variable
-2. Check that your logger configuration includes debug level
-3. Look for logs with tags: `authorization-service`, `graph-api-client`, `platform-api-client`, `authorization-utils`
-
-### Source Files Not Found
-
-1. Clear node_modules and reinstall the package
-2. Ensure the package version includes source files
-3. Check that `src/` directory exists in `node_modules/@mondaydotcomorg/monday-authorization/`
-
----
-
-With these debugging capabilities, you can fully inspect and understand the authorization flow in your applications! 🚀

package/src/attributions-service.ts

@@ -1,92 +0,0 @@
-import { Api, Context, ExecutionContext } from '@mondaydotcomorg/trident-backend-api';
-import { logger } from './authorization-internal-service';
-
-const APP_NAME_VARIABLE_KEY = 'APP_NAME';
-const APP_NAME_HEADER_NAME = 'x-caller-app-name-from-sdk';
-const FROM_SDK_HEADER_SUFFIX = `-from-sdk`;
-
-let didSendFailureLogOnce = false;
-
-export enum PlatformProfile {
-  API_INTERNAL = 'api-internal',
-  SLOW = 'slow',
-  INTERNAL = 'internal',
-}
-
-export function getProfile() {
-  const tridentContext = Api.getPart('context');
-  if (!tridentContext) {
-    return PlatformProfile.INTERNAL;
-  }
-  const { mondayRequestSource } = getExecutionContext(tridentContext);
-
-  switch (mondayRequestSource) {
-    case 'api': {
-      return PlatformProfile.API_INTERNAL;
-    }
-    case 'slow': {
-      return PlatformProfile.SLOW;
-    }
-    default:
-      return PlatformProfile.INTERNAL;
-  }
-}
-
-export function getExecutionContext(context: Context): ExecutionContext {
-  return context.execution.get();
-}
-
-export function getAttributionsFromApi(): { [key: string]: string } {
-  const callerAppNameFromSdk = {
-    [APP_NAME_HEADER_NAME]: tryJsonParse(getEnvVariable(APP_NAME_VARIABLE_KEY)),
-  };
-
-  try {
-    const tridentContext = Api.getPart('context');
-
-    if (!tridentContext) {
-      return callerAppNameFromSdk;
-    }
-
-    const { runtimeAttributions } = tridentContext;
-    const runtimeAttributionsOutgoingHeaders = runtimeAttributions?.buildOutgoingHeaders('HTTP_INTERNAL');
-
-    if (!runtimeAttributionsOutgoingHeaders) {
-      return callerAppNameFromSdk;
-    }
-
-    const attributionsHeaders = Object.fromEntries(runtimeAttributionsOutgoingHeaders);
-
-    const attributionHeadersFromSdk = {};
-    Object.keys(attributionsHeaders).forEach(function (key) {
-      attributionHeadersFromSdk[`${key}${FROM_SDK_HEADER_SUFFIX}`] = attributionsHeaders[key];
-    });
-
-    return attributionHeadersFromSdk;
-  } catch (error) {
-    if (!didSendFailureLogOnce) {
-      logger.warn(
-        { tag: 'authorization-service', error },
-        'Failed to generate attributions headers from the API. Unexpected error while extracting headers. It may be caused by out of date Trident version.'
-      );
-      didSendFailureLogOnce = true;
-    }
-    return callerAppNameFromSdk;
-  }
-}
-
-function getEnvVariable(key: string) {
-  const envVar = process.env[key] || process.env[key.toUpperCase()] || process.env[key.toLowerCase()];
-  return envVar;
-}
-
-function tryJsonParse(value: string | undefined) {
-  if (!value) {
-    return value;
-  }
-  try {
-    return JSON.parse(value);
-  } catch (_err) {
-    return value;
-  }
-}

package/src/authorization-attributes-service.ts

@@ -1,234 +0,0 @@
-import chunk from 'lodash/chunk.js';
-import { Api, FetcherConfig, HttpClient } from '@mondaydotcomorg/trident-backend-api';
-import { getTopicAttributes, sendToSns } from '@mondaydotcomorg/monday-sns';
-import { HttpFetcherError, RecursivePartial } from '@mondaydotcomorg/monday-fetch-api';
-import {
-  ResourceAttributeAssignment,
-  ResourceAttributeResponse,
-  ResourceAttributesOperation,
-} from './types/authorization-attributes-contracts';
-import { Resource } from './types/general';
-import { logger } from './authorization-internal-service';
-import { getAttributionsFromApi } from './attributions-service';
-import {
-  ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE,
-  RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND,
-  SNS_ARN_ENV_VAR_NAME,
-  SNS_DEV_TEST_NAME,
-} from './constants/sns';
-import { APP_NAME, DEFAULT_FETCH_OPTIONS, ERROR_MESSAGES } from './constants';
-import type { TopicAttributesMap } from 'aws-sdk/clients/sns';
-
-export class AuthorizationAttributesService {
-  private static LOG_TAG = 'authorization_attributes';
-  private static API_PATHS = {
-    UPSERT_RESOURCE_ATTRIBUTES: '/attributes/{accountId}/resource',
-    DELETE_RESOURCE_ATTRIBUTES: '/attributes/{accountId}/resource/{resourceType}/{resourceId}',
-  } as const;
-  private httpClient: HttpClient;
-  private fetchOptions: RecursivePartial<FetcherConfig>;
-  private snsArn: string;
-
-  /**
-   * Public constructor to create the AuthorizationAttributesService instance.
-   * @param httpClient The HTTP client to use for API requests, if not provided, the default HTTP client from Api will be used.
-   * @param fetchOptions The fetch options to use for API requests, if not provided, the default fetch options will be used.
-   */
-  constructor(httpClient?: HttpClient, fetchOptions?: RecursivePartial<FetcherConfig>) {
-    if (!httpClient) {
-      httpClient = Api.getPart('httpClient');
-      if (!httpClient) {
-        throw new Error(ERROR_MESSAGES.HTTP_CLIENT_NOT_INITIALIZED);
-      }
-    }
-
-    if (!fetchOptions) {
-      fetchOptions = DEFAULT_FETCH_OPTIONS;
-    } else {
-      fetchOptions = {
-        ...DEFAULT_FETCH_OPTIONS,
-        ...fetchOptions,
-      };
-    }
-    this.httpClient = httpClient;
-    this.fetchOptions = fetchOptions;
-    this.snsArn = AuthorizationAttributesService.getSnsTopicArn();
-  }
-
-  /**
-   * Upsert resource attributes synchronously, performing http call to the authorization MS to assign the given attributes to the given resource.
-   * @param accountId
-   * @param resourceAttributeAssignments - Array of resource (resourceType, resourceId) and attribute (key, value) pairs to upsert in the authorization MS.
-   * e.g. [{ resourceType: 'board', resourceId: 123, key: 'board_kind', value: 'private' }]
-   * @returns ResourceAttributeResponse - The affected (created and updated_ resource attributes assignments in the `attributes` field.
-   */
-  async upsertResourceAttributes(
-    accountId: number,
-    resourceAttributeAssignments: ResourceAttributeAssignment[]
-  ): Promise<ResourceAttributeResponse> {
-    const attributionHeaders = getAttributionsFromApi();
-    try {
-      return await this.httpClient.fetch<ResourceAttributeResponse>(
-        {
-          url: {
-            appName: APP_NAME,
-            path: AuthorizationAttributesService.API_PATHS.UPSERT_RESOURCE_ATTRIBUTES.replace(
-              '{accountId}',
-              accountId.toString()
-            ),
-          },
-          method: 'POST',
-          headers: {
-            'Content-Type': 'application/json',
-            ...attributionHeaders,
-          },
-          body: JSON.stringify({ resourceAttributeAssignments }),
-        },
-        this.fetchOptions
-      );
-    } catch (err) {
-      if (err instanceof HttpFetcherError) {
-        throw new Error(ERROR_MESSAGES.REQUEST_FAILED('upsertResourceAttributes', err.status, err.message));
-      }
-      throw err;
-    }
-  }
-
-  /**
-   * Delete resource attributes assignments synchronously, performing http call to the authorization MS to delete the given attributes from the given singular resource.
-   * @param accountId
-   * @param resource - The resource (resourceType, resourceId) to delete the attributes for.
-   * @param attributeKeys - Array of attribute keys to delete for the resource.
-   * @returns ResourceAttributeResponse - The affected (deleted) resource attributes assignments in the `attributes` field.
-   */
-  async deleteResourceAttributes(
-    accountId: number,
-    resource: Resource,
-    attributeKeys: string[]
-  ): Promise<ResourceAttributeResponse> {
-    const attributionHeaders = getAttributionsFromApi();
-    if (!resource.id) {
-      throw new Error('Resource ID is required');
-    }
-    try {
-      return await this.httpClient.fetch<ResourceAttributeResponse>(
-        {
-          url: {
-            appName: APP_NAME,
-            path: AuthorizationAttributesService.API_PATHS.DELETE_RESOURCE_ATTRIBUTES.replace(
-              '{accountId}',
-              accountId.toString()
-            )
-              .replace('{resourceType}', resource.type)
-              .replace('{resourceId}', resource.id.toString()),
-          },
-          method: 'DELETE',
-          headers: {
-            'Content-Type': 'application/json',
-            ...attributionHeaders,
-          },
-          body: JSON.stringify({ keys: attributeKeys }),
-        },
-        this.fetchOptions
-      );
-    } catch (err) {
-      if (err instanceof HttpFetcherError) {
-        throw new Error(ERROR_MESSAGES.REQUEST_FAILED('deleteResourceAttributes', err.status, err.message));
-      }
-      throw err;
-    }
-  }
-
-  /**
-   *  Async function, this function only send the updates request to SNS and return before the change actually took place
-   * @param accountId
-   * @param appName - App name of the calling app
-   * @param callerActionIdentifier - action identifier
-   * @param resourceAttributeOperations - Array of operations to do on resource attributes.
-   * @return {Promise<ResourceAttributesOperation[]>} Array of sent operations
-   *  */
-  async updateResourceAttributesAsync(
-    accountId: number,
-    appName: string,
-    callerActionIdentifier: string,
-    resourceAttributeOperations: ResourceAttributesOperation[]
-  ): Promise<ResourceAttributesOperation[]> {
-    const topicArn: string = this.snsArn;
-    const sendToSnsPromises: Promise<ResourceAttributesOperation[]>[] = [];
-    const operationChucks = chunk(resourceAttributeOperations, ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE);
-    for (const operationsChunk of operationChucks) {
-      sendToSnsPromises.push(
-        this.sendSingleSnsMessage(topicArn, accountId, appName, callerActionIdentifier, operationsChunk)
-      );
-    }
-    return (await Promise.all(sendToSnsPromises)).flat();
-  }
-
-  private async sendSingleSnsMessage(
-    topicArn: string,
-    accountId: number,
-    appName: string,
-    callerActionIdentifier: string,
-    operations: ResourceAttributesOperation[]
-  ): Promise<ResourceAttributesOperation[]> {
-    const payload = {
-      kind: RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND,
-      payload: {
-        accountId: accountId,
-        callerAppName: appName,
-        callerActionIdentifier: callerActionIdentifier,
-        operations: operations,
-      },
-    };
-    try {
-      await sendToSns(payload, topicArn);
-      return operations;
-    } catch (error) {
-      logger.error(
-        { error, tag: AuthorizationAttributesService.LOG_TAG },
-        'Authorization resource attributes async update: failed to send operations to SNS'
-      );
-      return [];
-    }
-  }
-
-  private static getSnsTopicArn(): string {
-    const arnFromEnv: string | undefined = process.env[SNS_ARN_ENV_VAR_NAME];
-    if (arnFromEnv) {
-      return arnFromEnv;
-    }
-    if (process.env.NODE_ENV === 'development' || process.env.NODE_ENV === 'test') {
-      return SNS_DEV_TEST_NAME;
-    }
-    throw new Error('Unable to get sns topic arn from env variable');
-  }
-
-  /**
-   * Checks we can contact the required SNS topic that used to send attribute updates to Authorization MS.
-   * This function can be used as health check for services that updating resource attributes in async is crucial.
-   * Note this function only verify the POD can contact AWS SDK and the topic exists, but the user still might get
-   * errors when pushing for the SNS (e.g: in case the AWS role of the POD don't have permissions to push messages).
-   * However, this is the best we can do without actually push dummy messages to the SNS.
-   * @return {Promise<boolean>} - true if succeeded
-   */
-  async asyncResourceAttributesHealthCheck(): Promise<boolean> {
-    try {
-      const requestedTopicArn: string = this.snsArn;
-      const attributes: TopicAttributesMap = await getTopicAttributes(requestedTopicArn);
-      const isHealthy = !(!attributes || !('TopicArn' in attributes) || attributes.TopicArn !== requestedTopicArn);
-      if (!isHealthy) {
-        logger.error(
-          { requestedTopicArn, snsReturnedAttributes: attributes, tag: AuthorizationAttributesService.LOG_TAG },
-          'authorization-attributes-service failed in health check'
-        );
-      }
-      return isHealthy;
-    } catch (error) {
-      logger.error(
-        { error, tag: AuthorizationAttributesService.LOG_TAG },
-        'authorization-attributes-service got error during health check'
-      );
-      return false;
-    }
-  }
-}

package/src/authorization-internal-service.ts

@@ -1,129 +0,0 @@
-import { signAuthorizationHeader } from '@mondaydotcomorg/monday-jwt';
-import { fetch, MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
-import * as MondayLogger from '@mondaydotcomorg/monday-logger';
-import { NullableErrorWithType, OnRetryCallback, RetryPolicy } from '@mondaydotcomorg/monday-fetch-api';
-import { IgniteClient } from '@mondaydotcomorg/ignite-sdk';
-import { BaseRequest } from './types/general';
-
-const INTERNAL_APP_NAME = 'internal_ms';
-const MAX_RETRIES = 3;
-const RETRY_DELAY_MS = 10;
-export const logger = MondayLogger.getLogger();
-
-const defaultMondayFetchOptions: MondayFetchOptions = {
-  retries: MAX_RETRIES,
-  callback: logOnFetchFail,
-};
-
-export const onRetryCallback: OnRetryCallback = (attempt: number, error?: NullableErrorWithType) => {
-  if (attempt == MAX_RETRIES) {
-    logger.error({ tag: 'authorization-service', attempt, error }, 'Authorization attempt failed');
-  } else {
-    logger.info({ tag: 'authorization-service', attempt, error }, 'Authorization attempt failed, trying again');
-  }
-};
-
-function logOnFetchFail(retriesLeft: number, error: Error) {
-  if (retriesLeft == 0) {
-    logger.error({ retriesLeft, error }, 'Authorization attempt failed due to network issues');
-  } else {
-    logger.info({ retriesLeft, error }, 'Authorization attempt failed due to network issues, trying again');
-  }
-}
-
-let mondayFetchOptions: MondayFetchOptions = defaultMondayFetchOptions;
-
-export class AuthorizationInternalService {
-  static igniteClient?: IgniteClient;
-  static skipAuthorization(requset: BaseRequest): void {
-    requset.authorizationSkipPerformed = true;
-  }
-
-  static markAuthorized(request: BaseRequest): void {
-    request.authorizationCheckPerformed = true;
-  }
-
-  static failIfNotCoveredByAuthorization(request: BaseRequest): void {
-    if (!request.authorizationCheckPerformed && !request.authorizationSkipPerformed) {
-      throw 'Endpoint is not covered by authorization check';
-    }
-  }
-
-  static throwOnHttpErrorIfNeeded(response: Awaited<ReturnType<typeof fetch>>, placement: string): void {
-    if (response.ok) {
-      return;
-    }
-
-    const status = response.status;
-    logger.error(
-      { tag: 'authorization-service', placement, status },
-      'AuthorizationService: authorization request failed'
-    );
-
-    throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
-  }
-
-  static throwOnHttpError(status: number, placement: string) {
-    logger.error(
-      { tag: 'authorization-service', placement, status },
-      'AuthorizationService: authorization request failed'
-    );
-    throw new Error(`AuthorizationService: [${placement}] authorization request failed with status ${status}`);
-  }
-
-  static generateInternalAuthToken(accountId: number, userId: number) {
-    return signAuthorizationHeader({ appName: INTERNAL_APP_NAME, accountId, userId });
-  }
-
-  static setRequestFetchOptions(customMondayFetchOptions: MondayFetchOptions) {
-    mondayFetchOptions = {
-      ...defaultMondayFetchOptions,
-      ...customMondayFetchOptions,
-    };
-  }
-
-  static getRequestFetchOptions(): MondayFetchOptions {
-    return mondayFetchOptions;
-  }
-
-  static setIgniteClient(client: IgniteClient) {
-    this.igniteClient = client;
-  }
-
-  static getRequestTimeout() {
-    const isDevEnv = process.env.NODE_ENV === 'development';
-    const defaultTimeout = isDevEnv ? 60000 : 2000;
-
-    if (!this.igniteClient) {
-      return defaultTimeout;
-    }
-
-    const overrideTimeouts = this.igniteClient.configuration.getObjectValue<Record<string, number>>(
-      'override-outgoing-request-timeout-ms',
-      {}
-    );
-    try {
-      if (process.env.APP_NAME && process.env.APP_NAME in overrideTimeouts) {
-        return overrideTimeouts[process.env.APP_NAME];
-      } else {
-        return this.igniteClient.configuration.getNumberValue('outgoing-request-timeout-ms', defaultTimeout);
-      }
-    } catch (error) {
-      logger.error(
-        { tag: 'authorization-service', error, defaultTimeout },
-        'Failed to get timeout from ignite configuration, returning default timeout'
-      );
-      return defaultTimeout;
-    }
-  }
-
-  static getRetriesPolicy(): RetryPolicy {
-    const fetchOptions = AuthorizationInternalService.getRequestFetchOptions();
-    return {
-      useRetries: fetchOptions.retries !== undefined,
-      maxRetries: fetchOptions.retries !== undefined ? fetchOptions.retries : 0,
-      onRetry: onRetryCallback,
-      retryDelayMS: fetchOptions.retryDelay ?? RETRY_DELAY_MS,
-    };
-  }
-}