@mondaydotcomorg/monday-authorization 3.5.0-feat-use-profile-for-graph-can-action-in-scope-f1451ab → 3.5.0-feat-shaime-support-entity-attributes-in-authorization-sdk-c9e4cfc

package/src/authorization-attributes-service.ts

@@ -6,7 +6,14 @@ import {
   ResourceAttributeAssignment,
   ResourceAttributeResponse,
   ResourceAttributesOperation,
+  EntityAttributeAssignment,
+  EntityAttributeResponse,
+  ResourceType,
+  EntityType,
+  ResourceAttributeKeyType,
+  EntityAttributeKeyType,
 } from './types/authorization-attributes-contracts';
+import { AuthorizationInternalService } from './authorization-internal-service';
 import { Resource } from './types/general';
 import { logger } from './authorization-internal-service';
 import { getAttributionsFromApi } from './attributions-service';
@@ -24,6 +31,8 @@ export class AuthorizationAttributesService {
   private static API_PATHS = {
     UPSERT_RESOURCE_ATTRIBUTES: '/attributes/{accountId}/resource',
     DELETE_RESOURCE_ATTRIBUTES: '/attributes/{accountId}/resource/{resourceType}/{resourceId}',
+    UPSERT_ENTITY_ATTRIBUTES: '/attributes/{accountId}/entity',
+    DELETE_ENTITY_ATTRIBUTES: '/attributes/{accountId}/entity/{entityType}/{entityId}',
   } as const;
   private httpClient: HttpClient;
   private fetchOptions: RecursivePartial<FetcherConfig>;
@@ -231,4 +240,320 @@ export class AuthorizationAttributesService {
       return false;
     }
   }
+
+  /**
+   * Validates resource attribute assignments array
+   */
+  private static validateResourceAttributeAssignments(
+    assignments: ResourceAttributeAssignment[]
+  ): void {
+    if (!Array.isArray(assignments)) {
+      throw new Error('resourceAttributeAssignments must be an array');
+    }
+    if (assignments.length === 0) {
+      throw new Error('resourceAttributeAssignments must contain at least 1 item');
+    }
+    if (assignments.length > 100) {
+      throw new Error('resourceAttributeAssignments must contain at most 100 items');
+    }
+    for (let i = 0; i < assignments.length; i++) {
+      const assignment = assignments[i];
+      if (!assignment.resourceId || typeof assignment.resourceId !== 'number') {
+        throw new Error(`resourceAttributeAssignments[${i}].resourceId is required and must be a number`);
+      }
+      if (!assignment.resourceType || typeof assignment.resourceType !== 'string') {
+        throw new Error(`resourceAttributeAssignments[${i}].resourceType is required and must be a string`);
+      }
+      if (!assignment.key || typeof assignment.key !== 'string') {
+        throw new Error(`resourceAttributeAssignments[${i}].key is required and must be a string`);
+      }
+      if (assignment.value === undefined || typeof assignment.value !== 'string') {
+        throw new Error(`resourceAttributeAssignments[${i}].value is required and must be a string`);
+      }
+    }
+  }
+
+  /**
+   * Validates entity attribute assignments array
+   */
+  private static validateEntityAttributeAssignments(assignments: EntityAttributeAssignment[]): void {
+    if (!Array.isArray(assignments)) {
+      throw new Error('entityAttributeAssignments must be an array');
+    }
+    if (assignments.length === 0) {
+      throw new Error('entityAttributeAssignments must contain at least 1 item');
+    }
+    if (assignments.length > 100) {
+      throw new Error('entityAttributeAssignments must contain at most 100 items');
+    }
+    for (let i = 0; i < assignments.length; i++) {
+      const assignment = assignments[i];
+      if (!assignment.entityId || typeof assignment.entityId !== 'number') {
+        throw new Error(`entityAttributeAssignments[${i}].entityId is required and must be a number`);
+      }
+      if (!assignment.entityType || typeof assignment.entityType !== 'string') {
+        throw new Error(`entityAttributeAssignments[${i}].entityType is required and must be a string`);
+      }
+      if (!assignment.key || typeof assignment.key !== 'string') {
+        throw new Error(`entityAttributeAssignments[${i}].key is required and must be a string`);
+      }
+      if (assignment.value === undefined || typeof assignment.value !== 'string') {
+        throw new Error(`entityAttributeAssignments[${i}].value is required and must be a string`);
+      }
+    }
+  }
+
+  /**
+   * Upsert resource attributes synchronously.
+   * Matches API endpoint: POST /attributes/:accountId/resource
+   * @param accountId The account ID
+   * @param resourceAttributeAssignments Array of ResourceAttributeAssignment objects (1-100 items)
+   * @returns Promise with response containing affected attributes
+   */
+  static async upsertResourceAttributesSync(
+    accountId: number,
+    resourceAttributeAssignments: ResourceAttributeAssignment[]
+  ): Promise<ResourceAttributeResponse> {
+    // Validate inputs
+    if (!Number.isInteger(accountId)) {
+      throw new Error(`accountId must be an integer, got: ${accountId}`);
+    }
+    AuthorizationAttributesService.validateResourceAttributeAssignments(resourceAttributeAssignments);
+
+    const httpClient = Api.getPart('httpClient');
+    if (!httpClient) {
+      throw new Error(ERROR_MESSAGES.HTTP_CLIENT_NOT_INITIALIZED);
+    }
+
+    const attributionHeaders = getAttributionsFromApi();
+    const path = AuthorizationAttributesService.API_PATHS.UPSERT_RESOURCE_ATTRIBUTES.replace(
+      '{accountId}',
+      accountId.toString()
+    );
+
+    try {
+      return await httpClient.fetch<ResourceAttributeResponse>(
+        {
+          url: {
+            appName: APP_NAME,
+            path,
+          },
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            ...attributionHeaders,
+          },
+          body: JSON.stringify({ resourceAttributeAssignments }),
+        },
+        {
+          timeout: AuthorizationInternalService.getRequestTimeout(),
+          retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
+        }
+      );
+    } catch (err) {
+      if (err instanceof HttpFetcherError) {
+        throw new Error(ERROR_MESSAGES.REQUEST_FAILED('upsertResourceAttributesSync', err.status, err.message));
+      }
+      throw err;
+    }
+  }
+
+  /**
+   * Delete resource attributes synchronously.
+   * Matches API endpoint: DELETE /attributes/:accountId/resource/:resourceType/:resourceId
+   * @param accountId The account ID
+   * @param resourceType The resource type
+   * @param resourceId The resource ID
+   * @param keys Array of attribute keys to delete
+   * @returns Promise with response containing affected attributes
+   */
+  static async deleteResourceAttributesSync(
+    accountId: number,
+    resourceType: ResourceType,
+    resourceId: number,
+    keys: ResourceAttributeKeyType[]
+  ): Promise<ResourceAttributeResponse> {
+    // Validate inputs
+    if (!Number.isInteger(accountId)) {
+      throw new Error(`accountId must be an integer, got: ${accountId}`);
+    }
+    if (!resourceType || typeof resourceType !== 'string') {
+      throw new Error(`resourceType must be a string, got: ${typeof resourceType}`);
+    }
+    if (!Number.isInteger(resourceId)) {
+      throw new Error(`resourceId must be an integer, got: ${resourceId}`);
+    }
+    if (!Array.isArray(keys)) {
+      throw new Error('keys must be an array');
+    }
+    if (keys.length === 0) {
+      throw new Error('keys must contain at least 1 item');
+    }
+
+    const httpClient = Api.getPart('httpClient');
+    if (!httpClient) {
+      throw new Error(ERROR_MESSAGES.HTTP_CLIENT_NOT_INITIALIZED);
+    }
+
+    const attributionHeaders = getAttributionsFromApi();
+    const path = AuthorizationAttributesService.API_PATHS.DELETE_RESOURCE_ATTRIBUTES.replace(
+      '{accountId}',
+      accountId.toString()
+    )
+      .replace('{resourceType}', resourceType)
+      .replace('{resourceId}', resourceId.toString());
+
+    try {
+      return await httpClient.fetch<ResourceAttributeResponse>(
+        {
+          url: {
+            appName: APP_NAME,
+            path,
+          },
+          method: 'DELETE',
+          headers: {
+            'Content-Type': 'application/json',
+            ...attributionHeaders,
+          },
+          body: JSON.stringify({ keys }),
+        },
+        {
+          timeout: AuthorizationInternalService.getRequestTimeout(),
+          retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
+        }
+      );
+    } catch (err) {
+      if (err instanceof HttpFetcherError) {
+        throw new Error(ERROR_MESSAGES.REQUEST_FAILED('deleteResourceAttributesSync', err.status, err.message));
+      }
+      throw err;
+    }
+  }
+
+  /**
+   * Upsert entity attributes synchronously.
+   * Matches API endpoint: POST /attributes/:accountId/entity
+   * @param accountId The account ID
+   * @param entityAttributeAssignments Array of EntityAttributeAssignment objects (1-100 items)
+   * @returns Promise with response containing affected attributes
+   */
+  static async upsertEntityAttributesSync(
+    accountId: number,
+    entityAttributeAssignments: EntityAttributeAssignment[]
+  ): Promise<EntityAttributeResponse> {
+    // Validate inputs
+    if (!Number.isInteger(accountId)) {
+      throw new Error(`accountId must be an integer, got: ${accountId}`);
+    }
+    AuthorizationAttributesService.validateEntityAttributeAssignments(entityAttributeAssignments);
+
+    const httpClient = Api.getPart('httpClient');
+    if (!httpClient) {
+      throw new Error(ERROR_MESSAGES.HTTP_CLIENT_NOT_INITIALIZED);
+    }
+
+    const attributionHeaders = getAttributionsFromApi();
+    const path = AuthorizationAttributesService.API_PATHS.UPSERT_ENTITY_ATTRIBUTES.replace(
+      '{accountId}',
+      accountId.toString()
+    );
+
+    try {
+      return await httpClient.fetch<EntityAttributeResponse>(
+        {
+          url: {
+            appName: APP_NAME,
+            path,
+          },
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+            ...attributionHeaders,
+          },
+          body: JSON.stringify({ entityAttributeAssignments }),
+        },
+        {
+          timeout: AuthorizationInternalService.getRequestTimeout(),
+          retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
+        }
+      );
+    } catch (err) {
+      if (err instanceof HttpFetcherError) {
+        throw new Error(ERROR_MESSAGES.REQUEST_FAILED('upsertEntityAttributesSync', err.status, err.message));
+      }
+      throw err;
+    }
+  }
+
+  /**
+   * Delete entity attributes synchronously.
+   * Matches API endpoint: DELETE /attributes/:accountId/entity/:entityType/:entityId
+   * @param accountId The account ID
+   * @param entityType The entity type
+   * @param entityId The entity ID
+   * @param keys Array of attribute keys to delete
+   * @returns Promise with response containing affected attributes
+   */
+  static async deleteEntityAttributesSync(
+    accountId: number,
+    entityType: EntityType,
+    entityId: number,
+    keys: EntityAttributeKeyType[]
+  ): Promise<EntityAttributeResponse> {
+    // Validate inputs
+    if (!Number.isInteger(accountId)) {
+      throw new Error(`accountId must be an integer, got: ${accountId}`);
+    }
+    if (!entityType || typeof entityType !== 'string') {
+      throw new Error(`entityType must be a string, got: ${typeof entityType}`);
+    }
+    if (!Number.isInteger(entityId)) {
+      throw new Error(`entityId must be an integer, got: ${entityId}`);
+    }
+    if (!Array.isArray(keys)) {
+      throw new Error('keys must be an array');
+    }
+    if (keys.length === 0) {
+      throw new Error('keys must contain at least 1 item');
+    }
+
+    const httpClient = Api.getPart('httpClient');
+    if (!httpClient) {
+      throw new Error(ERROR_MESSAGES.HTTP_CLIENT_NOT_INITIALIZED);
+    }
+
+    const attributionHeaders = getAttributionsFromApi();
+    const path = AuthorizationAttributesService.API_PATHS.DELETE_ENTITY_ATTRIBUTES.replace(
+      '{accountId}',
+      accountId.toString()
+    )
+      .replace('{entityType}', entityType)
+      .replace('{entityId}', entityId.toString());
+
+    try {
+      return await httpClient.fetch<EntityAttributeResponse>(
+        {
+          url: {
+            appName: APP_NAME,
+            path,
+          },
+          method: 'DELETE',
+          headers: {
+            'Content-Type': 'application/json',
+            ...attributionHeaders,
+          },
+          body: JSON.stringify({ keys }),
+        },
+        {
+          timeout: AuthorizationInternalService.getRequestTimeout(),
+          retryPolicy: AuthorizationInternalService.getRetriesPolicy(),
+        }
+      );
+    } catch (err) {
+      if (err instanceof HttpFetcherError) {
+        throw new Error(ERROR_MESSAGES.REQUEST_FAILED('deleteEntityAttributesSync', err.status, err.message));
+      }
+      throw err;
+    }
+  }
 }

package/src/clients/graph-api.ts

@@ -18,7 +18,7 @@ import {
   GraphPermissionReason,
 } from '../types/graph-api.types';
 import { scopeToResource } from '../utils/authorization.utils';
-import { GRAPH_APP_NAME, GraphProfile } from '../constants';
+import { GRAPH_APP_NAME } from '../constants';
 import { handleApiError } from '../utils/api-error-handler';
 
 const CAN_ACTION_IN_SCOPE_GRAPH_PATH = '/permissions/is-allowed';
@@ -85,7 +85,6 @@ export class GraphApi {
           url: {
             appName: GRAPH_APP_NAME,
             path: CAN_ACTION_IN_SCOPE_GRAPH_PATH,
-            profile: GraphProfile.PERMISSION,
           },
           method: 'POST',
           headers: {

package/src/constants.ts

@@ -4,10 +4,6 @@ import { FetcherConfig } from '@mondaydotcomorg/trident-backend-api';
 export const APP_NAME = 'authorization';
 export const GRAPH_APP_NAME = 'authorization-graph';
 
-export enum GraphProfile {
-  PERMISSION = 'authorization-graph-permission',
-}
-
 export const ERROR_MESSAGES = {
   HTTP_CLIENT_NOT_INITIALIZED: 'MondayAuthorization: HTTP client is not initialized',
   REQUEST_FAILED: (method: string, status: number, reason: string) =>

package/src/errors/argument-error.ts

@@ -0,0 +1,8 @@
+export class ArgumentError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'ArgumentError'; 
+    Object.setPrototypeOf(this, ArgumentError.prototype);
+  }
+}
+

package/src/index.ts

@@ -58,6 +58,22 @@ export {
 } from './authorization-middleware';
 export { AuthorizationService, AuthorizeResponse } from './authorization-service';
 export { AuthorizationAttributesService } from './authorization-attributes-service';
+export { AuthorizationAttributesMsService } from './authorization-attributes-ms-service';
+export { ResourceAttributeAssignment } from './resource-attribute-assignment';
+export { RESOURCE_TYPES, RESOURCE_ATTRIBUTES_CONSTANTS } from './resource-attributes-constants';
+export { ArgumentError } from './errors/argument-error';
+export {
+  EntityAttributeAssignment,
+  ResourceAttributeResponse,
+  EntityAttributeResponse,
+  ResourceType,
+  EntityType,
+  ResourceAttributeKeyType,
+  EntityAttributeKeyType,
+  CommonAttributeKey,
+  ResourceAttributeKey,
+  EntityAttributeKey,
+} from './types/authorization-attributes-contracts';
 export { RolesService } from './roles-service';
 export { MembershipsService } from './memberships';
 export { AuthorizationObject, Resource, BaseRequest, ResourceGetter, ContextGetter } from './types/general';

package/src/resource-attribute-assignment.ts

@@ -0,0 +1,70 @@
+import { RESOURCE_TYPES, ResourceType } from './resource-attributes-constants';
+import { ArgumentError } from './errors/argument-error';
+
+export class ResourceAttributeAssignment {
+  public readonly resourceId: number;
+  public readonly resourceType: ResourceType;
+  public readonly attributeKey: string;
+  public readonly attributeValue: string;
+
+  constructor(resourceId: number, resourceType: string, attributeKey: string, attributeValue: string) {
+    // Validate resourceId
+    if (!Number.isInteger(resourceId)) {
+      throw new ArgumentError(`resourceId must be an integer, got: ${resourceId}`);
+    }
+
+    // Validate resourceType
+    const validResourceTypes = Object.values(RESOURCE_TYPES);
+    if (!validResourceTypes.includes(resourceType as ResourceType)) {
+      throw new ArgumentError(
+        `resourceType must be one of [${validResourceTypes.join(', ')}], got: ${resourceType}`
+      );
+    }
+
+    // Validate attributeKey
+    if (typeof attributeKey !== 'string') {
+      throw new ArgumentError(`attributeKey must be a string, got: ${typeof attributeKey}`);
+    }
+
+    // Validate attributeValue
+    if (typeof attributeValue !== 'string') {
+      throw new ArgumentError(`attributeValue must be a string, got: ${typeof attributeValue}`);
+    }
+
+    this.resourceId = resourceId;
+    this.resourceType = resourceType as ResourceType;
+    this.attributeKey = attributeKey;
+    this.attributeValue = attributeValue;
+  }
+
+  /**
+   * Converts the assignment to hash format with camelCase keys
+   * @returns Object with camelCase keys: { resourceId, resourceType, key, value }
+   */
+  toH(): { resourceId: number; resourceType: string; key: string; value: string } {
+    return {
+      resourceId: this.resourceId,
+      resourceType: this.resourceType,
+      key: this.attributeKey,
+      value: this.attributeValue,
+    };
+  }
+
+  /**
+   * Compares two assignments for equality
+   * @param other Another ResourceAttributeAssignment instance
+   * @returns true if all properties are equal
+   */
+  equals(other: ResourceAttributeAssignment): boolean {
+    if (!(other instanceof ResourceAttributeAssignment)) {
+      return false;
+    }
+    return (
+      this.resourceId === other.resourceId &&
+      this.resourceType === other.resourceType &&
+      this.attributeKey === other.attributeKey &&
+      this.attributeValue === other.attributeValue
+    );
+  }
+}
+

package/src/resource-attributes-constants.ts

@@ -0,0 +1,27 @@
+export const RESOURCE_TYPES = {
+  ACCOUNT: 'account',
+  ACCOUNT_PRODUCT: 'account_product',
+  WORKSPACE: 'workspace',
+  BOARD: 'board',
+  ITEM: 'item',
+  TEAM: 'team',
+  OVERVIEW: 'overview',
+  DOCUMENT: 'document',
+  CRM: 'crm',
+} as const;
+
+export const RESOURCE_ATTRIBUTES_CONSTANTS = {
+  ACCOUNT_RESOURCE_ATTRIBUTES: {
+    ENABLE_MEMBERS_INVITE_FROM_NON_AUTH_DOMAIN: 'enable_members_invite_from_non_auth_domain',
+  },
+  WORKSPACE_RESOURCE_ATTRIBUTES: {
+    IS_DEFAULT_WORKSPACE: 'is_default_workspace',
+  },
+  BOARD_RESOURCE_ATTRIBUTES: {
+    IS_SYNCABLE_CHILD_ENTITY: 'is_syncable_child_entity',
+    SYSTEM_ENTITY_TYPE: 'system_entity_type',
+  },
+} as const;
+
+export type ResourceType = typeof RESOURCE_TYPES[keyof typeof RESOURCE_TYPES];
+

package/src/types/authorization-attributes-contracts.ts

@@ -1,16 +1,62 @@
 import { Resource } from './general';
 
+// Resource Types - matching the API
+export type ResourceType = 
+  | 'account'
+  | 'account_product'
+  | 'workspace'
+  | 'board'
+  | 'item'
+  | 'team'
+  | 'overview'
+  | 'document'
+  | 'crm';
+
+// Entity Types - matching the API
+export type EntityType = 
+  | 'user'
+  | 'team'
+  | 'account';
+
+// Common attribute keys that can be used for both resources and entities
+export type CommonAttributeKey = string;
+
+// Resource-specific attribute keys
+export type ResourceAttributeKey = string;
+
+// Entity-specific attribute keys
+export type EntityAttributeKey = string;
+
+// Combined types for attribute keys
+export type ResourceAttributeKeyType = CommonAttributeKey | ResourceAttributeKey;
+export type EntityAttributeKeyType = CommonAttributeKey | EntityAttributeKey;
+
+// Resource Attribute Assignment - matching API contract
 export interface ResourceAttributeAssignment {
-  resourceType: Resource['type'];
-  resourceId: Resource['id'];
-  key: string;
+  resourceId: number;
+  resourceType: ResourceType;
+  key: ResourceAttributeKeyType;
   value: string;
 }
 
+// Entity Attribute Assignment - matching API contract
+export interface EntityAttributeAssignment {
+  entityId: number;
+  entityType: EntityType;
+  key: EntityAttributeKeyType;
+  value: string;
+}
+
+// Response types
 export interface ResourceAttributeResponse {
   attributes: ResourceAttributeAssignment[];
 }
 
+export interface EntityAttributeResponse {
+  attributes: EntityAttributeAssignment[];
+}
+
+// Legacy types for backward compatibility
 export interface ResourceAttributeDelete {
   resourceType: Resource['type'];
   resourceId: Resource['id'];