@mondaydotcomorg/monday-authorization 3.5.1-fix-authorize-profile-picker-7481de0 → 3.5.2-feat-shaime-support-entity-attributes-4-ddec1d3

package/src/base-attribute-assignment.ts

@@ -0,0 +1,46 @@
+import { ValidationUtils } from './utils/validation';
+import isEqual from 'lodash/isEqual.js';
+import { EntityAttributeAssignment, ResourceAttributeDelete } from './types/authorization-attributes-contracts';
+
+/**
+ * Base class for attribute assignments (Resource or Entity)
+ * Provides common validation and functionality
+ */
+export abstract class BaseAttributeAssignment<TId extends number, TType extends string> {
+  public readonly id: TId;
+  public readonly type: TType;
+  public readonly attributeKey: string;
+  public readonly attributeValue: string;
+
+  constructor(
+    id: TId,
+    type: string,
+    attributeKey: string,
+    attributeValue: string,
+    validTypes: readonly string[],
+    idFieldName: string,
+    typeFieldName: string
+  ) {
+    const validated = ValidationUtils.validateAssignment<TType>(
+      { id, type, attributeKey, attributeValue },
+      validTypes as readonly TType[],
+      { id: idFieldName, type: typeFieldName }
+    );
+
+    this.id = validated.id as TId;
+    this.type = validated.type as TType;
+    this.attributeKey = validated.attributeKey;
+    this.attributeValue = validated.attributeValue;
+  }
+
+  /**
+   * Compares two assignments for equality
+   * @param other Another assignment instance
+   * @returns true if all properties are equal
+   */
+  equals(other: BaseAttributeAssignment<TId, TType>): boolean {
+    return isEqual(this, other);
+  }
+
+  abstract toDataTransferObject(): EntityAttributeAssignment | ResourceAttributeDelete;
+}

package/src/constants/sns.ts

@@ -1,5 +1,22 @@
-export const SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_RESOURCE_ATTRIBUTES';
-export const SNS_DEV_TEST_NAME =
+export enum SnsTopicType {
+  RESOURCE = 'resource',
+  ENTITY = 'entity',
+}
+
+// Resource SNS constants
+export const RESOURCE_SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_RESOURCE_ATTRIBUTES';
+export const RESOURCE_SNS_DEV_TEST_NAME =
   'arn:aws:sns:us-east-1:000000000000:monday-authorization-resource-attributes-sns-local';
+
+// Entity SNS constants
+export const ENTITY_SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_ENTITY_ATTRIBUTES';
+export const ENTITY_SNS_DEV_TEST_NAME =
+  'arn:aws:sns:us-east-1:000000000000:monday-authorization-entity-attributes-sns-local';
 export const RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'resourceAttributeModification';
+export const ENTITY_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'entityAttributeModification';
 export const ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;
+export const ASYNC_ENTITY_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;
+
+// Legacy exports for backward compatibility
+export const SNS_ARN_ENV_VAR_NAME = RESOURCE_SNS_ARN_ENV_VAR_NAME;
+export const SNS_DEV_TEST_NAME = RESOURCE_SNS_DEV_TEST_NAME;

package/src/entity-attribute-assignment.ts

@@ -0,0 +1,30 @@
+import { ENTITY_TYPES, EntityType } from './entity-attributes-constants';
+import { BaseAttributeAssignment } from './base-attribute-assignment';
+
+export class EntityAttributeAssignment extends BaseAttributeAssignment<number, EntityType> {
+  public readonly entityId: number;
+  public readonly entityType: EntityType;
+
+  constructor(entityId: number, entityType: string, attributeKey: string, attributeValue: string) {
+    super(entityId, entityType, attributeKey, attributeValue, ENTITY_TYPES, 'entityId', 'entityType');
+    this.entityId = entityId;
+    this.entityType = this.type;
+  }
+
+  toDataTransferObject() {
+    return {
+      entityId: this.entityId,
+      entityType: this.entityType,
+      key: this.attributeKey,
+      value: this.attributeValue,
+    };
+  }
+  /**
+   * Compares two assignments for equality
+   * @param other Another EntityAttributeAssignment instance
+   * @returns true if all properties are equal
+   */
+  equals(other: EntityAttributeAssignment): boolean {
+    return super.equals(other);
+  }
+}

package/src/entity-attributes-constants.ts

@@ -0,0 +1,7 @@
+export enum EntityType {
+  User = 'user',
+  Team = 'team',
+  Account = 'account',
+}
+
+export const ENTITY_TYPES = Object.freeze(Object.values(EntityType));

package/src/errors/argument-error.ts

@@ -0,0 +1,7 @@
+export class ArgumentError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'ArgumentError';
+    Object.setPrototypeOf(this, ArgumentError.prototype);
+  }
+}

package/src/resource-attribute-assignment.ts

@@ -0,0 +1,38 @@
+import { RESOURCE_TYPES, ResourceType } from './resource-attributes-constants';
+import { BaseAttributeAssignment } from './base-attribute-assignment';
+
+export class ResourceAttributeAssignment extends BaseAttributeAssignment<number, ResourceType> {
+  public readonly resourceId: number;
+  public readonly resourceType: ResourceType;
+
+  constructor(resourceId: number, resourceType: ResourceType, attributeKey: string, attributeValue: string) {
+    super(
+      resourceId,
+      resourceType,
+      attributeKey,
+      attributeValue,
+      Object.values(RESOURCE_TYPES),
+      'resourceId',
+      'resourceType'
+    );
+    this.resourceId = resourceId;
+    this.resourceType = this.type;
+  }
+
+  toDataTransferObject() {
+    return {
+      resourceId: this.resourceId,
+      resourceType: this.resourceType,
+      key: this.attributeKey,
+      value: this.attributeValue,
+    };
+  }
+  /**
+   * Compares two assignments for equality
+   * @param other Another ResourceAttributeAssignment instance
+   * @returns true if all properties are equal
+   */
+  equals(other: ResourceAttributeAssignment): boolean {
+    return super.equals(other);
+  }
+}

package/src/resource-attributes-constants.ts

@@ -0,0 +1,27 @@
+export const RESOURCE_ATTRIBUTES_CONSTANTS = {
+  ACCOUNT_RESOURCE_ATTRIBUTES: {
+    ENABLE_MEMBERS_INVITE_FROM_NON_AUTH_DOMAIN: 'enable_members_invite_from_non_auth_domain',
+  },
+  WORKSPACE_RESOURCE_ATTRIBUTES: {
+    IS_DEFAULT_WORKSPACE: 'is_default_workspace',
+  },
+  BOARD_RESOURCE_ATTRIBUTES: {
+    IS_SYNCABLE_CHILD_ENTITY: 'is_syncable_child_entity',
+    SYSTEM_ENTITY_TYPE: 'system_entity_type',
+  },
+} as const;
+
+export enum ResourceType {
+  Account = 'account',
+  AccountProduct = 'account_product',
+  Workspace = 'workspace',
+  Board = 'board',
+  Item = 'item',
+  Team = 'team',
+  Overview = 'overview',
+  Document = 'document',
+  Crm = 'crm',
+}
+
+// Define the array of strings and use 'as const' to make its contents literal types
+export const RESOURCE_TYPES = Object.freeze(Object.values(ResourceType));

package/src/testKit/index.ts

@@ -1,4 +1,4 @@
-import { Action, BaseRequest, BaseResponse, ContextGetter, Resource, ResourceGetter } from '../types/general';
+import { BaseRequest, BaseResponse, ContextGetter, Resource, ResourceGetter } from '../types/general';
 import { defaultContextGetter } from '../authorization-middleware';
 import { AuthorizationInternalService } from '../authorization-internal-service';
 import type { NextFunction } from 'express';
@@ -7,11 +7,11 @@ export type TestPermittedAction = {
   accountId: number;
   userId: number;
   resources: Resource[];
-  action: Action;
+  action: string;
 };
 
 let testPermittedActions: TestPermittedAction[] = [];
-export const addTestPermittedAction = (accountId: number, userId: number, resources: Resource[], action: Action) => {
+export const addTestPermittedAction = (accountId: number, userId: number, resources: Resource[], action: string) => {
   testPermittedActions.push({ accountId, userId, resources, action });
 };
 
@@ -19,7 +19,7 @@ export const clearTestPermittedActions = () => {
   testPermittedActions = [];
 };
 
-const isActionAuthorized = (accountId: number, userId: number, resources: Resource[], action: Action) => {
+const isActionAuthorized = (accountId: number, userId: number, resources: Resource[], action: string) => {
   // If no resources to check, deny access
   if (resources.length === 0) {
     return { isAuthorized: false };
@@ -46,7 +46,7 @@ const isActionAuthorized = (accountId: number, userId: number, resources: Resour
 };
 
 export const getTestAuthorizationMiddleware = (
-  action: Action,
+  action: string,
   resourceGetter: ResourceGetter,
   contextGetter?: ContextGetter
 ) => {

package/src/types/authorization-attributes-contracts.ts

@@ -1,33 +1,56 @@
 import { Resource } from './general';
+import type { EntityType } from '../entity-attributes-constants';
+import type { ResourceType } from '../resource-attributes-constants';
 
-export interface ResourceAttributeAssignment {
-  resourceType: Resource['type'];
-  resourceId: Resource['id'];
+interface AttributeAssignment {
   key: string;
   value: string;
 }
 
-export interface ResourceAttributeResponse {
-  attributes: ResourceAttributeAssignment[];
+// Resource Attribute Assignment - matching API contract
+export interface ResourceAttributeAssignment extends AttributeAssignment {
+  resourceId: number;
+  resourceType: ResourceType;
 }
 
+// Entity Attribute Assignment - matching API contract
+// Note: For validation, use the EntityAttributeAssignment class from '../entity-attribute-assignment'
+export interface EntityAttributeAssignment extends AttributeAssignment {
+  entityId: number;
+  entityType: EntityType;
+}
+
+// Legacy types for backward compatibility
 export interface ResourceAttributeDelete {
   resourceType: Resource['type'];
   resourceId: Resource['id'];
   key: string;
 }
 
-export enum ResourceAttributeOperationEnum {
+export interface EntityAttributeDelete {
+  entityType: EntityType;
+  entityId: number;
+  key: string;
+}
+
+export enum AttributeOperation {
   UPSERT = 'upsert',
   DELETE = 'delete',
 }
 
-interface UpsertResourceAttributeOperation extends ResourceAttributeAssignment {
-  operationType: ResourceAttributeOperationEnum.UPSERT;
+// Response types
+export interface ResourceAttributeResponse {
+  attributes: ResourceAttributeAssignment[];
 }
 
-interface DeleteResourceAttributeOperation extends ResourceAttributeDelete {
-  operationType: ResourceAttributeOperationEnum.DELETE;
+export interface EntityAttributeResponse {
+  attributes: EntityAttributeAssignment[];
 }
 
-export type ResourceAttributesOperation = UpsertResourceAttributeOperation | DeleteResourceAttributeOperation;
+export interface ResourceAttributeOperation extends ResourceAttributeAssignment {
+  operationType: AttributeOperation;
+}
+
+export interface EntityAttributeOperation extends EntityAttributeAssignment {
+  operationType: AttributeOperation;
+}

package/src/types/authorization-attributes-service.interface.ts

@@ -0,0 +1,101 @@
+import {
+  ResourceAttributeAssignment as ResourceAttributeAssignmentContract,
+  EntityAttributeAssignment as EntityAttributeAssignmentContract,
+  ResourceAttributeOperation,
+  EntityAttributeOperation,
+} from './authorization-attributes-contracts';
+import { ResourceAttributeAssignment } from '../resource-attribute-assignment';
+import { EntityAttributeAssignment } from '../entity-attribute-assignment';
+import { Resource } from './general';
+import { EntityType } from '../entity-attributes-constants';
+
+/**
+ * Resource type compatible with both MS and SNS services
+ */
+export interface CompatibleResource {
+  resourceType?: string;
+  resourceId?: number;
+  type?: string;
+  id?: number;
+}
+
+/**
+ * Interface for authorization attributes operations.
+ * Both MS (direct) and SNS (async) services implement this interface.
+ */
+export interface AuthorizationAttributesService {
+  /**authorization-attributes-service.ts
+   * Upserts resource attributes.
+   * For MS service: returns Promise<void>
+   * For SNS service: requires appName and callerActionIdentifier, returns Promise<ResourceAttributesOperation[]>
+   */
+  upsertResourceAttributes(
+    accountId: number,
+    resourceAttributeAssignments: ResourceAttributeAssignment[] | ResourceAttributeAssignmentContract[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<void | ResourceAttributeOperation[]>;
+
+  /**
+   * Deletes resource attributes.
+   * For MS service: returns Promise<void>
+   * For SNS service: requires appName and callerActionIdentifier, returns Promise<ResourceAttributesOperation[]>
+   */
+  deleteResourceAttributes(
+    accountId: number,
+    resource: CompatibleResource | Resource,
+    attributeKeys: string[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<void | ResourceAttributeOperation[]>;
+
+  /**
+   * Upserts entity attributes.
+   * For MS service: returns Promise<void>
+   * For SNS service: requires appName and callerActionIdentifier, returns Promise<EntityAttributesOperation[]>
+   */
+  upsertEntityAttributes(
+    accountId: number,
+    entityAttributeAssignments: EntityAttributeAssignment[] | EntityAttributeAssignmentContract[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<void | EntityAttributeOperation[]>;
+
+  /**
+   * Deletes entity attributes.
+   * For MS service: returns Promise<void>
+   * For SNS service: requires appName and callerActionIdentifier, returns Promise<EntityAttributesOperation[]>
+   */
+  deleteEntityAttributes(
+    accountId: number,
+    entityType: EntityType | string,
+    entityId: number,
+    attributeKeys: string[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<void | EntityAttributeOperation[]>;
+
+  /**
+   * Updates resource attributes (batch operations).
+   * For MS service: may throw error or delegate to upsert/delete
+   * For SNS service: returns Promise<ResourceAttributesOperation[]>
+   */
+  updateResourceAttributes(
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    resourceAttributeOperations: ResourceAttributeOperation[]
+  ): Promise<ResourceAttributeOperation[]>;
+
+  /**
+   * Updates entity attributes (batch operations).
+   * For MS service: may throw error or delegate to upsert/delete
+   * For SNS service: returns Promise<EntityAttributesOperation[]>
+   */
+  updateEntityAttributes(
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    entityAttributeOperations: EntityAttributeOperation[]
+  ): Promise<EntityAttributeOperation[]>;
+}

package/src/utils/validation.ts

@@ -0,0 +1,171 @@
+import Ajv from 'ajv';
+import { ArgumentError } from '../errors/argument-error';
+import { Resource } from '../types/general';
+
+/**
+ * Utility class for common validation operations using AJV
+ */
+export class ValidationUtils {
+  private static ajv = new Ajv({ allErrors: true });
+  /**
+   * Validates that a value is an integer. Throws ArgumentError with a descriptive message on failure.
+   */
+  static validateInteger(value: number): void {
+    const numberSchema = { type: 'number', multipleOf: 1 };
+    const validate = ValidationUtils.ajv.compile(numberSchema);
+    const isValid = validate(value);
+    if (!isValid) {
+      throw new ArgumentError(`Value must be an integer, got: ${value}`);
+    }
+  }
+
+  /**
+   * Validates that a value is a non-empty string. Throws ArgumentError on failure.
+   */
+  static validateString(value: string): void {
+    const non_empty_string_schema = {
+      type: 'string',
+      minLength: 1,
+      pattern: '\\S',
+    };
+    const validate = ValidationUtils.ajv.compile(non_empty_string_schema);
+    const isValid = validate(value);
+    if (!isValid) {
+      throw new ArgumentError(`Value must be a non-empty string, got: ${value}`);
+    }
+  }
+
+  /**
+   * Validates that a value is an array of non-empty strings. Throws ArgumentError on failure.
+   * Allows empty arrays - caller should handle early return.
+   */
+  static validateStringArray(value: string[]): void {
+    const string_array_schema = {
+      type: 'array',
+      items: {
+        type: 'string',
+        minLength: 1,
+        pattern: '\\S',
+      },
+    };
+    const validateStringArray = ValidationUtils.ajv.compile(string_array_schema);
+    const isValid = validateStringArray(value);
+    if (!isValid) {
+      throw new ArgumentError(`Value must be an array of non-empty strings, got: ${value}`);
+    }
+    // Allow empty arrays to pass validation - caller should handle early return
+    // Non-empty arrays will be validated for string content above
+  }
+
+  /**
+   * Validates an attribute assignment object using a single AJV schema.
+   * Preserves legacy error messages for each field.
+   */
+  static validateAssignment<TType extends string>(
+    data: { id: any; type: string; attributeKey: any; attributeValue: any },
+    validTypes: readonly TType[],
+    fieldNames: { id: string; type: string }
+  ): { id: number; type: TType; attributeKey: string; attributeValue: string } {
+    const schema = {
+      type: 'object',
+      properties: {
+        id: { type: 'number', multipleOf: 1 },
+        type: { type: 'string', enum: validTypes as TType[] },
+        attributeKey: { type: 'string', minLength: 1 },
+        attributeValue: { type: 'string', minLength: 1 },
+      },
+      required: ['id', 'type', 'attributeKey', 'attributeValue'],
+      additionalProperties: false,
+    } as const;
+
+    const validate = this.ajv.compile(schema);
+    const valid = validate(data);
+    if (!valid) {
+      // Map to legacy error messages deterministically
+      const { id, type, attributeKey, attributeValue } = data;
+
+      // id must be integer
+      const isInteger = typeof id === 'number' && Number.isFinite(id) && Math.floor(id) === id;
+      if (!isInteger) {
+        throw new ArgumentError(`${fieldNames.id} must be an integer, got: ${id}`);
+      }
+
+      // type must be within enum
+      if (typeof type !== 'string' || !validTypes.includes(type as TType)) {
+        throw new ArgumentError(`${fieldNames.type} must be one of [${validTypes.join(', ')}], got: ${type}`);
+      }
+
+      // attributeKey
+      if (typeof attributeKey !== 'string') {
+        throw new ArgumentError(`attributeKey must be a string, got: ${typeof attributeKey}`);
+      }
+      if (!attributeKey) {
+        throw new ArgumentError('attributeKey must be a non-empty string');
+      }
+
+      // attributeValue
+      if (typeof attributeValue !== 'string') {
+        throw new ArgumentError(`attributeValue must be a string, got: ${typeof attributeValue}`);
+      }
+      if (!attributeValue) {
+        throw new ArgumentError('attributeValue must be a non-empty string');
+      }
+
+      // Fallback
+      throw new ArgumentError('Invalid attribute assignment');
+    }
+
+    return {
+      id: data.id as number,
+      type: data.type as TType,
+      attributeKey: data.attributeKey as string,
+      attributeValue: data.attributeValue as string,
+    };
+  }
+
+  /**
+   * Validates a Resource-like object shape: { id: number; type: string }.
+   * Throws ArgumentError with legacy-compatible messages.
+   */
+  static validateResource(resource: Resource): void {
+    if (!resource || typeof resource !== 'object') {
+      throw new ArgumentError('resource must be an object');
+    }
+    const schema = {
+      type: 'object',
+      properties: {
+        id: { type: 'number', multipleOf: 1 },
+        type: { type: 'string', minLength: 1 },
+        wrapperData: { type: 'string' },
+      },
+      required: ['type', 'id'],
+      additionalProperties: false,
+    } as const;
+    const validate = this.ajv.compile(schema);
+    const isValid = validate(resource);
+    if (!isValid) {
+      throw new ArgumentError('Invalid resource');
+    }
+  }
+
+  static validateArrayTypeOf<T>(attributesMessages: T[], messageClass: abstract new (...args: any[]) => T): void {
+    const arraySchema = {
+      type: 'array',
+    };
+    const validateArray = ValidationUtils.ajv.compile(arraySchema);
+    const isArrayValid = validateArray(attributesMessages);
+    if (!isArrayValid) {
+      throw new ArgumentError(`attributesMessages must be an array`);
+    }
+    for (let i = 0; i < attributesMessages.length; i++) {
+      const item = attributesMessages[i];
+      if (!(item instanceof messageClass)) {
+        throw new ArgumentError(
+          `attributesMessages[${i}] must be an instance of ${messageClass.name}, got: ${
+            item?.constructor?.name || typeof item
+          }`
+        );
+      }
+    }
+  }
+}