@mondaydotcomorg/monday-authorization 3.5.1-fix-authorize-profile-picker-7481de0 → 3.5.3-feat-shaime-support-entity-attributes-in-authorization-sdk-e355942

package/src/authorization-service.ts

@@ -3,7 +3,7 @@ import { MondayFetchOptions } from '@mondaydotcomorg/monday-fetch';
 import { Api } from '@mondaydotcomorg/trident-backend-api';
 import { HttpFetcherError } from '@mondaydotcomorg/monday-fetch-api';
 import { getIgniteClient, IgniteClient } from '@mondaydotcomorg/ignite-sdk';
-import { Action, AuthorizationObject, AuthorizationParams, Resource } from './types/general';
+import { AuthorizationObject, AuthorizationParams, Resource } from './types/general';
 import { sendAuthorizationCheckResponseTimeMetric } from './prometheus-service';
 import { recordAuthorizationTiming } from './metrics-service';
 import {
@@ -74,7 +74,7 @@ export class AuthorizationService {
     accountId: number,
     userId: number,
     resources: Resource[],
-    action: Action
+    action: string
   ): Promise<AuthorizeResponse>;
 
   static async isAuthorized(
@@ -155,60 +155,19 @@ export class AuthorizationService {
       logger.error({ tag: 'authorization-service' }, 'AuthorizationService: igniteClient is not set, failing request');
       throw new Error('AuthorizationService: igniteClient is not set, failing request');
     }
-
-    const allowedProfiles = this.igniteClient.configuration.getObjectValue<string[]>(
-      ALLOWED_SDK_PLATFORM_PROFILES_KEY,
-      []
-    );
-    const isAllowedProfile = allowedProfiles.includes(appName);
-    logger.error(
-      { tag: 'auth-debug', accountId, userId, appName, allowedProfiles, isAllowedProfile },
-      'AuthorizationService.getProfile: checking allowed profiles'
-    );
-
-    if (isAllowedProfile) {
-      const profile = getProfile();
-      logger.error(
-        { tag: 'auth-debug', accountId, userId, appName, profile },
-        'AuthorizationService.getProfile: selected profile via allowed profiles'
-      );
-      return profile;
+    if (
+      this.igniteClient.configuration.getObjectValue<string[]>(ALLOWED_SDK_PLATFORM_PROFILES_KEY, []).includes(appName)
+    ) {
+      return getProfile();
     }
-
-    const inReleaseProfiles = this.igniteClient.configuration.getObjectValue<string[]>(
-      IN_RELEASE_SDK_PLATFORM_PROFILES_KEY,
-      []
-    );
-    const isInReleaseProfile = inReleaseProfiles.includes(appName);
-    const isFeatureFlagReleased = this.igniteClient.isReleased(PLATFORM_PROFILE_RELEASE_FF, { accountId, userId });
-
-    logger.error(
-      {
-        tag: 'auth-debug',
-        accountId,
-        userId,
-        appName,
-        inReleaseProfiles,
-        isInReleaseProfile,
-        isFeatureFlagReleased,
-        featureFlag: PLATFORM_PROFILE_RELEASE_FF,
-      },
-      'AuthorizationService.getProfile: checking feature flag release'
-    );
-
-    if (isInReleaseProfile && isFeatureFlagReleased) {
-      const profile = getProfile();
-      logger.error(
-        { tag: 'auth-debug', accountId, userId, appName, profile },
-        'AuthorizationService.getProfile: selected profile via feature flag release'
-      );
-      return profile;
+    if (
+      this.igniteClient.configuration
+        .getObjectValue<string[]>(IN_RELEASE_SDK_PLATFORM_PROFILES_KEY, [])
+        .includes(appName) &&
+      this.igniteClient.isReleased(PLATFORM_PROFILE_RELEASE_FF, { accountId, userId })
+    ) {
+      return getProfile();
     }
-
-    logger.error(
-      { tag: 'auth-debug', accountId, userId, appName, profile: PlatformProfile.APP },
-      'AuthorizationService.getProfile: selected default APP profile'
-    );
     return PlatformProfile.APP;
   }
 
@@ -225,34 +184,15 @@ export class AuthorizationService {
       this.igniteClient?.isReleased(NAVIGATE_CAN_ACTION_IN_SCOPE_TO_GRAPH_FF, { accountId, userId })
     );
 
-    logger.error(
-      {
-        tag: 'auth-debug',
-        accountId,
-        userId,
-        shouldNavigateToGraph,
-        featureFlag: NAVIGATE_CAN_ACTION_IN_SCOPE_TO_GRAPH_FF,
-      },
-      'AuthorizationService.canActionInScopeMultiple: determining which API flow to use'
-    );
-
     const startTime = performance.now();
     let scopedActionResponseObjects: ScopedActionResponseObject[];
     let apiType: 'graph' | 'platform';
 
     if (shouldNavigateToGraph) {
       apiType = 'graph';
-      logger.error(
-        { tag: 'auth-debug', accountId, userId, apiType },
-        'AuthorizationService.canActionInScopeMultiple: using graph API flow'
-      );
       scopedActionResponseObjects = await this.graphApi.checkPermissions(accountId, userId, scopedActions);
     } else {
       apiType = 'platform';
-      logger.error(
-        { tag: 'auth-debug', accountId, userId, apiType },
-        'AuthorizationService.canActionInScopeMultiple: using platform API flow'
-      );
       const profile = this.getProfile(accountId, userId);
       const internalAuthToken = AuthorizationInternalService.generateInternalAuthToken(accountId, userId);
 
@@ -283,7 +223,7 @@ export class AuthorizationService {
     accountId: number,
     userId: number,
     resources: Resource[],
-    action: Action
+    action: string
   ): Promise<AuthorizeResponse> {
     const { authorizationObjects } = createAuthorizationParams(resources, action);
     return this.isAuthorizedMultiple(accountId, userId, authorizationObjects);
@@ -398,7 +338,7 @@ export async function setIgniteClient() {
   AuthorizationInternalService.setIgniteClient(igniteClient);
 }
 
-export function createAuthorizationParams(resources: Resource[], action: Action): AuthorizationParams {
+export function createAuthorizationParams(resources: Resource[], action: string): AuthorizationParams {
   const params = {
     authorizationObjects: resources.map((resource: Resource) => {
       const authorizationObject: AuthorizationObject = {

package/src/base-attribute-assignment.ts

@@ -0,0 +1,55 @@
+import { ValidationUtils } from './utils/validation';
+
+/**
+ * Base class for attribute assignments (Resource or Entity)
+ * Provides common validation and functionality
+ */
+export abstract class BaseAttributeAssignment<TId extends number, TType extends string> {
+  public readonly id: TId;
+  public readonly type: TType;
+  public readonly attributeKey: string;
+  public readonly attributeValue: string;
+
+  constructor(
+    id: TId,
+    type: string,
+    attributeKey: string,
+    attributeValue: string,
+    validTypes: readonly string[],
+    idFieldName: string,
+    typeFieldName: string
+  ) {
+    // Validate id
+    ValidationUtils.validateInteger(id, idFieldName);
+
+    // Validate type
+    this.type = ValidationUtils.validateEnum(type, validTypes as readonly TType[], typeFieldName) as TType;
+
+    // Validate attributeKey
+    ValidationUtils.validateString(attributeKey, 'attributeKey');
+
+    // Validate attributeValue
+    ValidationUtils.validateString(attributeValue, 'attributeValue');
+
+    this.id = id;
+    this.attributeKey = attributeKey;
+    this.attributeValue = attributeValue;
+  }
+
+  /**
+   * Compares two assignments for equality
+   * @param other Another assignment instance
+   * @returns true if all properties are equal
+   */
+  equals(other: BaseAttributeAssignment<TId, TType>): boolean {
+    if (!(other instanceof this.constructor)) {
+      return false;
+    }
+    return (
+      this.id === other.id &&
+      this.type === other.type &&
+      this.attributeKey === other.attributeKey &&
+      this.attributeValue === other.attributeValue
+    );
+  }
+}

package/src/constants/sns.ts

@@ -1,5 +1,22 @@
-export const SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_RESOURCE_ATTRIBUTES';
-export const SNS_DEV_TEST_NAME =
+export enum SnsTopicType {
+  RESOURCE = 'resource',
+  ENTITY = 'entity',
+}
+
+// Resource SNS constants
+export const RESOURCE_SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_RESOURCE_ATTRIBUTES';
+export const RESOURCE_SNS_DEV_TEST_NAME =
   'arn:aws:sns:us-east-1:000000000000:monday-authorization-resource-attributes-sns-local';
+
+// Entity SNS constants
+export const ENTITY_SNS_ARN_ENV_VAR_NAME = 'SHARED_AUTHORIZATION_SNS_ENDPOINT_ENTITY_ATTRIBUTES';
+export const ENTITY_SNS_DEV_TEST_NAME =
+  'arn:aws:sns:us-east-1:000000000000:monday-authorization-entity-attributes-sns-local';
 export const RESOURCE_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'resourceAttributeModification';
+export const ENTITY_ATTRIBUTES_SNS_UPDATE_OPERATION_MESSAGE_KIND = 'entityAttributeModification';
 export const ASYNC_RESOURCE_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;
+export const ASYNC_ENTITY_ATTRIBUTES_MAX_OPERATIONS_PER_MESSAGE = 100;
+
+// Legacy exports for backward compatibility
+export const SNS_ARN_ENV_VAR_NAME = RESOURCE_SNS_ARN_ENV_VAR_NAME;
+export const SNS_DEV_TEST_NAME = RESOURCE_SNS_DEV_TEST_NAME;

package/src/entity-attribute-assignment.ts

@@ -0,0 +1,21 @@
+import { ENTITY_TYPES, EntityType } from './entity-attributes-constants';
+import { BaseAttributeAssignment } from './base-attribute-assignment';
+
+export class EntityAttributeAssignment extends BaseAttributeAssignment<number, EntityType> {
+  public readonly entityId: number;
+  public readonly entityType: EntityType;
+
+  constructor(entityId: number, entityType: string, attributeKey: string, attributeValue: string) {
+    super(entityId, entityType, attributeKey, attributeValue, Object.values(ENTITY_TYPES), 'entityId', 'entityType');
+    this.entityId = entityId;
+    this.entityType = this.type;
+  }
+  /**
+   * Compares two assignments for equality
+   * @param other Another EntityAttributeAssignment instance
+   * @returns true if all properties are equal
+   */
+  equals(other: EntityAttributeAssignment): boolean {
+    return super.equals(other);
+  }
+}

package/src/entity-attributes-constants.ts

@@ -0,0 +1,7 @@
+export const ENTITY_TYPES = {
+  USER: 'user',
+  TEAM: 'team',
+  ACCOUNT: 'account',
+} as const;
+
+export type EntityType = (typeof ENTITY_TYPES)[keyof typeof ENTITY_TYPES];

package/src/errors/argument-error.ts

@@ -0,0 +1,7 @@
+export class ArgumentError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'ArgumentError';
+    Object.setPrototypeOf(this, ArgumentError.prototype);
+  }
+}

package/src/index.ts

@@ -58,6 +58,15 @@ export {
 } from './authorization-middleware';
 export { AuthorizationService, AuthorizeResponse } from './authorization-service';
 export { AuthorizationAttributesService } from './authorization-attributes-service';
+export { AuthorizationAttributesSnsService } from './authorization-attributes-sns-service';
+export { AuthorizationAttributesMsService } from './authorization-attributes-ms-service';
+export { IAuthorizationAttributesService } from './types/authorization-attributes-service.interface';
+export { ResourceAttributeAssignment } from './resource-attribute-assignment';
+export { RESOURCE_TYPES, RESOURCE_ATTRIBUTES_CONSTANTS } from './resource-attributes-constants';
+export { EntityAttributeAssignment } from './entity-attribute-assignment';
+export { ENTITY_TYPES } from './entity-attributes-constants';
+export { ArgumentError } from './errors/argument-error';
+export type { EntityType } from './entity-attributes-constants';
 export { RolesService } from './roles-service';
 export { MembershipsService } from './memberships';
 export { AuthorizationObject, Resource, BaseRequest, ResourceGetter, ContextGetter } from './types/general';

package/src/prometheus-service.ts

@@ -1,4 +1,3 @@
-import { Action } from './types/general';
 
 let prometheus: any = null;
 let authorizationCheckResponseTimeMetric: any = null;
@@ -36,7 +35,7 @@ export function getMetricsManager() {
 
 export function sendAuthorizationCheckResponseTimeMetric(
   resourceType: string,
-  action: Action,
+  action: string,
   isAuthorized: boolean,
   responseStatus: number,
   time: number

package/src/resource-attribute-assignment.ts

@@ -0,0 +1,43 @@
+import { RESOURCE_TYPES, ResourceType } from './resource-attributes-constants';
+import { BaseAttributeAssignment } from './base-attribute-assignment';
+
+export class ResourceAttributeAssignment extends BaseAttributeAssignment<number, ResourceType> {
+  public readonly resourceId: number;
+  public readonly resourceType: ResourceType;
+
+  constructor(resourceId: number, resourceType: string, attributeKey: string, attributeValue: string) {
+    super(
+      resourceId,
+      resourceType,
+      attributeKey,
+      attributeValue,
+      Object.values(RESOURCE_TYPES),
+      'resourceId',
+      'resourceType'
+    );
+    this.resourceId = resourceId;
+    this.resourceType = this.type;
+  }
+
+  /**
+   * Converts the assignment to a plain object with camelCase keys
+   * @returns Plain object with camelCase keys: { resourceId, resourceType, key, value }
+   */
+  toPlainObject(): { resourceId: number; resourceType: string; key: string; value: string } {
+    return {
+      resourceId: this.resourceId,
+      resourceType: this.resourceType,
+      key: this.attributeKey,
+      value: this.attributeValue,
+    };
+  }
+
+  /**
+   * Compares two assignments for equality
+   * @param other Another ResourceAttributeAssignment instance
+   * @returns true if all properties are equal
+   */
+  equals(other: ResourceAttributeAssignment): boolean {
+    return super.equals(other);
+  }
+}

package/src/resource-attributes-constants.ts

@@ -0,0 +1,35 @@
+export const RESOURCE_TYPES = {
+  ACCOUNT: 'account',
+  ACCOUNT_PRODUCT: 'account_product',
+  WORKSPACE: 'workspace',
+  BOARD: 'board',
+  ITEM: 'item',
+  TEAM: 'team',
+  OVERVIEW: 'overview',
+  DOCUMENT: 'document',
+  CRM: 'crm',
+} as Record<string, ResourceType>;
+
+export const RESOURCE_ATTRIBUTES_CONSTANTS = {
+  ACCOUNT_RESOURCE_ATTRIBUTES: {
+    ENABLE_MEMBERS_INVITE_FROM_NON_AUTH_DOMAIN: 'enable_members_invite_from_non_auth_domain',
+  },
+  WORKSPACE_RESOURCE_ATTRIBUTES: {
+    IS_DEFAULT_WORKSPACE: 'is_default_workspace',
+  },
+  BOARD_RESOURCE_ATTRIBUTES: {
+    IS_SYNCABLE_CHILD_ENTITY: 'is_syncable_child_entity',
+    SYSTEM_ENTITY_TYPE: 'system_entity_type',
+  },
+} as const;
+
+export type ResourceType =
+  | 'account'
+  | 'account_product'
+  | 'workspace'
+  | 'board'
+  | 'item'
+  | 'team'
+  | 'overview'
+  | 'document'
+  | 'crm';

package/src/testKit/index.ts

@@ -1,4 +1,4 @@
-import { Action, BaseRequest, BaseResponse, ContextGetter, Resource, ResourceGetter } from '../types/general';
+import { BaseRequest, BaseResponse, ContextGetter, Resource, ResourceGetter } from '../types/general';
 import { defaultContextGetter } from '../authorization-middleware';
 import { AuthorizationInternalService } from '../authorization-internal-service';
 import type { NextFunction } from 'express';
@@ -7,11 +7,11 @@ export type TestPermittedAction = {
   accountId: number;
   userId: number;
   resources: Resource[];
-  action: Action;
+  action: string;
 };
 
 let testPermittedActions: TestPermittedAction[] = [];
-export const addTestPermittedAction = (accountId: number, userId: number, resources: Resource[], action: Action) => {
+export const addTestPermittedAction = (accountId: number, userId: number, resources: Resource[], action: string) => {
   testPermittedActions.push({ accountId, userId, resources, action });
 };
 
@@ -19,7 +19,7 @@ export const clearTestPermittedActions = () => {
   testPermittedActions = [];
 };
 
-const isActionAuthorized = (accountId: number, userId: number, resources: Resource[], action: Action) => {
+const isActionAuthorized = (accountId: number, userId: number, resources: Resource[], action: string) => {
   // If no resources to check, deny access
   if (resources.length === 0) {
     return { isAuthorized: false };
@@ -46,7 +46,7 @@ const isActionAuthorized = (accountId: number, userId: number, resources: Resour
 };
 
 export const getTestAuthorizationMiddleware = (
-  action: Action,
+  action: string,
   resourceGetter: ResourceGetter,
   contextGetter?: ContextGetter
 ) => {

package/src/types/authorization-attributes-contracts.ts

@@ -1,33 +1,58 @@
 import { Resource } from './general';
+import type { EntityType } from '../entity-attributes-constants';
+import type { ResourceType } from '../resource-attributes-constants';
 
-export interface ResourceAttributeAssignment {
-  resourceType: Resource['type'];
-  resourceId: Resource['id'];
+export type { EntityType, ResourceType };
+
+interface AttributeAssignment {
   key: string;
   value: string;
 }
 
-export interface ResourceAttributeResponse {
-  attributes: ResourceAttributeAssignment[];
+// Resource Attribute Assignment - matching API contract
+export interface ResourceAttributeAssignment extends AttributeAssignment {
+  resourceId: number;
+  resourceType: ResourceType;
+}
+
+// Entity Attribute Assignment - matching API contract
+// Note: For validation, use the EntityAttributeAssignment class from '../entity-attribute-assignment'
+export interface EntityAttributeAssignment extends AttributeAssignment {
+  entityId: number;
+  entityType: EntityType;
 }
 
+// Legacy types for backward compatibility
 export interface ResourceAttributeDelete {
   resourceType: Resource['type'];
   resourceId: Resource['id'];
   key: string;
 }
 
-export enum ResourceAttributeOperationEnum {
+export interface EntityAttributeDelete {
+  entityType: EntityType;
+  entityId: number;
+  key: string;
+}
+
+export enum AttributeOperation {
   UPSERT = 'upsert',
   DELETE = 'delete',
 }
 
-interface UpsertResourceAttributeOperation extends ResourceAttributeAssignment {
-  operationType: ResourceAttributeOperationEnum.UPSERT;
+// Response types
+export interface ResourceAttributeResponse {
+  attributes: ResourceAttributeAssignment[];
 }
 
-interface DeleteResourceAttributeOperation extends ResourceAttributeDelete {
-  operationType: ResourceAttributeOperationEnum.DELETE;
+export interface EntityAttributeResponse {
+  attributes: EntityAttributeAssignment[];
 }
 
-export type ResourceAttributesOperation = UpsertResourceAttributeOperation | DeleteResourceAttributeOperation;
+export interface ResourceAttributeOperation extends ResourceAttributeAssignment {
+  operationType: AttributeOperation;
+}
+
+export interface EntityAttributeOperation extends EntityAttributeAssignment {
+  operationType: AttributeOperation;
+}

package/src/types/authorization-attributes-service.interface.ts

@@ -0,0 +1,100 @@
+import {
+  ResourceAttributeAssignment as ResourceAttributeAssignmentContract,
+  EntityAttributeAssignment as EntityAttributeAssignmentContract,
+  EntityType,
+} from './authorization-attributes-contracts';
+import { ResourceAttributeOperation, EntityAttributeOperation } from './authorization-attributes-contracts';
+import { ResourceAttributeAssignment } from '../resource-attribute-assignment';
+import { EntityAttributeAssignment } from '../entity-attribute-assignment';
+import { Resource } from './general';
+
+/**
+ * Resource type compatible with both MS and SNS services
+ */
+export interface CompatibleResource {
+  resourceType?: string;
+  resourceId?: number;
+  type?: string;
+  id?: number;
+}
+
+/**
+ * Interface for authorization attributes operations.
+ * Both MS (direct) and SNS (async) services implement this interface.
+ */
+export interface IAuthorizationAttributesService {
+  /**
+   * Upserts resource attributes.
+   * For MS service: returns Promise<void>
+   * For SNS service: requires appName and callerActionIdentifier, returns Promise<ResourceAttributesOperation[]>
+   */
+  upsertResourceAttributes(
+    accountId: number,
+    resourceAttributeAssignments: ResourceAttributeAssignment[] | ResourceAttributeAssignmentContract[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<void | ResourceAttributeOperation[]>;
+
+  /**
+   * Deletes resource attributes.
+   * For MS service: returns Promise<void>
+   * For SNS service: requires appName and callerActionIdentifier, returns Promise<ResourceAttributesOperation[]>
+   */
+  deleteResourceAttributes(
+    accountId: number,
+    resource: CompatibleResource | Resource,
+    attributeKeys: string[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<void | ResourceAttributeOperation[]>;
+
+  /**
+   * Upserts entity attributes.
+   * For MS service: returns Promise<void>
+   * For SNS service: requires appName and callerActionIdentifier, returns Promise<EntityAttributesOperation[]>
+   */
+  upsertEntityAttributes(
+    accountId: number,
+    entityAttributeAssignments: EntityAttributeAssignment[] | EntityAttributeAssignmentContract[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<void | EntityAttributeOperation[]>;
+
+  /**
+   * Deletes entity attributes.
+   * For MS service: returns Promise<void>
+   * For SNS service: requires appName and callerActionIdentifier, returns Promise<EntityAttributesOperation[]>
+   */
+  deleteEntityAttributes(
+    accountId: number,
+    entityType: EntityType | string,
+    entityId: number,
+    attributeKeys: string[],
+    appName?: string,
+    callerActionIdentifier?: string
+  ): Promise<void | EntityAttributeOperation[]>;
+
+  /**
+   * Updates resource attributes (batch operations).
+   * For MS service: may throw error or delegate to upsert/delete
+   * For SNS service: returns Promise<ResourceAttributesOperation[]>
+   */
+  updateResourceAttributes(
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    resourceAttributeOperations: ResourceAttributeOperation[]
+  ): Promise<ResourceAttributeOperation[]>;
+
+  /**
+   * Updates entity attributes (batch operations).
+   * For MS service: may throw error or delegate to upsert/delete
+   * For SNS service: returns Promise<EntityAttributesOperation[]>
+   */
+  updateEntityAttributes(
+    accountId: number,
+    appName: string,
+    callerActionIdentifier: string,
+    entityAttributeOperations: EntityAttributeOperation[]
+  ): Promise<EntityAttributeOperation[]>;
+}

package/src/types/general.ts

@@ -5,16 +5,17 @@ export interface Resource {
   type: string;
   wrapperData?: object;
 }
-export type Action = string;
+
 export interface Context {
   accountId: number;
   userId: number;
 }
+
 export interface AuthorizationObject {
   resource_id?: Resource['id'];
   resource_type: Resource['type'];
   wrapper_data?: Resource['wrapperData'];
-  action: Action;
+  action: string;
 }
 export interface AuthorizationParams {
   authorizationObjects: AuthorizationObject[];