Skip to content

Adding in Authorization Access Evaluation endpoint#1473

Merged
swaroopAkkineniWorkos merged 27 commits intoENT-4372-base-authorization-branchfrom
ENT-4372-access-evaluation-check-endpoint
Feb 11, 2026
Merged

Adding in Authorization Access Evaluation endpoint#1473
swaroopAkkineniWorkos merged 27 commits intoENT-4372-base-authorization-branchfrom
ENT-4372-access-evaluation-check-endpoint

Conversation

@swaroopAkkineniWorkos
Copy link
Contributor

@swaroopAkkineniWorkos swaroopAkkineniWorkos commented Feb 10, 2026
edited
Loading

linear: https://linear.app/workos/issue/ENT-4372/sdk-updates

I decided to break up the work for ENT-4372 into a smaller pr's that we can be easily reviewed and merge them into ENT-4372-base-authorization-branch. Then we can have one final merge that merges ENT-4372-base-authorization-branch into the main.

desc: the goal of this pr is to implement the following endpoints in the node sdk.

check() | POST /authorization/organization_memberships/{om_id}/check

check() ~ https://github.com/workos/workos/blob/44963176350da59515a31bfeb5f5355b153d18e9/packages/api/src/authorization/authorization.controller.ts#L94

@linear
Copy link

linear bot commented Feb 10, 2026

ENT-4372 SDK Updates

swaroopAkkineniWorkos and others added 4 commits February 10, 2026 14:02
@swaroopAkkineniWorkos
lol
c3bd950
@swaroopAkkineniWorkos
lol
8521c85
@swaroopAkkineniWorkos
sheesh
74867f5
@swaroopAkkineniWorkos @cursoragent
lol
d7f80e6 
Co-authored-by: Cursor <cursoragent@cursor.com>
@swaroopAkkineniWorkos swaroopAkkineniWorkos changed the title moar Access Evaluation Check Feb 11, 2026
@swaroopAkkineniWorkos
Copy link
Contributor Author

swaroopAkkineniWorkos commented Feb 11, 2026

@greptile review this pr plz

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Feb 11, 2026
edited
Loading

Greptile Overview

Greptile Summary

This PR implements the check() endpoint for the Node SDK, allowing evaluation of authorization permissions for organization memberships against specific resources.

Key Changes:

  • Added check() method to Authorization class that posts to /authorization/organization_memberships/{om_id}/check
  • Created interfaces for authorization check options and results with flexible resource identification (resourceId, resourceExternalId, or resourceTypeSlug)
  • Implemented serializer that converts camelCase to snake_case and conditionally includes only provided resource fields
  • Added comprehensive test coverage for authorized/unauthorized cases and field serialization

Issue Found:

  • Missing semicolon in src/authorization/serializers/index.ts (inconsistent with other exports in the file)

Confidence Score: 4/5

  • Safe to merge after fixing the missing semicolon
  • The implementation follows existing patterns in the codebase, has comprehensive test coverage, and properly handles optional resource identification fields. Only issue is a minor syntax inconsistency (missing semicolon) that should be fixed before merging.
  • Fix the semicolon in src/authorization/serializers/index.ts

Important Files Changed

Filename Overview
src/authorization/authorization.ts Added check() method to evaluate authorization permissions for organization memberships
src/authorization/serializers/authorization-check-options.serializer.ts Serializer to convert camelCase options to snake_case API format, conditionally including resource fields
src/authorization/serializers/index.ts Added export for new serializer but missing semicolon (inconsistent with other exports)
src/authorization/authorization.spec.ts Added comprehensive tests for check() method covering authorized/unauthorized cases and field serialization

Sequence Diagram

sequenceDiagram
    participant Client
    participant SDK as WorkOS SDK
    participant Serializer
    participant API as WorkOS API
    
    Client->>SDK: check(options)
    SDK->>Serializer: serializeAuthorizationCheckOptions(options)
    Note over Serializer: Convert camelCase to snake_case<br/>Include only provided resource fields
    Serializer-->>SDK: serialized payload
    SDK->>API: POST /authorization/organization_memberships/{om_id}/check
    API-->>SDK: { authorized: boolean }
    SDK-->>Client: AuthorizationCheckResult
Loading

greptile-apps[bot]
greptile-apps bot reviewed Feb 11, 2026
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

6 files reviewed, 1 comment

Edit Code Review Agent Settings | Greptile

src/authorization/authorization.spec.ts
Comment on lines +962 to +993
describe('check', () => {
it('returns authorized when permission is granted (by resource ID)', async () => {
fetchOnce({ authorized: true }, { status: 200 });

const result = await workos.authorization.check({
organizationMembershipId: testOrgMembershipId,
permissionSlug: 'documents:edit',
resourceId: testResourceId,
});

expect(fetchURL()).toContain(
`/authorization/organization_memberships/${testOrgMembershipId}/check`,
);
expect(fetchBody()).toEqual({
permission_slug: 'documents:edit',
resource_id: testResourceId,
});
expect(result).toEqual({ authorized: true });
});

it('returns unauthorized when permission is not granted', async () => {
fetchOnce({ authorized: false }, { status: 200 });

const result = await workos.authorization.check({
organizationMembershipId: testOrgMembershipId,
permissionSlug: 'documents:delete',
resourceId: testResourceId,
});

expect(result).toEqual({ authorized: false });
});
});
Copy link
Contributor

@greptile-apps greptile-apps bot Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding test cases for resourceExternalId + resourceTypeSlug and resourceTypeSlug alone to validate all resource identification methods

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Copy link
Contributor Author

@swaroopAkkineniWorkos swaroopAkkineniWorkos Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added in

@swaroopAkkineniWorkos swaroopAkkineniWorkos changed the title Access Evaluation Check Adding in Access Evaluation endpoint Feb 11, 2026
@swaroopAkkineniWorkos swaroopAkkineniWorkos changed the title Adding in Access Evaluation endpoint Adding in Authorization Access Evaluation endpoint Feb 11, 2026
@swaroopAkkineniWorkos swaroopAkkineniWorkos marked this pull request as ready for review February 11, 2026 13:51
@swaroopAkkineniWorkos swaroopAkkineniWorkos requested a review from a team as a code owner February 11, 2026 13:51
@swaroopAkkineniWorkos swaroopAkkineniWorkos requested review from alisherry, atainter, csrbarber and mattgd and removed request for a team February 11, 2026 13:51
greptile-apps[bot]
greptile-apps bot reviewed Feb 11, 2026
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

6 files reviewed, 1 comment

Edit Code Review Agent Settings | Greptile

src/authorization/serializers/index.ts
export * from './authorization-resource.serializer';
export * from './create-authorization-resource-options.serializer';
export * from './update-authorization-resource-options.serializer';
export * from './authorization-check-options.serializer';
Copy link
Contributor

@greptile-apps greptile-apps bot Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing semicolon (all other exports have semicolons)

Suggested change
export * from './authorization-check-options.serializer';
export * from './authorization-check-options.serializer';

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

Base automatically changed from ENT-4372-Internal-ID to ENT-4372-base-authorization-branch February 11, 2026 19:12
@swaroopAkkineniWorkos swaroopAkkineniWorkos mentioned this pull request Feb 11, 2026
Merged
@swaroopAkkineniWorkos swaroopAkkineniWorkos merged commit d48a6f8 into ENT-4372-base-authorization-branch Feb 11, 2026
8 checks passed
@swaroopAkkineniWorkos swaroopAkkineniWorkos deleted the ENT-4372-access-evaluation-check-endpoint branch February 11, 2026 19:37
swaroopAkkineniWorkos added a commit that referenced this pull request Feb 13, 2026
@swaroopAkkineniWorkos
Authorization Resources endpoints for Internal ID (#1471) (#1479)
9155aec 
Adding these endpoints to the sdk
#1471
```
getResource()    ~ GET /authorization/resources/{resource_id}
createResource() ~ POST /authorization/resources
updateResource() ~ PATCH /authorization/resources/{resource_id}
deleteResource() ~ DELETE /authorization/resources/{resource_id}
```
#1473
```
check() | POST /authorization/organization_memberships/{om_id}/check
```
#1472
```
listResources()               | GET /authorization/organizations/{org_id}/resources

getResourceByExternalId()     | GET /authorization/organizations/{org_id}/resources/{type}/{external_id}
updateResourceByExternalId()  | PATCH /authorization/organizations/{org_id}/resources/{type}/{external_id}
deleteResourceByExternalId()  | DELETE /authorization/organizations/{org_id}/resources/{type}/{external_id}
```
#1474
```
listRoleAssignments() | GET /authorization/organization_memberships/{om_id}/role_assignments
assignRole() | POST /authorization/organization_memberships/{om_id}/role_assignments
removeRole() | DELETE /authorization/organization_memberships/{om_id}/role_assignments
removeRoleAssignment() | DELETE /authorization/organization_memberships/{om_id}/role_assignments/{ra_id}
```
#1478
```
listResourcesForMembership() | GET /authorization/organization_memberships/{om_id}/resources
listMembershipsForResource() | GET /authorization/resources/{resource_id}/organization_memberships
listMembershipsForResourceByExternalId() | GET /authorization/organizations/{org_id}/resources/{type}/{external_id}/organization_memberships
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@csrbarber csrbarber csrbarber approved these changes

@alisherry alisherry Awaiting requested review from alisherry alisherry was automatically assigned from workos/typescript

@atainter atainter Awaiting requested review from atainter

@mattgd mattgd Awaiting requested review from mattgd

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@swaroopAkkineniWorkos @csrbarber