resource memberships

[swaroopAkkineniWorkos]

linear: https://linear.app/workos/issue/ENT-4372/sdk-updates

I decided to break up the work for ENT-4372 into a smaller pr's that we can be easily reviewed and merge them into ENT-4372-base-authorization-branch. Then we can have one final merge that merges ENT-4372-base-authorization-branch into the main.

desc: the goal of this pr is to implement the following endpoints in the node sdk.

listResourcesForMembership() | GET /authorization/organization_memberships/{om_id}/resources
listMembershipsForResource() | GET /authorization/resources/{resource_id}/organization_memberships
listMembershipsForResourceByExternalId() | GET /authorization/organizations/{org_id}/resources/{type}/{external_id}/organization_memberships

listResourcesForMembership() ~ https://github.com/workos/workos/blob/main/packages/api/src/authorization/authorization.controller.ts#L221
listOrganizationMembershipsForResource() ~ https://github.com/workos/workos/blob/main/packages/api/src/authorization-resources/authorization-resources.controller.ts#L411
listOrganizationMembershipsForResourceByExternalId() ~ https://github.com/workos/workos/blob/main/packages/api/src/authorization-resources/authorization-resources-by-external-id.controller.ts#L135

[linear]

ENT-4372 SDK Updates

[swaroopAkkineniWorkos]

@greptile review plz

[greptile-apps]

_{12 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[swaroopAkkineniWorkos]

@greptile re-review plz. Look at the api implementation linked in the description as part of your review. The sdk should implement calling them

[greptile-apps]

Greptile Overview

Greptile Summary

Implements three new endpoints for querying relationships between organization memberships and resources:

• listResourcesForMembership() - retrieves resources accessible to a membership with a specific permission
• listMembershipsForResource() - retrieves memberships that have access to a resource with a specific permission (by internal resource ID)
• listMembershipsForResourceByExternalId() - same as above but using external resource identifiers

Key Implementation Details:

• All methods follow existing SDK patterns for pagination, serialization, and deserialization
• Proper TypeScript typing with separate response and deserialized interfaces
• Union type used for listResourcesForMembership to support either internal ID or external ID for parent resource
• Comprehensive test coverage including pagination, edge cases, and optional parameters
• Authorization-specific AuthorizationOrganizationMembership type introduced to handle simplified membership data (without role information)

Code Quality:

• Consistent with existing codebase patterns and conventions
• No security concerns (no SQL, CORS, or logging of sensitive data)
• Proper null coalescing for optional fields like customAttributes

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The implementation follows established SDK patterns precisely, includes comprehensive test coverage for all three new methods and their edge cases, and introduces no security concerns. The code is well-structured with proper TypeScript typing and consistent with the existing authorization module architecture.
• No files require special attention

Important Files Changed

Filename	Overview
src/authorization/authorization.ts	Added three new list methods for querying resource-membership relationships. Implementation follows existing patterns correctly with proper serialization/deserialization.
src/authorization/authorization.spec.ts	Comprehensive test coverage for all three new methods including edge cases, pagination, and optional parameters.
src/authorization/interfaces/organization-membership-list.interface.ts	Defines authorization-specific organization membership types with proper response/deserialized pairs.
src/authorization/serializers/list-resources-for-membership-options.serializer.ts	Correctly serializes options to API format, handling union type with proper conditional logic.
src/authorization/serializers/list-memberships-for-resource-options.serializer.ts	Serializer shared between both membership query methods with proper optional field handling.

Sequence Diagram

sequenceDiagram
    participant Client as SDK Client
    participant SDK as Authorization Module
    participant API as WorkOS API

    Note over Client,API: listResourcesForMembership Flow
    Client->>SDK: listResourcesForMembership(organizationMembershipId, permissionSlug, parent...)
    SDK->>SDK: serializeListResourcesForMembershipOptions()
    SDK->>API: GET /authorization/organization_memberships/{om_id}/resources
    API-->>SDK: AuthorizationResourceListResponse
    SDK->>SDK: deserializeAuthorizationResource() for each item
    SDK-->>Client: AuthorizationResourceList

    Note over Client,API: listMembershipsForResource Flow
    Client->>SDK: listMembershipsForResource(resourceId, permissionSlug)
    SDK->>SDK: serializeListMembershipsForResourceOptions()
    SDK->>API: GET /authorization/resources/{resource_id}/organization_memberships
    API-->>SDK: AuthorizationOrganizationMembershipListResponse
    SDK->>SDK: deserializeAuthorizationOrganizationMembership() for each item
    SDK-->>Client: AuthorizationOrganizationMembershipList

    Note over Client,API: listMembershipsForResourceByExternalId Flow
    Client->>SDK: listMembershipsForResourceByExternalId(orgId, typeSlug, externalId, permissionSlug)
    SDK->>SDK: serializeListMembershipsForResourceOptions()
    SDK->>API: GET /authorization/organizations/{org_id}/resources/{type}/{external_id}/organization_memberships
    API-->>SDK: AuthorizationOrganizationMembershipListResponse
    SDK->>SDK: deserializeAuthorizationOrganizationMembership() for each item
    SDK-->>Client: AuthorizationOrganizationMembershipList

Loading

_{Last reviewed commit: 2eefd57}

[greptile-apps]

_{12 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[atainter]

I think we already have types for organization membership because it's used with the organization memberships API. It uses the same JSON type so we should probably use the same interface.

[atainter]

I think we'll need to create a base type because this interface includes a non-optional role field but it's not in the server response

https://github.com/workos/workos-node/blob/main/src/user-management/interfaces/organization-membership.interface.ts#L28

vs

https://github.com/workos/workos/blob/main/packages/api-json-models/src/rest-api/userland-user-organization-membership.ts#L8

[swaroopAkkineniWorkos]

changed to deleteWithBody because the delete role assignment API expects the identifying fields in the request body, and delete() doesn't send a body.

https://github.com/workos/workos/blob/1bf21e074e2cde476d83660ca41e05853fa081b8/packages/api/src/authorization/authorization-role-assignments.controller.ts#L205

[atainter]

This should be in the userland package for base organization membership

[atainter]

I think we should remove this because authz doesn't use it

[atainter]

Is there a common helper for the pagination params?

[atainter]

this should be in the base