Authorization Resources endpoints for Internal ID (#1471)

[swaroopAkkineniWorkos]

adding these new api's that can be called

getResource() - GET /authorization/resources/{resource_id}
createResource() - POST /authorization/resources
updateResource() - PATCH /authorization/resources/{resource_id}
deleteResource() - DELETE /authorization/resources/{resource_id}
listResources()  - GET /authorization/organizations/{org_id}/resources

check() - POST /authorization/organization_memberships/{om_id}/check

getResourceByExternalId() - GET /authorization/organizations/{org_id}/resources/{type}/{external_id}
updateResourceByExternalId() - PATCH /authorization/organizations/{org_id}/resources/{type}/{external_id}
deleteResourceByExternalId() - DELETE /authorization/organizations/{org_id}/resources/{type}/{external_id}

listRoleAssignments() - GET /authorization/organization_memberships/{om_id}/role_assignments
assignRole() - POST /authorization/organization_memberships/{om_id}/role_assignments
removeRole() - DELETE /authorization/organization_memberships/{om_id}/role_assignments
removeRoleAssignment() - DELETE /authorization/organization_memberships/{om_id}/role_assignments/{ra_id}

listResourcesForMembership() - GET /authorization/organization_memberships/{om_id}/resources
listMembershipsForResource() - GET /authorization/resources/{resource_id}/organization_memberships
listMembershipsForResourceByExternalId() - GET /authorization/organizations/{org_id}/resources/{type}/{external_id}/organization_memberships

[linear]

ENT-4372 SDK Updates

[greptile-apps]

Greptile Overview

Greptile Summary

This PR adds support for authorization resource management using internal IDs, consolidating functionality from previously merged PRs (#1471, #1472, #1473, #1474, #1478). The implementation adds 8 new methods to the Authorization class for managing resources and role assignments.

Key Changes:

• Added resource management methods: getResource(), createResource(), updateResource(), deleteResource() for working with internal resource IDs
• Added resource listing methods: listResources(), getResourceByExternalId(), updateResourceByExternalId(), deleteResourceByExternalId() for external ID operations
• Added role assignment methods: listRoleAssignments(), assignRole(), removeRole(), removeRoleAssignment() for organization membership role management
• Added resource-membership relationship methods: listResourcesForMembership(), listMembershipsForResource(), listMembershipsForResourceByExternalId()
• Implemented deleteWithBody() across HTTP client layers to support DELETE requests with request bodies
• Refactored OrganizationMembership interface to extract base fields, enabling authorization-specific membership responses without role/organizationName
• Created reusable serializePaginationOptions() utility for consistent pagination handling
• Added deprecation notice to FGA module directing users to Authorization module

Implementation Quality:

• All methods follow consistent patterns established in the codebase
• Proper use of TypeScript union types ensures type safety (e.g., parent resource by ID vs external ID)
• Serializers correctly handle optional fields and conditional parameters
• Comprehensive test coverage with 1,390+ lines of tests covering success cases, edge cases, null handling, and pagination scenarios
• No security issues detected - no sensitive field logging, SQL injection risks, or insecure configurations

Confidence Score: 5/5

• This PR is safe to merge with minimal risk.
• All implementations follow established patterns in the codebase, comprehensive test coverage validates behavior including edge cases, proper serialization/deserialization, no security vulnerabilities detected, and the new deleteWithBody method is correctly implemented with retry logic.
• No files require special attention

Important Files Changed

Filename	Overview
src/authorization/authorization.ts	Added 8 new methods for authorization resources and role assignments. All methods follow consistent patterns and correctly use serializers/deserializers.
src/authorization/authorization.spec.ts	Comprehensive test coverage for all new endpoints with edge cases, null handling, and pagination scenarios.
src/common/net/fetch-client.ts	Added deleteWithBody method to support DELETE requests with request bodies, properly handles retry logic.
src/workos.ts	Added deleteWithBody wrapper method with proper API key validation and error handling.
src/authorization/serializers/list-resources-for-membership-options.serializer.ts	Serializes pagination and parent resource options (by ID or external ID), properly handles conditional fields.
src/user-management/interfaces/organization-membership.interface.ts	Refactored to use base interface and added AuthorizationOrganizationMembership type without role/organizationName fields.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Authorization
    participant WorkOS
    participant FetchClient
    participant API

    Note over Client,API: Resource Management Flow (Internal ID)
    Client->>Authorization: getResource(resourceId)
    Authorization->>WorkOS: get(/authorization/resources/{id})
    WorkOS->>FetchClient: get(url, options)
    FetchClient->>API: GET /authorization/resources/{id}
    API-->>FetchClient: AuthorizationResourceResponse
    FetchClient-->>WorkOS: response
    WorkOS-->>Authorization: response data
    Authorization->>Authorization: deserializeAuthorizationResource()
    Authorization-->>Client: AuthorizationResource

    Note over Client,API: Role Assignment Flow
    Client->>Authorization: assignRole(options)
    Authorization->>Authorization: serializeAssignRoleOptions()
    Authorization->>WorkOS: post(/om/{id}/role_assignments, body)
    WorkOS->>FetchClient: post(url, body, options)
    FetchClient->>API: POST /om/{id}/role_assignments
    API-->>FetchClient: RoleAssignmentResponse
    FetchClient-->>WorkOS: response
    WorkOS-->>Authorization: response data
    Authorization->>Authorization: deserializeRoleAssignment()
    Authorization-->>Client: RoleAssignment

    Note over Client,API: Remove Role Flow (with body)
    Client->>Authorization: removeRole(options)
    Authorization->>Authorization: serializeRemoveRoleOptions()
    Authorization->>WorkOS: deleteWithBody(/om/{id}/role_assignments, body)
    WorkOS->>FetchClient: deleteWithBody(url, body, options)
    FetchClient->>API: DELETE /om/{id}/role_assignments (with body)
    API-->>FetchClient: 204 No Content
    FetchClient-->>WorkOS: response
    WorkOS-->>Authorization: void
    Authorization-->>Client: void

    Note over Client,API: List Resources for Membership
    Client->>Authorization: listResourcesForMembership(options)
    Authorization->>Authorization: serializeListResourcesForMembershipOptions()
    Authorization->>WorkOS: get(/om/{id}/resources, query)
    WorkOS->>FetchClient: get(url, options)
    FetchClient->>API: GET /om/{id}/resources?permission_slug=...
    API-->>FetchClient: AuthorizationResourceListResponse
    FetchClient-->>WorkOS: response
    WorkOS-->>Authorization: response data
    Authorization->>Authorization: deserializeAuthorizationResource() for each
    Authorization-->>Client: AuthorizationResourceList

Loading

_{Last reviewed commit: bfc197d}

[greptile-apps]

_{45 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[atainter]

Not blocking, but can you follow with an update to change these test fixtures to use workspace -> project instead of folder/document?

[swaroopAkkineniWorkos]

oh sorry, i forgot about that