feat: step7 auth check

[swaroopAkkineniWorkos]

This change updates the SDK to call the check() endpoint, handled in authorization.controller.ts

[linear]

ENT-5353 Update Go sdk for fga

[swaroopAkkineniWorkos]

@greptile review

[swaroopAkkineniWorkos]

@greptile re-review plz

[greptile-apps]

Greptile Summary

This PR implements the Check() authorization endpoint, replacing the previous stub that returned "not implemented". It builds a POST request to /authorization/organization_memberships/{id}/check, merges the ResourceIdentifier fields into the JSON body, and handles HTTP and decoding errors. As part of the change, the field Resource on AuthorizationCheckOpts is renamed to ResourceIdentifier for clarity. Comprehensive unit tests are added covering both identifier types, authorized and unauthorized paths, HTTP errors, and nil/missing inputs.

Key changes:

• Implements Client.Check() with proper request construction, auth header, and response decoding
• Renames AuthorizationCheckOpts.Resource → ResourceIdentifier (breaking rename — callers using field names will need to update)
• Adds nil guard for ResourceIdentifier, but is missing an equivalent guard for OrganizationMembershipId (empty value produces a malformed URL)
• authorization_test.go mutates the package-level DefaultClient without restoring it via t.Cleanup, risking state leakage to other tests

Confidence Score: 3/5

• Mostly safe to merge, but has a missing input validation that can produce confusing API errors and a test-isolation issue.
• The core implementation is correct and well-tested. The missing validation for OrganizationMembershipId means a caller passing an empty string silently constructs a malformed URL instead of getting a clear local error. The global state mutation in authorization_test.go without cleanup is a test hygiene concern that could cause flaky failures as the test suite grows.
• pkg/authorization/client.go (missing OrganizationMembershipId validation), pkg/authorization/authorization_test.go (global state not cleaned up)

Important Files Changed

Filename	Overview
pkg/authorization/client.go	Implements the Check method (previously a stub), renames AuthorizationCheckOpts.Resource to ResourceIdentifier, and correctly builds the POST request. Missing validation for an empty OrganizationMembershipId, which would produce a malformed URL.
pkg/authorization/client_test.go	Adds comprehensive unit tests for Check, covering both resource identifier types, authorized/unauthorized responses, HTTP errors, missing API key, and nil resource identifier. Helpers are well-structured and reusable.
pkg/authorization/authorization_test.go	Adds an integration-style test for the package-level Check function via DefaultClient, but mutates global state without restoring it via t.Cleanup.

Sequence Diagram

sequenceDiagram
    participant Caller
    participant Client as authorization.Client
    participant API as WorkOS API

    Caller->>Client: Check(ctx, AuthorizationCheckOpts)
    Client->>Client: Validate ResourceIdentifier != nil
    Client->>Client: Build JSON body<br/>{permission_slug, resource_id / resource_external_id + resource_type_slug}
    Client->>API: POST /authorization/organization_memberships/{id}/check<br/>Authorization: Bearer {apiKey}
    API-->>Client: 200 OK {authorized: true/false}<br/>or 4xx/5xx error
    Client->>Client: TryGetHTTPError(res)
    Client->>Client: json.Decode → AccessCheckResponse
    Client-->>Caller: AccessCheckResponse{Authorized}, err

Loading

Comments Outside Diff (2)

1. pkg/authorization/client.go, line 679-681 (link)

   Missing validation for OrganizationMembershipId

   OrganizationMembershipId is not validated before being interpolated into the URL path. If the caller passes an empty string, the resulting URL will be malformed — e.g., .../authorization/organization_memberships//check — which will produce a confusing API error instead of a clear, local validation message. This is inconsistent with the explicit validation already added for ResourceIdentifier.

2. pkg/authorization/authorization_test.go, line 17-21 (link)

   Global state not restored after test

   DefaultClient and the API key are package-level variables. Reassigning them here without a t.Cleanup call to restore the originals can leave stale state for any tests that run after this one in the same package. This is particularly risky as more tests are added to authorization_test.go or client_test.go that rely on the default client.

_{Last reviewed commit: 5174853}