Table of Contents

...

  • GraphQL schema
  • Features

Validation

Validate token

  • Verify the validity of access token
    • Return 401 in case validation fails
  • Check that the token is not expired
    • in case of error return 401
  • Validate client_id is NHS
    1. check client type is NHS
      1. in case of error return forbidden error ('Client is not allowed to the action')

Validate scopes

  • Check user scopes in order to perform this action (scope = 'merge_request:read')
    1. Return forbidden in case of invalid scope(s): "Your scope does not allow to access this resource. Missing allowances: merge_request:read"

Verify user and role

Extract from token:

  1. Validate client_id (is_blocked=false)
    1. in case of error return 403 Error ('Client is blocked')
  2. Check user_roles by client_id 
    1. check whether exist role NHS_REVIEWER 
      1. in case of error return 403 Error ('User doesn't have required role')
  3. Validate client_id is NHS
    1. check client type is NHS
      1. in case of error return forbidden error ('Client is not allowed to the action')
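The checks above as one ordered gate that fails closed. This is an added example, not code from the service this page specifies. The claim and field names (`expires_at`, a space-separated `scope`, `type`) and the two 401 messages are assumptions; the 403 messages, the scope and the role are the ones listed above.

```python
import time

REQUIRED_SCOPE = "merge_request:read"
REQUIRED_ROLE = "NHS_REVIEWER"

def authorize(token, client, user_roles, now=None):
    """Return (http_status, message); (200, None) means every check passed.

    token      -- dict of verified claims, or None if verification failed
    client     -- record looked up by token["client_id"] (assumed shape)
    user_roles -- set of role names the user holds for that client
    """
    now = time.time() if now is None else now
    # Authentication failures come first and map to 401.
    if token is None:
        return 401, "Invalid access token"      # message text is an assumption
    if token["expires_at"] <= now:
        return 401, "Access token expired"      # message text is an assumption
    # Everything after this point is an authorization failure: 403.
    if client["type"] != "NHS":
        return 403, "Client is not allowed to the action"
    missing = {REQUIRED_SCOPE} - set(token["scope"].split())
    if missing:
        return 403, ("Your scope does not allow to access this resource. "
                     "Missing allowances: " + ", ".join(sorted(missing)))
    if client["is_blocked"]:
        return 403, "Client is blocked"
    if REQUIRED_ROLE not in user_roles:
        return 403, "User doesn't have required role"
    return 200, None

if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    claims = {"client_id": "c-1", "expires_at": 2_000,
              "scope": "merge_request:read merge_request:write"}
    nhs = {"type": "NHS", "is_blocked": False}
    print(authorize(claims, nhs, {"NHS_REVIEWER"}, now=1_000))
    print(authorize(claims, nhs, {"DOCTOR"}, now=1_000))
```

Returning on the first failed check keeps a caller with a bad token from learning anything about client state or roles.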

...

    • return limited response by manual_merge_requests.assignee_id=$user_id and manual_merge_requests.status in ('NEW', 'POSTPONE')

Response

If no contract request found return 200 and empty array