Table of Contents

...

  • GraphQL schema
  • Features

Validation

Validate token

  • Verify the validity of the access token
    • Return 401 if validation fails
  • Verify the token is not expired
    • Return 401 in case of error
  • Validate client_id is NHS
    1. Check that the client type is NHS
      1. In case of error, return a forbidden error ('Client is not allowed to the action')

Validate scopes

  • Check that the user's scopes allow this action (scope = 'merge_request:read')
    1. Return forbidden in case of invalid scope(s): "Your scope does not allow to access this resource. Missing allowances: merge_request:read"
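
The token, client and scope checks above, applied in the order listed, as an added Python example (not code from the original page or the project). The token record shape (`expires_at`, `client_type`, `scope`), the name `authorize`, the two 401 message texts and the sample records are assumptions; the two 403 messages are the ones quoted on the page.

```python
import time

REQUIRED_SCOPES = ("merge_request:read",)  # scope named on the page
ALLOWED_CLIENT_TYPE = "NHS"                # client type named on the page


def authorize(token, required=REQUIRED_SCOPES, now=None):
    """Return (http_status, message) for an introspected token record.

    Assumed shape: None if the token is unknown, else a dict with
    `expires_at` (epoch seconds), `client_type`, `scope` (space-delimited).
    """
    now = time.time() if now is None else now

    # 1. Authentication: unknown or expired tokens get 401 before any
    #    authorization check, so a bad token never learns client/scope details.
    if token is None:
        return 401, "Invalid access token"   # constructed message text
    if token.get("expires_at", 0) <= now:    # missing expiry fails closed
        return 401, "Access token expired"   # constructed message text

    # 2. Client type: authenticated but not an NHS client -> 403.
    if token.get("client_type") != ALLOWED_CLIENT_TYPE:
        return 403, "Client is not allowed to the action"

    # 3. Scopes: compare whole scope tokens (no prefix/substring matching)
    #    and report only the missing ones. The ", " separator is an assumption.
    granted = set((token.get("scope") or "").split())
    missing = [s for s in required if s not in granted]
    if missing:
        return 403, ("Your scope does not allow to access this resource. "
                     "Missing allowances: " + ", ".join(missing))
    return 200, "OK"


# Constructed sample token records (not real data).
NOW = 1_700_000_000
SAMPLES = {
    "valid": {"expires_at": NOW + 60, "client_type": "NHS", "scope": "merge_request:read"},
    "expired": {"expires_at": NOW - 1, "client_type": "NHS", "scope": "merge_request:read"},
    "wrong_client": {"expires_at": NOW + 60, "client_type": "OTHER", "scope": "merge_request:read"},
    "near_miss": {"expires_at": NOW + 60, "client_type": "NHS", "scope": "merge_request:reader merge_request"},
    "unknown": None,
}

if __name__ == "__main__":
    for name, tok in SAMPLES.items():
        print(name, authorize(tok, now=NOW))
```

The `near_miss` record shows why scopes are compared as whole tokens: `merge_request:reader` and `merge_request` both contain or prefix the required string but must not satisfy it.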

Validate context

Return the response to the user, limited by the context from the user's token

...