Purpose
This WS designed to create authentication method request for Patient
Specification
Authorization
Verify the validity of access token
Return (401, 'Invalid access token') in case of validation fails
Verify that token is not expired
in case of error - return (401, 'Invalid access token')
Check user scopes in order to perform this action (scope = 'authentication_method_request:write_pis')
Return (403, 'Your scope does not allow to access this resource. Missing allowances: 'authentication_method_request:write_pis') in case of invalid scope(s)
Check that token contains person_id
in case of error - return (401, 'Invalid access token')
Validate person
Get person_id from token (x-person-id header)
Validate patient status is active (status = ‘active' & is_active = 'true’)
in case of error - return 404 ('not found')
Validate confidant person and relationship (optional)
If person is not legally capable - system must ensure that Person authentication method request created by confidant person and there is registered and verified their relationship
Get applicant_person_id from token, compare it to person_id from token:
If equals - check that person must not be authorized by confidant person, so it doesn’t correspond to following rules:
persons age < no_self_registration_age global parameter;
persons age between no_self_registration_age and person_full_legal_capacity_age global parameters and person does not have document with type from PIS_PERSON_LEGAL_CAPACITY_DOCUMENT_TYPES config parameter;
persons age > person_full_legal_capacity_age global parameter and exists at least one active and approved confidant person relationship for person (using following process Check confidant person relationship with person_id = person from request - expected
:ok, :approvedresponse)In case of error - return 409 (‘Only THIRD_PERSON authentication method is allowed')
If not equal -
error - return 409 (‘Only THIRD_PERSON authentication method is allowed’)
Validate request
Validate auth method. il.authentication_method_request.auth_method.type = OTP
in case of error - return 403 ('Only for OTP authentication method is allowed')
phone_numberis requiredIn case of error - return 422 ('required property %{property} was not present')
Check if Person should be sent for OTP verification
check the usage limit of this phone number in table person_authentication_methods with
ended_atіs empty or > now() & type =OTP> Nin case of error - return 422 ('This phone number is present more than #{
phone_number_auth_limit.limit} times in the system')
Get value of PIS_VALIDATE_ALL_PHONES config parameter
if it set to false - check that phone from authentication_methods field must be verified (number does not exists in
verified_phonestable in verifications database)if it set to true - verified phone number by OTP
Service logic
Create authentication method request in il.authentication_method_request with
status = NEW
action = INSERT
authentication_method = $authentication_method
authentication_method_current =
authentication_method_id = $authentication_method_id
channel = PIS
If OTP verification needed
Invoke Initialize OTP to generate one-time password and send it to the client number.
Search requests where person_id = person.id and authentication_method_requests.status = NEW, then
Change the status of all found authentication_method_requests to CANCELED.
If OTP verification is not needed
Search requests where person_id = person.id and authentication_method_requests.status = NEW, then
Change the status of all found authentication_method_requests to CANCELED.
Update mpi.person_authentication_methods
person’s auth method that was before becomes inactive - set
ended_at= now() (Get current date-time) and is_active = falseset new auth_method in person_auth_methods. Set fields -
type,phone_numer,alias(if it is in request)
Update authentication method request
Change entity status in il.authentication_method_request to COMPLETED
Set updated_at - now() (Get current date-time)
Render response according to specification.