ЕСОЗ - публічна документація

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Purpose

This WS is designed to validate signed content as a part of registration patient by confidant person process, extract patient data if it is valid and create session token to do further steps

Key points

  1. This method must be used only by Auth front-end

  2. This method requires confidant person to be authenticated already

  3. Validates signed content as well as jwt and patient data inside it

  4. Generates session token (jwt) to confirm registration request

Specification

Apiary

Authorization

  • Verify the validity of access token

    • in case of error - return 401 (“Invalid access token”)

  • Verify that token is not expired

    • in case of error - return 401 (“Invalid access token”)

  • Check user scopes in order to perform this action (scope = confidant_person:sign_up)

    • return 403 (“Your scope does not allow to access this resource. Missing allowances: confidant_person:sign_up”) in case of invalid scope(s)

Validate signed content

  • Check signed_content and signed_content_encoding are submitted

    • in case of error - return 422 ('required property signed_content was not present' or ‘required property signed_content_encoding was not present')

  • Check signed content is a valid base64

    • in case of error - return 422 ('Invalid signed content')

  • Check signed content encoding is a 'base64' value

    • in case of error - return 422 ('is invalid')

  • Check digital signature is valid

    • in case of error - return 400

  • Check that signer of the request relates to the authenticated person. Get person from MPI using x-person-id and ensure that person.tax_id or person.documents is equal to signer drfo (from digital signature)

    • if drfo value equals to tax_id regexp (^[0-9]{10}$) - compare with person.tax_id

    • if drfo value equals to national_id number regexp (^[0-9]{9}$) - compare with document with type 'NATIONAL_ID'

    • if drfo value contains at least one letter, perform reverse transliteration of field using existing algorithm (described here), then check that value equals to passport number regexp (^((?![ЫЪЭЁ])([А-ЯҐЇІЄ])){2}[0-9]{6}$) - compare with document with type 'PASSPORT'

      • in case of error - return 401 ('Unable to authenticate signer')

Validate person registration request

Service logic

Generate JWT

  1. Fetch JWT TTL value from JWT_LOGIN_TTL env parameter (in minutes).

  2. Decode signed_content field and calculate its MD5 hash.

  3. Generate JWT with following parameters:

    1. alg = HS512

    2. aud = pis-registration

    3. content_hash = MD5 hash of decoded signed_content field value

    4. exp = iat + JWT_LOGIN_TTL

    5. iat = now()

    6. iss = EHealth

    7. jti = generate uuid of JWT

    8. nbf = now() - 1 second

    9. sub = content_hash

    10. typ = access

Render person data

Render person (patient) data according to specification

  • No labels