PIS. Confidant patient login

Purpose

This WS is designed to process authentication request from confidant person in a context of related person

Key points

1. This method must be used only by Auth front-end

2. Creates user if there is no such user in the system

3. Generates authorization token for further actions

Specification

Apiary

Validate request

Authorization

• Verify the validity of access token

  • in case of error - return 401 (“Invalid access token”)

• Verify that token is not expired

  • in case of error - return 401 (“Invalid access token”)

• Check user scopes in order to perform this action (scope = confidant_person:sign_in)

  • return 403 (“Your scope does not allow to access this resource. Missing allowances: confidant_person:sign_in”) in case of invalid scope(s)

Validate client

• Check client_id is submitted

  • in case of error - return 422 ('required property client_id was not present')

• Check client_id exists in mithril database

  • in case of error - return 401 ('Invalid client id.')

• Check client_id is not blocked in mithril database (is_blocked <> true)

  • in case of error - return 401 ('Client is blocked.')

• Check client_id belongs to Auth app (CABINET_CLIENT_ID env variable)

  • in case of error - return 403 ('Forbidden')

Validate scope

• Check scope is submitted and is not null

  • in case of error - return 422 ('required property scope was not present')

• Check requested scope = 'app:authorize'

  • in case of error - return 422 ('Scope is not allowed')

Validate grant type

• Check grant_type is submitted

  • in case of error - return 422 ('required property grant_type was not present')

• Check grant_type is one of the values: pis_auth

  • in case of error - return 401 ('Grant type not allowed.')

• Check grant_type is allowed to be issued by client (value exists in allowed_grant_types setting for client)

  • in case of error - return 401 ('Client is not allowed to issue access token.')

Validate signed content

• Check signed_content and signed_content_encoding are submitted

  • in case of error - return 422 ('required property signed_content was not present' or ‘required property signed_content_encoding was not present')

• Check signed content is a valid base64

  • in case of error - return 422 ('Invalid signed content')

• Check signed content encoding is a 'base64' value

  • in case of error - return 422 ('is invalid')

• Check digital signature is valid

  • in case of error - return 401

• Check that signer of the request relates to the authenticated person. Get person from MPI using x-person-id and ensure that person.tax_id or person.documents is equal to signer drfo (from digital signature)

  • if drfo value equals to tax_id regexp (^[0-9]{10}$) - compare with person.tax_id

  • if drfo value equals to national_id number regexp (^[0-9]{9}$) - compare with document with type 'NATIONAL_ID'

  • if drfo value contains at least one letter, perform reverse transliteration of field using existing algorithm (described here), then check that value equals to passport number regexp (^((?![ЫЪЭЁ])([А-ЯҐЇІЄ])){2}[0-9]{6}$) - compare with document with type 'PASSPORT'

    • in case of error - return 401 ('Unable to authenticate signer')

Service logic

Search patient

Search for a patient in MPI using received patient data

Generic algorithm must be used Active person search algorithm

1. If no records found - return 401 ('User and patient with such data not found')

2. If more than one record found - return 401 ('Unable to identify')

3. If one record found - set id as patient_id and proceed to further steps

Check confidant person relationship

Get confidant_person_id from token (new header x-person-id)

Check relationship using Check confidant person relationship and having confidant_person_id and patient_id

1. If relationship doesn’t exist - return 403 ('Relationship not confirmed.')

Search user in Mithril

1. Search for existing user in mithril database, users table, with person_id = patient_id and is_active = true

   1. If user is found - check it is not blocked (is_blocked <> true)

      1. in case blocked - return 401 ('User is blocked.').

      2. in case not blocked - save its user_id and proceed to PIS. Confidant patient login | Generate access token

   2. If user is not found - proceed to PIS. Confidant patient login | Create user if not exists

Create user if not exists

1. Create user for active patient in mithril database, users table, set:

   1. id = autogenerate uuid

   2. settings = ‘{“trusted_source”: false}’

   3. priv_settings = ‘{"login_hstr": [], "otp_error_counter": 0}’

   4. inserted_at = now()

   5. updated_at = now()

   6. password_set_at = now()

   7. tax_id = tax_id or document.number from payload (if both where passed - then tax_id must be used)

   8. person_id = person_id of person that was found on Search patient step

2. Create global role for created user in mithril database, global_user_roles table, set:

   1. id = autogenerate uuid

   2. user_id = user_id of user created on earlier

   3. role_id = id of role with name ‘PATIENT’

   4. inserted_at = now()

   5. updated_at = now()

Generate access token

1. Generate auth_token with scope app:authorize for user_id and client_id of Auth UI (from env)

2. Save tokens to mithil database, tokens table, set:

   1. id = token uuid

   2. name = token name (‘access_token’)

   3. value = hashed token

   4. expires_at = date and time when token will be expired in unix-time format

   5. details = additional details of token (scopes, client_id, grant_type)

   6. user_id = id of user

   7. inserted_at = now()

   8. updated_at = now()

3. Render a response according to specification.