ЕСОЗ - public documentation

PIS. Patient sign-up validation

Purpose

This web service (WS) validates the signed content submitted as part of the patient registration process, extracts the patient data from it if the content is valid, and creates a session token (JWT) that authorizes the next steps of registration.

Key points

  1. This method must be used only by the Auth front-end.

  2. Validates the signed content, as well as the JWT and the patient data inside it.

  3. Generates a session token (JWT) that confirms the registration request.

Specification

Apiary

Validate signed content

  • Check that signed_content and signed_content_encoding are submitted

    • in case of error - return 422 ('required property signed_content was not present' or 'required property signed_content_encoding was not present')

  • Check that the signed_content field is a valid base64 string

    • in case of error - return 422 ('Invalid signed content')

  • Check that the signed_content_encoding field value equals 'base64'

    • in case of error - return 422 ('value is not allowed in enum')

  • Check that the digital signature is valid

    • in case of error - return 401 with the digital signature validation error message

  • Check that the drfo value from the digital signature belongs to the person in the registration request; the field to compare against is chosen by the format of the value:

    • if the value matches the tax_id regexp (^[0-9]{10}$), it is a tax_id: compare with the tax_id field of the registration request;

    • if the value matches the national_id number regexp (^[0-9]{9}$), it is a national ID number: compare with documents.number where documents.type = 'NATIONAL_ID';

    • if the value contains at least one letter, reverse-transliterate it using the existing algorithm (described here), then check the result against the passport number regexp (^((?![ЫЪЭЁ])([А-ЯҐЇІЄ])){2}[0-9]{6}$); if it matches, it is a passport number: compare with documents.number where documents.type = 'PASSPORT';

    • in case of error - return 409 ('Registration person and person that sign should be the same')

  • Check that last_name from the digital signature matches the last_name field of the person in the registration request

    • in case of error - return 422 ('Input name doesn't match name from digital signature')

  • Check that first_name from the registration request is present in the given_name string from the digital signature

    • in case of error - return 422 ('Input name doesn't match name from digital signature')
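The checks above, as an added example in Go; this is not the project's own code (the eHealth services are not written in Go), and the request, person and signer types, the error type that carries the HTTP status, the lookahead-free form of the passport regexp, the one-letter reverse-transliteration table and the case-insensitive name comparison are all assumptions of this example:

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// ValidationError carries the HTTP status the spec assigns to each failed check.
type ValidationError struct{ Status int; Message string }

func (e *ValidationError) Error() string { return fmt.Sprintf("%d: %s", e.Status, e.Message) }

// Request body, the registration request carried in the signed content, and what the signature layer reports.
type SignupRequest struct{ SignedContent, SignedContentEncoding string }
type Document struct{ Type, Number string }
type Person struct {
	TaxID, FirstName, LastName string
	Documents                  []Document
}
type Signer struct{ DRFO, GivenName, Surname string }

var (
	taxIDRe      = regexp.MustCompile(`^[0-9]{10}$`)
	nationalIDRe = regexp.MustCompile(`^[0-9]{9}$`)
	// The spec's ^((?![ЫЪЭЁ])([А-ЯҐЇІЄ])){2}[0-9]{6}$ uses a lookahead RE2 lacks; this class is the same
	// letters with Ъ, Ы, Э removed (Ё lies outside А-Я already).
	passportRe = regexp.MustCompile(`^[А-ЩЬЮЯҐЇІЄ]{2}[0-9]{6}$`)
)

// reverseTransliterate stands in for the system's own Latin-to-Cyrillic algorithm, which the spec
// only links to; this one-letter table is an assumption that covers the sample input below.
func reverseTransliterate(s string) string {
	table := map[rune]rune{'A': 'А', 'B': 'Б', 'V': 'В', 'H': 'Г', 'D': 'Д', 'E': 'Е', 'K': 'К', 'M': 'М', 'N': 'Н', 'O': 'О', 'P': 'П', 'R': 'Р', 'T': 'Т'}
	return strings.Map(func(r rune) rune {
		if c, ok := table[r]; ok {
			return c
		}
		return r
	}, strings.ToUpper(s))
}

func documentNumber(p Person, typ string) (string, bool) {
	for _, d := range p.Documents {
		if d.Type == typ {
			return d.Number, true
		}
	}
	return "", false
}

// ValidateEnvelope runs the 422 checks on the request fields in the spec's order and returns the decoded content.
func ValidateEnvelope(req SignupRequest) ([]byte, error) {
	if req.SignedContent == "" {
		return nil, &ValidationError{422, "required property signed_content was not present"}
	}
	if req.SignedContentEncoding == "" {
		return nil, &ValidationError{422, "required property signed_content_encoding was not present"}
	}
	raw, err := base64.StdEncoding.DecodeString(req.SignedContent)
	if err != nil {
		return nil, &ValidationError{422, "Invalid signed content"}
	}
	if req.SignedContentEncoding != "base64" {
		return nil, &ValidationError{422, "value is not allowed in enum"}
	}
	return raw, nil
}

// MatchSigner runs the drfo and name checks that tie the certificate holder to the person being registered.
func MatchSigner(p Person, s Signer) error {
	drfo, expected, found := s.DRFO, "", false
	switch {
	case taxIDRe.MatchString(drfo):
		expected, found = p.TaxID, p.TaxID != ""
	case nationalIDRe.MatchString(drfo):
		expected, found = documentNumber(p, "NATIONAL_ID")
	default: // spec: "contains at least one letter"; anything else fails the passport regexp anyway
		if drfo = reverseTransliterate(drfo); passportRe.MatchString(drfo) {
			expected, found = documentNumber(p, "PASSPORT")
		}
	}
	if !found || expected != drfo {
		return &ValidationError{409, "Registration person and person that sign should be the same"}
	}
	// Case folding is this example's choice; the spec says only "matches" and "is present in".
	if !strings.EqualFold(s.Surname, p.LastName) || !strings.Contains(strings.ToUpper(s.GivenName), strings.ToUpper(p.FirstName)) {
		return &ValidationError{422, "Input name doesn't match name from digital signature"}
	}
	return nil
}

func main() {
	p := Person{TaxID: "1234567890", FirstName: "Іван", LastName: "Петренко", Documents: []Document{{"PASSPORT", "КВ123456"}}} // constructed
	fmt.Println(ValidateEnvelope(SignupRequest{"c2lnbmVkLWNvbnRlbnQ=", "base64"}))
	fmt.Println(MatchSigner(p, Signer{"KV123456", "Іван Петрович", "Петренко"}))
}
```

The envelope checks run before any signature work, so malformed input is rejected with a 422 without ever reaching the signature library; the drfo comparison is done only after the value has been classified, so a tax_id in the certificate is never compared against a passport number and vice versa.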

Validate person registration request

Validate JWT

  • validate the JWT signature

  • validate the issuer (iss = Ehealth)

  • validate the expiration (exp must be in the future)

    • in case of any error - return 401 ('JWT is invalid.')

Service logic

Generate JWT

  1. Fetch the JWT TTL from the JWT_LOGIN_TTL environment parameter (value in minutes).

  2. Take the signed_content field value and calculate its MD5 hash.

  3. Generate a JWT with the following parameters:

    1. alg = RS512

    2. aud = pis-registration

    3. content_hash = MD5 hash of the signed_content field value

    4. exp = iat + JWT_LOGIN_TTL (the TTL in minutes, converted to the unit of iat)

    5. iat = now()

    6. iss = EHealth

    7. jti = newly generated UUID for this JWT

    8. nbf = now() - 1 second

    9. sub = content_hash

    10. typ = access
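The Validate JWT and Generate JWT steps above, as an added example in Go that is not the project's own code; the RSA key handling, the JSON claim names, hex encoding of content_hash, the UUID layout of jti, the ttlMinutes parameter standing in for JWT_LOGIN_TTL and the fixed iss value "EHealth" are this example's assumptions:

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ErrInvalidJWT is the one 401 message the spec returns for any JWT failure; issuer is the iss value.
var ErrInvalidJWT = errors.New("JWT is invalid.")
const issuer = "EHealth"

// Claims are the session-token claims listed under "Generate JWT".
type Claims struct {
	Aud         string `json:"aud"`
	ContentHash string `json:"content_hash"`
	Exp         int64  `json:"exp"`
	Iat         int64  `json:"iat"`
	Iss         string `json:"iss"`
	Jti         string `json:"jti"`
	Nbf         int64  `json:"nbf"`
	Sub         string `json:"sub"`
	Typ         string `json:"typ"`
}

// NewSigningKey makes a throwaway RSA key; a deployment uses a managed key, not one per run.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func b64url(b []byte) string                 { return base64.RawURLEncoding.EncodeToString(b) }

// newJTI lays 16 random bytes out as a version-4 UUID for the jti claim.
func newJTI() string {
	var u [16]byte
	rand.Read(u[:]) // crypto/rand; documented never to return an error in current Go
	u[6], u[8] = (u[6]&0x0f)|0x40, (u[8]&0x3f)|0x80
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:16])
}

// GenerateSessionToken implements "Generate JWT"; ttlMinutes stands in for JWT_LOGIN_TTL. content_hash
// (= sub) ties the token to the exact signed_content that was validated; MD5 is a fingerprint here, not a signature.
func GenerateSessionToken(key *rsa.PrivateKey, signedContent string, ttlMinutes int, now time.Time) (string, error) {
	contentHash := fmt.Sprintf("%x", md5.Sum([]byte(signedContent)))
	claims := Claims{Aud: "pis-registration", ContentHash: contentHash, Iss: issuer, Jti: newJTI(),
		Sub: contentHash, Typ: "access", Iat: now.Unix(),
		Exp: now.Add(time.Duration(ttlMinutes) * time.Minute).Unix(), // exp = iat + JWT_LOGIN_TTL
		Nbf: now.Add(-time.Second).Unix()}                             // nbf = now() - 1 second
	header, _ := json.Marshal(map[string]string{"alg": "RS512", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha512.Sum512([]byte(signingInput)) // RS512 = RSASSA-PKCS1-v1_5 over SHA-512
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA512, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// ValidateSessionToken implements "Validate JWT": signature, iss and exp, each failing with the same 401.
func ValidateSessionToken(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrInvalidJWT
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, ErrInvalidJWT
		}
		raw[i] = b
	}
	// Pin the algorithm before verifying: the token must not get to choose how it is checked.
	var header struct{ Alg string `json:"alg"` }
	if json.Unmarshal(raw[0], &header) != nil || header.Alg != "RS512" {
		return nil, ErrInvalidJWT
	}
	digest := sha512.Sum512([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], raw[2]) != nil {
		return nil, ErrInvalidJWT
	}
	var c Claims
	if json.Unmarshal(raw[1], &c) != nil || c.Iss != issuer || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, ErrInvalidJWT
	}
	return &c, nil
}

func main() {
	key, _ := NewSigningKey()
	token, _ := GenerateSessionToken(key, "c2lnbmVkLWNvbnRlbnQ=", 15, time.Now()) // constructed signed_content
	fmt.Println(ValidateSessionToken(&key.PublicKey, token, time.Now()))
}
```

The verifier pins alg to RS512 and checks the signature before it parses the claims, so an attacker cannot switch the token to "none" or to an HMAC algorithm keyed with the public key. The spec's validation list covers only signature, iss and exp; a production verifier should also check aud and nbf, and a single generic 401 message is deliberate so that callers cannot learn which check failed.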

Render person data

Render the person (patient) data according to the specification.
