ЕСОЗ - public documentation

PIS. Confidant patient sign-up validation

Purpose

This WS is designed to validate signed content as part of the patient registration by a confidant person, extract the patient data if the content is valid, and create a session token for the further steps.

Key points

  1. This method must be used only by the Auth front-end

  2. This method requires the confidant person to be authenticated already

  3. Validates the signed content as well as the JWT and the patient data inside it

  4. Generates a session token (JWT) to confirm the registration request

Specification

Apiary

Authorization

  • Verify the validity of the access token

    • in case of error - return 401 (“Invalid access token”)

  • Verify that the token is not expired

    • in case of error - return 401 (“Invalid access token”)

  • Check that the user's scopes allow this action (scope = confidant_person:sign_up)

    • return 403 (“Your scope does not allow to access this resource. Missing allowances: confidant_person:sign_up”) in case of invalid scope(s)

Validate signed content

  • Check that signed_content and signed_content_encoding are submitted

    • in case of error - return 422 ('required property signed_content was not present' or 'required property signed_content_encoding was not present')

  • Check that the signed content is valid base64

    • in case of error - return 422 ('Invalid signed content')

  • Check that the signed content encoding is the value 'base64'

    • in case of error - return 422 ('is invalid')

  • Check that the digital signature is valid

    • in case of error - return 400

  • Check that the signer of the request is the authenticated person. Get the person from MPI using x-person-id and ensure that person.tax_id or one of person.documents equals the signer's drfo (taken from the digital signature)

    • if the drfo value matches the tax_id regexp (^[0-9]{10}$) - compare it with person.tax_id

    • if the drfo value matches the national_id number regexp (^[0-9]{9}$) - compare it with the document of type 'NATIONAL_ID'

    • if the drfo value contains at least one letter, perform reverse transliteration of the field using the existing algorithm (described here), then check that the value matches the passport number regexp (^((?![ЫЪЭЁ])([А-ЯҐЇІЄ])){2}[0-9]{6}$) - compare it with the document of type 'PASSPORT'

      • in case of error - return 401 ('Unable to authenticate signer')
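The request-field checks and the signer-to-person matching above, written out as an added example (this is not the ЕСОЗ service code). It uses only the standard library and the regular expressions quoted in the section. Assumptions: the request arrives as a dict, a person's documents are dicts with `type` and `number` keys, and the reverse-transliteration algorithm the page only links to is passed in as a callable (identity by default), so the passport branch is exercised with an already-Cyrillic value.

```python
import base64
import binascii
import re

# Regular expressions quoted in the specification above.
TAX_ID_RE = re.compile(r"^[0-9]{10}$")
NATIONAL_ID_RE = re.compile(r"^[0-9]{9}$")
PASSPORT_RE = re.compile(r"^((?![ЫЪЭЁ])([А-ЯҐЇІЄ])){2}[0-9]{6}$")


def validate_signed_content(payload):
    """Run the request-field checks in the order the page lists them.

    Returns (status, message) for the first failing check, or (None, None)
    when the fields are acceptable. The digital-signature check itself
    (return 400) needs a signing library and is out of scope here.
    """
    for field in ("signed_content", "signed_content_encoding"):
        if field not in payload:
            return 422, f"required property {field} was not present"
    try:
        # validate=True rejects characters outside the base64 alphabet;
        # non-ASCII input raises ValueError instead of binascii.Error.
        base64.b64decode(payload["signed_content"], validate=True)
    except (binascii.Error, ValueError):
        return 422, "Invalid signed content"
    if payload["signed_content_encoding"] != "base64":
        return 422, "is invalid"
    return None, None


def signer_matches_person(drfo, person, reverse_transliterate=lambda s: s):
    """Decide whether the signer's drfo belongs to the authenticated person.

    `person` is the MPI record (assumed shape: tax_id plus a list of
    {"type": ..., "number": ...} documents). `reverse_transliterate` is a
    hook for the algorithm the page references but does not reproduce.
    """
    documents = person.get("documents") or []

    def has_document(doc_type, number):
        return any(d.get("type") == doc_type and d.get("number") == number
                   for d in documents)

    if TAX_ID_RE.match(drfo):
        return drfo == person.get("tax_id")
    if NATIONAL_ID_RE.match(drfo):
        return has_document("NATIONAL_ID", drfo)
    if any(ch.isalpha() for ch in drfo):
        value = reverse_transliterate(drfo)
        if not PASSPORT_RE.match(value):
            return False
        return has_document("PASSPORT", value)
    # Anything else cannot be matched to the person: caller returns 401.
    return False


if __name__ == "__main__":
    # Constructed sample data, not real identifiers.
    person = {
        "tax_id": "1234567890",
        "documents": [{"type": "NATIONAL_ID", "number": "123456789"},
                      {"type": "PASSPORT", "number": "АА123456"}],
    }
    print(validate_signed_content({"signed_content": "aGVsbG8=",
                                   "signed_content_encoding": "base64"}))
    print(signer_matches_person("1234567890", person))
```

A caller maps a `False` from `signer_matches_person` to the 401 ('Unable to authenticate signer') response; note that the tax_id and national_id branches are decided purely by the shape of drfo, so a nine-digit value is never compared against `person.tax_id`.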

Validate person registration request

Service logic

Generate JWT

  1. Fetch the JWT TTL value from the JWT_LOGIN_TTL env parameter (in minutes).

  2. Decode the signed_content field and calculate its MD5 hash.

  3. Generate a JWT with the following parameters:

    1. alg = HS512

    2. aud = pis-registration

    3. content_hash = MD5 hash of decoded signed_content field value

    4. exp = iat + JWT_LOGIN_TTL

    5. iat = now()

    6. iss = EHealth

    7. jti = generate uuid of JWT

    8. nbf = now() - 1 second

    9. sub = content_hash

    10. typ = access
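The three steps above carried through as an added example (not the ЕСОЗ implementation): decode the submitted base64, MD5 it, and issue an HS512 token with exactly the claims listed, using only the standard library. A matching verifier is included because the token is what the confirmation step trusts: it pins `alg` to HS512, compares the signature in constant time, enforces `nbf`/`exp`, and re-derives `content_hash` so the token cannot be replayed with different signed content. Assumptions: the MD5 is represented as a hex digest, the JOSE header is `{"alg":"HS512","typ":"JWT"}`, the HMAC secret is supplied by the caller, and the default TTL of 15 minutes used when JWT_LOGIN_TTL is unset is a placeholder.

```python
import base64
import hashlib
import hmac
import json
import os
import time
import uuid

JWT_ISSUER = "EHealth"
JWT_AUDIENCE = "pis-registration"
# Constructed sample input: base64 of a small JSON document, not a real signature.
SAMPLE_SIGNED_CONTENT = base64.b64encode(b'{"person": "constructed"}').decode("ascii")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def content_hash(signed_content_b64: str) -> str:
    """Step 2: decode signed_content and hash the raw bytes with MD5 (hex digest assumed)."""
    return hashlib.md5(base64.b64decode(signed_content_b64)).hexdigest()


def generate_session_jwt(signed_content_b64, secret: bytes, ttl_minutes=None, now=None):
    """Step 3: build the HS512 token with the claims listed in the specification."""
    if ttl_minutes is None:  # step 1: TTL comes from the environment, in minutes
        ttl_minutes = int(os.environ.get("JWT_LOGIN_TTL", "15"))  # placeholder default
    iat = int(time.time() if now is None else now)
    digest = content_hash(signed_content_b64)
    claims = {
        "aud": JWT_AUDIENCE,
        "content_hash": digest,
        "exp": iat + ttl_minutes * 60,  # exp = iat + JWT_LOGIN_TTL
        "iat": iat,
        "iss": JWT_ISSUER,
        "jti": str(uuid.uuid4()),
        "nbf": iat - 1,                 # nbf = now() - 1 second
        "sub": digest,
        "typ": "access",
    }
    header = {"alg": "HS512", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + _b64url(signature)


def verify_session_jwt(token, secret: bytes, signed_content_b64, now=None):
    """Confirmation-side check. Returns (True, claims) or (False, reason)."""
    now = int(time.time() if now is None else now)
    try:
        h, p, s = token.split(".")
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha512).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False, "bad signature"
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if header.get("alg") != "HS512":          # never trust alg from the token
        return False, "unexpected alg"
    if (claims.get("aud") != JWT_AUDIENCE or claims.get("iss") != JWT_ISSUER
            or claims.get("typ") != "access"):
        return False, "wrong audience, issuer or type"
    if now < claims.get("nbf", 0) or now >= claims.get("exp", 0):
        return False, "token not yet valid or expired"
    # Bind the token to the exact signed_content that was validated earlier.
    if claims.get("content_hash") != content_hash(signed_content_b64) \
            or claims.get("sub") != claims.get("content_hash"):
        return False, "content hash mismatch"
    return True, claims


if __name__ == "__main__":
    key = b"constructed-demo-secret"
    tok = generate_session_jwt(SAMPLE_SIGNED_CONTENT, key, ttl_minutes=10)
    print(tok)
    print(verify_session_jwt(tok, key, SAMPLE_SIGNED_CONTENT))
```

Because `sub` and `content_hash` are both the MD5 of the decoded content, the verifier checks them against each other and against a fresh digest of the submitted content; the HS512 secret must be the same on the issuing and confirming side, so it belongs in a shared secret store rather than in configuration checked into source control.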

Render person data

Render the person (patient) data according to the specification.
