ЕСОЗ - public documentation
Login
Purpose
This WS authenticates a user using any of the supported authentication methods.
Key points
This method should be reachable only by the eHealth authorization front-end application.
A user is authenticated using one of the following grant types: password, digital_signature, change_password, authorize_2fa_access_token, refresh_2fa_access_token, pis_auth.
Each grant type requires its own set of fields, with grant-specific validations.
This WS describes only the grant types and token generation flows for a user with 2FA disabled. The token generation flow for a user with 2FA enabled is described separately: Create Token
Specification
Validate request
Validate client
Check client_id is submitted
in case of error - return 422 ('can't be blank')
Check client_id exists in mithril database
in case of error - return 422 ('Invalid client id.')
Validate grant type
Check grant_type is submitted
in case of error - return 422 ('Request must include grant_type.')
Check grant_type is one of the values: password, change_password, digital_signature, authorize_2fa_access_token, refresh_2fa_access_token
in case of error - return 401 ('Grant type not allowed.')
Check grant_type is allowed to be issued by client (value exists in allowed_grant_types setting for client)
in case of error - return 401 ('Client is not allowed to issue login token.')
Perform additional validations for every grant type option
Validate ‘password’ grant type
Check email and password are submitted
in case of error - return 422 ('can't be blank')
Check by email user exists in mithril database
in case of error - return 401 ('User not found.')
Check by email user is not blocked (is_blocked <> true)
in case of error - return 401 ('User blocked.')
Check password is correct for user
in case of error - return 401 ('Identity, password combination is wrong.')
Check password is not expired for user (difference in days between password_set_at value and now() is not more than value of PASSWORD_EXPIRATION_DAYS config parameter)
in case of error - return 401 ('The password expired for user: user_id')
Check login is enabled for user (count of logins in login_history field between now() and now() - MAX_FAILED_LOGINS_PERIOD is not bigger than value of MAX_FAILED_LOGINS config parameter)
in case of error - return 401 ('You reached login attempts limit. Try again later')
Validate ‘digital_signature’ grant type
Check signed_content and signed_content_encoding are submitted
in case of error - return 422 ('can't be blank')
Check signed_content is a valid base64
in case of error - return 422 ('Invalid signed content')
Check signed_content_encoding is a ‘base64’ value
in case of error - return 422 ('is invalid')
Check digital signature is valid
in case of error - return 401 with digital signature validation error message
Check signed content is a valid JWT with aud = mithril-login
in case of error - return 401 ('JWT is invalid.')
Check user with tax_id from digital signature of signed content exists in mithril database
in case of error - return 401 ('Person with tax id not found.')
Check user with tax_id from digital signature of signed content is not blocked (is_blocked <> true)
in case of error - return 401 ('User blocked.')
Check person exists for user in mpi database
in case of error - return 401 ('Person not found.')
Check person is in active status in mpi database for user
Validate ‘change_password’ grant type
Check email and password are submitted
in case of error - return 422 ('can't be blank')
Check by email user exists in mithril database
in case of error - return 401 ('User not found.')
Check by email user is not blocked (is_blocked <> true)
in case of error - return 401 ('User blocked.')
Check password is correct for user
in case of error - return 401 ('Identity, password combination is wrong.')
Check password is not expired for user (difference in days between password_set_at value and now() is not more than value of PASSWORD_EXPIRATION_DAYS config parameter)
in case of error - return 401 ('The password expired for user: user_id')
Check scope value equals user:change_password
in case of error - return 401 ('Allowed scopes for the token are user:change_password.')
Validate ‘pis_auth’ grant type
Check signed_content and signed_content_encoding are submitted
in case of error - return 422 ('can't be blank')
Check signed_content field is a valid base64 string
in case of error - return 422 ('Invalid signed content')
Check signed_content_encoding field value equals 'base64'
in case of error - return 422 ('is invalid')
Check digital signature is valid
in case of error - return 401 with digital signature validation error message
Check signed content is a valid JWT with aud = mithril-login
in case of error - return 401 ('JWT is invalid.')
Validate scope
Check requested scope is allowed for client type
in case of error - return 422 ('Scope is not allowed by client type.')
Service logic
Generate token with the following logic:
If grant_type is password, digital_signature or pis_auth and no active authentication factor exists for the user, generate token with name = ‘access_token’, scope = ‘app:authorize’ for user_id and client_id,
If grant_type is change_password and no active authentication factor exists for the user, generate token with name = ‘change_password_token’, scope = ‘user:change_password’ for user_id and client_id,
If an active authentication factor exists for the user, generate the token using the Create Token flow
Save token to mithril database, tokens table, set:
id = token uuid
name = token name
value = hashed token
expires_at = date and time when token will be expired in unix-time format
details = additional details of token (scope, client_id, grant_type)
user_id = uuid of user that requested token
inserted_at = now()
updated_at = now()
Find all active tokens of the same name for user_id and client_id, if found - expire them in mithril database, tokens table:
set expires_at = now()
Calculate next step:
if grant_type is password, digital_signature, pis_auth or change_password and no active authentication_method exists for the user, then next_step = ‘REQUEST_APPS’
Render a response according to specification.
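The token generation, storage and expiry steps above, as an added Python example that is not mithril's own code: the in-memory tokens list standing in for the tokens table, TOKEN_TTL_SECONDS, the sha256 hashing of the token value and the hex id standing in for a uuid are assumptions; users with an active authentication factor are left to the separate Create Token flow.

```python
import hashlib
import secrets
import time

# Constructed token lifetime; the real value is a deployment setting.
TOKEN_TTL_SECONDS = 3600

# grant_type -> (token name, scope), as documented for a user without an active 2FA factor.
TOKEN_BY_GRANT = {
    "password": ("access_token", "app:authorize"),
    "digital_signature": ("access_token", "app:authorize"),
    "pis_auth": ("access_token", "app:authorize"),
    "change_password": ("change_password_token", "user:change_password"),
}


def issue_token(tokens, user_id, client_id, grant_type, has_active_factor, now=None):
    """Insert a token row into `tokens` (stand-in for the tokens table) and expire
    earlier active rows of the same name for this user/client.
    Returns (plaintext_token, row, next_step); only the hash is stored."""
    if has_active_factor:
        raise NotImplementedError("2FA users follow the separate Create Token flow")
    name, scope = TOKEN_BY_GRANT[grant_type]
    now = int(now if now is not None else time.time())  # unix time, as expires_at requires
    plaintext = secrets.token_urlsafe(32)
    row = {
        "id": secrets.token_hex(16),  # assumed stand-in for a uuid
        "name": name,
        # A plain sha256 is adequate here: the value is 256 bits of randomness, not a password.
        "value": hashlib.sha256(plaintext.encode()).hexdigest(),
        "expires_at": now + TOKEN_TTL_SECONDS,
        "details": {"scope": scope, "client_id": client_id, "grant_type": grant_type},
        "user_id": user_id,
        "inserted_at": now,
        "updated_at": now,
    }
    # Expire still-active tokens of the same name for this user and client *before*
    # appending the new row, so the freshly issued token is not expired by its own insert.
    for old in tokens:
        if (old["name"] == name and old["user_id"] == user_id
                and old["details"]["client_id"] == client_id and old["expires_at"] > now):
            old["expires_at"] = now
            old["updated_at"] = now
    tokens.append(row)
    return plaintext, row, "REQUEST_APPS"


def active_tokens(tokens, user_id, client_id, name, now):
    """Rows named `name` for this user/client that have not expired at `now`."""
    return [t for t in tokens if t["name"] == name and t["user_id"] == user_id
            and t["details"]["client_id"] == client_id and t["expires_at"] > now]
```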