PIS. Deactivate Authentication method

1 Purpose
2 Specification
3 Authorization
4 Validate person
5 Validate confidant person and relationship (optional)
6 Validate request
7 Service logic

Purpose

This WS designed to deactivate Authentication method

Specification

Apiary

Authorization

Verify the validity of access token
- Return (401, 'Invalid access token') in case of validation fails
Verify that token is not expired
- in case of error - return (401, 'Invalid access token')
Check user scopes in order to perform this action (scope = 'authentication_method_request:deactivate_pis')
- Return (403, 'Your scope does not allow to access this resource. Missing allowances: authentication_method:deactivate_pis') in case of invalid scope(s)
Check that token contains person_id
- in case of error - return (401, 'Invalid access token')

Validate person

Get person_id from token (x-person-id header)
Validate patient status is active (status = ‘active' & is_active = 'true’)
- in case of error - return 404 ('not found')

Validate confidant person and relationship (optional)

If person is not legally capable - system must ensure that Person authentication method request deactivated by confidant person and there is registered and verified their relationship

Get applicant_person_id from token, compare it to person_id from token:

If equals - check that person must not be authorized by confidant person, so it doesn’t correspond to following rules:
- persons age < no_self_registration_age global parameter;
- persons age between no_self_registration_age and person_full_legal_capacity_age global parameters and person does not have document with type from PIS_PERSON_LEGAL_CAPACITY_DOCUMENT_TYPES config parameter;
- persons age > person_full_legal_capacity_age global parameter and exists at least one active and approved confidant person relationship for person (using following process Check confidant person relationship with person_id = person from request - expected :ok, :approved response)
  - In case of error - return 409 (‘Request must be authorized by confidant person’)
If not equal - validate relationship with following steps:
- Check that there is registered relationship between person_id and applicant_person_id(MPI.confidant_person_relationships)
- Check that relationship is VERIFIED
  - In case of error - return 409 (‘Can’t confirm relationship’)
- Check that applicant_person_id exists (status = 'active' & is_active = 'true') and has verification_status any but NOT_VERIFIED
  - In case of error - return 409 (‘Confidant person not found or is not verified’)

Validate request

Validate auth method. il.authentication_method_request.auth_method.type = THIRD_PERSON
- in case of error - return 403 ('Only THIRD_PERSON authentication method type could be deactivated')
Validate auth method belongs to the person
1. In case of error - return 404 ('Such authentication method does not belong to this person')
Check that person has other active methods in mpi.person_authentication_methods
- in case of error - return 403 ('You can't deactivate the last authentication method')
Check person in request don't has confidant_person_relationship with person
- in case of error - return 403 ('Person in request is the confidant person')
Validate that auth_method is active (person_authentication_methods.ended_at > now())
- in case of error - return 422 ('Authentication method isn’t active')

Service logic

Get person_id from token (x-person-id header).
Deactivate person authentication method
1. person’s auth method that was before becomes inactive - set ended_at = now() (Get current date-time) and is_active = false
Render response according to specification.