Purpose

This WS allows to create or update person.

Specification

Apiary

Authorisation

• Verify the validity of access token

  • Return (401, 'Invalid access token') in case of validation fails

• Verify that token is not expired

  • in case of error - return (401, 'Invalid access token')

• Check user scopes in order to perform this action (scope = 'person_request:write')

  • Return (403, 'Your scope does not allow to access this resource. Missing allowances: person_request:write') in case of invalid scope(s)

• Validate client_id belongs to legal_entity with type in ('MSP', 'OUTPATIENT', 'EMERGENCY', 'PRIMARY_CARE')

  • Return (401, 'Invalid legal entity type') in case of validation fails

• If BLOCK_UNVERIFIED_PARTY_USERS is true, then check party's data match following condition: verification_status != NOT_VERIFIED or (verification_status = NOT_VERIFIED and updated_at <= current_date - UNVERIFIED_PARTY_PERIOD_DAYS_ALLOWED):

  • in case not match - return 403 ("Access denied. Party is not verified")

Validate request

Validate request according to JSON Schema

• Check presence of extra parameters

  • In case of error - return 422 ('schema does not allow additional properties')

• Check presence of required parameters

  • In case of error - return 422 ('required property %{property} was not present')

Create person request

Get global parameters

Invoke Global parameters to get following parameters:

• Validate that person_authentication_methods records with type = OTP > phone_number_auth_limit

  • Return (422, 'Quantity of existing authentication methods with type of THIRD_PERSON for this Person exceeds allowed') in case of validation fails

• Validate that person_authentication_methods records with type = OTP > third_person_limit

  • Return (422, 'This phone number is present more than N times in the system') in case of validation fails

Validate confidant person

• Verify that person age < prm.global_parameters.no_self_auth_age check existence of confidant_person

  • Return (422, 'Confidant person is mandatory for children') in case of validation fails

• Validate confidant person age >= prm.global_parameters.no_self_auth_age

  • Return (422, 'Incorrect person age for such an action') in case of validation fails

Validate tax_id

• Check that tax_id has validation pattern `^([0-9]{9}|[А-ЯЁЇIЄҐ]{2}\d{6})$`

  • Return (422, 'Person's tax ID is not valid.') in case of validation fails

Validate "no_tax_id" flag

• Check that "no_tax_id"= true, tax_id field should be empty

  • Return (422, 'Persons who refused the tax_id should be without tax_id') in case of validation fails

• Check that "no_tax_id"=false and age>14, tax_id should be present

  • Return (422, 'Only persons who refused the tax_id could be without tax_id') in case of validation fails

Validate "patient_signed" flag

• Check "patient_signed" is not present in request

  • Return (422, 'required property patient_signed was not present') in case of validation fails

• Check that "patient_signed"=true in request

  • Return (422, 'value is not allowed in enum') in case of validation fails

Validate person documents

1. Validate dates

   1. issued_at <= now() and issued_at => birth_date

      1.  in case `issued_at > now()` show error 422, "Document issued date should be in the past"

      2.  in case `issued_at < person.birth_date` show error 422, "Document issued date should greater than person.birth_date"

   2. expiration_date > now()

      1.  in case error show 422, "Document expiration_date should be in future"

      2. expiration_date is mandatory for document_type

         • NATIONAL_ID

      3. in case error return 422, "expiration_date is mandatory for document_type $.documents.type"

2. Validate documents_type.number according to json schema 

   1. PASSPORT - `^((?![ЫЪЭЁ])([А-ЯҐЇІЄ])){2}[0-9]{6}$`

   2. NATIONAL_ID - `^[0-9]{9}$`

   3. BIRTH_CERTIFICATE - `^((?![ЫЪЭЁыъэё@%&$^#`~:,.*|}{?!])[A-ZА-ЯҐЇІЄ0-9№\\/()-]){2,25}$`

   4. COMPLEMENTARY_PROTECTION_CERTIFICATE - `^((?![ЫЪЭЁ])([А-ЯҐЇІЄ])){2}[0-9]{6}$`

   5. REFUGEE_CERTIFICATE - `^((?![ЫЪЭЁ])([А-ЯҐЇІЄ])){2}[0-9]{6}$`

   6. TEMPORARY_CERTIFICATE - `^(((?![ЫЪЭЁ])([А-ЯҐЇІЄ])){2}[0-9]{4,6}|[0-9]{9}|((?![ЫЪЭЁ])([А-ЯҐЇІЄ])){2}[0-9]{5}\\/[0-9]{5})$`

   7. TEMPORARY_PASSPORT - `^((?![ЫЪЭЁыъэё@%&$^#`~:,.*|}{?!])[A-ZА-ЯҐЇІЄ0-9№\\/()-]){2,25}$`

3. if unzr exists and is not null, check pattern match "^[0-9]{8}-[0-9]{5}$"

   1. in case error return 422, msg 'string does not match pattern \"%{pattern}\"'

4. if documents.type=NATIONAL_ID

   1. check if unzr exists in request, in case error return 422, msg "unzr is mandatory for document type NATIONAL_ID"

5. Document numbersmaxLength < 25 

Search pending person requests

Search persons request  in IL_DB.person_requests to prevent requests duplication:

• if tax_id is null

Cancel person request

Change status of all found person requests:

Search pending declaration requests

Search declarations in IL_DB.declaration_requests to prevent requests duplication:

• if tax_id is not null

• if tax_id is null

If found declaration request - don't create person request. Return error "This person already has a declaration request"

Search person

We are looking for a person to prevent duplication of a person:

• We create pairs of new person with people from clusters(tax_id, phone_number and number of the document) and send to the model.

  • in case deduplication model gave score <  PERSON_ONLINE_DEDUPLICATION_MATCH_SCORE, create new person

    • Return (409, 'such person exists. Update this person') in case of validation fails

Validate phone number limit

USE_PHONE_NUMBER_AUTH_LIMIT is a flag in ehealth.charts that shows whether we count phones or not.

• in case person is found

  • person_id will be saved to person_request, and person has the same authentication_methods.phone_number, we do not count phone numbers and do not compare the phone number with global_parameters.phone_number_auth_limit. So that we can update person, but still can not use phone over limit.

• In case person is not found

  • Check if (SELECT count(*) from persons where authentication_methods::json->0->>'phone_number'='$.phone_number' and persons.status='active' and is_active=true)<global_parameters.phone_number_auth_limit

    • Return (409, 'This phone number is present more then $.global_parameters.phone_number_auth_limit times in the system') in case of validation fails

Validate person authentication methods/phone

1. If person <prm.global_parameters.no_self_auth_age years, then person.auth_methods.type = third_person. Validate that third_person has auth method.type = OTP

2. if third_person.auth_method.type = OFFLINE - error `THIRD PERSON can't have OFFLINE self auth method type`

3. if third_person.auth_method.type doesn't have active auth method - error `THIRD PERSON doesn't have active valid authentication methods`

4. If third person >= prm.global_parameters.no_self_auth_age years

   1. Return (422, 'Incorrect person age for such an action') in case of validation fails

Person.auth_methods.type = third_persont.id. But on get Person request or Person display third_person.auth_method.phone_number.

1. If person > prm.global_parameters.no_self_auth_age and he must have one of auth.method.type (OTP OR OFFLINE). Also person may use new endpoint Append auth methods to add additional auth_methods.type = third_person.

Don't validate auth_method.phone_number exists in verification.verified_phone.

Save person request

Insert record to IL.person_requests in status 'NEW'

Generate upload URL

Depending on the payload system generates list of signed urls for document scan-copies upload.

Signed URLs to be expired after some period of time (configurable `SECRETS_TTL`). If it has been expired - new person request should be created.

Each link is generated for one one-page document in jpeg format. Document should be no more than 10MB. For each type of documents, if couple of rules worked - only one single link is generated.

1. Validate flag no_tax_id, if $.person_request.person.no_tax_id = true:

   1. Generate URL with type person.no_tax_id

2. Validate if $.person_request.person.tax_id is not empty and $.person_request.person.no_tax_id = false then

   1. If ( (GetBirthDateFromTaxId($.tax_id) != $.birth_date) or (GetGenderFromTaxId($.tax_id) != $.gender) or CheckValidity($.tax_id) = false (i.e. invalid checksum) ) and age >= no_self_auth_age then

      • Generate URL with type person.tax_id

3. Validate block confidant person. If person.confidant is not null:

   1. Generate URL's with type confidant_person.{confidant_person.type}.{$.person_request.person.confidant_person.[:].documents_relationship.[:].type}

   2. Generate URL's with type confidant_person.{confidant_person.type}.{$.person_request.person.confidant_person.[:].documents_person.[:].type}

4. Validate block of person documents. If one of the documents has document.type = BIRTH_CERTIFICATE_FOREIGN and there is no same document in {$.person_request.person.confidant_person.[:].documents_relationship.[:]}

   and age < no_self_auth_age then

   1. Generate URL with type person.{$.person_request.person.documents.[with type BIRTH_CERTIFICATE_FOREIGN].type}

5. Validate block of person documents. If one of the documents has document.type = PERMANENT_RESIDENCE_PERMIT and age >= no_self_auth_age then

   1. Generate URL with type person.{$.person_request.person.documents.[with type PERMANENT_RESIDENCE_PERMIT].type}

6. Validate authentication_method. If authentication method = OFFLINE or third_person (and this third_person.auth_method = OFFLINE) - 

   1. Generate URL's with type person.{$.person_request.person.documents.[:].type} (or Generate URL's with type third_person.{$.third_person.documents.[:].type})

7. Validate unzr. If $.person_request.person.unzr is not empty and first 8 digits of $.person_request.person.unzr != $.person_request.person.birth_date and none of the documents has document.type = NATIONAL_ID then

   1. Generate URL with type person.{$.person_request.person.unzr}

Invoke Media Content Storage to generate upload URL for each document obtained by executing logic above and save documents to DB.

Generate verification code

Invoke Initialize OTP to generate one time password and send it to client number. At this stage, the person receives an SMS message to confirm this phone and the consent to create a person.

Phone_number: ILperson_request.authentication_method_current.$.authentication_number

Update person request

To update the data of an existing person use an endpoint `Create/Update person request`.

It is necessary to transfer the same json as when creating person, only to transfer the id of an existing person and do not transfer the block with the authentication methods.

If person.id is in request then 

• validate person.id is UUID

  • in case error return 422

• search person by person.id in MPI 

  • in case error return 422, "such person doesn't exist"

• search persons in mpi (Пошук персон. Версія 3)

  • validate person be deduplication model (if score >  PERSON_ONLINE_DEDUPLICATION_UPDATE_SCORE, then add mpi_id to person request)

    • else return error 409, "such person can't be updated. New person should be created instead" 

Update person’s data with empty value of the second name is possible by setting second_name = null.

Validate documents, confidant_person, flag no_tax_id

Validate documents, flag `no_tax_id`, confidant_person as on Create person request 

Validate authorize_with

The person can pass the id of his auth_method which he wants to confirm the update of the request. The necessary auth method can be found by making Get person's auth methods

1. validate auth_method.id is UUID

   1. in case error return 422

2. search auth method in MPI.person_authentication_method

   1. in case error return 422, "such authentication method doesn't exist"

3. search auth method of this person where  MPI.person_authentication_method.person_id = $.person.id

   1. in case error return 422, "such authentication method does not belong to this person"

4. validate that auth_method.type = NA

   1. in case error return 422, "Сannot be confirmed by a method with type= NA. Use a different method."

5. validate that this method is active ( authentication_method.ended_at > now() and is_active = true)

This field is optional and set in il.person_reques.authentication_method_current.

If person request doesn't have this field, then choose that method which is returned from mpi as person's default method

Save person request

Insert record to IL.person_request in status 'NEW'. Person_id from request save in field mpi_id in IL.person_request

Search pending person requests

Search persons request  in IL_DB.person_requests to prevent requests duplication:

Cancel person requests

Change status of all found person requests:

Validate parameters

Person can't update tax_id. (He can update tax_id from null to tax_id or from null to null). Also person can update birth_date.

Validate auth_method_current

Set default auth method of person on IL.auth_method_request.auth_method_current - use function in mpi, that return default auth method

Validate that auth_method_current !=NA

Generate upload URL

Depending on the payload system generates list of signed urls for document scan-copies upload.

Signed URLs to be expired after some period of time (configurable `SECRETS_TTL`). If it has been expired - new person request should be created.

Each link is generated for one one-page document in jpeg format. Document should be no more than 10MB. For each type of documents, if couple of rules worked - only one single link is generated.

1. Validate flag no_tax_id, if $.person_request.person.no_tax_id = true:

   1. Generate URL with type person.no_tax_id

2. Validate if $.person_request.person.tax_id is not empty and $.person_request.person.no_tax_id = false then

   1. If ( (GetBirthDateFromTaxId($.tax_id) != $.birth_date) or (GetGenderFromTaxId($.tax_id) != $.gender) or CheckValidity($.tax_id) = false (i.e. invalid checksum) ) and age >= no_self_auth_age then

      • Generate URL with type person.tax_id

3. Validate block confidant person. If person.confidant is not null:

   1. Generate URLs with type confidant_person.{confidant_person.type}.{$.person_request.person.confidant_person.[:].documents_relationship.[:].type}

   2. Generate URLs with type confidant_person.{confidant_person.type}.{$.person_request.person.confidant_person.[:].documents_person.[:].type}

4. Validate block of person documents. If one of the documents has document.type = BIRTH_CERTIFICATE_FOREIGN and there is no same document in {$.person_request.person.confidant_person.[:].documents_relationship.[:]}

   and age < no_self_auth_age then

   1. Generate URL with type person.{$.person_request.person.documents.[with type BIRTH_CERTIFICATE_FOREIGN].type}

5. Validate block of person documents. If one of the documents has document.type = PERMANENT_RESIDENCE_PERMIT and age >= no_self_auth_age then

   1. Generate URL with type person.{$.person_request.person.documents.[with type PERMANENT_RESIDENCE_PERMIT].type}

6. Validate authentication_method. If authentication method = OFFLINE or third_person (and this third_person.auth_method = OFFLINE) - 

   1. Generate URLs with type person.{$.person_request.person.documents.[:].type} (or Generate URL's with type third_person.{$.third_person.documents.[:].type})

7. Validate unzr. If $.person_request.person.unzr is not empty and first 8 digits of $.person_request.person.unzr != $.person_request.person.birth_date and none of the documents has document.type = NATIONAL_ID then

   1. Generate URL with type person.{$.person_request.person.unzr} 

Save documents to DB.

Generate verification code

Invoke Initialize OTP to generate one time password and send it to client number. At this stage, the person receives an SMS message to confirm updating a person's data.

Phone_number: MPI.person_authentication_method where person_id = $person_request.persin_id and is_primary = true