Purpose

This process describes deactivation Confidant Person relationship for an existing person by creating Confidant Person relationship request with deactivate action.

Key points

1. Confidant Person relationship data for person can be obtained from following WS: https://e-health-ua.atlassian.net/wiki/spaces/CSI/pages/17613029420 .

2. Documents that prove relationship deactivation must be submitted as well.

3. In case if person has document that prove legal capacity user must call https://e-health-ua.atlassian.net/wiki/spaces/CSI/pages/17613193262 and submit this document. This way will deactivate all relationships, so person receives an ability to have personal authentication methods etc.

Specification

Apiary

Authorization

• Verify the validity of access token

  • Return (401, 'Invalid access token') in case of validation fails

• Verify that token is not expired

  • in case of error - return (401, 'Invalid access token')

• Check user scopes in order to perform this action (scope = confidant_person_relationship_request:write)

  • Return (403, 'Your scope does not allow to access this resource. Missing allowances: confidant_person_relationship_request:write') in case of invalid scope(s)

Validation

Validate Person

• Get person_id from URL

• Validate person status is active (status = ‘active' & is_active = 'true’)

  • in case of error - return 404 ('Person is not found')

Validate request

• Check presence of extra parameters

  • In case of error - return 422 ('schema does not allow additional properties')

• Check presence of required parameters

  • In case of error - return 422 ('required property %{property} was not present')

Validate confidant person relationship

• Check that confidant person relationship from $.confidant_person_relationship.id exists in https://e-health-ua.atlassian.net/wiki/spaces/CSI/pages/17613488166/MPI#confidant_person_relationships with person_id = person_id from URL and is_active = true and active_to > now() or null

  • in case of error - return 422 ('Confidant Person relationship does not belong to this person')

Validate documents relationship

• Validate documents issued_at date

  • Check that issued_at <= now()

    • in case of error - return 422 ('Document issued date should be in the past')

  • Check that issued_at => person.birth_date

    • in case of error - return 422 ('Document issued date should greater than person.birth_date')

• Validate document type according to DOCUMENT_RELATIONSHIP_TYPE dictionary

  • In case of error - return 422 ('value is not allowed in enum')

• Check that there are no duplicated document type values in request

  • in case of error - return 422 ('Values are not unique by 'type'.')

• Validate document number according to regexp (as part of JSON Schema validation)

  • BIRTH_CERTIFICATE - ^((?![ЫЪЭЁыъэё@%&$^#`~:,.*|}{?!])[A-ZА-ЯҐЇІЄ0-9№\\/()-]){2,25}$

    • In case of error - return 422 error ('string does not match pattern') with the corresponding regexp

• Check that document number length < 255

  • in case of error - return 422 ('expected value to have a maximum length of 255 but was <<document_number_length>>')

Validate authorize_with

• If person has at least one active confidant person relationship (using following process https://e-health-ua.atlassian.net/wiki/spaces/CSI/pages/17667883028 with person_id = person from URL - expected :ok, :approved response) with confidant_person_id != confidant person from deactivated relationship - check that $.authorize_with exists in request

  • in case of error - return 422 ('Deactivation of relationship must verify another Confidant Person')

• Check that $.authorize_with is a valid uuid

  • in case error - return 422 ('string does not match pattern') with uuid regexp

• Check that auth method exists in MPI database, person_authentication_methods table, belongs to person from URL, is active (ended_at > now() or ended_at is null and is_active = true) and type != NA

  • in case error - return 422 ('person has no corresponding authentication method')

• Check that auth method type = THIRD_PERSON and value != confidant_person_id from $.confidant_person_relationship.id that is being deactivated

  • in case of error - return 422 ('Cannot be authorized by this authentication method')

• Check that third person from auth method has OTP auth method

  • in case of error - return 422 ('Deactivation of relationship must verify Person who has active authentication method with type OTP')

Service logic

Search confidant person relationship requests

To prevent overlimit and duplication of requests, search for active requests in https://e-health-ua.atlassian.net/wiki/spaces/CSI/pages/17613422609/IL#confidant_person_relationship_requests table with person_id = person_id from URL and status = NEW.

If found - cancel them, set values:

• status = CANCELLED

• updated_at = now()

• updated_by = user_id (from token)

Determine authentication method current for request

• If $.authorize_with is existing - set its value as authentication method current for request

• If $.authorize_with is not existing - set authentication method current.type = OFFLINE

Generate upload URL

Depending on the payload system generates list of signed urls for document scan-copies upload.

Signed URLs to be expired after some period of time (according to SECRETS_TTL config parameter). If it has been expired - new confidant person relationship request should be created.

Each link is generated for one one-page document in jpeg format. Document should be no more than 10MB.

• Generate URLs for each document from $.confidant_person_relationship.documents_relationship with following parameters:

  • action: PUT

  • bucket: MEDIA_STORAGE_CONFIDANT_PERSON_RELATIONSHIP_REQUEST_BUCKET

  • resource_id: confidant_person_relationship_request_id

  • resource_name: confidant_person_relationship_request_#{type}.jpeg

Create new deactivation relationship request

Create new record to https://e-health-ua.atlassian.net/wiki/spaces/CSI/pages/17613422609/IL#confidant_person_relationship_requests table, set values:

• id = autogenerate uuid

• person_id = person_id from URL

• confidant_person_id = confidant_person_id from $.confidant_person_relationship.id that is being deactivated

• confidant_person_relationship = $.confidant_person_relationship

• status = NEW

• action = DEACTIVATE

• channel = MIS

• authentication_method_current

  • type = OTP or OFFLINE

  • phone_number = phone_number from confidant persons active auth method with type = OTP (null if type = OFFLINE)

• inserted_by = user_id (from token)

• inserted_at = now()

• updated_by = user_id (from token)

• updated_at = now()

• confidant_person_relationship_id = $.confidant_person_relationship.id

• documents_relationship = generated links for documents upload

• authorize_with = $.authorize_with

Generate verification code

In case if authentication_method_current.type = OTP, invoke Initialize OTP to generate one time password and send it to confidant persons number that is stored in authentication_method_current.phone_number. At this stage, the person receives an SMS message to confirm this phone and the consent to create confidant person relationship.

Render a response

Render a response according to specification.