
ЕСОЗ - public documentation

RC_(CSI-2483,CR-441)_Create auth method request

Purpose

This process describes adding an additional authentication method to an existing person, updating an existing authentication method, and deactivating it.

Specification

Apiary

Authorization

  • Verify the validity of access token

    • Return (401, 'Invalid access token') in case of validation fails

  • Verify that token is not expired

    • in case of error - return (401, 'Invalid access token')

  • Check user scopes in order to perform this action (scope = 'authentication_method_request:write')

    • Return (403, 'Your scope does not allow to access this resource. Missing allowances: authentication_method_request:write') in case of invalid scope(s)

  • Check that token contains person_id

    • in case of error - return (401, 'Invalid access token')

Validation of the request

Validate Patient

  • Get person_id from URL

  • Validate id:

    • validate person.id UUID

      • in case of error - return 404 ('not found')

    • search person by person.id in MPI

      • in case of error - return 404 ('Such person doesn't exist')

    • validate that person is active (person.status = active & is_active = true)

      • in case of error - return 404 ('Such person isn't active')

Validate request

if action = deactivate

  {
    "$schema": "http://json-schema.org/draft-04/schema#",
    "type": "object",
    "properties": {
      "action": "deactivate",
      "authentication_method": {
        "id": "057413fb-2c2e-4f33-b2d6-433469212744"
      }
    }
  }

if action = update

  {
    "$schema": "http://json-schema.org/draft-04/schema#",
    "type": "object",
    "properties": {
      "action": "update",
      "authentication_method": {
        "id": "057413fb-2c2e-4f33-b2d6-433469212744",
        "alias": "roksolana"
      }
    }
  }

if action = insert

  {
    "$schema": "http://json-schema.org/draft-04/schema#",
    "type": "object",
    "properties": {
      "action": "insert",
      "authentication_method": {
        "type": "THIRD_PERSON",
        "value": "d12888c0-1159-4296-8f03-a592c136f673",
        "phone_number": "+380656779678",
        "alias": "roksolana"
      }
    }
  }

Search auth requests by person id

To prevent exceeding the limit and duplicating requests, search in IL | authentication_method_requests for requests where

  • person_id = person.id (from URL) and authentication_method_requests.status = NEW, then

    • change the status of all found authentication_method_requests to CANCELED.

Validate by actions

if action = deactivate

  • Check if person has active authentication_methods (auth_method_current != null) for authorizing deactivation

    • in case of error - return 422 ('Person can't be authorized with NA authentication method')

  • Field type must be THIRD_PERSON (where person_auth_method.id = $authentication_method.id)

    • in case of error - return 422 ('Only THIRD_PERSON authentication method type could be deactivated')

  • Check that this current_auth_method is not primary (the last record by inserted_at, with OTP taking priority) and that the person has more than one authentication method

    • in case of error - return 422 ('You can't deactivate the last authentication method')

  • validate that authentication_methods.id belongs to this person. Search the auth methods of this person where MPI.person_authentication_method.person_id = $.person.id

    • in case of error - return 422 ('such authentication method does not belong to this person')

  • Validate that auth_method is active (person_authentication_methods.ended_at > now())

    • in case of error - return 422 ('Authentication method isn’t active')
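As an added example (not the project's own code), the deactivate checks above and the "primary = last record by inserted_at, with OTP in priority" rule implemented in Python over constructed rows of person_authentication_methods; the row layout, the fixed NOW and the reading of "OTP in priority" as "prefer the latest OTP row, otherwise the latest row" are assumptions.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed "now" for the sample

def is_active(m, now=NOW):
    # person_authentication_methods.ended_at is empty or still in the future
    return m["ended_at"] is None or m["ended_at"] > now

def primary_method(methods, now=NOW):
    """Primary auth method: the last active record by inserted_at, with OTP
    taking priority over other types (assumed reading of the spec's wording)."""
    active = [m for m in methods if is_active(m, now)]
    otp = [m for m in active if m["type"] == "OTP"]
    pool = otp or active
    return max(pool, key=lambda m: m["inserted_at"]) if pool else None

def validate_deactivate(person_id, methods, method_id, now=NOW):
    """Deactivate checks in the spec's order; None on success, else (422, message)."""
    own = [m for m in methods if m["person_id"] == person_id]
    primary = primary_method(own, now)
    if primary is None:  # auth_method_current == null
        return 422, "Person can't be authorized with NA authentication method"
    target = next((m for m in methods if m["id"] == method_id), None)
    if target is None or target["type"] != "THIRD_PERSON":  # unknown id fails the type check
        return 422, "Only THIRD_PERSON authentication method type could be deactivated"
    if target["id"] == primary["id"] or sum(is_active(m, now) for m in own) < 2:
        return 422, "You can't deactivate the last authentication method"
    if target["person_id"] != person_id:
        return 422, "such authentication method does not belong to this person"
    if not is_active(target, now):
        return 422, "Authentication method isn't active"
    return None

PERSON = "p-1"
METHODS = [  # constructed rows of MPI.person_authentication_methods
    {"id": "m-otp", "person_id": PERSON, "type": "OTP",
     "inserted_at": NOW - timedelta(days=30), "ended_at": None},
    {"id": "m-tp", "person_id": PERSON, "type": "THIRD_PERSON",
     "inserted_at": NOW - timedelta(days=5), "ended_at": NOW + timedelta(days=60)},
    {"id": "m-old", "person_id": PERSON, "type": "THIRD_PERSON",
     "inserted_at": NOW - timedelta(days=400), "ended_at": NOW - timedelta(days=35)},
    {"id": "m-other", "person_id": "p-2", "type": "THIRD_PERSON",
     "inserted_at": NOW - timedelta(days=1), "ended_at": None},
]
```

Note that m-tp is newer than m-otp, yet the OTP row stays primary, so m-tp can be deactivated while m-otp cannot.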

if action = update

  • alias is required

    • In case of error - return 422 ('required property %{property} was not present')

  • Check if person has active authentication_methods (auth_method_current != null) for authorizing updating

    • in case of error - return 422 ('Person can't be authorized with NA authentication method')

  • validate that authentication_methods.id belongs to this person. Search the auth methods of this person where MPI.person_authentication_method.person_id = $.person.id

    • in case of error - return 422 ('such authentication method does not belong to this person')

  • Validate that auth_method is active (person_authentication_methods.ended_at > now())

    • in case of error - return 422 ('Authentication method isn’t active')

if action = insert

  1. if type = OTP

    1. phone_number is required

      1. In case of error - return 422 ('required property %{property} was not present')

    2. value shouldn’t be set

      1. In case of error - return 422 ('schema does not allow additional properties')

    3. alias is optional

    4. check the usage limit of this phone number: count records in table person_authentication_methods with ended_at empty or > now() & type = OTP; error if the count > N

      1. in case of error - return 422 ('This phone number is present more than #{phone_number_auth_limit.limit} times in the system')

    5. validate that person.age > global_parameters.no_self_auth_age

      1. in case of error - return 422 ('Such person cannot have self authentication method')

    6. check that the phone number is verified

      1. in case of error - return 422 ('The phone number is not verified')

    7. call Check confidant person relationship with person_id = $.person_id (from URL) and check that this person does not have confidant persons

      1. in case of error - return 422 ('Only THIRD_PERSON authentication method can be created for person who has confidants')
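As an added example (not the project's own code), the insert/OTP checks listed above applied in the spec's order over constructed data; phone_number_auth_limit and no_self_auth_age are the settings the spec names, while verified_phones and persons_with_confidants are assumed lookups standing in for the phone-verification result and the Check confidant person relationship call.

```python
from datetime import date, datetime, timedelta, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed "now" for the sample

def age_years(birth_date, today):
    # full years elapsed between birth_date and today
    return today.year - birth_date.year - ((today.month, today.day) < (birth_date.month, birth_date.day))

def phone_usage(phone, methods, now=NOW):
    # OTP rows carrying this phone whose ended_at is empty or still in the future
    return sum(1 for m in methods if m["type"] == "OTP" and m.get("phone_number") == phone
               and (m["ended_at"] is None or m["ended_at"] > now))

def validate_insert_otp(person, body, methods, cfg, now=NOW):
    """Insert/OTP checks in the spec's order; None on success, else (422, message).
    cfg holds the spec's settings plus two constructed lookups (see lead-in)."""
    am = body["authentication_method"]
    if "phone_number" not in am:
        return 422, "required property phone_number was not present"
    if "value" in am:
        return 422, "schema does not allow additional properties"
    limit = cfg["phone_number_auth_limit"]
    if phone_usage(am["phone_number"], methods, now) > limit:
        return 422, f"This phone number is present more than {limit} times in the system"
    if age_years(person["birth_date"], now.date()) <= cfg["no_self_auth_age"]:
        return 422, "Such person cannot have self authentication method"
    if am["phone_number"] not in cfg["verified_phones"]:
        return 422, "The phone number is not verified"
    if person["id"] in cfg["persons_with_confidants"]:
        return 422, "Only THIRD_PERSON authentication method can be created for person who has confidants"
    return None

# constructed sample data
ADULT = {"id": "p-1", "birth_date": date(1990, 6, 1)}
CHILD = {"id": "p-2", "birth_date": date(2015, 3, 9)}   # has a confidant, see CFG
METHODS = [  # two active and one expired OTP row for the same phone number
    {"type": "OTP", "phone_number": "+380000000001", "ended_at": None},
    {"type": "OTP", "phone_number": "+380000000001", "ended_at": NOW + timedelta(days=10)},
    {"type": "OTP", "phone_number": "+380000000001", "ended_at": NOW - timedelta(days=1)},
]
CFG = {"phone_number_auth_limit": 2, "no_self_auth_age": 14,
       "verified_phones": {"+380000000001", "+380000000002"},
       "persons_with_confidants": {"p-2"}}

def request(**am):
    # build the insert body for an OTP method (constructed helper)
    return {"action": "insert", "authentication_method": {"type": "OTP", **am}}
```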

  2. if type = OFFLINE

    1. phone_number and value shouldn’t be set

      1. In case of error - return 422 ('schema does not allow additional properties')

    2. alias is optional

    3. validate that person.age > global_parameters.no_self_auth_age

      1. in case of error - return 422 ('Such person cannot have self authentication method')

    4. check that the current authentication method (the last record by inserted_at) has type != OFFLINE

      1. In case of error - return 422 ('Person already has auth method OFFLINE')

    5. check whether auth_method_current = OTP (only if config AUTH_REQUEST_SECURITY_REDUCTION = false)

      1. In case of error - return 422 ('Person cannot set OFFLINE auth method if person had OTP')

    6. call Check confidant person relationship with person_id = $.person_id (from URL)
      and check if this person does not have confidant persons (so method returns {:error, "Relationship is not found"})

      1. In case of error - return 422 ('Only THIRD_PERSON authentication method can be created for person who has confidants')

    7. call Check confidant person relationship with confidant_person_id = $.person_id (from URL) and check that this person is not saved as a confidant for other patients (for the case AUTH_REQUEST_SECURITY_REDUCTION = true)

      1. In case of error - return 422 ('Only OTP authentication method can be created for person who has relationship with other patients as confidant')

  3. if type = THIRD_PERSON

    • value, alias are required

      • In case of error - return 422 ('required property %{property} was not present')

    • call Check confidant person relationship with confidant_person_id = $.person_id (from URL) and check that this person is not saved as a confidant for other patients (for the case AUTH_REQUEST_SECURITY_REDUCTION = true)

      • In case of error - return 422 ('Only OTP authentication method can be created for person who has relationship with other patients as confidant')

    • Validate value:

      • validate person.id is UUID

        • In case of error - return 422 ('string does not match pattern ^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$')

      • check person by person.id in MPI

        • In case of error - return 422 ('such person doesn't exist')

      • check person by person.id in MPI and validate that is_active = true & status = active

        • In case of error - return 422 ('third person must be active')

      • Validate that auth_method is active (person_authentication_methods.ended_at > now())

        • in case of error - return 422 ('Authentication method isn’t active')

      • Check that person from value is an approved confidant of person from URL - call Check confidant person relationship with person_id = person from URL and confidant_person_id = value, expected :ok, :approved response

        • in case of error - return 422 ('Only confidants can be set as third persons')

    • validate that the person has no existing authentication method with type THIRD_PERSON and the same value

      • in case of error - return 422 ('Such person id is already used in existing person's authorization methods')

    • check that the number of the person's authentication methods with type THIRD_PERSON is less than person_with_third_person_limit

      • in case of error - return 422 ('Limit of authentication methods with THIRD_PERSON type is exhausted')

    • Check if person has active authentication_methods (auth_method_current != null) for authorizing updating

      • in case of error - return 422 ('Person can't be authorized with NA authentication method')

    • Set third_person_term - this parameter is used to calculate the ended_at date for authentication methods of type THIRD_PERSON

Set default auth method

Define auth method for request:

  • If action = insert and type = THIRD_PERSON - use primary auth method of person from value as auth method current for request.

  • For all other cases - use the function in MPI that returns the primary auth method of the person from URL.

Set auth method current to authentication_method_current field of request.

Generate verification code

For verification use the authentication method of the new confidant person.
Get phone_number from MPI | person_authentication_methods where id = auth_method_current.

Invoke Initialize OTP to generate a one-time password and send it to the phone number.

Generate upload URL

  1. If auth_method_requests.auth_method_current = OFFLINE

    1. Generate URLs with type person.{$.person.documents.[:].type} (or generate URLs with type third_person.{$.third_person.documents.[:].type})

  2. If action = insert and il.auth_method_request.authentication_method.type = OFFLINE:

    1. Generate URLs with type person.{$.person.documents.[:].type}
