Purpose

This process describes adding an additional authentication method to an existing person, update authentication method and delete it.

Specification

Apiary

Authorization

• Verify the validity of access token

  • Return (401, 'Invalid access token') in case of validation fails

• Verify that token is not expired

  • in case of error - return (401, 'Invalid access token')

• Check user scopes in order to perform this action (scope = 'authentication_method_request:write')

  • Return (403, 'Your scope does not allow to access this resource. Missing allowances: authentication_method_request:write') in case of invalid scope(s)

• Check that token contains person_id

  • in case of error - return (401, 'Invalid access token')

Validation of the request

Validate Patient

• Get person_id from URL

• Validate id:

  • validate person.id UUID

    • in case of error - return 404 ('not found')

  • search person by person.id in MPI

    • in case of error - return 404 ('Such person doesn't exist')

  • validate that person is active ( person.status = active & is_active = true)

    • in case of error - return 404 ('Such person isn't active')

Validate request

if action = deactivate

if action = update

if action = insert

Search auth requests by person id

To prevent overlimit and duplication of request search in IL | authetication_method_requests requests where

• person_id = person.id (from url) and authentication_method_requests.status = NEW, then

  • change status of all found authentication_method_requests to CANCELED.

Validate by actions

if action = deactivate

• Check if person has active authentication_methods (auth_method_current != null) for authorizing deactivation

  • in case of error - return 422 ('Person can't be authorized with NA authentication method')

• Field type must be THIRD_PERSON (where person_auth_method.id = $authentication_method.id)

  • in case of error - return 422 ('Only THIRD_PERSON authentication method type could be deactivated')

• Check this current_auth_method is not primary (the last record by inserted_at with OTP in priority) & there are more than one authentication method for person

  • in case of error - return 422 ('You can't deactivate the last authentication method')

• validate authentication_methods.id belong to this person. Search auth method of this person where  MPI.person_authentication_method.person_id = $.person.id

  • in case of error - return 422 ('such authentication method does not belong to this person')

• Validate that auth_method is active (person_authentication_methods.ended_at > now())

  • in case of error - return 422 ('Authentication method isn’t active')

if action = update

• alias is required

  • In case of error - return 422 ('required property %{property} was not present')

• Check if person has active authentication_methods (auth_method_current != null) for authorizing updating

  • in case of error - return 422 ('Person can't be authorized with NA authentication method')

• validate authentication_methods.id belong to this person. Search auth method of this person where  MPI.person_authentication_method.person_id = $.person.id

  • in case of error - return 422 ('such authentication method does not belong to this person')

• Validate that auth_method is active (person_authentication_methods.ended_at > now())

  • in case of error - return 422 ('Authentication method isn’t active')

if action = insert

1. if type = OTP

   1. phone_number is required

      1. In case of error - return 422 ('required property %{property} was not present')

   2. value shouldn’t be set

      1. In case of error - return 422 ('schema does not allow additional properties')

   3. alias is optional

   4. check the usage limit of this phone number in table person_authentication_methods  with ended_at іs empty or > now() & type = OTP > N

      1. in case of error - return 422 ('This phone number is present more than #{phone_number_auth_limit.limit} times in the system')

   5. validate that person.age >global_parameters.no_self_auth_age

      1. in case of error - return 422 ('Such person cannot have self authentication method')

   6. check that the phone number is verified

      1. in case of error - return 422 ('The phone number is not verified')

   7. call Check confidant person relationship with person_id = $.person_id (from URL)
      and check if this person does not have confidant persons

      1. in case of error - return 422 ('Only THIRD_PERSON authentication method can be created for person who has confidants')

2. if type = OFFLINE

   1. phone_numberand value shouldn’t be set

      1. In case of error - return 422 ('schema does not allow additional properties')

   2. alias is optional

   3. validate that person.age >global_parameters.no_self_auth_age

      1. in case of error - return 422 ('Such person cannot have self authentication method')

   4. check that current authentication methods (the last record by inserted_at) with type != OFFLINE

      1. In case of error - return 422 ('Person already has auth method OFFLINE')

   5. auth_method_current = OTP (if config AUTH_REQUEST_SECURITY_REDUCTION = false)

      1. In case of error - return 422 ('Person cannot set OFFLINE auth method if person had OTP')

   6. call Check confidant person relationship with person_id = $.person_id (from URL)
      and check if this person does not have confidant persons (so method returns {:error, "Relationship is not found"})

      1. In case of error - return 422 ('Only THIRD_PERSON authentication method can be created for person who has confidants')

   7. call Check confidant person relationship with confidant_person_id = $.person_id (from URL)
      and check if this person does not saved as confidant for other patients (for cases if AUTH_REQUEST_SECURITY_REDUCTION = true)

      1. In case of error - return 422 ('Only OTP authentication method can be created for person who has relationship with other patients as confidant')

3. if type = THIRD_PERSON

   • value, alias are required

     • In case of error - return 422 ('required property %{property} was not present')

   • call Check confidant person relationship with confidant_person_id = $.person_id (from URL)
     and check if this person does not saved as confidant for other patients (for cases if AUTH_REQUEST_SECURITY_REDUCTION = true)

     • In case of error - return 422 ('Only OTP authentication method can be created for person who has relationship with other patients as confidant')

   • Validate value:

     • validate person.id is UUID

       • In case of error - return 422 ('string does not match pattern ^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$')

     • check person by person.id in MPI

       • In case of error - return 422 ('such person doesn't exist')

     • check person by person.id in MPI and validate that is_active = true & status = active, else

       • In case of error - return 422 ('third person must be active')

     • check third_person.age > prm.global_parameters.no_self_auth_age years

       • In case of error - return 422 ('Incorrect person age for such an action')

     • validate third_person.auth_method.type OFFLINE or OTP

       • In case of error - return 422 ('third person must has auth method OTP or OFFLINE')

     • Validate that auth_method is active (person_authentication_methods.ended_at > now())

       • in case of error - return 422 ('Authentication method isn’t active')

     • Check that person from value is an approved confidant of person from URL - call Check confidant person relationship with person_id = person from URL and confidant_person_id = value, expected :ok, :approved response

       • in case of error - return 422 ('Only confidants can be set as third persons')

   • if config THIRD_PERSON_OFFLINE = False - validate that third_person has self method = OTP, else:

     • error THIRD PERSON can't have OFFLINE self auth method type

   • validate if THIRD_PERSON != $.person_id (from URL)

     • in case of error - return 422 ('Person can't add himself as THIRD_PERSON')

   • validate if person’s authentication method with type THIRD_PERSON with the same value

     • in case of error - return 422 ('Such person id is already used in existing person's authorization methods')

   • check if person have authentication method with type THIRD_PERSON less person_with_third_person_limit

     • in case of error - return 422 ('Limit of authentication methods with THIRD_PERSON type is exhausted')

   • Check if person has active authentication_methods (auth_method_current != null) for authorizing updating

     • in case of error - return 422 ('Person can't be authorized with NA authentication method')

   • Set third_person_term - parameter is used for calculation of ended_at data for authentication method type = THIRD_PERSON

Set default auth method

Of person on IL.auth_method_request.auth_method_current - use function in mpi, that return primary auth method.

Generate verification code

For verification use authentication method of new confidant person.
Get phone_number from MPI | person_authentication_methods[hardBreak] where id = auth_method_current.

Invoke Initialize OTP to generate one time password and send it to phone number

Generate upload URL

1. If auth_method_requests.auth_method_current = OFFLINE 

   1. Generate URL's with type person.{$.person.documents.[:].type} (or Generate URL's with type third_person.{$.third_person.documents.[:].type})

2. If action = insert and il.auth_method_request.authentication_method.type = OFFLINE:

   1. Generate URL's with type person.{$.person.documents.[:].type}