RC_(CSI-2483,CR-441)_Cancel approval

Purpose

This WS intended to cancel of the patient approval.

Specification

Apiary

Authorization

• Verify the validity of access token

  • Return (401, 'Invalid access token') in case of validation fails

• Verify that token is not expired

  • in case of error - return (401, 'Invalid access token')

• Check user scopes in order to perform this action (scope = 'approval:cancel')

  • Return (403, 'Your scope does not allow to access this resource. Missing allowances: approval:cancel') in case of invalid scope(s)

Validate Patient

• Get Patient identifier from the URL

• Check it exists in DB

  • Return 404 ('Person is not found') in case of error

Validate Approval

• Get Approval identifier from the URL

• Check it exists in DB

  • Return 404 ('not found') in case of error

• Check approval is not expired (expires_at > now() )

  • Return 409 ('Approval can be cancelled only if it is not expired') in case of error

Validate User

• Extract user_id from token.

• Check user has an active declaration with a patient from URL (can cancel all approvals) or approval is granted to user (can cancel own approval):

  • Return 403 ('No active declaration with patient found or declaration is not from the same MSP') in case the employee doesn't have an active declaration with the patient

Service logic

Service allow to cancel of the patient approval:

• Get approval by patient_id and approval id from approvals collection (MongoDB)

• Update for approvals: updated_at, updated_by, expired_at = now()

• Send SMS to patient with info about cancelling based on logic:

  • If authorize_with exists in approval and is not empty, check:

    • Authentication method exists in person_authentication_methods table in MPI DB (with is_active=true), is active (ended_at > now() or null)

    • Get value of THIRD_PERSON_CONFIDANT_PERSON_RELATIONSHIP_CHECK config parameter, if it is set to true - for authentication method with type = THIRD_PERSON check that person from value is an approved confidant for a person from approval – exists active and approved confidant person relationship between person from request and confidant_person_id from authentication method value (using following logic: https://e-health-ua.atlassian.net/wiki/spaces/CSI/pages/17667883028 with person_id = person from request and confidant_person_id = value from auth method) - expected :ok, :approved response)

      • in case any validation failed - do not send SMS

      • else - send SMS to OTP from authorize_with

    • If authorize_with does not exist in approval or is empty - get patient's default authentication method using https://e-health-ua.atlassian.net/wiki/spaces/CSI/pages/17613029453 if it is OTP or third_person.OTP, send SMS to that patient with info about cancelling.

• Render a response according to specification.