ЕСОЗ - public documentation

RC_warranty_PIS. Confidant patient sign-up validation

Purpose

This web service (WS) validates the signed content submitted as part of the "registration of a patient by a confidant person" process, extracts the patient data if the content is valid, and creates a session token for the subsequent steps.

Key points

  1. This method must be used only by the Auth front-end

  2. Validates the signed content as well as the JWT and the patient data inside it

  3. Generates a session token (JWT) to confirm the registration request

Specification

Apiary

Validate signed content

  • Check that signed_content and signed_content_encoding are submitted

    • in case of error - return 422 ('required property signed_content was not present' or 'required property signed_content_encoding was not present')

  • Check that signed_content is valid base64

    • in case of error - return 422 ('Invalid signed content')

  • Check that signed_content_encoding has the value 'base64'

    • in case of error - return 422 ('is invalid')

  • Check that the digital signature is valid

    • in case of error - return 400

  • Check that the difference, in minutes, between the current datetime and the signature timestamp of signed_content (the created_at field, in EET) is less than the SIGNED_CONTENT_SIGNATURE_TIMESTAMP_VALID_MINUTES config parameter

    • in case of error - return 401 ('Digital signature timestamp is expired')
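The checks above applied in the listed order, as an added example (not the eHealth project's own code). The signature service is not reachable offline, so demo_verify_signature is a constructed stand-in that accepts a 'SIGNED:' prefix and reports a fixed created_at and a constructed drfo; the config value 15, the fixed UTC+2 offset for EET and the 400 message wording are assumptions, and the abs() on the timestamp difference is a hardening beyond the page's wording (it also rejects a future-dated created_at).

```python
import base64
import binascii
from datetime import datetime, timedelta, timezone

# Assumed values: the page names the config parameter but not its setting,
# and this illustration uses a fixed UTC+2 offset for EET.
SIGNED_CONTENT_SIGNATURE_TIMESTAMP_VALID_MINUTES = 15
EET = timezone(timedelta(hours=2))

# Constructed sample: "signed" content and the timestamp the fake verifier reports.
SAMPLE_CONTENT = b'SIGNED:{"person": {"first_name": "Test", "last_name": "Patient"}}'
SIGNED_AT = datetime(2024, 5, 1, 12, 0, tzinfo=EET)


def make_params(content=SAMPLE_CONTENT, encoding="base64"):
    """Build a request body as the Auth front-end would submit it."""
    return {"signed_content": base64.b64encode(content).decode("ascii"),
            "signed_content_encoding": encoding}


def demo_verify_signature(content):
    """Hypothetical stand-in for the digital-signature service (not the real one):
    content with a 'SIGNED:' prefix counts as validly signed at SIGNED_AT, and the
    returned dict carries the signer data the applicant checks need (drfo is constructed)."""
    if not content.startswith(b"SIGNED:"):
        return None
    return {"created_at": SIGNED_AT, "drfo": "1234567890"}


def validate_signed_content(params, verify_signature, now=None):
    """Apply the checks in the order the page lists them.

    Returns (http_status, decoded_content_or_None, signature_info_or_message).
    verify_signature(content: bytes) -> dict | None is injected so the signature
    backend is not hard-wired here.
    """
    now = now or datetime.now(timezone.utc)

    # 1. Both properties must be present (422 otherwise).
    for field in ("signed_content", "signed_content_encoding"):
        if params.get(field) is None:
            return 422, None, f"required property {field} was not present"

    # 2. Strict base64: validate=True rejects non-alphabet characters instead of
    #    silently discarding them, and bad padding raises as well (422 otherwise).
    try:
        content = base64.b64decode(params["signed_content"], validate=True)
    except (binascii.Error, ValueError, TypeError):
        return 422, None, "Invalid signed content"

    # 3. Only the literal encoding name 'base64' is accepted (422 otherwise).
    if params["signed_content_encoding"] != "base64":
        return 422, None, "is invalid"

    # 4. Cryptographic check of the signature itself (400 otherwise; the page
    #    gives only the status, the message text here is assumed).
    signature = verify_signature(content)
    if signature is None:
        return 400, None, "Invalid digital signature"

    # 5. Freshness window on the signature timestamp (401 otherwise). abs() also
    #    rejects a future-dated created_at, which the page's wording alone lets through.
    limit = timedelta(minutes=SIGNED_CONTENT_SIGNATURE_TIMESTAMP_VALID_MINUTES)
    if abs(now - signature["created_at"]) >= limit:
        return 401, None, "Digital signature timestamp is expired"

    return 200, content, signature
```

Keeping the order matters: the base64 check runs before the signature check, so a malformed body is rejected with 422 without ever calling the signature service, and the timestamp check runs only on a signature that has already been verified, so the created_at being compared is the one the signer actually attested.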

Validate applicant

  • Get the drfo value from the digital signature of signed_content

  • Check that the applicant user exists in the mithril database, users table, with tax_id = drfo from the digital signature and is_active = true

    • in case of error - return 404 ('Applicant user not found.')

  • Check that the applicant user is not blocked (is_blocked <> true)

    • in case of error - return 401 ('Applicant user is blocked.')

  • Check that the applicant user has an active person in the mpi database, persons table, with id = person_id of the found applicant user, status = active and is_active = true

    • in case of error - return 404 ('Applicant person not found.')

  • Check that the applicant person is of the appropriate age (greater than the no_self_auth_age global parameter)

    • in case of error - return 401 ('Incorrect applicant person age for such an action.')

Validate person registration request

Service logic

Generate JWT

  1. Fetch the JWT TTL value from the JWT_LOGIN_TTL env parameter (in minutes).

  2. Decode the signed_content field and calculate the MD5 hash of the decoded bytes.

  3. Generate a JWT with the following parameters:

    1. alg = HS512

    2. aud = pis-registration

    3. content_hash = MD5 hash of decoded signed_content field value

    4. exp = iat + JWT_LOGIN_TTL

    5. iat = now()

    6. iss = EHealth

    7. jti = generate uuid of JWT

    8. nbf = now() - 1 second

    9. sub = content_hash

    10. typ = access
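The token minted with exactly these claims, plus the checks a later registration step should run before trusting it, as an added example (not the eHealth project's own code). Assumptions: JWT_LOGIN_TTL is 15, the HS512 key JWT_SECRET is a placeholder (the page says nothing about where the key lives), the JOSE header carries typ JWT, SAMPLE_SIGNED_CONTENT is a constructed request value, and verify_pis_registration_jwt describes what a consumer of the token would check rather than anything the page specifies.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
import uuid

# Assumed values: the page names JWT_LOGIN_TTL but not its setting, and does
# not say where the HS512 key comes from. Use a random key from the secret store.
JWT_LOGIN_TTL = 15  # minutes
JWT_SECRET = b"replace-with-a-64-byte-random-key-from-the-secret-store"

# Constructed sample request body value (base64 of a small JSON document).
SAMPLE_SIGNED_CONTENT = base64.b64encode(b'{"person": {"first_name": "Test"}}').decode("ascii")


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def content_hash_of(signed_content_b64):
    """Step 2: hash the decoded bytes, not the base64 text of the field."""
    return hashlib.md5(base64.b64decode(signed_content_b64, validate=True)).hexdigest()


def build_pis_registration_jwt(signed_content_b64, secret=JWT_SECRET, now=None):
    """Step 3: mint the session token with the claims the page lists."""
    now = int(time.time()) if now is None else now
    content_hash = content_hash_of(signed_content_b64)
    header = {"alg": "HS512", "typ": "JWT"}  # header typ is an assumption
    claims = {
        "aud": "pis-registration",
        "content_hash": content_hash,
        "exp": now + JWT_LOGIN_TTL * 60,
        "iat": now,
        "iss": "EHealth",
        "jti": str(uuid.uuid4()),
        "nbf": now - 1,
        "sub": content_hash,
        "typ": "access",
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + _b64url(signature)


def verify_pis_registration_jwt(token, signed_content_b64, secret=JWT_SECRET, now=None):
    """What a later step should check before acting on the token.
    Returns the claims on success, None on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        presented = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm server-side; never let the token's own alg pick the verifier.
    if header.get("alg") != "HS512":
        return None
    expected = hmac.new(secret, f"{head_b64}.{claims_b64}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    if claims.get("aud") != "pis-registration" or claims.get("iss") != "EHealth" or claims.get("typ") != "access":
        return None
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return None
    # Bind the token to the content actually submitted in this step.
    expected_hash = content_hash_of(signed_content_b64)
    if claims.get("content_hash") != expected_hash or claims.get("sub") != expected_hash:
        return None
    return claims
```

The content_hash and sub claims tie the session token to one specific signed_content, so a token issued for one registration request cannot be replayed with another body; the verifier recomputes the hash from what was submitted rather than trusting the claim. MD5 here serves only as that binding under an HMAC-protected token, and the authenticity of the content itself still rests on the digital signature checked earlier, not on the hash.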

Render person data

Render the person (patient) data according to the specification
