ЕСОЗ - публічна документація
Create authentication method request
- Aleksandra Novokhatnia (Deactivated)
- Yuliia Mazur (UA SoE eHealth)
- Nickolay Kolotov (SoE eHealth)
Purpose
This process describes adding an additional authentication method to an existing person, update authentication method and delete it.
Use GET persom/{id}/ authentication_method to find authentication method' id of person.
Specification
Link | |
Resource | /api/persons/{{id}}/authentication_method_requests |
Scope | authentication_method_request:write |
Components | Patient registry |
Microservices | mpi/api fe/admin-web |
Protocol type | REST |
Request type | POST |
Sync/Async | Sync |
Public/Private/Internal | Public |
Global and configurable parameters
Variable | Values | Description |
|---|---|---|
phone_number_auth_limit |
| Check if in table person_authentication_methods with |
third_person_limit |
| In table person_auth_methods with type = |
third_person_term |
| parameter is used for calculation of ended_at data for authentication method type = THIRD_PERSON |
person_with_third_person_limit |
| In table person_auth_methods with type = THIRD_PERSON >N, then error 422 |
no_self_auth_age |
| In table person now()-birth_date <=N & person_auth_methods with type = |
cURL example
Input parameters
Input parameter | Values | Type | Description | Example |
|---|---|---|---|---|
id |
| String | Person identifier. Required |
|
Dictionaries
AUTHENTICATION_METHOD
DOCUMENT_TYPE
Request structure
See on Apiary
Example:
Authorize
Verify the validity of access token
Check user scope authentication_method_request:write in order to perform this action
Headers
Content-Type:application/json
Authorization:Bearer {{access_token}}
api-key:{{secret}}
Request data validation
Validate Patient
Get person_id from URL
Validate id:
validate person.id UUID
in case error return
404
search person by person.id in MPI
in case error return
404, "Such person doesn't exist"
validate that person is active ( person.status = active & is_active = true)
in case error return
409, "Such person isn't active"
Validate request
if action = deactivate
{
"$schema": "http://json-schema.org/draft-04/schema#",
"type": "object",
"properties": {
"action": "deactivate",
"authentication_method": {
"id": "057413fb-2c2e-4f33-b2d6-433469212744"
}
}
}if action = update
if action = insert
Search auth requests by person id
To prevent requests duplication search in il.auth_method_requests.person_id = $.person_id and il.authentication_method_requests.status = NEW, then
Change status of all found person requests:
Validate by actions
if action = deactivate
Field
typemust beTHIRD_PERSON(where person_auth_method.id = $authentication_method.id), else return error 422“Only THIRD_PERSON authentication method type could be deactivated"Check this auth_method is not primary & there are more than one authentication method for person:
in case of error return 422, “
You can't deactivate the last authentication method“
Check if authentication_method_current != NA, else return error 422 “
Person can't be authorized with NA authentication method"Validate that auth_method is active ( person_authentication_methods.ended_at > now())
in case error return
422, “Authentication method isn’t active”
if action = update
validate authentication_methods.id belong to this person. Search auth method of this person where MPI.person_authentication_method.person_id = $.person.id
in case error return 422, "such authentication method does not belong to this person"
aliasis required.Check if authentication_method_current != NA, else return error 422 “
Person can't be authorized with NA authentication method"
if action = insert
if type = OTP ,
phone_numberis required andvalueshouldn’t be set. And fieldaliasis optional.validate that person.age >global_parameters.no_self_auth_age
validate that il.authentication_method_request.authentication_method.phone_number is in DB.VERIFICATION.VERIFIED_PHONES
if type = OFFLINE
phone_numberandvalueshouldn’t be set . And fieldaliasis optional.validate that person.age > global_parameters.no_self_auth_age
auth_method_current != OFFLINE
error - "
Person already has auth method OFFLINE"
auth_method_current = OTP ( if config AUTH_REQUEST_SECURITY_REDUCTION = false)
error -
Person cannot set OFFLINE auth method if person had OTP
if type = THIRD_PERSON
value,phone_number,aliasare requiredValidate value:
validate person.id is UUID
in case error return
422
search person by person.id in MPI
in case error return
404, "such person doesn't exist"
search person by person.id in MPI and validate that is_active = true & status = active, else:
in case error return 422, "third person must be active"
search third_person.age > prm.global_parameters.no_self_auth_age years:
in case error return 422, "
Incorrect person age for such an action"
validate third_person.auth_method != (MPI.person_auth_methods.ended_at <= now())
in case error return 422, "third person must has auth method OTP or OFFLINE"
Validate
phone_numberwith mpi.person_auth_method.phone_number where mpi.person_auth_method.person_id = auth_method_request.authentication_method.valueauth_method_current != null (null is set if MPI.person_auth_methods.ended_at <= now())
if config
THIRD_PERSON_OFFLINE= False - validate that third_person has self method = OTP, else:error
THIRD PERSON can't have OFFLINE self auth method type
validate if THIRD_PERSON != person, else return error 422
Person can't add himself as THIRD_PERSONvalidate if person’s authentication method with type THIRD_PERSON with the same value, else return error 422
Such person id is already used in existing person's authorization methodscheck if person have authentication method with type THIRD_PERSON less
person_with_third_person_limittimes, else return error 422,Limit of authentication methods with THIRD_PERSON type is exhausted
Processing
Set auth_method_current
Set default auth method of person on IL.auth_method_request.auth_method_current - use function in mpi, that return primary auth method.
Validate that auth_method_current != null (null is set if MPI.person_auth_methods.ended_at <= now()) if
action = deactivate
action = update
action = insert and type= THIRD_PERSON and person.age>no_self_auth_method
else error - “
Person can't be authorized with NA authentication method“
Generate verification code
If auth_method_requests.auth_method_current = OTP
Invoke Initialize OTP to generate one time password and send it where auth_method_requests.auth_method_current = OTP.
cURL example
Generate upload URL
If auth_method_requests.auth_method_current = OFFLINE
Generate URL's with type person.{$.person.documents.[:].type} (or Generate URL's with type third_person.{$.third_person.documents.[:].type})
If action = insert and il.auth_method_request.authentication_method.type = OFFLINE:
Generate URL's with type person.{$.person.documents.[:].type}
Response structure
See on Apiary
Example:
HTTP status codes
HTTP status code | Message | What caused the error |
|---|---|---|
201 | Response |
|
404 | Such person doesn't exist | Validation error |
409 | Such person isn't active | Validation error |
422 | Such a phone already exists more N times This fiduciary person is present more than N times in the system Limit of authentication methods with THIRD_PERSON type is exhausted Such person cannot have self authentication method Only THIRD_PERSON authentication method type could be deactivated You can't deactivate the last authentication method Person can't be authorized with NA authentication method Authentication method isn’t active Such authentication method does not belong to this person Third person must be active Incorrect person age for such an action Third person must has auth method OTP or OFFLINE Person can't add himself as THIRD_PERSON Such person id is already used in existing person's authorization methods Unverified phone number | Validation error |
ЕСОЗ - публічна документація