Purpose
This WS validates the signed content submitted as part of the "patient registration by confidant person" process, extracts the patient data if the content is valid, and creates a session token used for the further steps of the process.
Key points
This method must be used only by the Auth front-end.
This method requires the confidant person to be authenticated already.
It validates the signed content as well as the JWT and the patient data inside it.
It generates a session token (JWT) that confirms the registration request.
Specification
Authorization
  Verify the validity of the access token
    in case of error - return 401 ("Invalid access token")
  Verify that the token is not expired
    in case of error - return 401 ("Invalid access token")
  Check user scopes in order to perform this action (scope = confidant_person:sign_up)
    in case of invalid scope(s) - return 403 ("Your scope does not allow to access this resource. Missing allowances: confidant_person:sign_up")
Validate signed content
  Check that signed_content and signed_content_encoding are submitted
    in case of error - return 422 ('required property signed_content was not present' or 'required property signed_content_encoding was not present')
  Check that signed content is valid base64
    in case of error - return 422 ('Invalid signed content')
  Check that signed content encoding is the 'base64' value
    in case of error - return 422 ('is invalid')
  Check that the digital signature is valid
    in case of error - return 400
  Check that the signer of the request relates to the authenticated person. Get the person from MPI using x-person-id and ensure that person.tax_id or person.documents is equal to the signer DRFO (from the digital signature):
    if the DRFO value matches the tax_id regexp (^[0-9]{10}$) - compare with person.tax_id
    if the DRFO value matches the national_id number regexp (^[0-9]{9}$) - compare with the document with type 'NATIONAL_ID'
    if the DRFO value contains at least one letter, perform reverse transliteration of the field using the existing algorithm (described here), then check that the value matches the passport number regexp (^((?![ЫЪЭЁ])([А-ЯҐЇІЄ])){2}[0-9]{6}$) - compare with the document with type 'PASSPORT'
    in case of error - return 401 ('Unable to authenticate signer')
Validate person registration request
  The person registration request itself must contain the patient (person) data and some consents as part of the PIS authorization.
  Validate the person data according to https://e-health-ua.atlassian.net/wiki/spaces/PCAB/pages/17415143598/Rules+to+validate+patient+data#Person-with-confidant
  Check that the patient_signed field value equals 'true'
    in case of error - return 422 ('value is not allowed in enum')
  Check that the process_disclosure_data_consent field value equals 'true'
    in case of error - return 422 ('value is not allowed in enum')
Service logic
Generate JWT
  Fetch the JWT TTL value from the JWT_LOGIN_TTL env parameter (in minutes).
  Decode the signed_content field and calculate its MD5 hash.
  Generate a JWT with the following parameters:
    alg = HS512
    aud = pis-registration
    content_hash = MD5 hash of the decoded signed_content field value
    exp = iat + JWT_LOGIN_TTL
    iat = now()
    iss = EHealth
    jti = generated UUID of the JWT
    nbf = now() - 1 second
    sub = content_hash
    typ = access
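The token generation above, as an added illustration that is not part of the original specification or the project's code: the claims are built exactly as listed (content_hash = MD5 of the decoded signed_content, exp = iat + TTL, nbf = now() - 1 s, sub = content_hash) and the JWT is signed with HS512 using only the Python standard library. The TTL default, the secret and the verification helper are assumptions for the example; the JOSE header "typ":"JWT" is the standard header field, distinct from the "typ":"access" claim.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional, Tuple

JWT_LOGIN_TTL_MINUTES = 15  # assumed value of the JWT_LOGIN_TTL env parameter (minutes)


def _b64url(data: bytes) -> str:
    # JWT segments are unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_registration_token(signed_content_b64: str, secret: bytes,
                             ttl_minutes: int = JWT_LOGIN_TTL_MINUTES,
                             now: Optional[int] = None) -> Tuple[str, dict]:
    """Decode signed_content, hash it with MD5 and issue the HS512 session JWT."""
    # validate=True rejects non-base64 input (the 422 'Invalid signed content' case)
    decoded = base64.b64decode(signed_content_b64, validate=True)
    content_hash = hashlib.md5(decoded).hexdigest()
    iat = int(time.time()) if now is None else now
    claims = {
        "aud": "pis-registration",
        "content_hash": content_hash,
        "exp": iat + ttl_minutes * 60,  # exp = iat + JWT_LOGIN_TTL
        "iat": iat,
        "iss": "EHealth",
        "jti": str(uuid.uuid4()),       # jti = generated UUID of the JWT
        "nbf": iat - 1,                 # nbf = now() - 1 second
        "sub": content_hash,
        "typ": "access",
    }
    header = {"alg": "HS512", "typ": "JWT"}  # standard JOSE header
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + _b64url(sig), claims


def verify_registration_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Assumed consumer-side check: HS512 signature, audience and the nbf/exp window."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(_b64url(expected), sig):  # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    t = int(time.time()) if now is None else now
    if claims.get("aud") != "pis-registration" or not (claims["nbf"] <= t < claims["exp"]):
        return None
    return claims
```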
Render person data
  Render the person (patient) data according to the specification.