This repository has been archived by the owner on Apr 13, 2023. It is now read-only.

feat: implement new interface #4

Merged
merged 7 commits into from
Nov 25, 2020

@rsmayda rsmayda commented Nov 18, 2020

Description of changes:

verifyAccessToken changes

  • Expected fhirUser regex is now a constant FHIR_USER_REGEX
    • fhirUser is expected to be an absolute url
    • If fhirUser claim is not in the right format we reject
  • metadata & .well_known changed to pass authorization
  • return the userIdentity found by the call to userInfo

authorizeAndFilterReadResponse changes

  • For searching filter out resources user does not have access to, does NOT throw error
    • Thought here is if all elements are filtered out the router should call for the next page of search results and try again
  • For single reads, throw error if user is not authorized
  • For external users (i.e. their resource is not from our FHIR server) they must use the fully qualified reference to have access
  • To check if user is a reference I am converting the JSON to a string then checking for the fhirUser claim
  • Internal Practitioners can access anything

isWriteRequestAuthorized changes

  • Make this a Practitioner-only action

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
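The read rules listed in this description, as an added TypeScript example that is not code from the pull request. The regex pattern, the function names and the `serverUrl` parameter are assumptions, and this sketch compares `reference` values exactly instead of searching the stringified JSON, so `Patient/1` does not match `Patient/12`.

```typescript
// Added illustration; not code from this pull request.
// Assumed pattern: the project's FHIR_USER_REGEX is not shown on the page.
const FHIR_USER_REGEX = /^(https?:\/\/[^?#]+?)\/(Patient|Practitioner)\/([A-Za-z0-9\-.]{1,64})$/;

interface FhirUser { hostname: string; resourceType: string; id: string; }
type Resource = { [key: string]: unknown };

function parseFhirUser(claim: string): FhirUser {
    const match = FHIR_USER_REGEX.exec(claim);
    // Reject anything that is not an absolute URL; the claim is not echoed (it may hold PII).
    if (match === null) throw new Error("Requester's identity is in the incorrect format");
    return { hostname: match[1], resourceType: match[2], id: match[3] };
}

// Gather every `reference` string in the resource, at any depth.
function collectReferences(node: unknown, out: string[]): string[] {
    if (Array.isArray(node)) {
        node.forEach((child) => collectReferences(child, out));
    } else if (node !== null && typeof node === 'object') {
        const obj = node as { [key: string]: unknown };
        Object.keys(obj).forEach((key) => {
            const value = obj[key];
            if (key === 'reference' && typeof value === 'string') out.push(value);
            else collectReferences(value, out);
        });
    }
    return out;
}

function canRead(user: FhirUser, serverUrl: string, resource: Resource): boolean {
    const internal = user.hostname === serverUrl;
    // Internal Practitioners can access anything.
    if (internal && user.resourceType === 'Practitioner') return true;
    const relative = user.resourceType + '/' + user.id;
    const accepted = [user.hostname + '/' + relative];
    // External users must be referenced by the fully qualified URL.
    if (internal) accepted.push(relative);
    return collectReferences(resource, []).some((ref) => accepted.indexOf(ref) !== -1);
}

// Search: drop what the user may not see, never throw.
function filterSearch(user: FhirUser, serverUrl: string, resources: Resource[]): Resource[] {
    return resources.filter((r) => canRead(user, serverUrl, r));
}

// Single read: throw when the user is not authorized.
function authorizeRead(user: FhirUser, serverUrl: string, resource: Resource): Resource {
    if (!canRead(user, serverUrl, resource)) throw new Error('Not authorized to read this resource');
    return resource;
}
```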

@rsmayda rsmayda self-assigned this Nov 18, 2020
@rsmayda rsmayda marked this pull request as ready for review November 20, 2020 23:48
@rsmayda rsmayda added the enhancement New feature or request label Nov 20, 2020
src/smartHandler.ts (outdated)
const { hostname, resourceType, id } = match.groups!;
return { hostname, resourceType, id };
}
throw new UnauthorizedError("Requester's identity is in the incorrect format");
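Review bot: the non-null assertion in `match.groups!` on the destructuring line only silences the compiler and adds no runtime guard. If the pattern is later edited so that hostname, resourceType or id is no longer a named group, this either returns undefined fields or fails with a TypeError instead of reaching the UnauthorizedError on the last line. Consider checking that all three values are present before the return and falling through to the throw otherwise.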
Contributor

Do we want to pass along the userIdentity in the error message for context?

Contributor Author

I am hesitant as it may contain PII -- I think better to log/return less

nguyen102 previously approved these changes Nov 24, 2020
@nguyen102 nguyen102 left a comment

Looks good. Some minor comments.

@rsmayda rsmayda merged commit a41cdc6 into mainline Nov 25, 2020
@rsmayda rsmayda deleted the new-interface branch November 25, 2020 04:09