Comments (4)
👍 This context helps for sure. I will add it to our backlog on our side. Rough work required:
- change interface from returning a boolean to void and the contract is to throw an AuthZ error if validation fails
- The thrown error should be caught within the errorHandling but there may need to be some additions here too: https://github.com/awslabs/fhir-works-on-aws-routing/blob/mainline/src/router/routes/errorHandling.ts
from fhir-works-on-aws-routing.
Forgot to tag this issue; we completed this on Nov 12th; for code see: https://github.com/awslabs/fhir-works-on-aws-routing/blob/mainline/src/router/routes/errorHandling.ts#L33 or commit: 4c5c310#diff-86a044095555cf0881c9677d5b42481ee07a05d2f394e442d57984966e08ce91
Hey Dunmail! Thanks for opening this -- good callout. Looking at the FHIR spec the part we are hung up with is:
On the RESTful interface, operation outcome resources are only relevant when a level of computable detail is required that is more granular than that provided by the HTTP response codes. This granularity could include:
- more detail about the location of an issue
- the ability to identify multiple distinct issues
- provision of finer error codes that connect to known business failure states
https://www.hl7.org/fhir/operationoutcome.html#using
The "computable detail is required that is more granular than that provided by the HTTP response codes" does not seem relevant for 403 errors as we would want to maintain a generic 403 for all possible 403 permutations (for security reasons).
Though there is probably a benefit for a consistent 'error' experience from a client perspective. Out of curiosity do you have clients that require errors to produce OperationOutcomes?
Hi Robert,
I do agree with the principle that opaque security errors are a good thing for production systems. However, we have production use cases where limited supplementary information can help the users distinguish different modes of failure.
For example, we have a service providing patient search on the NHS MPI. Requests can generate a 403 response for different business reasons:
- Your role isn't allowed to search for Patients
- Your organization isn't allowed to use the NHS PDS service
It's also really useful to share information in development systems so that the client can be given detailed information about why their request has been rejected.
From a client perspective the consistent error experience is important. Our current apps and services use either UI controls to render an OperationOutcome or write to logs in a known format.
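The contract sketched in the first comment (an authorization check that returns void and throws on failure, with the thrown error converted by the error handler) and the 403 trade-off debated in the later replies (generic in production, more detail for development), as an added example that is not code from fhir-works-on-aws-routing. AuthorizationError, checkSearchAccess, toErrorResponse, handleSearch, the SEARCH_ROLES table and the exposeDiagnostics flag are all assumptions made for this example.

```typescript
// Added example, not code from fhir-works-on-aws-routing. All names here are
// assumptions; the OperationOutcome shape follows the FHIR spec linked above.

// Minimal FHIR OperationOutcome (https://www.hl7.org/fhir/operationoutcome.html).
interface OperationOutcome {
  resourceType: 'OperationOutcome';
  issue: Array<{
    severity: 'error' | 'fatal' | 'warning' | 'information';
    code: string;
    diagnostics?: string;
  }>;
}

// Thrown by the authorization layer. `diagnostics` records the business
// reason for operators; it is never sent to the client unless explicitly enabled.
class AuthorizationError extends Error {
  readonly diagnostics: string;
  constructor(diagnostics: string) {
    super('Forbidden');
    this.name = 'AuthorizationError';
    this.diagnostics = diagnostics;
  }
}

// Constructed access rule for the example: which roles may search a resource type.
const SEARCH_ROLES: Record<string, string[]> = {
  Patient: ['practitioner', 'admin'],
};

// The contract from the first comment: void on success, throw on failure.
function checkSearchAccess(resourceType: string, role: string): void {
  const allowed = SEARCH_ROLES[resourceType] ?? [];
  if (!allowed.includes(role)) {
    throw new AuthorizationError(`role '${role}' is not allowed to search ${resourceType}`);
  }
}

interface HandlerResponse {
  status: number;
  body: OperationOutcome | null;
}

// Error handler: every AuthorizationError becomes the same 403 with a single
// `forbidden` issue, so clients cannot tell which rule failed in production.
// The reason is attached only when exposeDiagnostics is true (a development stack).
function toErrorResponse(err: unknown, exposeDiagnostics = false): HandlerResponse {
  if (err instanceof AuthorizationError) {
    const issue: OperationOutcome['issue'][number] = { severity: 'error', code: 'forbidden' };
    if (exposeDiagnostics) {
      issue.diagnostics = err.diagnostics;
    }
    return { status: 403, body: { resourceType: 'OperationOutcome', issue: [issue] } };
  }
  // Anything else is an unexpected failure; its message is never echoed to the client.
  return {
    status: 500,
    body: { resourceType: 'OperationOutcome', issue: [{ severity: 'fatal', code: 'exception' }] },
  };
}

// Stand-in for the router: run the check and convert a thrown error to a response.
function handleSearch(resourceType: string, role: string, exposeDiagnostics = false): HandlerResponse {
  try {
    checkSearchAccess(resourceType, role);
    return { status: 200, body: null };
  } catch (err) {
    return toErrorResponse(err, exposeDiagnostics);
  }
}
```

The production response is identical for every failed rule, which is the point made about keeping a generic 403; the exposeDiagnostics switch covers the development case described in the last comment. Surfacing distinct business reasons in production, as in the MPI example, would mean deliberately allow-listing specific issue codes in toErrorResponse rather than passing the internal reason through.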