
bdt's Issues

Loosen scope negotiation expectations

See https://chat.fhir.org/#narrow/stream/179250-bulk-data/topic/Expected.20scope.20negotiation.20behavior

This is regarding test Auth-14 - Supports wildcard action scopes.

The test could be modified to request system/*.read instead of system/Patient.*. That would make the test itself correct enough, but in my opinion it is better to remove the test altogether. Turns out a server might reject system/*.read without violating any spec, so we just cannot test for this reliably.

Do not require OperationOutcome errors if the authorization header is missing

Test Auth-01 - Requires authorization header verifies that the server replies with an error if authorization header is not sent. However, it also expects that the server will reply with an error as an OperationOutcome.

The OperationOutcome part should be optional though. If the server replies with JSON, then the payload must be an OperationOutcome. Otherwise, the server should also be able to respond with text or even an empty body (as long as it sends an error HTTP status code).
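The relaxed expectation described in this issue, written out as a check. This is an added example, not BDT's code: `checkMissingAuthResponse` and the `res` shape (`status`, lower-cased `headers`, string `body`) are hypothetical, and deciding "replies with JSON" from the Content-Type header is an assumption.

```javascript
// Added example, not BDT's code. `res` is a hypothetical plain object
// { status, headers, body } with lower-cased header names and a string body.
function checkMissingAuthResponse(res) {
  const problems = [];

  // The hard requirement: an error HTTP status code.
  if (!(res.status >= 400 && res.status <= 599)) {
    problems.push(`expected a 4xx/5xx status, got ${res.status}`);
  }

  // Assumption: "replies with JSON" is decided from the Content-Type header.
  const mime = String(res.headers["content-type"] || "")
    .split(";")[0].trim().toLowerCase();
  const isJson = mime === "application/json" || mime.endsWith("+json");
  const body = (res.body || "").trim();

  // Text or an empty body is acceptable; only a JSON payload is inspected.
  if (isJson && body !== "") {
    let payload = null;
    try {
      payload = JSON.parse(body);
    } catch (err) {
      problems.push("Content-Type is JSON but the body does not parse");
      return problems;
    }
    if (!payload || payload.resourceType !== "OperationOutcome") {
      problems.push("JSON error payload must be an OperationOutcome");
    }
  }
  return problems;
}

// Constructed sample responses to a request sent without an authorization header.
const samples = {
  outcome: { status: 401, headers: { "content-type": "application/fhir+json" },
    body: '{"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"login"}]}' },
  plainText: { status: 401, headers: { "content-type": "text/plain" }, body: "Unauthorized" },
  emptyBody: { status: 403, headers: {}, body: "" },
  otherJson: { status: 401, headers: { "content-type": "application/json" }, body: '{"error":"no token"}' },
  success: { status: 200, headers: { "content-type": "text/plain" }, body: "ok" },
};

for (const [name, res] of Object.entries(samples)) {
  console.log(name, checkMissingAuthResponse(res));
}
```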

Add tests for repeated kick-off parameters

According to the spec:

A client MAY repeat kick-off parameters that accept comma delimited values multiple times in a kick-off request. The server SHALL treat the values provided as if they were comma delimited values within a single instance of the parameter.
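A sketch of what such a test would compare, as an added example that is not BDT's code. The function names are hypothetical, and the set of parameters treated as accepting comma-delimited values (`_type`, `_elements`) is an assumption.

```javascript
// Added example, not BDT's code.
// Assumption: the kick-off parameters that accept comma-delimited values.
const LIST_PARAMS = new Set(["_type", "_elements"]);

// Server-side view: fold repeated list parameters into one
// comma-delimited value, as the quoted spec text requires.
function foldRepeatedParams(query) {
  const folded = Object.create(null);
  for (const [name, value] of new URLSearchParams(query)) {
    if (!(name in folded)) {
      folded[name] = value;
    } else if (LIST_PARAMS.has(name)) {
      folded[name] += "," + value;
    } else {
      // Not a list parameter: keep every value so the caller can decide.
      folded[name] = [].concat(folded[name], value);
    }
  }
  return folded;
}

// Client-side view: the two encodings a test would send for the same export.
function kickOffVariants(name, values) {
  const single = new URLSearchParams([[name, values.join(",")]]).toString();
  const repeated = new URLSearchParams(values.map((v) => [name, v])).toString();
  return { single, repeated };
}

// Constructed input: three resource types requested through _type.
const variants = kickOffVariants("_type", ["Patient", "Observation", "Encounter"]);
console.log(variants.repeated); // _type=Patient&_type=Observation&_type=Encounter
console.log(foldRepeatedParams(variants.single)._type);
console.log(foldRepeatedParams(variants.repeated)._type);

// A mixed form (one comma list plus one repeat) folds to the same value.
const mixed = "_type=Patient,Observation&_type=Encounter&_since=2020-01-01T00:00:00Z";
console.log(foldRepeatedParams(mixed));
```

A server that handles both forms correctly should produce the same export for `variants.single` and `variants.repeated`.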

Patient-level export

The test server gives the message "This server does not require authorization". Could you please help me understand how the test server comes to this conclusion?

If you could, help me with which endpoint it is looking for.

Thanks

Change how "not supported" errors are reported

Currently this is done via a special check that decorates the test as not supported, but that forces the tests to use various if, else or return statements. Instead, it should be done by throwing a dedicated type of Error which is later caught and handled appropriately.
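One way the proposed pattern could look, as an added example rather than BDT's implementation. `NotSupportedError`, `runTest`, the `authSupported` setting and the "succeeded"/"failed" status strings are hypothetical; only the "not-supported" status and the warning text are taken from the test output shown elsewhere on this page. Test functions are synchronous here.

```javascript
// Added example, not BDT's code.
class NotSupportedError extends Error {
  constructor(message) {
    super(message);
    this.name = "NotSupportedError";
  }
}

// Hypothetical guard: a test calls this once instead of branching on
// the setting with if/else/return throughout its body.
function requireAuthSupport(settings) {
  if (!settings.authSupported) { // `authSupported` is an assumed setting name
    throw new NotSupportedError(
      "This test is only applicable for servers that support SMART Backend Services authorization"
    );
  }
}

// Hypothetical runner: the dedicated error type is caught in one place
// and reported as a warning, while any other error is a real failure.
function runTest(test, settings) {
  const result = { id: test.id, status: "succeeded", warnings: [], error: null };
  try {
    test.fn(settings);
  } catch (err) {
    if (err instanceof NotSupportedError) {
      result.status = "not-supported";
      result.warnings.push(err.message);
    } else {
      result.status = "failed";
      result.error = err.message;
    }
  }
  return result;
}

// Constructed tests: one guarded by the check, one with a genuine failure.
const guarded = { id: "Auth-02", fn: (s) => { requireAuthSupport(s); } };
const broken = { id: "Demo-01", fn: () => { throw new Error("unexpected status 500"); } };

console.log(runTest(guarded, { authSupported: false }));
console.log(runTest(guarded, { authSupported: true }));
console.log(runTest(broken, { authSupported: true }));
```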

Re-design to support server use cases

The current architecture uses a single instance, which works fine in CLI but is very inconvenient if BDT needs to be used on the server side where multiple clients could use it at the same time.

rest.security does not have an extensions object in r4

Hi Vladimir. I was looking at the part of BDT that checks the capabilities statement for security

Specifically https://github.com/smart-on-fhir/bdt/blob/master/testSuite/metadata.test.js
lines 70-100

I think there might be an error here.

When I run BDT on my server, I get: Includes the token endpoint in the CapabilityStatement

! Unable to find security extensions at "https://sandbox.bcda.cms.gov/api/v1/metadata"

rest.security does not have an extensions object in r4

https://www.hl7.org/fhir/capabilitystatement-definitions.html#CapabilityStatement.rest.security

In fact it hasn't since stu2.

The metadata test should be changed to address the r4 spec for Capability Stmt.

Improve the "User-Agent" request header

According to Mozilla the user-agent should have the following structure:

User-Agent: <product> / <product-version> <comment>

It currently is BDT (https://github.com/smart-on-fhir/bdt) and should be modified to match the spec. The "product-version" can be extracted from the package.json file.

bdt test 0.3.0 returns

While using the latest bdt, I got a warning for test 0.3.0

{
    "type": "testEnd",
    "data": {
        "id": "Auth-02",
        "name": "Requires \"application/x-www-form-urlencoded\" POSTs",
        "description": "After generating an authentication JWT, the client requests a new access token via HTTP POST to the FHIR authorization server's token endpoint URL, using content-type `application/x-www-form-urlencoded`.",
        "type": "test",
        "path": "0.3.0",
        "startedAt": 1597949641886,
        "status": "not-supported",
        "decorations": {},
        "warnings": [
            "This test is only applicable for servers that support SMART Backend Services authorization"
        ],
        "error": null,
        "endedAt": 1597949641886
    }
}

Here are the settings for the bdt runner

{
    "baseURL": "https://bulk-data.smarthealthit.org/eyJlcnIiOiIiLCJwYWdlIjoxMDAwMCwiZHVyIjoxMCwidGx0IjoxNSwibSI6MSwic3R1IjozfQ/fhir",
    "tokenEndpoint": "https://bulk-data.smarthealthit.org/auth/token",
    "clientId": "...",
    "systemExportEndpoint": "",
    "patientExportEndpoint": "/Patient/$export",
    "groupExportEndpoint": "",
    "fastestResource": "",
    "requiresAuth": false,
    "sinceParam": "_since",
    "jwksUrlAuth": true,
    "jwksAuth": true,
    "jwksUrl": "",
    "strictSSL": false,
    "publicKey": {...},
    "privateKey": {... }
  }
