When a incoming request is received it is sent out to 1 or more routes. Currently we only store the result from the primary route in the transaction metadata. We should also store the responses from other routes. In the transaction metadata, there is a 'routes' property that should contain the request and response information for these other routes.

A good way to implement this would be to store the responses in the koa context, then in the messageStore middleware store these to mongo.

The current implementation of the channel and applications about requires us to refer to then by the channelName and applicationID respectively. We should rather key of the _id properly that mongo gives us as we run into problems where we can't update these fields as they are used to fetch the object to update. Using IDs that never change like the _id would solve this.

This is related to #28

The design of the API can be found at the bottom of this page: https://wiki.ohie.org/display/SUB/Design+of+the+Interoperability+Layer+core+using+Node.js

This links to a console that shows what the API should look like, you can also find this here: http://api-portal.anypoint.mulesoft.com/jembi-health-systems-npc/api/openhim-api/docs/raml?ref=apihub

See the proposed structure of this object here.

For this issue, the storeRequest method in the messageStore.coffee file need to be implemented. This method should take the req parameter and store all relevant information about the request in a javascript object as defined in transaction.json here: https://wiki.ohie.org/display/SUB/Design+of+the+Interoperability+Layer+core+using+Node.js

The transaction object should be stored in a mongodb database.

Because of this: Automattic/mongoose#1338. In anything > [email protected] the schema will not compile. We will have to not user the property 'domain' on the client mongoose schema. This could be changed to 'clinetDomain' or something similar.

Because we are updating a channel by channelname, the channelname on the update json must match the channelname in the db. THis means we cannot update the channelname. Should we be able to update it?

Grunt has a lot more flexibility and power, cake is simple and has worked well however we may want to include linting features etc. into the build in the future and grunt will be better for this.

Currently the user login authentication does not validate the users' supplied password. Any password is currently being accepted

This functionality requires Koa middleware so be developed that ensures that application are authenticated using basic auth when they make a request of the OpenHIM. If they are not, then the request should be denied.

The user should be able to choose if they want to enable basic auth (see #12) or the PKI functionality or both.

More details about how this should work can be found here

See https://github.com/jembi/openhim-core-js/blob/master/src/middleware/messageStore.coffee#L38-L41

We should be using the Koa response to set these properties rather than the node response referenced in the koa context.

ie. ctx.res should rather be ctx.response

To do this, we should provide a new API endpoint that a list of transaction to re-run. We should also be able to see the results of the re-run transactions.

One way to do this is the expose an endpoint like /reruntasks

POST - a JSON object to this endpoint containing a list of transaction IDs to re-run.
GET - a list of past and current reruntasks
GET - /reruntasks/:taskID - return the details of a single task

The OpenHIM core should use the details in transaction.request property to reconstruct each request and resent it.

The OpenHIM-core API does not support cross-origin resource sharing so the API could not be used from the openhim-console frontend if they were hosted on different domains.

See legacy OpenHIM issue 225: jembi/openhim-legacy#225

For this issue, the storeResponse method in the messageStore.coffee file need to be implemented. This method should lookup the transaction object that was stored for the corresponding request and updated this object to store all relevant information about the response as defined in transaction.json here: https://wiki.ohie.org/display/SUB/Design+of+the+Interoperability+Layer+core+using+Node.js

The transaction object should be updated in a mongodb database.

The router.coffee file contains the channels model. This should be changed to use Mongoose as with applications and transactions. The channels model should also be split out from the router.

Requirements:

• A user should be able to log into the OpenHIM console.
• When a user is logged in, the web console should be able to authenticate and communicate with the OpenHIM-core REST API (backend).
• The console cannot be pre-configured with any secrets as it is an Angular app so everything can be visible client side, if would have to request these only once the user is authenticated and authorised.

Message store should use the transactions API to store transactions and requests. Otherwise we are duplicating functionality. These to should be integrated so that they perform the same functionality.

Changes to the Transaction API to allow results to be filtered by date range,
Results should be limited in increments of ?500?

Currently it seems as though the request parameters are not being set or not being added to the API return object

Matching multiple channels causes problems when thinking about authorisation. Each channel can allow certain people to have access. If one matched channel allows the request but another matched channel denies the request then how should we proceed? Do we just fail with unauthorised or do we send requests on to only the authorised channels?

I get the following error when trying to send to requests to the HIM in close succession:

/home/ryan/git/openhim-core-js/node_modules/mongodb/lib/mongodb/connection/base.js:242
        throw message;      
              ^
Error: E11000 duplicate key error index: openhim.transaction.$_id_  dup key: { : ObjectId('5322ff1b14070a662c094092') }
    at Object.toError (/home/ryan/git/openhim-core-js/node_modules/mongodb/lib/mongodb/utils.js:110:11)
    at /home/ryan/git/openhim-core-js/node_modules/mongodb/lib/mongodb/collection/core.js:212:24
    at Server.Base._callHandler (/home/ryan/git/openhim-core-js/node_modules/mongodb/lib/mongodb/connection/base.js:442:41)
    at /home/ryan/git/openhim-core-js/node_modules/mongodb/lib/mongodb/connection/server.js:485:18
    at MongoReply.parseBody (/home/ryan/git/openhim-core-js/node_modules/mongodb/lib/mongodb/responses/mongo_reply.js:68:5)
    at null.<anonymous> (/home/ryan/git/openhim-core-js/node_modules/mongodb/lib/mongodb/connection/server.js:443:20)
    at EventEmitter.emit (events.js:104:17)
    at null.<anonymous> (/home/ryan/git/openhim-core-js/node_modules/mongodb/lib/mongodb/connection/connection_pool.js:191:13)
    at EventEmitter.emit (events.js:107:17)
    at Socket.<anonymous> (/home/ryan/git/openhim-core-js/node_modules/mongodb/lib/mongodb/connection/connection.js:418:22)

An authentication middleware must be developed that allows applications to be authenticated using mutual TLS (ie. client and server certificates).

The user should be able to choose if they want to enable basic auth (see #11) or the PKI functionality or both.

More details about how this should work can be found here

We should restrict which user can edit and view to various API resources. Here is how these could be restricted:

• Channels: Only the user in the 'admin' group can view, add and edit channels.
• Transactions: Users can only view or re-run transaction for the channels which they are allowed to view.
• Client: Only the user in the 'admin' group can view, add and edit clients.
• Users: Only the user in the 'admin' group can view, add and edit users.
• Monitoring data: Users can only view monitoring data for the channels which they are allowed to view.

In order to enable this, we will need to add two properties to both the channels model:

• txRerunable - an array of usernames or group names, with a special value of * to allow anyone
• txViewable - an array of usernames or group names, with a special value of * to allow anyone

We will also need user to have a 'groups' property which contains an array of groups that they are a part of.

The 'admin' is a special group which designated that those user have access to anything.

After an application is authenticated, authorisation middleware must be introduced that determines if they have the correct authority to make this request. This authority is determined by inspecting the path of the request and the channel's details of who is allowed to invoke that channel.

If an application is not authorised a 401 status should be returned else the request should carry on as usual.

More details about how this should work can be found here

The OpenHIM needs to use a separate http endpoint for it REST API so that we can avoid collisions with http request that actually need to be routed. For this issue a new module should be developed that creates a new http server and provides the stub where the API can be configured and REST API functionality can be developed.

The functions from #30 need to exist first before this can be done.

Channels should have two extra options, path and pathTransform:

• path should specify a target path for the channel, e.g. if path is /target, transactions should be routed to the path /target.
• pathTransform should allow for a sed-like substitution of the path, e.g. if the transform is s/foo/bar and the request's endpoint is /endpoint/foo, transactions should be routed to /endpoint/bar.

The options are mutually exclusive.

See the original HIM issue: jembi/openhim-legacy#211

Client application details should be able to be added and removed via this API. See the application.json description here for more details.

When a request is being routed to a specific route in a channel, the ability to forward that request with basic auth should be supported. The route config (in a channel object) should contain the basic auth username and password to use.

How to repeat:

From the openhim-core-js directory run:

curl -v --insecure --key test/resources/client-tls/key.pem --cert test/resources/client-tls/cert.pem https://openhim-preprod.jembi.org:5000/sample/api -H "JsonStub-User-Key: 0582582f-89b8-436e-aa76-ba5444fc219d" -H "JsonStub-Project-Key: 1a841ebc-405e-474e-a8fa-9c401c823ae6"

You should see the following error appear in the logs:

info: Storing request metadata for inbound transaction

/root/openhim-core-js/node_modules/mongodb/lib/mongodb/connection/base.js:242
        throw message;      
              ^
TypeError: Object PoC has no method 'filter'
    at /root/openhim-core-js/lib/middleware/authorisation.js:18:38
    at /root/openhim-core-js/lib/middleware/router.js:107:16
    at /root/openhim-core-js/node_modules/mongodb/lib/mongodb/cursor.js:162:16
    at commandHandler (/root/openhim-core-js/node_modules/mongodb/lib/mongodb/cursor.js:706:16)
    at /root/openhim-core-js/node_modules/mongodb/lib/mongodb/db.js:1806:9
    at Server.Base._callHandler (/root/openhim-core-js/node_modules/mongodb/lib/mongodb/connection/base.js:442:41)
    at /root/openhim-core-js/node_modules/mongodb/lib/mongodb/connection/server.js:485:18
    at MongoReply.parseBody (/root/openhim-core-js/node_modules/mongodb/lib/mongodb/responses/mongo_reply.js:68:5)
    at null.<anonymous> (/root/openhim-core-js/node_modules/mongodb/lib/mongodb/connection/server.js:443:20)
    at EventEmitter.emit (events.js:104:17)

Rename application to client

A hashing function designed for password (e.g. bcrypt) should be used and not a general hashing function like MD5.

The HIM should allow HTTPS access and it should authenticate this access by using mutual TLS (both client and server need to provide a cert). The client's cert is only considered valid if the HIM has this certificate added to its trusted list of certificates else any request that is make must be refused.

The client application certificates should be stored in mogodb along with details about that application. See #4