...

We should build a service that validates API requests against the data scope assigned to the self service user. A self service login user should be able to view/transact only on their own loans and savings accounts. The service should also prevent the user from reading certain confidential information, such as notes and the internal approval cycle.

Design

New Screens

Scope of this feature is to provide only platform capability and doesn't include any UI.

...

This would be achieved in a way similar to the suggestion provided here: http://stackoverflow.com/questions/10231854/multiple-jersey-applications-with-same-path-for-root-resource

Identifying self service user

...


The m_appusers table would be modified to add a column 'is_self_service_user' to identify a self service API user.

...

This API would be available only under the /mifosng-provider root, indicating that it is under the control of a back office/administrative user.

All the data scoping for self service user would be based on this client mapping.

In future, additional use cases such as agents or staff with limited scope can be created with multiple client mappings in this table, and they would get access to view/transact on only those clients.

...

Two new AuthenticationProvider classes would be created, extending the existing default Spring DaoAuthenticationProvider, one each for the /mifosng-provider and /mifosng-selfservice roots. These extensions would additionally check the is_self_service_user attribute and enforce proper authorisation.
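
A sketch of the two providers described above, as an added example that is not code from the Mifos project. The SelfServiceAware interface and all class names are hypothetical, and it assumes Spring Security on the classpath in a release where DaoAuthenticationProvider has a no-argument constructor.

```java
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;

/** Hypothetical view of an m_appusers row; only the new column matters here. */
interface SelfServiceAware extends UserDetails {
    boolean isSelfServiceUser();
}

/** Shared check: the user's flag must match the channel this provider guards. */
abstract class ChannelAuthenticationProvider extends DaoAuthenticationProvider {
    private final boolean selfServiceChannel;

    protected ChannelAuthenticationProvider(boolean selfServiceChannel) {
        this.selfServiceChannel = selfServiceChannel;
    }

    @Override
    protected void additionalAuthenticationChecks(UserDetails user,
            UsernamePasswordAuthenticationToken token) throws AuthenticationException {
        // Let the default provider verify the password first.
        super.additionalAuthenticationChecks(user, token);
        // A principal that does not expose the flag is treated as a back office
        // user, so it can never pass the self service channel by accident.
        boolean flagged = user instanceof SelfServiceAware
                && ((SelfServiceAware) user).isSelfServiceUser();
        if (flagged != selfServiceChannel) {
            throw new InsufficientAuthenticationException(
                    "User is not permitted on this channel");
        }
    }
}

/** Registered for the /mifosng-provider root: rejects self service users. */
class BackOfficeAuthenticationProvider extends ChannelAuthenticationProvider {
    BackOfficeAuthenticationProvider() { super(false); }
}

/** Registered for the /mifosng-selfservice root: rejects back office users. */
class SelfServiceAuthenticationProvider extends ChannelAuthenticationProvider {
    SelfServiceAuthenticationProvider() { super(true); }
}
```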

Self Service User Role permissions

The existing Role permission APIs would be used. Because self service and back office user authorisation are differentiated as explained above, a self service user will not have access to any APIs other than those exposed for the self service channel.

New APIs for self service users

To start with, all the APIs exposed would support only GET methods, and the data scope would be limited to the clients mapped to the user.

| Usecase | API | Notes |
| --- | --- | --- |
| Authentication Basic HTTP | /mifosng-selfservice/api/v1/authentication?username={username}&password={password} | |
| Authentication Oauth2 | /mifosng-selfservice/api/oauth/token?username={username}&password={password}&client_id={clientId}&grant_type={grant_type}&client_secret={client_secret} | |
| | /mifosng-selfservice/api/oauth/token?refresh_token={refresh_token}&client_id={clientId}&grant_type={grant_type}&client_secret={client_secret} | |
| | /mifosng-selfservice/api/v1/userdetails?access_token={access_token} | |
| List Clients | /mifosng-selfservice/api/v1/clients | Return list of clients mapped to given self service app user |
| Retrieve a Client | /mifosng-selfservice/api/v1/clients/{clientId} | Only approved and active clients |
| Retrieve client accounts overview | /mifosng-selfservice/api/v1/clients/{clientId}/accounts | Only approved and active accounts |
| Get client image | /mifosng-selfservice/api/v1/clients/{clientId}/images | |
| List client charges | /mifosng-selfservice/api/v1/clients/{clientId}/charges | |
| Retrieve a client charge | /mifosng-selfservice/api/v1/clients/{clientId}/charges/{clientChargeId} | |
| List client transactions | /mifosng-selfservice/api/v1/clients/{clientId}/transactions | |
| Retrieve a client transaction | /mifosng-selfservice/api/v1/clients/{clientId}/transaction/{transactionId} | |
| Retrieve a Savings Account | /mifosng-selfservice/api/v1/savingsaccounts/{accountId} | Only approved and active account |
| List Savings account transactions | /mifosng-selfservice/api/v1/savingsaccounts/{accountId}/transactions | |
| Retrieve a savings account transaction | /mifosng-selfservice/api/v1/savingsaccounts/{accountId}/transactions/{transactionId} | |
| List Savings account charges | /mifosng-selfservice/savingsaccounts/{accountId}/charges | |
| Retrieve a savings account charge | /mifosng-selfservice/api/v1/savingsaccounts/{accountId}/charges/{savingsAccountChargeId} | |
| Retrieve a Loan | /mifosng-selfservice/api/v1/loans/{loanId} | Only approved and active account |
| List loan account transactions | /mifosng-selfservice/loans/{loanId}/transactions | |
| Retrieve loan account transaction | /mifosng-selfservice/api/v1/loans/{loanId}/transactions/{transactionId} | |
| List loan account charges | /mifosng-selfservice/api/v1/loans/{loanId}/charges | |
| Retrieve a loan account charge | /mifosng-selfservice/api/v1/loans/{loanId}/charges/{chargeId} | |

 

User interaction and design

Exception Handling

Reporting

APIs

Notes

Data scoping self service API


A new service would be written to validate the request parameters against the data scope of the given user. The parameters of each API would be validated for client id, loan id, account id, additional parameter requests, etc. On invalid requests, an appropriate AuthenticationException would be thrown.

Role permission verification would be taken care of by the existing service implementations.
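
The data scope check described above, as an added example that is not code from the Mifos project. The class and method names are hypothetical, the in-memory maps stand in for lookups against the user-to-client mapping and the account tables, and DataScopeException stands in for the AuthenticationException the design would throw.

```java
import java.util.Map;
import java.util.Set;

/** clientsByUser: app user id -> mapped client ids; loanOwner/savingsOwner: account id -> client id. */
public record SelfServiceDataScopeValidator(Map<Long, Set<Long>> clientsByUser,
        Map<Long, Long> loanOwner, Map<Long, Long> savingsOwner) {

    /** Stand-in for the AuthenticationException subtype the design would throw. */
    public static class DataScopeException extends RuntimeException {
        DataScopeException() { super("Resource is outside the user's data scope"); }
    }

    /** Used for every /clients/{clientId}/... path. */
    public void validateClient(long userId, long clientId) {
        if (!clientsByUser.getOrDefault(userId, Set.of()).contains(clientId)) {
            throw new DataScopeException();
        }
    }

    /** Used for every /loans/{loanId}/... path. */
    public void validateLoan(long userId, long loanId) {
        validateOwner(userId, loanOwner.get(loanId));
    }

    /** Used for every /savingsaccounts/{accountId}/... path. */
    public void validateSavingsAccount(long userId, long accountId) {
        validateOwner(userId, savingsOwner.get(accountId));
    }

    // An unknown id and an id owned by an unmapped client fail identically,
    // so the error does not reveal which account ids exist.
    private void validateOwner(long userId, Long owningClientId) {
        if (owningClientId == null) throw new DataScopeException();
        validateClient(userId, owningClientId);
    }

    public static void main(String[] args) {
        // Constructed data: user 7 is mapped to client 101; loan 5002 belongs to client 202.
        var validator = new SelfServiceDataScopeValidator(Map.of(7L, Set.of(101L)),
                Map.of(5001L, 101L, 5002L, 202L), Map.of(9001L, 101L));
        validator.validateLoan(7, 5001); // in scope: loan of a mapped client
        try {
            validator.validateLoan(7, 5002);
            throw new AssertionError("loan 5002 must be rejected");
        } catch (DataScopeException expected) {
            System.out.println("loan 5002 rejected: " + expected.getMessage());
        }
    }
}
```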

Notes


When this feature is deployed, all existing users will be marked as non-self service users.

Questions

Below is a list of questions to be addressed as a result of this requirements document:

| Question | Outcome |
| --- | --- |

Out of Scope

  • Transfers within/outside client accounts are not considered yet.