clinical record auth handling rework (#127)

# clinical record auth handling rework

## ♻️ Current situation & Problem
see #123 for details

## ⚙️ Release Notes
- attempts to fix clinical record authorization handling

## 📚 Documentation
n/a

## ✅ Testing
i wote a test case but i'm not sure how stable this'll be; we might have
to remove it again

### Code of Conduct & Contributing Guidelines
By creating and submitting this pull request, you agree to follow our
[Code of
Conduct](https://github.com/StanfordBDHG/.github/blob/main/CODE_OF_CONDUCT.md)
and [Contributing
Guidelines](https://github.com/StanfordBDHG/.github/blob/main/CONTRIBUTING.md):
- [x] I agree to follow the [Code of
Conduct](https://github.com/StanfordBDHG/.github/blob/main/CODE_OF_CONDUCT.md)
and [Contributing
Guidelines](https://github.com/StanfordBDHG/.github/blob/main/CONTRIBUTING.md).

Author: lukaskollmer

MyHeartCounts.xcodeproj/project.pbxproj

@@ -80,6 +80,7 @@
 		80713BE52D93F48C00A2DB0A /* SpeziStudy in Frameworks */ = {isa = PBXBuildFile; productRef = 80713BE42D93F48C00A2DB0A /* SpeziStudy */; };
 		807229A72ED747BC00999926 /* SpeziFoundation in Frameworks */ = {isa = PBXBuildFile; productRef = 807229A62ED747BC00999926 /* SpeziFoundation */; };
 		807229A92ED747BC00999926 /* SpeziLocalization in Frameworks */ = {isa = PBXBuildFile; productRef = 807229A82ED747BC00999926 /* SpeziLocalization */; };
+		807423542F28E15E00113313 /* MHCStudyDefinitionExporter in Frameworks */ = {isa = PBXBuildFile; productRef = 807423532F28E15E00113313 /* MHCStudyDefinitionExporter */; };
 		8076696E2D772C07001B980B /* Algorithms in Frameworks */ = {isa = PBXBuildFile; productRef = 8076696D2D772C07001B980B /* Algorithms */; };
 		807669712D772C40001B980B /* BitCollections in Frameworks */ = {isa = PBXBuildFile; productRef = 807669702D772C40001B980B /* BitCollections */; };
 		807669732D772C40001B980B /* Collections in Frameworks */ = {isa = PBXBuildFile; productRef = 807669722D772C40001B980B /* Collections */; };
@@ -261,6 +262,7 @@
 				8052B86E2EB9FFDF005E2D8C /* SpeziStudyDefinition in Frameworks */,
 				8052B86D2EB9FFDF005E2D8C /* SpeziStudy in Frameworks */,
 				8052B86C2EB9FFDF005E2D8C /* SpeziStudy in Frameworks */,
+				807423542F28E15E00113313 /* MHCStudyDefinitionExporter in Frameworks */,
 				8052B86B2EB9FFDF005E2D8C /* SpeziStudy in Frameworks */,
 				8052B86A2EB9FFDF005E2D8C /* SpeziOnboarding in Frameworks */,
 				800474692EF066E100585753 /* SpeziFirebaseAccount in Frameworks */,
@@ -532,6 +534,7 @@
 				80ADAC5F2F0FEC9C0061DE0C /* SpeziSensorKit */,
 				80E144762F1E4AF500FE2A8A /* SpeziStudy */,
 				80E144782F1E4AF500FE2A8A /* SpeziStudyDefinition */,
+				807423532F28E15E00113313 /* MHCStudyDefinitionExporter */,
 			);
 			productName = MyHeartCounts;
 			productReference = 653A254D283387FE005D4D48 /* MyHeartCounts.app */;
@@ -972,6 +975,7 @@
 				INFOPLIST_KEY_NSSensorKitPrivacyPolicyURL = "https://myheartcounts.su.domains/privacy-policy/";
 				INFOPLIST_KEY_NSSensorKitUsageDescription = "Enabling SensorKit provides more accurate and in depth data for things like ECG to help advance cardiovascular research.";
 				INFOPLIST_KEY_NSSpeechRecognitionUsageDescription = "This message should never appear. Please adjust this when you start using speecg information. We have to put this in here as ResearchKit has the possibility to use it and not putting it here returns an error on AppStore Connect.";
+				INFOPLIST_KEY_NSSupportsLiveActivities = YES;
 				INFOPLIST_KEY_UIApplicationSupportsIndirectInputEvents = YES;
 				INFOPLIST_KEY_UILaunchScreen_Generation = YES;
 				INFOPLIST_KEY_UISupportedInterfaceOrientations = UIInterfaceOrientationPortrait;
@@ -1030,6 +1034,7 @@
 				INFOPLIST_KEY_NSSensorKitPrivacyPolicyURL = "https://myheartcounts.su.domains/privacy-policy/";
 				INFOPLIST_KEY_NSSensorKitUsageDescription = "Enabling SensorKit provides more accurate and in depth data for things like ECG to help advance cardiovascular research.";
 				INFOPLIST_KEY_NSSpeechRecognitionUsageDescription = "This message should never appear. Please adjust this when you start using speecg information. We have to put this in here as ResearchKit has the possibility to use it and not putting it here returns an error on AppStore Connect.";
+				INFOPLIST_KEY_NSSupportsLiveActivities = YES;
 				INFOPLIST_KEY_UIApplicationSupportsIndirectInputEvents = YES;
 				INFOPLIST_KEY_UILaunchScreen_Generation = YES;
 				INFOPLIST_KEY_UIMyHeartCountslicationSceneManifest_Generation = YES;
@@ -1368,7 +1373,7 @@
 			repositoryURL = "https://github.com/StanfordBDHG/MyHeartCounts-StudyDefinitions.git";
 			requirement = {
 				kind = upToNextMajorVersion;
-				minimumVersion = 0.1.13;
+				minimumVersion = 0.1.14;
 			};
 		};
 		804C11E72ECA382D004783C3 /* XCRemoteSwiftPackageReference "SpeziScheduler" */ = {
@@ -1512,7 +1517,7 @@
 			repositoryURL = "https://github.com/StanfordSpezi/SpeziStudy.git";
 			requirement = {
 				kind = upToNextMajorVersion;
-				minimumVersion = 0.1.18;
+				minimumVersion = 0.1.19;
 			};
 		};
 		80E6B9322EFAC1960037D4BB /* XCRemoteSwiftPackageReference "SpeziHealthKit" */ = {
@@ -1825,6 +1830,11 @@
 			package = 807229A52ED747BC00999926 /* XCRemoteSwiftPackageReference "SpeziFoundation" */;
 			productName = SpeziLocalization;
 		};
+		807423532F28E15E00113313 /* MHCStudyDefinitionExporter */ = {
+			isa = XCSwiftPackageProductDependency;
+			package = 804C11E22ECA380D004783C3 /* XCRemoteSwiftPackageReference "MyHeartCounts-StudyDefinitions" */;
+			productName = MHCStudyDefinitionExporter;
+		};
 		8076696D2D772C07001B980B /* Algorithms */ = {
 			isa = XCSwiftPackageProductDependency;
 			package = 8076696C2D772C07001B980B /* XCRemoteSwiftPackageReference "swift-algorithms" */;

MyHeartCounts.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved

@@ -6,6 +6,7 @@
 // SPDX-License-Identifier: MIT
 //
 
+import FirebaseCore
 import FirebaseFunctions
 import SFSafeSymbols
 import SpeziAccount
@@ -129,10 +130,19 @@ struct AccountSheet: View {
         Section {
             LabeledContent {
                 let bundle = Bundle.main
-                Text("\(bundle.appVersion) (\(bundle.appBuildNumber ?? -1))")
+                Text(verbatim: "\(bundle.appVersion) (\(bundle.appBuildNumber ?? -1))")
             } label: {
-                Label("My Heart Counts", systemSymbol: .infoCircle)
-                    .foregroundStyle(colorScheme.textLabelForegroundStyle)
+                Label(symbol: .infoCircle) {
+                    VStack(alignment: .leading) {
+                        Text("My Heart Counts")
+                        if let firebaseProjectId = FirebaseApp.app()?.options.projectID {
+                            Text(firebaseProjectId)
+                                .font(.footnote)
+                                .foregroundStyle(.secondary)
+                        }
+                    }
+                }
+                .foregroundStyle(colorScheme.textLabelForegroundStyle)
             }
             NavigationLink {
                 ContributionsList(projectLicense: .mit)

MyHeartCounts/Account/AccountSheet.swift

@@ -115,7 +115,8 @@ final class HistoricalHealthSamplesExportManager: Module, EnvironmentAccessible,
             do {
                 return try await bulkExporter.session(
                     withId: .mhcHistoricalDataExport,
-                    for: study.allCollectedHealthData,
+                    // The bulk exporter does not ask for permission to read the samples, so it's safe to always pass in everything.
+                    for: study.allCollectedHealthData(includingOptionalSampleTypes: true),
                     startDate: startDate,
                     using: HealthKitSamplesFHIRUploader(standard: standard)
                 )

MyHeartCounts/Health Import/HistoricalHealthSamplesExportManager.swift

@@ -267,7 +267,7 @@ private struct HealthDashboardQuestionnaireView: View {
                 QuestionnaireView(questionnaire: questionnaire) { result in
                     switch result {
                     case .completed(let response):
-                        await standard.add(response)
+                        await standard.add(response, for: questionnaire)
                     case .cancelled, .failed:
                         break
                     }

MyHeartCounts/Heart Health Dashboard/HeartHealthDashboard.swift

@@ -0,0 +1,122 @@
+//
+// This source file is part of the My Heart Counts iOS application based on the Stanford Spezi Template Application project
+//
+// SPDX-FileCopyrightText: 2026 Stanford University
+//
+// SPDX-License-Identifier: MIT
+//
+
+import Foundation
+import Spezi
+import SpeziFoundation
+import SpeziHealthKit
+import SpeziStudy
+
+
+@Observable
+@MainActor
+final class ClinicalRecordPermissions: Module, EnvironmentAccessible, Sendable {
+    enum AuthorizationState: Hashable {
+        /// The user already was prompted this, and made some decision to allow/deny.
+        case decided
+        /// The user was prompted but cancelled the authorization flow.
+        case cancelled
+        /// The user has not been prompted for clinical record access at all.
+        case undetermined
+    }
+    
+    // swiftlint:disable attributes
+    @ObservationIgnored @Dependency(HealthKit.self) private var healthKit
+    @ObservationIgnored @Dependency(StudyBundleLoader.self) private var studyLoader
+    @ObservationIgnored @Dependency(StudyManager.self) private var studyManager: StudyManager?
+    
+    @ObservationIgnored @LocalPreference(.clinicalRecordAuthWasCancelledByUser)
+    private var wasCancelledByUser
+    // swiftlint:enable attributes
+    
+    private(set) var authorizationState: AuthorizationState = .undetermined
+    
+    func configure() {
+        Task {
+            _ = try? await studyLoader.update()
+            await updateAuthorizationState()
+        }
+    }
+    
+    func updateAuthorizationState() async {
+        /// HealthKit's opinion on whether we already asked for access.
+        let healthKitValue = await healthKit.didAskForAuthorization(for: dataAccessRequirements())
+        switch (healthKitValue, wasCancelledByUser) {
+        case (true, _):
+            authorizationState = .decided
+            wasCancelledByUser = false // just to make sure this is correct.
+        case (false, true):
+            authorizationState = .cancelled
+        case (false, false):
+            authorizationState = .undetermined
+        }
+    }
+    
+    /// Prompts the user for authorization to access clinical record sample types, unless the user has cancelled a previous request.
+    ///
+    /// Also triggers any automatic health data collection for such sample types.
+    func askForAuthorization(askAgainIfCancelledPreviously: Bool) async throws {
+        await updateAuthorizationState()
+        switch authorizationState {
+        case .decided:
+            return
+        case .cancelled:
+            guard askAgainIfCancelledPreviously else {
+                return
+            }
+        case .undetermined:
+            break
+        }
+        do {
+            try await healthKit.askForAuthorization(for: dataAccessRequirements())
+            await updateAuthorizationState()
+            try await studyManager?.updateHealthDataCollection()
+        } catch {
+            if let error = error as? HKError, error.code == .errorUserCanceled {
+                wasCancelledByUser = true
+            } else {
+                throw error
+            }
+        }
+    }
+    
+    private func dataAccessRequirements() async -> HealthKit.DataAccessRequirements {
+        HealthKit.DataAccessRequirements(read: await requestedRecordTypes().lazy.map(\.hkSampleType))
+    }
+    
+    private func requestedRecordTypes() async -> Set<SampleType<HKClinicalRecord>> {
+        let imp = { (_ study: StudyDefinition) -> Set<SampleType<HKClinicalRecord>> in
+            var types = Set<SampleType<HKClinicalRecord>>()
+            for component in study.healthDataCollectionComponents {
+                types.formUnion(component.sampleTypes.compactMap { $0 as? SampleType<HKClinicalRecord> })
+                types.formUnion(component.optionalSampleTypes.compactMap { $0 as? SampleType<HKClinicalRecord> })
+            }
+            return types
+        }
+        if let enrollments = studyManager?.studyEnrollments {
+            return enrollments.reduce(into: []) { types, enrollment in
+                guard let studyDefinition = enrollment.studyBundle?.studyDefinition else {
+                    return
+                }
+                types.formUnion(imp(studyDefinition))
+            }
+        } else if let studyDefinition = try? studyLoader.studyBundle?.get().studyDefinition {
+            return imp(studyDefinition)
+        } else {
+            return []
+        }
+    }
+}
+
+
+extension LocalPreferenceKeys {
+    fileprivate static let clinicalRecordAuthWasCancelledByUser = LocalPreferenceKey(
+        "clinicalRecordAuthWasCancelledByUser",
+        default: false
+    )
+}

MyHeartCounts/Modules/ClinicalRecordPermissions.swift

@@ -45,6 +45,7 @@ final class SetupTestEnvironment: Module, EnvironmentAccessible, Sendable {
     @ObservationIgnored @Dependency(FirebaseAccountService.self) private var accountService: FirebaseAccountService?
     @ObservationIgnored @Dependency(StudyBundleLoader.self) private var studyBundleLoader
     @ObservationIgnored @Dependency(HealthKit.self) private var healthKit
+    @ObservationIgnored @Dependency(ClinicalRecordPermissions.self) private var clinicalRecordPermissions
     @ObservationIgnored @Dependency(BulkHealthExporter.self) private var bulkHealthExporter
     @ObservationIgnored @Dependency(ManagedFileUpload.self) private var fileUploader
     @ObservationIgnored @Dependency(LocalStorage.self) private var localStorage
@@ -55,6 +56,7 @@ final class SetupTestEnvironment: Module, EnvironmentAccessible, Sendable {
     @MainActor private(set) var isInSetup = false
 
     private(set) var state: State
+    private(set) var desc = ""
 
     init() {
         state = if FeatureFlags.disableFirebase || config == .disabled {
@@ -93,9 +95,11 @@ final class SetupTestEnvironment: Module, EnvironmentAccessible, Sendable {
             isInSetup = false
         }
         if config.resetExistingData {
+            desc = "\(#function) will reset existing data"
             try await resetExistingData()
         }
         if config.loginAndEnroll {
+            desc = "\(#function) will loginAndEnroll"
             try await loginAndEnroll()
         }
     }
@@ -150,26 +154,36 @@ final class SetupTestEnvironment: Module, EnvironmentAccessible, Sendable {
             // an error occurred logging in to the test account, and it's not because the account doesn't exist.
             throw error
         }
+        desc = "\(#function) will update study bundle loader"
         let studyBundle = try await studyBundleLoader.update()
         logger.notice("Enrolling test environment into study bundle")
-        let accessReqs = MyHeartCountsStandard.baselineHealthAccessReqs
-            .merging(with: .init(read: studyBundle.studyDefinition.allCollectedHealthData.filter(isNotKindOf: SampleType<HKClinicalRecord>.self)))
+        let accessReqs = MyHeartCountsStandard.baselineHealthAccessReqs.merging(
+            with: .init(read: studyBundle.studyDefinition.allCollectedHealthData(includingOptionalSampleTypes: true).exceptClinicalRecordTypes())
+        )
+        desc = "\(#function) will ask for regular HK auth"
         try await healthKit.askForAuthorization(for: accessReqs)
+        desc = "\(#function) will enroll"
+        try await standard.enroll(in: studyBundle)
         if HKHealthStore().supportsHealthRecords() {
+            desc = "\(#function) will ask for clinical access"
             try await _Concurrency.Task.sleep(for: .seconds(1))
-            try await healthKit.askForAuthorization(for: .init(read: studyBundle.studyDefinition.allCollectedHealthData.clinicalRecordTypes()))
+            try await clinicalRecordPermissions.askForAuthorization(askAgainIfCancelledPreviously: false)
         }
-        try await standard.enroll(in: studyBundle)
         LocalPreferencesStore.standard[.onboardingFlowComplete] = true
+        desc = "\(#function) DONE"
     }
 }
 
 
 extension SampleTypesCollection {
-    func clinicalRecordTypes() -> Self {
+    func onlyClinicalRecordTypes() -> Self {
         filter(isKindOf: SampleType<HKClinicalRecord>.self)
     }
 
+    func exceptClinicalRecordTypes() -> Self {
+        filter(isNotKindOf: SampleType<HKClinicalRecord>.self)
+    }
+    
     func filter<Sample>(isKindOf _: SampleType<Sample>.Type) -> Self {
         Self(self.filter { $0 is SampleType<Sample> })
     }

MyHeartCounts/Modules/SetupTestEnvironment.swift

@@ -32,6 +32,7 @@ final class MyHeartCountsDelegate: SpeziAppDelegate {
             SetupTestEnvironment()
             DeferredConfigLoading.initialAppLaunchConfig
             HealthKit()
+            ClinicalRecordPermissions()
             Scheduler()
             Notifications()
             BulkHealthExporter()

MyHeartCounts/MyHeartCountsDelegate.swift

@@ -7,7 +7,7 @@
 //
 
 @preconcurrency import FirebaseFirestore
-import class ModelsR4.QuestionnaireResponse
+import ModelsR4
 import MyHeartCountsShared
 import OSLog
 import Spezi
@@ -16,13 +16,19 @@ import SpeziHealthKit
 
 extension MyHeartCountsStandard {
     // periphery:ignore:parameters isolation
-    func add(isolation: isolated (any Actor)? = #isolation, _ response: ModelsR4.QuestionnaireResponse) async {
+    func add(
+        isolation: isolated (any Actor)? = #isolation,
+        _ response: ModelsR4.QuestionnaireResponse,
+        for questionnaire: ModelsR4.Questionnaire
+    ) async {
+        // shouldn't be necessary, but we had some issues with these not being properly set
+        response.questionnaire = questionnaire.url?.value?.url.absoluteString.asFHIRCanonicalPrimitive()
         let logger = await self.logger
         let id = response.identifier?.value?.value?.string ?? UUID().uuidString
         do {
             try await firebaseConfiguration.userDocumentReference
-                .collection("questionnaireResponses") // Add all HealthKit sources in a /QuestionnaireResponse collection.
-                .document(id) // Set the document identifier to the id of the response.
+                .collection("questionnaireResponses")
+                .document(id)
                 .setData(from: response)
         } catch {
             logger.error("Could not store questionnaire response: \(error)")