Skip to content

Oauth scopes are ignored when POSTING bundle to /v0.2/api/fhir #514

Description

@Reinaard

All bundles are accepted with all scope

When POSTing a bundle like this (in this case it includes a GET/POST/DELETE) I would expect it be only possible with the correct scope (or otherwise 403).

Request

url:
https://nvi.test.gf.irealisatie.nl/v0.2/api/fhir

example body:

{
    "resourceType": "Bundle",
    "id": "8056af80-b381-4acb-a132-0ef19bdc5b1e",
    "total": 3,
    "entry": [
        {
            "request": {
                "method": "POST",
                "url": "List"
            },
            "resource": {
                "resourceType": "List",
                "extension": [
                    {
                        "valueReference": {
                            "identifier": {
                                "system": "http://fhir.nl/fhir/NamingSystem/ura",
                                "value": "90000106"
                            }
                        },
                        "url": "http://minvws.github.io/generiekefuncties-docs/StructureDefinition/nl-gf-localization-custodian"
                    }
                ],
                "subject": {
                    "identifier": {
                        "system": "http://minvws.github.io/generiekefuncties-docs/NamingSystem/nvi-identifier",
                        "value": "XXX"
                    }
                },
                "source": {
                    "identifier": {
                        "system": "urn:ietf:rfc:3986",
                        "value": "EHR-SYS-2024-001"
                    },
                    "type": "Device"
                },
                "status": "current",
                "mode": "working",
                "emptyReason": {
                    "coding": [
                        {
                            "code": "withheld",
                            "system": "http://terminology.hl7.org/CodeSystem/list-empty-reason"
                        }
                    ]
                },
                "code": {
                    "coding": [
                        {
                            "code": "Specimen",
                            "system": "http://minvws.github.io/generiekefuncties-docs/CodeSystem/nl-gf-data-categories-cs",
                            "display": "Medicatieafspraak"
                        }
                    ]
                }
            }
        },
        {
            "request": {
                "method": "GET",
                "url": "List?patient.identifier=XX|YY&code=Genomics"
            }
        },
        {
            "request": {
                "method": "GET",
                "url": "List/1edc96d4-c84a-46f7-9c5d-a3118cb9966a"
            }
        },
        {
            "request": {
                "method": "DELETE",
                "url": "List/1edc96d4-c84a-46f7-9c5d-a3118cb9966a"
            }
        }
    ],
    "type": "transaction"
}

Response

status: 200

body:

{
    "resourceType": "Bundle",
    "type": "searchset",
    "entry": [
        {
            "response": {
                "status": "400",
                "outcome": {
                    "resourceType": "OperationOutcome",
                    "issue": [
                        {
                            "severity": "error",
                            "code": "error",
                            "details": {
                                "text": "Bundle.entry.0: Invalid pseudonym in subject:identifier"
                            }
                        }
                    ]
                }
            }
        },
        {
            "response": {
                "status": "422",
                "outcome": {
                    "resourceType": "OperationOutcome",
                    "issue": [
                        {
                            "severity": "error",
                            "code": "required",
                            "details": {
                                "text": "Bundle.entry.1.request: invalid url parameter: 1 validation error for LocalizationListParams\n`patient.identifier`\n  Extra inputs are not permitted [type=extra_forbidden, input_value='XX|YY', input_type=str]\n    For further information visit https://errors.pydantic.dev/2.13/v/extra_forbidden"
                            }
                        }
                    ]
                }
            }
        },
        {
            "response": {
                "status": "404",
                "outcome": {
                    "resourceType": "OperationOutcome",
                    "issue": [
                        {
                            "severity": "error",
                            "code": "error",
                            "details": {
                                "text": "Bundle.entry.2: Record not found"
                            }
                        }
                    ]
                }
            }
        },
        {
            "response": {
                "status": "500",
                "outcome": {
                    "resourceType": "OperationOutcome",
                    "issue": [
                        {
                            "severity": "error",
                            "code": "error",
                            "details": {
                                "text": "Bundle.entry.3: Record not found"
                            }
                        }
                    ]
                }
            }
        }
    ]
}

The request is incorrect, but my point is: why is it returning a 400/422/404/500 when the scope is incorrect?

I tried this with different scopes and all responses are the same:

  • nvi:localize
  • nvi:create
  • nvi:read
  • nvi:delete

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions