LEGAL API - Validate JWT with corp num

[Kaineatthelab]

Description:

For MVP the JWT username == Business Identifier as a temporary authorization mechanism.

A new end-point to authorizations has been added that will provide the allowable roles a user has on a particular business.

This ticket is to change the authorization in the legal_api to use the new authorization end-point to determine if the user, identified by the JWT, can submit a business filing, or view a businesses data & filings.

Dependencies

• Auth-API: eg. https://auth-api-dev.pathfinder.gov.bc.ca/api/v1/entities/{businessIdentifier}/authorizations
• Mock: eg. https://mock-lear-tools.pathfinder.gov.bc.ca/#/services/5d792bee23b01600018e9dd5

Acceptance Criteria The following roles are handled: {}, { "roles": [ "view", "edit" ] }, { "roles": [ "view"] } JWT role of STAFF will be changed to not allow filings.

Validation Rules

• {}: 401 Unauthorized
• EDIT: authorized to submit a filing
• VIEW: only allowed to view business details, filings and draft filings

Ready to Build (DoR):

• [x] Stakeholders have approved
• [x] User story completed
• [x] What are the dependencies
• [ ] Validation rules defined (UI, Data, Role-Action)
• [ ] Is a formal UAT required

Acceptance / DoD:

• [x] Design / Solution accepted by Product Owner
• [ ] Acceptance criteria has been defined (happy path, known sad paths)
• [ ] Test coverage acceptable
• [ ] Peer Reviewed
• [ ] PR Accepted
• [ ] Production burn in completed

[JohnamLane]

@thorwolpert Seems reasonable. My only question is if edit can delete a draft?

[thorwolpert]

@JohnamLane currently, yes. We don't have FGAC (Fine Grained Access Control) for filings. You either can or cannot submit a filing to alter a business, there's no restriction on the kind or pre-state of a filing. Currently staff are blocked from submitting a filing, but that will need to be examined when no-fee and corrections are done.