VA80 - KeyClaim (OneTimeCode) API requires different protection then OTC verification/key submission API's

[caitlintuba]

Service has two different user groups The keyclaim service implements functionality that would be used by health care providers, as well as the general public. These user groups are vastly different and by implementing the functionality in a shared service like this you are exposing the new-key-claim method to a wider audience of potentially malicious users.

REC-3 SEPARATE FUNCTIONALITY: The new-key-claim and claim-key methods should be split into separate services so that the audience for the new-key-claim method can be limited.

This came from the vulnerability analysis; originally Loudmouth Recommendation 3; was marked as low priority by security assessment team

[whytoe]

Is this a duplicate of #34

[obrien-j]

Before splitting this out into another microservice, investigate what options AWS WAF/ALB offers for path based+IP based routing/filtering:

Implement path/IP based WAF acl's

• Set default 'block' rule on "/new-key-claim" paths
• Create IP Set (IP's to be provided by P/T's at time of integration for allowlisting)
• Create allow rule on PT_IPSET & path==starts_with("/new-key-clam/") ish.

[maxneuvians]

We still need to set up the IP block sets for this

[maxneuvians]

Closed in #177