VAOS Staging: Patient with Pseudo SSN Failing in VAOS

[jmercado-va]

(4/26/22 - Discussed on VAOS Scrum of Scrums)

---

Description:

(Originally logged back in January. Retested with VAOS Service 1.18.2 as this test in regression testing and it failed.)

Steps to Reproduce:

1. Login to VAOS with patient with a pseudo SSN. When registering a patient in VistA, the patient can refuse to give their SSN and VistA will then make up an SSN and append a P to the end of the SSN. Patient = mightykc70@gmail.com Password = Password1234!
2. In VATS set Cheyenne Optometry Request to Yes Any. In SM or VAOS cancel any open optometry requests for Cheyenne.
3. In VAOS select start schedule, select eye, select Optometry. Select Cheyenne. If direct scheduling flow displays, select my clinic is not listed.
4. Request flow displays and enter a request. Select submit request.
5. Results Expected: Request can be submitted and newly submitted request details display back to veteran.
6. Results Seen: VAOS shows a 400 error for this URL: ** https://staging-api.va.gov/vaos/v0/appointment_requests?type=va The endpoint shows a 400 error with
   Response: {"errors":[{"title":"Bad Request","detail":"Patient.SSN is missing","code":"VAOS_400","source":{"vamfUrl":" https://internal-dsva-vagov-staging-fwdproxy-1821450725.us-gov-west-1.elb.amazonaws.com:4463/var/VeteranAppointmentRequestService/v4/rest/appointment-service/patient/ICN/1013174702V548786/appointments","vamfBody":"{\"errors\":[ {\"fieldName\":\"ssn\",\"errorMessage\":\"Patient.SSN is missing\"} ],\"objectType\":\"ValidationErrors\",\"empty\":false}","vamfStatus":400},"status":"400"}]}

Environments, users, and patients tested in: Staging mightykc70@gmail.com Password1234!

Versions Tested: MAS 2.17.2

---

(Jira Comment; latest finding) Robin Raju added a comment - 4/25/22

Cody Billiter: I went and logged in here: https://staging.va.gov/?next=loginModal&postLogin=true. I logged in as the user with the issue described above. I noticed that I did not see the traffic ever hit the /landing page, thus I believe what is going on is VAOS or somewhere in the process some service within staging-api.va.gov is creating the JWT itself and then using user-service to endorse the JWT as a trusted external JWT. Going to https://sqa.eauth.va.gov/MAP/users/v2/session/jwt after logging in shows a valid JWT generated with patient.ssn set to 999999995 - this shows that if JWT was generated from normal post authentication (/landing), the JWT would contain the correct info. However, when I look at the traffic, I believe its populating attributes based on a call to https://staging-api.va.gov/v0/user. If you look at the response of this call, it does not contain an SSN. Therefore, it builds the JWT without the patient SSN due to https://staging-api.va.gov/v0/user missing this information. The error being reported is: Patient.SSN is missing and thus I believe that is what is going on. So https://staging-api.va.gov/v0/user call probably needs to return this information in its response to fix the issue. This is my best guess of what is going on.

---

Screenshot:

---

Related to Jira issue: https://issues.mobilehealth.va.gov/browse/VAOSR-2859

[ajmagdub]

@marcynadeau, the problem is not that mightykc70@gmail.com has a pseudo-SSN but that the user does not have an SSN entered in MPI. To create a JWT Vets API looks for the SSN in MPI.

The SSN lookup in Vets API can be set up to first look up the SSN in identity (Login.gov, ID.me, DS Logon, or My HealthyVet) and if it cannot find one there, look it up in the MPI.

But since this will affect all VAOS users for both VAR Resources and VAOS Service, I wanted to check with you that this would not have any negative impacts.

[marcynadeau]

@ajmagdub I haven't forgot about this one. With all the issues with test accounts, I haven't had time to circle back to this. It is still on my list and hopefully I can get to it next week.

[marcynadeau]

@ajmagdub Can we discuss on scrum? this was retested on Friday and still having the same same issues.

Request URL: https://staging-api.va.gov/vaos/v0/appointment_requests?type=va Response: {"errors":[{"title":"Bad Request","detail":"Patient.SSN is missing","code":"VAOS_400","source":{"vamfUrl":"https://internal-dsva-vagov-staging-fwdproxy-1821450725.us-gov-west-1.elb.amazonaws.com:4463/var/VeteranAppointmentRequestService/v4/rest/appointment-service/patient/ICN/1013174702V548786/appointments","vamfBody":"{\"objectType\":\"ValidationErrors\",\"errors\":[{\"fieldName\":\"ssn\",\"errorMessage\":\"Patient.SSN is missing\"}],\"empty\":false}","vamfStatus":400},"status":"400"}]}

Also we tested in the VAMF using the same patient in Virtual Care Manager and there was not any issue there.

[marcynadeau]

Above is from VAR Resources. Switch patient to VAOS Service v2. https://staging-api.va.gov/vaos/v2/appointments {,…} errors: [{title: "Bad Gateway", detail: "Received an an invalid response from the upstream server",…}] 0: {title: "Bad Gateway", detail: "Received an an invalid response from the upstream server",…} code: "VAOS_502" detail: "Received an an invalid response from the upstream server" source: {,…} vamfBody: "{\"id\":\"6ef07eb1-fb2c-4830-8654-6d0c4c246f60\",\"code\":500,\"errorCode\":7004,\"traceId\":\"4578ac4948d80b6b60c18df1f8bb0b04\",\"message\":\"failed to create appointment\",\"detail\":\"Could not create appointment request through the Appointment Request Service\",\"meta\":{\"upstreamErrorSource\":\"mobile-appointment-service\",\"upstreamErrorId\":\"89cb5ad2-9b85-45a4-8a64-67573adbd4f3\"}}" vamfStatus: 500 vamfUrl: "https://internal-dsva-vagov-staging-fwdproxy-1821450725.us-gov-west-1.elb.amazonaws.com:4463/vaos/v1/patients/1013174702V548786/appointments" status: "502" title: "Bad Gateway"

[ajmagdub]

I checked Cecil Morgan, and we are getting the SSN from the MPI service, whereas for mightykc70, the MPI service is not returning an SSN. The SSN will be included in the JWT if we have it; otherwise, it’ll be null. The SSN may be taken from the JWT, as it’s sometimes done for ICN verification. But since the error is coming from ARS and ARS also makes a call to the MPI/MVI service, it’s more likely that the MPI/MVI service is also returning a null SSN to ARS. And ARS will return a validation error if the SSN is null.

[marcynadeau]

@ldelacosta logged ticket with Backend. VAOSR-3730: VAOS Staging: Patient w/Pseudo SSN 502 error Submitting Request https://issues.mobilehealth.va.gov/browse/VAOSR-3730