Enrich SuperTokens Profile Metadata with Roles and FHIR Resource IDs #202
Description
User Story
As a developer, I want SuperTokens profile metadata to include assigned roles and corresponding FHIR resource IDs, and ensure this metadata is embedded in the access token so that resource ownership and authorization can be validated efficiently.
Description
Currently, SuperTokens profiles do not provide sufficient metadata for direct authorization checks. To streamline access control and resource ownership validation, enrich the profile with:
-
Assigned Roles
Store all user roles (e.g., Patient, Practitioner, Clinic Admin, Researcher). -
FHIR Resource ID
Provide the correct FHIR resource path based on the user’s primary role:- If
Patient→Patient/{ID} - If
Practitioner→Practitioner/{ID} - Otherwise →
Person/{ID}
- If
-
Access Token Embedding
Include both roles and FHIR resource ID inside the SuperTokens access token payload for quick validation at the API gateway or backend service level.
Proposed Flow
- Extend SuperTokens user metadata schema to store:
-
roles: array of assigned roles. -
fhirResourceId: formatted asPatient/{ID},Practitioner/{ID}, orPerson/{ID}.
-
- Modify sign-up and role-assignment logic to populate metadata during registration or role updates.
- Implement backend middleware to validate API requests using roles and FHIR resource ID directly from the access token. Access the metadata to validate resource ownership.
Reference
- SuperTokens documentation on user metadata
- FHIR specification for Patient, Practitioner, and Person resources
Notes:
- Ensure backward compatibility for existing users; provide migration logic where necessary.
- Validate that role-based FHIR resource IDs remain synchronized with resource creation in the FHIR server.
- Include tests to verify access token payload correctness after login, refresh, or role updates.