
fix(api): add correct scope #16874

Merged
merged 2 commits into from
Nov 14, 2024

Conversation

disaerna

@disaerna disaerna commented Nov 14, 2024

Api - Health Directorate

What

Adding correct scope

Checklist:

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • Formatting passes locally with my changes
  • I have rebased against main before asking for a review

Summary by CodeRabbit

  • New Features
    • Enhanced security and access control for health services with updated API scopes for donor status and vaccination methods.
  • Bug Fixes
    • Improved method annotations to ensure proper permissions are enforced for accessing donor and vaccination data.

@disaerna disaerna requested a review from a team as a code owner November 14, 2024 15:09
@disaerna disaerna added the automerge Merge this PR as soon as all checks pass label Nov 14, 2024

coderabbitai bot commented Nov 14, 2024

Walkthrough

The pull request modifies the HealthDirectorateResolver class within the health-directorate.resolver.ts file. It updates method annotations to include new API scopes for getDonorStatus, updateDonorStatus, and getVaccinations, enhancing access control related to health services. The existing feature flags for these methods are retained, ensuring they remain conditional on specific feature availability. The core functionality and error handling of the methods remain unchanged, focusing on the addition of scope requirements for improved security.

Changes

File Path: libs/api/domains/health-directorate/src/lib/health-directorate.resolver.ts

Change Summary:
  • Updated getDonorStatus, updateDonorStatus, and getVaccinations methods to include @Scopes annotations for access control related to health services.
  • Retained existing @FeatureFlag decorators for the methods.


@thorkellmani thorkellmani left a comment

LGTM


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)
libs/api/domains/health-directorate/src/lib/health-directorate.resolver.ts (2)

Line range hint 83-92: Consider documenting error cases

The scope addition looks good, but since the method can return null, consider adding JSDoc comments to document when null is returned versus when an error is thrown.

+ /**
+  * Retrieves vaccinations for the current user
+  * @param locale - The locale for the response
+  * @param user - The authenticated user
+  * @returns Vaccinations data or null if no records found
+  * @throws Unauthorized if user lacks required scope
+  */
 @Audit()
 @Scopes(ApiScope.healthVaccinations)
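Review bot: the suggested JSDoc names `locale` and `user` as parameters and documents an Unauthorized throw, but neither the method signature nor the guard's exception type is visible in this hunk (only the `@Audit()` and `@Scopes(ApiScope.healthVaccinations)` decorators are). Before adopting the comment, check that the parameter names match the actual signature of getVaccinations and that the documented exception matches what the scope guard raises; a doc block that disagrees with the guard's behaviour misleads callers about which failures they can distinguish from a genuine "no records" null.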

Line range hint 1-92: Well-structured security implementation with defense in depth

The resolver implements multiple security layers effectively:

  1. IdsUserGuard for authentication
  2. ScopesGuard for authorization
  3. FeatureFlagGuard for feature control
  4. Audit decorators for logging

This follows security best practices by implementing defense in depth.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between b434660 and fd434a0.

📒 Files selected for processing (1)
  • libs/api/domains/health-directorate/src/lib/health-directorate.resolver.ts (4 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
libs/api/domains/health-directorate/src/lib/health-directorate.resolver.ts (1)

Pattern libs/**/*: "Confirm that the code adheres to the following:

  • Reusability of components and hooks across different NextJS apps.
  • TypeScript usage for defining props and exporting types.
  • Effective tree-shaking and bundling practices."
🔇 Additional comments (2)
libs/api/domains/health-directorate/src/lib/health-directorate.resolver.ts (2)

Line range hint 41-51: LGTM! Appropriate scope added for organ donation data access

The addition of @Scopes(ApiScope.healthOrganDonation) properly secures the organ donation status endpoint while maintaining existing feature flag controls.


Line range hint 67-77: Verify if write operations need a separate scope

Currently using the same scope (healthOrganDonation) for both reading and updating donor status. While this might be intentional, consider if write operations should have a more specific scope for finer-grained access control.

✅ Verification successful

Based on the search results, I can now provide a definitive response about the scope granularity for health-related mutations in the codebase:

Using the same scope for read/write operations follows established pattern

Looking at other health-related mutations in the codebase:

  • healthDentists scope is used for both registering dentists and querying dentist information
  • healthMedicines scope is used for both drug calculations and certificate queries
  • healthOrganDonation scope follows this same pattern for both reading and updating donor status

This consistent pattern across the health domain indicates that using the same scope for both read and write operations is an intentional design choice in the codebase.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for other mutation endpoints in the codebase to verify scope granularity patterns
ast-grep --pattern 'class $_ {
  $$$
  @Mutation($_)
  @Scopes($_)
  $$$
}'

Length of output: 77


Script:

#!/bin/bash
# Let's try a different approach to find mutations with scopes
rg "@Mutation.*\n.*@Scopes" -A 5

# Also search for any usage of healthOrganDonation scope
rg "healthOrganDonation" -B 2 -A 2

Length of output: 3401


Script:

#!/bin/bash
# Let's try one more search to find mutations with multiline support
rg -U "@Mutation[\s\S]*?@Scopes" -A 10

# Also search for any other health-related mutations to see the scope pattern
rg -U "@Mutation[\s\S]*?health" -A 10

Length of output: 69394


codecov bot commented Nov 14, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.44%. Comparing base (94f3f89) to head (00569d8).
Report is 1 commit behind head on main.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main   #16874      +/-   ##
==========================================
- Coverage   36.44%   36.44%   -0.01%     
==========================================
  Files        6851     6851              
  Lines      143569   143569              
  Branches    40980    40980              
==========================================
- Hits        52329    52328       -1     
- Misses      91240    91241       +1     
Flag Coverage Δ
air-discount-scheme-backend 54.08% <ø> (ø)
air-discount-scheme-web 0.00% <ø> (ø)
api 3.34% <ø> (ø)
api-catalogue-services 77.85% <ø> (ø)
api-domains-air-discount-scheme 37.08% <ø> (ø)
api-domains-assets 26.71% <ø> (ø)
api-domains-auth-admin 48.48% <ø> (ø)
api-domains-communications 39.64% <ø> (ø)
api-domains-criminal-record 47.56% <ø> (ø)
api-domains-driving-license 44.50% <ø> (ø)
api-domains-education 30.62% <ø> (ø)
api-domains-health-insurance 34.43% <ø> (ø)
api-domains-mortgage-certificate 34.74% <ø> (ø)
api-domains-payment-schedule 41.31% <ø> (ø)
application-api-files 62.52% <ø> (ø)
application-core 70.75% <ø> (-0.32%) ⬇️
application-system-api 40.98% <ø> (-0.01%) ⬇️
application-template-api-modules 27.64% <ø> (-0.01%) ⬇️
application-templates-accident-notification 28.98% <ø> (ø)
application-templates-car-recycling 3.12% <ø> (ø)
application-templates-criminal-record 25.87% <ø> (ø)
application-templates-driving-license 18.26% <ø> (ø)
application-templates-estate 12.14% <ø> (ø)
application-templates-example-payment 24.80% <ø> (ø)
application-templates-financial-aid 15.48% <ø> (ø)
application-templates-general-petition 23.07% <ø> (ø)
application-templates-inheritance-report 6.52% <ø> (ø)
application-templates-marriage-conditions 15.04% <ø> (ø)
application-templates-parental-leave 29.74% <ø> (-0.12%) ⬇️
application-types 6.60% <ø> (ø)
application-ui-components 1.27% <ø> (ø)
application-ui-shell 20.83% <ø> (ø)
auth-admin-web 2.43% <ø> (ø)
auth-nest-tools 30.92% <ø> (ø)
auth-shared 75.00% <ø> (ø)
clients-charge-fjs-v2 24.11% <ø> (ø)
clients-driving-license 40.28% <ø> (ø)
clients-driving-license-book 43.50% <ø> (ø)
clients-financial-statements-inao 49.06% <ø> (ø)
clients-license-client 1.26% <ø> (ø)
clients-middlewares 72.97% <ø> (-0.34%) ⬇️
clients-regulations 42.36% <ø> (ø)
clients-rsk-company-registry 29.76% <ø> (ø)
clients-rsk-personal-tax-return 38.00% <ø> (ø)
clients-smartsolutions 12.77% <ø> (ø)
clients-syslumenn 49.23% <ø> (ø)
clients-zendesk 50.61% <ø> (ø)
cms 0.42% <ø> (ø)
cms-translations 38.94% <ø> (ø)
content-search-index-manager 95.65% <ø> (ø)
content-search-toolkit 8.14% <ø> (ø)
contentful-apps 4.69% <ø> (ø)
dokobit-signing 62.76% <ø> (ø)
download-service 44.16% <ø> (ø)
email-service 60.57% <ø> (ø)
feature-flags 90.62% <ø> (ø)
file-storage 46.09% <ø> (ø)
financial-aid-backend 51.29% <ø> (ø)
financial-aid-shared 17.81% <ø> (ø)
icelandic-names-registry-backend 54.34% <ø> (ø)
infra-nest-server 48.37% <ø> (ø)
infra-tracing 43.24% <ø> (ø)
island-ui-core 28.88% <ø> (ø)
judicial-system-api 19.76% <ø> (ø)
judicial-system-audit-trail 68.86% <ø> (ø)
judicial-system-backend 55.14% <ø> (ø)
judicial-system-formatters 79.26% <ø> (ø)
judicial-system-message 66.99% <ø> (ø)
judicial-system-message-handler 47.99% <ø> (ø)
judicial-system-scheduler 70.67% <ø> (ø)
judicial-system-types 43.58% <ø> (ø)
judicial-system-web 27.16% <ø> (ø)
license-api 42.65% <ø> (+0.05%) ⬆️
localization 10.15% <ø> (ø)
logging 48.43% <ø> (ø)
message-queue 68.79% <ø> (ø)
nest-audit 68.20% <ø> (ø)
nest-aws 54.03% <ø> (ø)
nest-config 78.00% <ø> (ø)
nest-core 43.54% <ø> (ø)
nest-feature-flags 51.09% <ø> (ø)
nest-problem 45.82% <ø> (ø)
nest-sequelize 94.44% <ø> (ø)
nest-swagger 51.71% <ø> (ø)
nova-sms 62.09% <ø> (ø)
portals-admin-regulations-admin 1.85% <ø> (ø)
portals-core 15.89% <ø> (ø)
reference-backend 49.74% <ø> (ø)
regulations 16.78% <ø> (ø)
residence-history 85.00% <ø> (ø)
services-auth-admin-api 52.50% <ø> (ø)
services-auth-delegation-api 58.22% <ø> (ø)
services-auth-ids-api 52.08% <ø> (-0.01%) ⬇️
services-auth-personal-representative 45.62% <ø> (ø)
services-auth-personal-representative-public 41.75% <ø> (ø)
services-auth-public-api 49.59% <ø> (ø)
services-documents 60.81% <ø> (ø)
services-endorsements-api 53.26% <ø> (ø)
services-sessions 65.44% <ø> (ø)
services-university-gateway 49.34% <ø> (+0.11%) ⬆️
services-user-notification 46.92% <ø> (ø)
services-user-profile 61.81% <ø> (-0.08%) ⬇️
shared-components 26.90% <ø> (ø)
shared-form-fields 31.26% <ø> (ø)
shared-mocking 60.89% <ø> (ø)
shared-pii 92.85% <ø> (ø)
shared-problem 87.50% <ø> (ø)
shared-utils 27.69% <ø> (ø)
skilavottord-ws 24.14% <ø> (ø)
web 1.80% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

see 1 file with indirect coverage changes


Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 94f3f89...00569d8. Read the comment docs.


datadog-island-is bot commented Nov 14, 2024

Datadog Report

All test runs b368f40 🔗

99 Total Test Services: 0 Failed, 97 Passed
🔻 Test Sessions change in coverage: 3 decreased, 1 increased (+0.03%), 196 no change

Test Services
This report shows up to 10 services
Service Name Failed Known Flaky New Flaky Passed Skipped Total Time Code Coverage Change Test Service View
air-discount-scheme-backend 0 0 0 82 0 27.68s N/A Link
air-discount-scheme-web 0 0 0 2 0 8.94s N/A Link
api 0 0 0 4 0 3.06s N/A Link
api-catalogue-services 0 0 0 23 0 12.82s N/A Link
api-domains-air-discount-scheme 0 0 0 6 0 20.27s N/A Link
api-domains-assets 0 0 0 3 0 12.83s N/A Link
api-domains-auth-admin 0 0 0 18 0 13.81s N/A Link
api-domains-communications 0 0 0 5 0 35.79s N/A Link
api-domains-criminal-record 0 0 0 5 0 9.42s 1 no change Link
api-domains-driving-license 0 0 0 23 0 33.25s N/A Link

🔻 Code Coverage Decreases vs Default Branch (3)

  • clients-middlewares - jest 75.72% (-0.2%) - Details
  • application-templates-parental-leave - jest 34.9% (-0.1%) - Details
  • services-user-profile - jest 52.58% (-0.02%) - Details

@kodiakhq kodiakhq bot merged commit 70a5f31 into main Nov 14, 2024
265 checks passed
@kodiakhq kodiakhq bot deleted the api/add-correct-scope-hd branch November 14, 2024 17:54
disaerna added a commit that referenced this pull request Nov 15, 2024
Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
kodiakhq bot added a commit that referenced this pull request Nov 15, 2024
* fix(my-pages): health vaccination tags & locale (#16567)

* fix: tags

* feat: add locale to service WIP

* feat: add locale from service

* feat: add locale to query call

* fix(api): add ff to resolver (#16865)

Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>

* fix(api): add correct scope (#16874)

Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>

---------

Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
jonnigs pushed a commit that referenced this pull request Nov 26, 2024
Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
Labels
automerge Merge this PR as soon as all checks pass