Overview
The goal of this document is to give an overview of API interactions that occur when a SafePaths mobile user uploads their data to the SafePlaces API within the context of a contact tracing interview.
Flow Overview
Case and Access Code Creation
Contact tracer creates a new case within the SafePaths web UI. After successful creation of a case the web UI makes another call to create an access code that will be displayed to the contact tracer and verbally communicated via phone to the intervieweethe new case has been created a new AccessCode
record will be created and associated with the case. The accessCode
value will be returned in the response payload of the create case endpoint. See this document (https://pathcheck.atlassian.net/wiki/spaces/SA/pages/81134291/SPL+Token+Exchange#Access-Code-Exchange ) for information on creating access tokens.
Endpoint:
POST /organization/case/{caseId}/access-code
(https://pathcheck.atlassian.net/wiki/spaces/SA/pages/73924822/SPL+API+Specification+v1+For+MVP1#POSTMVP1#confirmed%3A--%2Fcase%2F%7BcaseId%7D%2FaccessPOST-code%2Forganization%2Fcase )
Access Code Validation
The user will input the accessCode
into the SafePaths app. An API request will be made against to this endpoint. The endpoint returns a boolean indicating whether or not the accessCode
exists and is still activevalid.
Endpoint:
GET /access-code/valid/{accessCode}
(https://pathcheck.atlassian.net/wiki/spaces/SA/pages/73924822/SPL+API+Specification+v1+For+MVP1#GET-%2Faccess-code%2Fvalid%2F%7BaccessCode%7D )
User Consent
The user consents to the HA’s terms of service after the access code is confirmed to be valid. We record the user’s consent on the case record associated with the accessCode
and set the access code to expire invalidate the accessCode
record (set invalidatedAt
timestamp) if the user did not consent to the terms of service.
Endpoint:
POST /consent
(https://pathcheck.atlassian.net/wiki/spaces/SA/pages/73924822/SPL+API+Specification+v1+For+MVP1#POST-%2Fconsent )
Data Upload
User data (points of concern) are posted to the endpoint along with the access code accessCode
. Validation on the code accessCode
occurs once more and then we persist the provided user data.
Endpoint:
POST /upload
(https://pathcheck.atlassian.net/wiki/spaces/SA/pages/73924822/SPL+API+Specification+v1+For+MVP1#POST-%2Fupload )
Post Data Upload
The SafePlaces frontend application will be polling the GET /case/{caseId}/points
(https://pathcheck.atlassian.net/wiki/spaces/SA/pages/73924822/SPL+API+Specification+v1+For+MVP1#GET-%2Fcase%2F%7BcaseId%7D%2Fpoints ). Once the upload process has concluded the endpoint will return the points of concern that were uploaded from the SafePaths app. The endpoint should check for the presence of an access code record associated with the case and take the following actions:
Return an appropriate error message to the client if the access code record has expired
accessCode
record is no longer valid (invalidatedAt
timestamp is notnil
) for any reasonReturn an appropriate error message to the client if the user has not consented to the HA’s terms of service
Return an appropriate status code if there is a unexpired valid access code associated with the case and but no points of concern associated with the case (user has not uploaded data yet)
Return all points of concern associated with the case if there are any
Open Questions
The SafePaths mobile app needs to know what HA’s are using SafePlaces. How are we serving up information about what HA’s are on using SafePlaces? What information do we expose about the HA’s and their organizations?