High Level Purpose: Have CHEFS store enpoint urls/tokens in a postgres table. CHEFS can then have event driven api restful callout endpoints. The initial subsribed event will be for the form_submission. CHEFS will use these endpoints to make restful call outs to approved systems. The ability to create subscriptions will be restricted to government systems.
Background: Transportation built a polling method to pick up form submissions through the use of API calls. It would be easier for government applications to instead subscribe to events where the CHEFS application would call out to the endpoint and pass the data after the event. In the case of form submissions the json of the form would be passed in the body.
Thoughts and concerns (Please add concerns here)
The main concern in building callouts may be around allowing communication external to the Openshift environment. The Grants system will also be hosted in the Openshift environment so communication on the backend api rest calls should be possible but should also maybe consider locking down routes.
Design
It looks like the ability to schedule events only is available after the initial for is saved. Add a checkbox to subscribe to events. Have a block on the frontend to allow a drop list of events and the ability to enter the endpoint token and endpoint URL for the event. Right now we only have defined 3 events so maybe just one line per each? Or might need to click add for the drop list for seperate row?
Security
Lock down the ability to create Subscription end points to only allow IDIR users the ability to save Subscribed Events.
Subscription Events
Several subscription events have been discussed the main events being:
Form Submission
Form Submission Status Change - Assigned / Revise
Form Assignement
Stored Data
Tablename: form_subscription
table.uuid('id').primary(); table.uuid('formVersionId').references('id').inTable('form_version').notNullable().index(); table.string('name'); table.string('description'); table.string('subscribeEvent'); table.string('endPointUrl').notNullable(); table.string('endPointToken').notNullable();
id | formVersionId | name | description | subscribeEvent | endPointUrl | endPointToken | createdBy | createdAt | updatedBy | updatedAt --------------------------------------+--------------------------------------+-----------------+---------------------------------------+-----------------+-----------------------------------+---------------+-------------------+-------------------------------+-----------+------------------------------- 05b52fd1-4c50-4b79-9099-a2cf87b34a8a | cbb49343-52be-4353-9db9-948a9b4a7d95 | form_submission | Subscription event on form submission | form_submission | https://reqbin.com/echo/post/json | AbCdEf123456 | 999-dev-seed-data | 2023-06-21 11:02:12.621903-07 | | 2023-06-21 11:02:12.621903-07
STRA - Thoughts:
I assume that STRA has been done on the API endpoints already
Passing sensitive data through a web restful request may not be necisarry if we just send the notification event soley with the id of the form submission. That way the endpoint would be notified only that an event occurred and then call back to the CHEFS API to retrieve the data.
I am open to discussing this further or creating STRA modifications on the GRANT system if we needed it for the entire form submission data to be passed. Each program area would most likely have it’s own sensitivity needs for what personal information is being passed.