Sim swap alignement with commonalities 0.5 #180
Conversation
Align sim-swap.yaml with commonalities 0.5
Update sim-swap-check.feature with commonalities 0.5
🦙 MegaLinter status: ✅ SUCCESS
See detailed report in MegaLinter reports MegaLinter is graciously provided by |
code/API_definitions/sim-swap.yaml
Outdated
|
|
||
| This specification defines the `phoneNumber` field as optional in API requests, specifically in cases where the API is accessed using a 3-legged access token, and the phone number can be uniquely identified by the token. This approach simplifies API usage for API consumers by relying on the information associated with the access token used to invoke the API. | ||
| This API requires the API consumer to identify a device as the subject of the API as follows: |
There was a problem hiding this comment.
For SimSwap a subject of the API is a phone number, not a device. The "device-centric" language is misleading.
There was a problem hiding this comment.
Agreed. I will apply.
code/API_definitions/sim-swap.yaml
Outdated
| @@ -326,7 +354,7 @@ components: | |||
| value: | |||
| status: 403 | |||
| code: INVALID_TOKEN_CONTEXT | |||
| message: phoneNumber is not consistent with access token | |||
| message: "{{field}} is not consistent with access token." | |||
There was a problem hiding this comment.
What "field" other than the phoneNumber can it be?
There was a problem hiding this comment.
I followed what is described in the CAMARA_common.yaml
I tend to think that this error should not be triggered in our case because if you pass a 3-legs access token identifying the phone number and a phone number in the body the 422 UNNECESSARY_IDENTIFIER must be triggered.
There was a problem hiding this comment.
Yes, I understood that you follow commonalities. But should we really copy paste its wording 1:1 when we know better. A developer will read this text and can be confused.
And you are right - with the change this PR introduces, this check will not be executed: 422 to be returned without checking if both match or not. Let's remove it.
There was a problem hiding this comment.
Yes make sense for me. to remove ut but I would like to hear from @fernandopradocabrillo before to proceed.
Fernando do you think we can remove 403 INVALID_TOKEN_CONTEXT ? as we do not see when this error will be triggered.
| ### Restrictions for tokens without an associated authenticated phone number: | ||
|
|
||
| - For scenarios which do not have a phone number associated to the token during the authentication flow, e.g. 2-legged access tokens, the `phoneNumber` field MUST be provided in the API request. This ensures that the phone number is explicit and valid for each API call made with these tokens. | ||
| - If the subject can be identified from the access token and the optional `phoneNumber` identifier is also included in the request, then the server will return an error with the `422 UNNECESSARY_IDENTIFIER` error code. This will be the case even if the same device is identified by these two methods, as the server is unable to make this comparison. |
There was a problem hiding this comment.
I agree with the logic of the change, but this is a not-backward compatible change. Currently one may send 3-legged token and the phoneNumber (even if this is not recommended), with this change this will cause a error.
There was a problem hiding this comment.
Agree we have a breaking change here but we have to follow commonalities. Indeed, If you use 3-legs access token with a phoneNumber in the body you'll have a 422 UNNECESSARY_IDENTIFIER while previously it worked.
As a reminder we introduced this to avoid 'hidden' number verification
There was a problem hiding this comment.
The purpose of my comment was to highlight this, and make sure that the consequences of new commonalities are not overlooked.
removed 403 INVALID_TOKEN_CONTEXT
|
@fernandopradocabrillo @gregory1g Following camaraproject/Commonalities#369 discussion I think it's fair to remove 403 INVALID_TOKEN_CONTEXT example in the yaml. May I ask you to review this new proposal soon as we have to prepare the RC candidate before Jan17th. We can still modify after but we have to achieve the milestone. |
code/API_definitions/sim-swap.yaml
Outdated
|
|
||
| It is important to remark that in cases where personal user data is processed by the API, and users can exercise their rights through mechanisms such as opt-in and/or opt-out, the use of 3-legged access tokens becomes mandatory. This measure ensures that the API remains in strict compliance with user privacy preferences and regulatory obligations, upholding the principles of transparency and user-centric data control. | ||
|
|
||
| # Identifying a phone number from the access token | ||
| # Identifying the device from the access token |
There was a problem hiding this comment.
I thought that we agreed that for this API we keep phoneNumber as a the API subject.
There was a problem hiding this comment.
You're right. I fixed line 49 but missed this one. I will fix. Thanks
code/API_definitions/sim-swap.yaml
Outdated
| code: SERVICE_NOT_APPLICABLE | ||
| message: The service is not available for the provided identifier. | ||
| GENERIC_422_MISSING_IDENTIFIER: | ||
| description: An identifier is not included in the request and the device or phone number identification cannot be derived from the 3-legged access token |
There was a problem hiding this comment.
If this error for 3-legged token invocation only it should not say "not included in the request", because this is not allowed for the 3-legged invocation.
If the error is generic it should not explicitly mention 3-legged token (because it could be a 2-legged token). Like "An identifier is not included in the request and the device or phone number identification cannot be derived from access token".
Since "MISSING_IDENTIFIER" error message uses a generic "access token" style, I suggest to use generic style here as well.
There was a problem hiding this comment.
This is generic.
I followed commonalities guideline see here.
I suggest @gregory1g that you post your comment in commonalities as it makes sense.
There was a problem hiding this comment.
created an issue there: camaraproject/Commonalities#370
There was a problem hiding this comment.
according to Eric, commonality's "description" is not a error message to be send, it is a description for the reader of the table in the document. While example of the message is in the "Message example" column. An this is just an example, different API can use different text
There was a problem hiding this comment.
Proposal discussed with @fernandopradocabrillo : We propose to add precision about this error in the Test Case
There was a problem hiding this comment.
I've reworked the yaml & TC to add all clarification - please review.
code/API_definitions/sim-swap.yaml
Outdated
| description: API Server Timeout | ||
| status: 429 | ||
| code: QUOTA_EXCEEDED | ||
| message: Either out of resource quota or reaching rate limiting. |
There was a problem hiding this comment.
As a API client I would prefer an error message that describes the issue precisely, especially since the server distinguishes these tow issues (code is different). Currently, the human readable description is more generic that error code.
There was a problem hiding this comment.
This is a good comment @gregory1g but it should be triggered to commonalities first as here I used what we have defined for commonalities v0.5 (in https://github.com/camaraproject/Commonalities/blob/main/artifacts/CAMARA_common.yaml)
I suggest to not change this for this release to keep alignement with Commonalities 0.5 and then change this depending of commonalities outcome for next iteration. Work for you?
There was a problem hiding this comment.
ok. Added camaraproject/Commonalities#372
There was a problem hiding this comment.
according to Eric "Message example" column where the text came from us just an example, different API can use different text. So, there is no need to use exactly the same text as in the commonalities.
There was a problem hiding this comment.
Thanks @gregory1g
As the implementation is free to change the description do we have to provide here something different from other API for 429?
I 'm fine to provide 2 exemple if is it a blocking point for you but me preference is to keep as it.
There was a problem hiding this comment.
Discussed with @fernandopradocabrillo --> I will fix the yaml as suggested by @gregory1g
Fixe line 47 (device -> phone number)
What type of PR is this?
Add one of the following kinds:
What this PR does / why we need it:
Alignement of sim_swap.yaml, sim_swap-retrieveDate.feature and sim_swap-check.feature with commonalities 0.5 rules.
See detail in release note
Which issue(s) this PR fixes:
Fixes #161
Special notes for reviewers:
This is breaking change.
Changelog input
Additional documentation
This section can be blank.