All checks were successful
## What & why First half of **S-12c** (behandel-portal backend), per **ADR-0013** (decisions recorded in #84): - **BFF multi-realm auth.** A second JWT bearer scheme (`medewerker`) alongside the default `digid` scheme. On validation it lifts Keycloak's `realm_access.roles` onto the principal, and a `behandelaar` policy (medewerker scheme + `behandelaar` role) gates `/behandel/*`. Self-service keeps the digid scheme. - **Werkbak = Flowable tasks.** The domain `Werkbak` query reads the open `Beoordelen` tasks (§8.2, S-12b's `IUserTaskClient`) and enriches each with its aggregate's bsn + status; `GET /behandel/werkbak` (domain) is proxied by the BFF `GET /behandel/werkbak` behind the behandelaar policy. The read projection stays the anonymous openbaar model (no premature `IN_BEHANDELING`/personal-data plumbing — deferred in ADR-0008). Behavior: `/behandel/werkbak` is **401** without a token, **403** for a medewerker lacking the role, **200 + werkbak** for a behandelaar. **S-12c-2** (next): `POST /behandel/registrations/{id}/decide` → domain decision + complete the Flowable task. ## Definition of Done - [x] Linked issue: #13 (umbrella, `refs`); closes the adr-proposal #84 - [x] Tests first; red → green per layer - [x] Unit + acceptance green (`make unit`): domain 78, bff 23, acceptance 9 (+ acl/event-subscriber unaffected) - [x] api-client `test` green; openapi.json regenerated (drift guard passes) - [x] Mutation ≥ break(90): **domain 100%, bff 100%** - [x] ADR-0013 added; `Keycloak__MedewerkerAuthority` wired into compose - [ ] CI green (pending) Part of #13. closes #84 Reviewed-on: #85
159 lines
3.1 KiB
JSON
159 lines
3.1 KiB
JSON
{
|
|
"openapi": "3.1.1",
|
|
"info": {
|
|
"title": "Bff.Api | v1",
|
|
"version": "1.0.0"
|
|
},
|
|
"paths": {
|
|
"/self-service/registrations": {
|
|
"post": {
|
|
"tags": [
|
|
"Bff.Api"
|
|
],
|
|
"responses": {
|
|
"202": {
|
|
"description": "Accepted",
|
|
"content": {
|
|
"application/json": {
|
|
"schema": {
|
|
"$ref": "#/components/schemas/SubmitAccepted"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"400": {
|
|
"description": "Bad Request"
|
|
},
|
|
"401": {
|
|
"description": "Unauthorized"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"/openbaar/register": {
|
|
"get": {
|
|
"tags": [
|
|
"Bff.Api"
|
|
],
|
|
"parameters": [
|
|
{
|
|
"name": "q",
|
|
"in": "query",
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
],
|
|
"responses": {
|
|
"200": {
|
|
"description": "OK",
|
|
"content": {
|
|
"application/json": {
|
|
"schema": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/components/schemas/OpenbaarEntry"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"/behandel/werkbak": {
|
|
"get": {
|
|
"tags": [
|
|
"Bff.Api"
|
|
],
|
|
"responses": {
|
|
"200": {
|
|
"description": "OK",
|
|
"content": {
|
|
"application/json": {
|
|
"schema": {
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/components/schemas/WerkbakItem"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"401": {
|
|
"description": "Unauthorized"
|
|
},
|
|
"403": {
|
|
"description": "Forbidden"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"components": {
|
|
"schemas": {
|
|
"OpenbaarEntry": {
|
|
"required": [
|
|
"id",
|
|
"status",
|
|
"reference"
|
|
],
|
|
"type": "object",
|
|
"properties": {
|
|
"id": {
|
|
"type": "string"
|
|
},
|
|
"status": {
|
|
"type": "string"
|
|
},
|
|
"reference": {
|
|
"type": [
|
|
"null",
|
|
"string"
|
|
]
|
|
}
|
|
}
|
|
},
|
|
"SubmitAccepted": {
|
|
"required": [
|
|
"registrationId",
|
|
"status"
|
|
],
|
|
"type": "object",
|
|
"properties": {
|
|
"registrationId": {
|
|
"type": "string"
|
|
},
|
|
"status": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
},
|
|
"WerkbakItem": {
|
|
"required": [
|
|
"registrationId",
|
|
"bsn",
|
|
"status"
|
|
],
|
|
"type": "object",
|
|
"properties": {
|
|
"registrationId": {
|
|
"type": "string"
|
|
},
|
|
"bsn": {
|
|
"type": "string"
|
|
},
|
|
"status": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"tags": [
|
|
{
|
|
"name": "Bff.Api"
|
|
}
|
|
]
|
|
}
|