
Fire Arrow 1.6.0


Fire Arrow 1.6.0 has been released.

  • (change) LegitimateInterest and GeneralPractitioner don't default to allow on entity creation.
  • (improvement) Cache fixes for automatic entity creation on authentication
  • (bugfix) Quantity can now be returned as a type
  • (bugfix) LegitimateInterest prints correct resource name in validation errors

The LegitimateInterest and GeneralPractitioner validators can run into situations where they can't properly validate a request on entity creation. For example, a Practitioner client trying to create an Organization can't prove legitimate interest in the new Organization resource, because the client first needs to create the Organization and then a corresponding PractitionerRole pointing to the new Organization.

In some of these situations both LegitimateInterest and GeneralPractitioner defaulted to allowing the request. This implicit behavior can create a false sense of security because implementers may expect that some form of validation happens, while in reality the behavior is the same as Allowed.

Fire Arrow is now more explicit and will always return Unauthorized errors in these situations. This requires implementers to choose the Allowed validator in config.json and makes it much more obvious what's really going on behind the scenes. There is no change in the validation strategies or capabilities of the validators; the change just makes the behavior more consistent and easier to understand in the configuration file.
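The difference between the old implicit allow and the new explicit behavior, modelled as an added example (this is not Fire Arrow's own code or its config.json format). The `Store` class, the rule dictionaries, the `fail_open` switch and the sample ids are assumptions made for illustration.

```python
# Simplified model, not Fire Arrow code: names, rule layout and store are assumptions.
from dataclasses import dataclass, field

@dataclass
class Store:
    # Constructed sample data: (practitioner id, organization id) pairs,
    # one per PractitionerRole resource.
    practitioner_roles: set = field(default_factory=set)

def legitimate_interest(store, client_id, op, org_id, fail_open):
    """Allow only if a PractitionerRole links the client to the Organization."""
    if op == "create":
        # The Organization does not exist yet, so no PractitionerRole can
        # reference it and the link cannot be proven.
        # fail_open=True models the implicit allow before 1.6.0;
        # fail_open=False models the Unauthorized result from 1.6.0 on.
        return fail_open
    return (client_id, org_id) in store.practitioner_roles

def authorize(rules, store, client_id, op, org_id, fail_open=False):
    """Return 'OK' or 'Unauthorized' for a request on an Organization."""
    validator = rules.get(op)  # no rule configured for the operation: deny
    if validator == "Allowed":
        allowed = True
    elif validator == "LegitimateInterest":
        allowed = legitimate_interest(store, client_id, op, org_id, fail_open)
    else:
        allowed = False
    return "OK" if allowed else "Unauthorized"

def demo():
    store = Store()
    implicit = {"create": "LegitimateInterest", "read": "LegitimateInterest"}
    explicit = {"create": "Allowed", "read": "LegitimateInterest"}
    args = (store, "prac-1", "create", "org-1")
    results = {
        "old_implicit_create": authorize(implicit, *args, fail_open=True),
        "new_implicit_create": authorize(implicit, *args),
        "new_explicit_create": authorize(explicit, *args),
        "read_before_role": authorize(explicit, store, "prac-1", "read", "org-1"),
    }
    store.practitioner_roles.add(("prac-1", "org-1"))  # PractitionerRole created
    results["read_after_role"] = authorize(explicit, store, "prac-1", "read", "org-1")
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In this model the rule set that names LegitimateInterest for creation is the one whose outcome changes; the rule set that names Allowed for creation makes the open create path visible in the configuration while reads stay gated on the PractitionerRole link.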

When config.json requires Fire Arrow to automatically create FHIR entities for clients that authenticate for the first time, the new entities may not have been visible immediately in search queries. This has been fixed.

A further bugfix improves the handling of Quantity. Quantity serves both as a type in its own right and as the interface for Age, Count, Distance and Duration. GraphQL interface types must be abstract and can't be returned as a type, which led to deserialization errors on properties such as Observation.valueQuantity. The schema has been changed so that Quantity is now a GraphQL type.

Error messages in LegitimateInterest have been improved so that they print the name of the resource that failed validation. Sometimes the string 'dynamic' appeared instead of the actual resource name, which could lead to confusing messages.