Check out the wiki for sequence diagram and more https://github.com/HIEofOne/Trustee-Community/wiki
Trustee Community is the code repository a community manager can fork to create a new patient community.
To create a new patient community, a manger will need these prequisites:
- An account at DigtialOcean to pay for hosting the community members Trustees (patient-controlled health records),
- An account at Stripe to collect credit card payments for Trustee subscriptions hosted by the community (future state)
- A domain name for the community,
- A privacy policy describing the initial configuration of Trustee access policies and how subscribers can change the policies if they choose.
- have these ready for the installer in step 5
- details on getting API keys are in the section More on Additional API Services
- assume you have a domain name (mydomain.xyz) and email address needed for LetsEncrypt SSL ([email protected])
- you have a GitHub account to fork NOSH3 to. You will need the organization name and obtain a personal access token.
- link your GitHub account to DigitalOcean
- size: 's-1vcpu-1gb',
- image: 'ubuntu-22-10-x64'
git clone -b deploy --single-branch https://github.com/HIEofOne/Trustee-Community.git
cd Trustee-Community
./do-install.sh
exit
cd Trustee-Community
./do-install.sh
6. Open your browser to https://mydomain.xyz
- Other notable endpoints with your Trustee include:
- https://db.mydomain.xyz which points to the CouchDB database used to store user account information (just email) and droplet info.
- https://noshdb.mydomain.xyz whihc points to the NOSH CouchDB database instance used to store encrypted health information for the NOSH3 in DigitalOcean App Platform.
- https://router.mydomain.xyz which points to the Traefik reverse proxy router
7. Set up GitHub Action - Sync Upstream Repo Fork
Auto sync the NOSH3 codebase which is used to update the creation of your DigitalOcean App Platform image.
- in GitHub, go to the recently forked repository for nosh3 in your organization account.
- click on Actions
- Enable all workflows to start (you may receive an error with the Docker Image CI workflow run, just ignore)
- on the left, there are 2 workflows (Docker Image CI and Sync NOSH3 Upstream).
- in Docker Image CI, click on the 3 dots on the right-hand side (Show wokflow options), and click Disable Workflow
Magic instructions:
- Set up an account for free by visiting Magic. Click on Start now.
- Once you are in the dashboard, go to Magic Auth and click on New App. Enter the App Name (My App Powered by Trustee) and hit Create App.
- Once you are in the home page for the app, scroll down to API Keys and copy the PUBISHABLE API KEY value. This API Key will be usee to interact with Magic's APIs
- Set up an account here
- Edit your profile and click on Generate new API Key. Copy this API key.
Trustee is based around Docker containers. This repository source code is for the Trustee core which is Next.JS based application and served by Node.JS. Deployment of individual Docker containers which includes the patient health record powered by NOSH specific to only one patient/user is demonstrated by this project.
The docker-compose.yml (template found in docker-compose.tmp under the docker directory) defines the specific containers that when working together, allow Trustee to be able to fully featured (e.g. a bundle). Below are the different containers and what they do:
1. Traefik - this is the router, specifying the ports and routing to the containers in the bundle
2. CouchDB - this is the NoSQL database that stores all documents
3. NOSH - this is the Node.js based server application
4. Watchtower - this service pulls and applies updates to all Docker Images in the bundle automatically without manager intervention
Get all patients
GET /api/couchdb/patients/all
Trustee also functions as an Authorization Server as specified by the Grant Negotiation and Authorization Protocol.
Client sends HTTP POST to the grant endpoint of Trustee with the following headers and body. The Content-Digest, Signature, and Signature-Input fields and how they are constructed are described here. It is imperative that the processes outlined in the aformentioned link are followed explicitly as Trustee verifies these header fields with the public key presented in the request body (client.key field) NOTE: Trustee currently only accepts JSON Web Keys for the public key presentation at this time (in the client.key field)
POST /api/as/tx
Content-Type: application/json
Signature-Input: sig1=...
Signature: sig1=:...
Content-Digest: sha-256=...
{
"access_token": {
"access": [
{
"type": "app",
"actions": [
"read",
"write"
],
"locations": [
"https://nosh-app-mj3xd.ondigitalocean.app/app/chart/nosh_49798bcb-c617-4165-beb6-05442152c99a"
],
"datatypes": [
"application"
]
},
{
"type": "conditions",
"actions": [
"read",
"write"
],
"locations": [
"https://nosh-app-mj3xd.ondigitalocean.app/fhir/api/Condition"
],
"datatypes": [
"application/json"
]
}
]
},
"client": {
"display": {
"name": "My Client Display Name",
"uri": "https://client.example.net"
},
"key": {
"proof": "httpsig",
"jwk": {
"kty": "RSA",
"e": "AQAB",
"kid": "xyz-1",
"alg": "RS256",
"n": "kOB5rR4Jv0GMeL...."
}
}
},
"interact": {
"start": ["redirect"],
"finish": {
"method": "redirect",
"uri": "https://client.example.net/return/123455",
"nonce": "LKLTI25DK82FX4T4QFZC"
}
},
"subject": {
"sub_id_formats": ["iss_sub", "opaque"],
"assertion_formats": ["id_token"]
}
}
If verified successfuly, Trustee responds with:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"interact": {
"redirect":
"https://server.example.com/api/as/interact/4CF492MLVMSW9MKM",
"finish": "MBDOFXG4Y5CVJCX821LH"
}
"continue": {
"access_token": {
"value": "80UPRY5NM33OMUKMKSKU"
},
"uri": "https://server.example.com/api/as/continue"
},
"instance_id": "7C7C4AZ9KHRS6X63AJAO"
}