Analysis: Get Person API with lastname validation - caching of number of requests #3637
Closed
2 tasks
Labels
area/register
Area: Using data from the register component in Altinn in an app.
kind/analysis
Used when an issue needs to be analysed before it becomes a user story.
kind/security
Issue related to security.
kind/user-story
Used for issues that describes functionality for our users.
org/udir
Issues relevant for Utdanningsdirektoratet
solution/app-backend
API backend for the apps that's been developed in Altinn Studio.
Milestone
Description
In some apps there is a need for user to input ssn to give information about other parties.
In Altinn there is typical a requirement that if end user should be able to input the ssn to some other party he also needs to add the first 4 letters of the last name.
This so the solution not can be used to wash ssn.
Considerations
We need to identify how we ensure that a person number look up API can't be misused.
Caching
The most obvious mechanism for keeping a look up counter is some sort of caching. This needs to be a cache that can be used across as many apps as possible. There are 3 possible scopes:
For this issue we could consider a global cache a requirement. The idea is that there might be many apps across all app owners that are using the lookup. A global cache would then prevent misuse across all of them.
Counting all look ups triggered across the apps of each app owner might be enough to limit misuse.
Probably not broad enough for the case being discussed here. Though this point probably covers most of other caching needs?
It is also possible to create a custom cache client that hides the underlying service. The client can implement a type of scoping and add elements to a cache key to make the unique for a given scope. Maybe there is a need for a stronger wall between app owners, than the caching scope they set?
When it comes to the needs in this specific change the caching will be done by the Register platform component. This means we will need a caching mechanism available for the Platform. This will dictate what choices we make here. Another element is that we want to avoid relying too much on Azure specifically. Because of this the preferred hosting is as a container. We loose the built in monitoring.
Caching products
Managed Azure resource. Can easily be available for all apps across all app owners. Can alternatively have one for each app owner.
Redis can run in a docker container in any of our kubernets clusters. There could be one container i Platform for use as a global cache or there can be an instance running in each app owner cluster. https://hub.docker.com/_/redis
Open source: https://github.com/redis/redis
There are predefined images for Virual Machines on Azure, but no Managed resource offer. There are predefined docker images: https://hub.docker.com/_/memcached
Open source: https://github.com/memcached/memcached
Acceptance criteria
Development tasks
The text was updated successfully, but these errors were encountered: