Tracking issue for:

• https://github.com/medplum/medplum/security/code-scanning/4

If a resource has multiple identifiers with the same value, then search results can include the same resource twice.

The root cause is an incorrect JOIN:

Current query:

SELECT "Patient"."id"
FROM "Patient" 
JOIN "Identifier" ON "Patient"."id"="Identifier"."resourceId" 
WHERE "deleted"=false AND "Identifier"."value"=$1
LIMIT 20;

Desired query:

SELECT "Patient"."id"
FROM "Patient" 
JOIN (
  SELECT DISTINCT ON ("Identifier"."resourceId") *
  FROM "Identifier"
  WHERE "Identifier"."value"=$1
  ORDER BY "Identifier"."resourceId"
) "Identifier" ON "Patient"."id"="Identifier"."resourceId"
WHERE "deleted"=false
LIMIT 20;

Add Questionnaire enableWhen element to allow for more complex logic in Questionnaires in the frontend web app. https://www.hl7.org/fhir/questionnaire-definitions.html#Questionnaire.item.enableWhen

E.g. If a user answers Yes to a question then it enables an alternate question

FHIR specification for Slot: https://www.hl7.org/fhir/slot.html

start and end should be an an instant: https://www.hl7.org/fhir/datatypes.html#instant — "An instant in time in the format YYYY-MM-DDThh:mm:ss.sss+zz:zz (e.g. 2015-02-07T13:28:17.239+02:00 or 2017-01-01T00:00:00Z)" and with the regex ([0-9]([0-9]([0-9][1-9]|[1-9]0)|[1-9]00)|[1-9]000)-(0[1-9]|1[0-2])-(0[1-9]|[1-2][0-9]|3[0-1])T([01][0-9]|2[0-3]):[0-5][0-9]:([0-5][0-9]|60)(\.[0-9]+)?(Z|(\+|-)((0[0-9]|1[0-3]):[0-5][0-9]|14:00))

When I create a Slot with a start that is a string, e.g. "example", I do not get an error, but I believe I should get an error for not matching the required format. In the TypeScript definition it is a start?: string. This might be related to #857.

After I click sign in with Google, and sign in using the popup window, I get to this page, after which nothing happens.
Nothing loads further.
If I try registering from scratch, it tells me the email is already in use. If I try signing in otherwise with the email, it says invalid authentication method, so I'm somewhat stuck here. This is my first time ever using the app (https://app.medplum.com/signin).

For example, enter "active" as a Subscription.status:

The current description leaves a little to be desired.

Medplum is a healthcare platform that helps you quickly develop high-quality compliant applications. Medplum includes a FHIR server, React component library, and developer console.

Your description should be targeted to the most important user/developer group weighted by how often that group sees the README. READMEs are the most frequently visited pages on Github and you should be able to clearly tell your intended audience why and how they can get involved.

What you should do is state clearly what medplum does, why what's currently available isn't adequate for the job, and how medplumis different.

Stress your code coverage and quality. Mention how typescript's static typing makes it harder to introduce bugs. Have a story that tells healthcare admins, users, and developers, "There's this problem we all have that medplum fixes. Let's build it together".

This is a wishlist item

Ability to pull down and validate terminology from an external service like VSAC (vsac.nlm.nih.gov/) or something else and check that the codes that have been received are valid. Similar to the FHIR validation use case: #389 (I recognize it should be covered already). E.g. receiving a resource and checking that the LOINC, SNOMED, or RXnorm code is valid from the sender.

Even better would be the ability to embed a standard code in a newly created resource e.g. a doctor is creating a medication and we can add an RXNorm code to it immediately.

I'm an administrator in my project. Clicking the Remove button does not fire off any request & does not remove the user. It also does not navigate the page anywhere.

Medplum supports both createPatient and createProject API calls. I believe it would be useful to include a addPractitioner.

In my use case I want doctors to register in my app when they are invited by patients.

More details: https://discordapp.com/channels/905144809105260605/905144809105260608/1027056044419055626

Thanks,
Bruno

I ran some experiments with devcontainers in hopes of a better localhost Docker developer experience. It's not perfect, but it shows promise.

In my experiments, it is currently functional, but too slow to be usable (full test cycle is 10x longer, running basic terminal commands like ls can take seconds to complete).

One of the recommended performance tips is to keep the container completely isolated -- it lives only in Docker, no bind mounts to the host file system.

That might be a "2 steps forward, 1 step back" solution. All development happens in Docker, but to do anything useful it requires VS Code and the Remote Development VS Code extension.

Filing this issue to track the experiment.

Links:

Developing inside a container
https://code.visualstudio.com/docs/remote/containers

Containers tutorial
https://code.visualstudio.com/docs/remote/containers-tutorial

Performance tips
https://code.visualstudio.com/remote/advancedcontainers/improve-performance

Non-root user
https://code.visualstudio.com/remote/advancedcontainers/add-nonroot-user

JavaScript and Postgres example
https://github.com/microsoft/vscode-dev-containers/tree/main/containers/javascript-node-postgres

From Discord

I'm at localhost:3000/Project/new, and I can't fill in the Owner field because it's trying to search Users by "name" and that's not a supported search parameter for User. Is this the right way to create a project through the app, or am I looking in the wrong place? This is the http error response I'm getting: {"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"invalid","details":{"text":"Unknown search parameter: name"}}]}

README should have a section like this at the top of the page right after the project description

Install

git clone https://github.com/medplum/medplum && cd medplum && docker compose up -d

This will let potential users see exactly what's going on with medplum.

Allow devs to set up their environment using docker only, with nothing else installed on their local machines

Really neat project! Any need for iOS contributions? E.g. HealthKit / CareKit integrations or Swift SDK?

Current API docs implementation looks static and will rot fairly quickly. Consider setting up a github action that compiles a static swagger site for each release.

The inclusion of '_'-prepended primitive elements, as described here in the spec (see: "_birthdate"), in a resource seems to cause resource creation to fail with:

{
  resourceType: 'OperationOutcome',
  id: '838c5a4d-da73-4f14-aeb3-bcea4b36d623',
  issue: [
    {
      severity: 'error',
      code: 'structure',
      details: {
        text: 'Invalid additional property "Questionnaire.item._text"'
      },
      expression: [ 'Questionnaire.item._text' ]
    },
...
  ]
}

I'm not sure if there exists any behavioural implications from accepting these elements, but we're just looking to be able to create then get resources with them. The sample resource we're attempting to create can be found here for reference. Feel free to let me know if this is a complex feature or if a PR can help!

It seems to not currently be feasible to associate an access policy with a client Application.

This would be useful for a number of use cases I have.

In particular, I'd like to create a Client Application that can only submit a specific questionnaire and read specific fields from patients/service requests associated with their compartment.

If this seems like an interesting use case that could be explored further, I might be able to dedicate a few cycles towards this goal. I've explored this some, and it seems like it wouldn't be too difficult to get going.

However, I'm not sure what to do about the existing functionality - that a synthetic access policy is crafted. Should an explicit access policy override the synthetic?

If docker is the main form of deployment there should a docker img built and deployed with every release. There's likely a github action that can do this but I'm really only familiar with GoReleaser which is Go specific.

This might just be something I'm not doing right but I created an example Questionnaire that looks like such:

However, on submission it does not include the attachment:

{
  "resourceType": "QuestionnaireResponse",
  "questionnaire": "Questionnaire/04bca47c-49a5-47aa-a4e1-9aa7cf52c423",
  "source": {
    "reference": "Practitioner/aa3b949c-495d-4a28-8c5b-f0233da05f6f",
    "display": "James Ward"
  },
  "authored": "2022-02-17T07:17:31.069Z",
  "id": "ed2f5389-6ab8-4e02-bd89-eb411e0c04f6",
  "meta": {
    "versionId": "b57384d1-aa74-4566-9229-cf70243916b1",
    "lastUpdated": "2022-02-17T07:17:32.389Z",
    "author": {
      "reference": "Practitioner/aa3b949c-495d-4a28-8c5b-f0233da05f6f",
      "display": "James Ward"
    },
    "project": "82526724-2a0a-495d-9e23-0aba1a51d19f"
  }
}

Package structure review

As we look toward the 1.0.0 release, we are taking another look at the organization of npm packages and dependencies. The current state is working, although there are a few awkward rough edges, and a few cases of code duplication. As an organization, we are deeply committed to backward compatibility for LTS releases, so now is the time to get this right.

Considerations

• Developer experience
  • We want to make it easy for developers to pick up the dependencies they need and go
  • We want to avoid unnecessary confusion regarding "which packages do I need?"
• Bundle size
  • We want tight bundle sizes to avoid unnecessary code bloat
  • We want to avoid unnecessary stress from developers asking "is this dependency too big for my project?"
• Code duplication
  • We want a clean project structure and architecture
  • We want to minimize the amount of code duplicated across projects
• SEO and discoverability
  • Some developers will search for packages on npmjs.com
  • There are marketing advantages to descriptive package names with keywords in the name
  • @medplum/core performs poorly in this regard, because it only works if you search for medplum
  • @medplum/fhirpath performs better, because it is one of the few results for fhirpath
  • Unclear how much this matters
• What about ESM and tree-shaking?
  • At some point in the future, as ESM becomes more popular, and bundlers become more advanced, size concerns should go aay.
  • In that world, the bundler should be able to identify only the parts that are actually used, and ignore everything else.
  • This is an argument for bigger and simpler packages.
• What about direct <script> import?
  • Many developers still use the simple model of including dependencies by <script> tag
  • This is an argument for smaller and tighter dependencies
• What about CQL?
  • In the future, we intend to add CQL parsing and execution.
  • CQL is a superset of FHIRPath, so those projects are likely to comingle in the code base.
  • CQL is big, and likely to 2x-5x the size of the FHIRPath implementation.
• How big is too big?
  • jquery: 88kb minified, 30kb minified and gzipped
  • lodash: 70kb minified, 25kb minified and gzipped
  • react: 6.4kb minified, 2.5kb minified and gzipped
  • react-dom: 130kb minified, 41kb minified and gzipped
  • moment: 290kb minified, 72kb minified and gzipped
  • fhirpath.js: 159kb minified, 40kb minified and gzipped

Options

1. Current state

• @medplum/core - Main client SDK
  • ~30kb minified
  • ~10kb minified and gzipped
• @medplum/fhirpath - FHIRPath implementation
  • ~22kb minified
  • ~6kb minified and gzipped
• @medplum/fhirtypes - FHIR TypeScript type annotations
  • This is compile time only, so bundle size is irrelevant

2. One big core

• Move @medplum/fhirpath into @medplum/core - Main client SDK
• Perhaps move @medplum/fhirtypes into @medplum/core as well
• Pros:
  • Maximum simplicity for developer customers
  • Eliminates most of the current cases of code duplication
• Cons:
  • @medplum/core gets bigger, estimated 50kb minified, 16kb minified and gzipped
  • Impossible to use @medplum/fhirpath as standalone

3. Separate utils

• Split @medplum/core into @medplum/client and @medplum/utils
• Make @medplum/utils a peer dependency of @medplum/fhirpath
• Pros:
  • Maximum modularity
  • Best from a "conceptual integrity" perspective
  • Smallest individual dependencies
• Cons:
  • More developer complexity - more cognitive overhead to determine which dependencies are needed

4. Separate utils + @medplum/all-in-one

• Option 3 + a new convenience package called @medplum/all-in-one
• The @medplum/all-in-one is provided as a convenience package for developers who just want everything
• Pros:
  • Possibly best of both?
• Cons
  • Possibly the worst of both? This option ends up having the most dependencies to choose from
  • Risk of bad developer experience if you try to use both all-in-one and core, and all hell breaks loose

For security purposes, we would like customize login to ensure that all users for a project log in via Google Auth, and that all users have emails from a specific domain.

FHIR specification for Slot: https://www.hl7.org/fhir/slot.html

A Slot must have a schedule, status, start, and end.

If I submit an API request to /fhir/R4/Slot with body

{
    "resourceType": "Slot"
}

I get an expected error: Missing required property \"schedule\"

If I include schedule:

{
    "resourceType": "Slot",
    "schedule": {
        "reference": "schedule/example"
    }
}

A Slot is created successfully. However, I'm still missing the required fields start and end. I think this should throw an error if it's to match the FHIR specification.

Steps to repro:

• Go to service request vide
• Click on column header for "Subject"
• Filter by "contains"
• Type any character + enter

┆Attachments: image.png | image.png

Tracking issue for:

• https://github.com/medplum/medplum/security/code-scanning/5

In the project Access page I seem to be unable to remove access policies from client applications & users. The access policy is always applied in the POST that occurs from it

Repro steps:

1. Create a new node project (npm init)
2. Add "type": "module" to package.json
3. Add medplum (npm install @medplum/core)
4. Use ESM import syntax:

import { createReference } from '@medplum/core';

createReference({resourceType: 'Patient', id: '123'});

Current behavior:

$ node index.js
file:///C:/Users/cody/dev/medplum-esm-test/index.js:1
import { createReference } from '@medplum/core';
         ^^^^^^^^^^^^^^^
SyntaxError: Named export 'createReference' not found. The requested module '@medplum/core' is a CommonJS module, which may not support all module.exports as named exports.
CommonJS modules can always be imported via the default export, for example using:

import pkg from '@medplum/core';
const { createReference } = pkg;

    at ModuleJob._instantiate (node:internal/modules/esm/module_job:128:21)
    at async ModuleJob.run (node:internal/modules/esm/module_job:194:5)
    at async Promise.all (index 0)
    at async ESMLoader.import (node:internal/modules/esm/loader:409:24)
    at async loadESM (node:internal/process/esm_loader:85:5)
    at async handleMainPromise (node:internal/modules/run_main:61:12)

Node.js v18.2.0

Expected behavior: Executes normally

Fix: Add a JSON file @medplum/core/dist/esm/package.json with only the contents {"type":"module"}

Notes:

• Most projects use bundlers such as webpack, rollup, or vite. Most of those bundlers handle this for you.
• The important part of this bug is that there are no bundlers, just vanilla JS and node

See:

• nodejs/node#34515
• https://nodejs.org/api/packages.html#type
• https://www.sensedeep.com/blog/posts/2021/how-to-create-single-source-npm-module.html
• sindresorhus/meta#15

Simple vite+medplum project using version 0.9.9. npm run build works as expected. npm run dev fails with the following error:

✘ [ERROR] Could not resolve "pdfmake"

    node_modules/@medplum/core/dist/esm/index.js:855:39:
      855 │             const PdfPrinter = require('pdfmake');
          ╵                                        ~~~~~~~~~

  You can mark the path "pdfmake" as external to exclude it from the bundle, which will remove this
  error. You can also surround this "require" call with a try/catch block to handle this failure at
  run-time instead of bundle-time.

4:55:40 PM [vite] error while updating dependencies:
Error: Build failed with 1 error:
node_modules/@medplum/core/dist/esm/index.js:855:39: ERROR: Could not resolve "pdfmake"
    at failureErrorWithLog (/Users/reshmakhilnani/dev/humanfirst-lab-sample/node_modules/esbuild/lib/main.js:1600:15)
    at /Users/reshmakhilnani/dev/humanfirst-lab-sample/node_modules/esbuild/lib/main.js:1246:28
    at runOnEndCallbacks (/Users/reshmakhilnani/dev/humanfirst-lab-sample/node_modules/esbuild/lib/main.js:1031:63)
    at buildResponseToResult (/Users/reshmakhilnani/dev/humanfirst-lab-sample/node_modules/esbuild/lib/main.js:1244:7)
    at /Users/reshmakhilnani/dev/humanfirst-lab-sample/node_modules/esbuild/lib/main.js:1353:14
    at /Users/reshmakhilnani/dev/humanfirst-lab-sample/node_modules/esbuild/lib/main.js:663:9
    at handleIncomingPacket (/Users/reshmakhilnani/dev/humanfirst-lab-sample/node_modules/esbuild/lib/main.js:760:9)
    at Socket.readFromStdout (/Users/reshmakhilnani/dev/humanfirst-lab-sample/node_modules/esbuild/lib/main.js:629:7)
    at Socket.emit (node:events:390:28)
    at addChunk (node:internal/streams/readable:324:12)
Vite Error, /node_modules/.vite/deps/@medplum_react.js?v=05a5517e optimized info should be defined
Vite Error, /node_modules/.vite/deps/react.js?v=305e321a optimized info should be defined
Vite Error, /node_modules/.vite/deps/react-dom.js?v=305e321a optimized info should be defined
Vite Error, /node_modules/.vite/deps/react-router-dom.js?v=8a01f066 optimized info should be defined
Vite Error, /node_modules/.vite/deps/@medplum_core.js?v=6310d204 optimized info should be defined
Vite Error, /node_modules/.vite/deps/react_jsx-dev-runtime.js?v=305e321a optimized info should be defined
Vite Error, /node_modules/.vite/deps/@medplum_react.js?v=05a5517e optimized info should be defined
Vite Error, /node_modules/.vite/deps/react.js?v=305e321a optimized info should be defined
Vite Error, /node_modules/.vite/deps/react-router-dom.js?v=8a01f066 optimized info should be defined
Vite Error, /node_modules/.vite/deps/react_jsx-dev-runtime.js?v=305e321a optimized info should be defined
Vite Error, /node_modules/.vite/deps/react_jsx-dev-runtime.js?v=305e321a optimized info should be defined (x2)

I found this bug while using the PatientTimeline in my app.

When click in Comment I get the following error:

{
    "resourceType": "OperationOutcome",
    "id": "my Id",
    "issue": [
        {
            "severity": "error",
            "code": "structure",
            "details": {
                "text": "Missing required property"
            },
            "expression": [
                "Communication.status"
            ]
        }
    ]
}

Same when uploading new Media:

{
    "resourceType": "OperationOutcome",
    "id": "my Id",
    "issue": [
        {
            "severity": "error",
            "code": "structure",
            "details": {
                "text": "Missing required property"
            },
            "expression": [
                "Media.status"
            ]
        }
    ]
}

It looks like those missing properties are missing in createCommunication and createMedia, here: https://github.com/medplum/medplum/blob/main/packages/react/src/PatientTimeline.tsx

Thanks,
Bruno

Problem:

• Lab instruments need to send raw messages in HL7 or ASTM format
• We need a place to store those messages in raw unedited form
• Bots or other utilities can be used to inspect the message contents and respond accordingly

Proposal:

• Add a new DeviceMessage resource
• Standard resource fields (id, meta, etc)
• content for raw string content
• Bots can then subscribe to DeviceMessage creation events

I'm not crazy about adding more custom resource types. I considered a few alternatives. Here are my reasons for not choosing them:

• AuditEvent - lots of irrelevant required fields
• Binary - messages are not actually binary content, and we also store binaries in blob storage, which would complicate the interaction with bots
• Communication - not a great conceptual match, intended for human communications

It would be good to add a docker compose file for running services all together (PostgreSQL, Redis, API server, web UI and etc).

The ServiceRequestTimeline does not currently show the history on Specimens associated with the ServiceRequest. Specimens should be added as well.

For reference: Search params for Specimen

When the sidebar is open, clicking the hamburger does not close it as would be expected. Additionally, the sidebar stays in an absolute position and the shading on the rest of the page does not extend to the bottom.
Here is a video example of this issue: https://www.loom.com/share/ccceff337c0845cd906a9e6d85b2df4f?from_recorder=1&focus_title=1

Add the ability to configure "sites" to project admin page, including:

• domains
• recaptcha credentials
• google auth credentials

When un-checking the admin privileges I get back a 304 Not Modified response - it seems the check box doesn't get sent along

Reference: https://discordapp.com/channels/905144809105260605/905144809105260608/1024367915866275910

In my product, Patients can upload their exams either on PDF or an Image, creating both a Binary and a Media resource. And then they can share these files with their doctor (that are modeled as a Practitioner). The shared option creates a Consent, that (roughly) looks like this:

Consent {
  patient: createReference(currentPatient),
  performer: createReference(pratictionerSelected),
  provision: {
    {
      meaning: 'instance',
      reference: createReference(mediaResource)
    },
    {
      meaning: 'instance',
      reference: createReference(binaryResource)
    }
  }
}

I'd like to have an AccessPolicy that only grants to the scecific Practitioner based on what is allowed in some Consent. The objective is to grant patients full control of what they want to share to their Doctors.

Per my conversation with @rahul1, he suggested to open this feature request as you're reviewing AccessPolicy modeling.

Thanks,
Bruno

http://hl7.org/fhir/uv/sdc/2019May/

http://hl7.org/fhir/uv/sdc/2019May/rendering.html

http://hl7.org/fhir/uv/sdc/2019May/behavior.html

Some features that we would like to support:

• Open patient registration
• Embed a calendar control to choose a Slot for a Schedule
• Display groups represented as different pages

When someone opens a pull request from a fork (i.e., outside of the medplum/medplum repo), then the build fails. That is because Github Actions does not share Github secrets for forked PR's, so SONAR_TOKEN is not available, and the SonarCloud step fails.

We experimented with changing pull_request to pull_request_target, as described here, but that has security risks. A bad actor could submit a PR that completely changes the build scripts to perform an escalation attack as described here. This was reverted back to pull_request.

The "right" fix requires the following:

• Separate build.yml into two actions
• First, the build step that builds and tests, triggered by pull_request, which does not share any secrets
• Second, an analysis step, triggered by workflow_run, which sends data to Sonar and Coveralls

This will require some experimentation. As others have found, the env variables in workflow_run are a weird hybrid of PR values and main branch values.

https://www.medplum.com/docs/contributing/run-the-stack#using-docker-recommended

Broken links for

• postgres.conf
• https://github.com/medplum/medplum/postgres/init_test.sql

Docusaurus ships with a feature where it generates and renders links at the bottom of each page prompting the reader to suggest edits if there should be anything added or fixed.

It looks like medplum's link generator is broken. This edit page url displayed on the doc's intro page leads here: https://github.com/medplum/medplum/packages/docs/docs/intro.md

Instead it should lead here: https://github.com/medplum/medplum/blob/main/packages/docs/docs/intro.md

Looks like the link generator isn't including the "/blob/main" part of the url that should lead to the correct resource. This should be a simple config fix in docusaurus.