Strapi Provider MW

UBI Strapi Provider Middleware

The UBI Strapi Provider Middleware is a NestJS-based backend service that processes benefit applications through the UBI / ONEST Network.

Core Features

Application Management: Lists and manages benefit applications from Strapi CMS

Document Verification: Verifies uploaded application documents using the Verification SDK

VC Verification: Validates Verifiable Credentials (VCs) for authenticity

Eligibility Checks: Performs eligibility verification using the Eligibility SDK

Application Processing: Approves or rejects benefit applications

UBI / ONEST Network Protocol: Implements UBI / ONEST Network provider standards

System Context

This service connects:

  • Strapi CMS (benefits catalog management)

  • Verification SDK (verifies VCs and documents)

  • Eligibility SDK (performs eligibility checks)

  • UBI / ONEST Network (standardized benefit discovery)

  • Consumer Applications (end-user interfaces)

Technology Stack

Runtime: Node.js 20+

Framework: NestJS (TypeScript)

Database: PostgreSQL with Prisma ORM

Authentication: JWT tokens

File Storage: Local filesystem or AWS S3

API Documentation: Swagger/OpenAPI

Security Features

JWT authentication with role-based access

Data encryption with configurable keys

Input validation and sanitization

Secure file upload handling

Audit logging for application changes

Data Encryption

Algorithm: AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode)

Key Specifications:

  • Key Size: 256-bit (32 bytes)

  • IV Length: 12 bytes (recommended for AES-GCM)

  • Authentication: Built-in authentication tag (16 bytes)

  • Encoding: Base64 for storage and transmission

Encrypted Data:

  • Applications.applicationData field containing:

    • Applicant personal details (name, age, income)

    • Bank account information

    • Sensitive identifiers

    • Disability type information

    • Custom application form data

Key Management:

  • Environment variable based: ENCRYPTION_KEY (current), OLD_ENCRYPTION_KEY (for rotation)

  • Supports seamless key rotation with a fallback mechanism

  • Keys must be base64-encoded 32-byte strings

Implementation:

  • Transparent encryption/decryption via Prisma middleware

  • Automatic JSON parsing for applicationData field

  • Random IV generation for each encryption operation

  • Authenticated encryption prevents data tampering

Key Rotation Support:

  • Dedicated script: scripts/rotate-encryption-key.ts

  • Batch processing with configurable batch sizes

  • Graceful fallback during rotation periods
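The following is an added illustration of the scheme described above (AES-256-GCM, 32-byte base64 keys, 12-byte random IV, 16-byte tag, base64 storage, and current/old key fallback during rotation). It is example code written for this page, not the middleware's own Prisma middleware or its scripts/rotate-encryption-key.ts; the function names, the ciphertext layout (iv || tag || ciphertext inside one base64 string) and the KeyRing shape are assumptions made here, and reading the keys from ENCRYPTION_KEY / OLD_ENCRYPTION_KEY is left to the caller.

```typescript
import * as crypto from 'node:crypto';

const IV_LENGTH = 12;   // bytes, as stated for AES-GCM
const TAG_LENGTH = 16;  // bytes, GCM authentication tag

// Parse a base64-encoded key and enforce the 32-byte (256-bit) requirement.
export function loadKey(base64Key: string): Buffer {
  const key = Buffer.from(base64Key, 'base64');
  if (key.length !== 32) {
    throw new Error(`encryption key must decode to 32 bytes, got ${key.length}`);
  }
  return key;
}

// Encrypt a JSON-serialisable value (e.g. applicationData).
// Storage layout assumed for this example: base64( iv || authTag || ciphertext ).
export function encryptField(value: unknown, key: Buffer): string {
  const iv = crypto.randomBytes(IV_LENGTH); // fresh random IV per operation
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LENGTH });
  const plaintext = Buffer.from(JSON.stringify(value), 'utf8');
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();
  return Buffer.concat([iv, tag, ciphertext]).toString('base64');
}

// Decrypt with one key. Throws when the tag does not verify (wrong key or altered data).
export function decryptField(encoded: string, key: Buffer): unknown {
  const blob = Buffer.from(encoded, 'base64');
  if (blob.length < IV_LENGTH + TAG_LENGTH) throw new Error('ciphertext too short');
  const iv = blob.subarray(0, IV_LENGTH);
  const tag = blob.subarray(IV_LENGTH, IV_LENGTH + TAG_LENGTH);
  const ciphertext = blob.subarray(IV_LENGTH + TAG_LENGTH);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LENGTH });
  decipher.setAuthTag(tag);
  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
  return JSON.parse(plaintext.toString('utf8'));
}

// Key ring mirroring ENCRYPTION_KEY (current) and the optional OLD_ENCRYPTION_KEY.
export interface KeyRing { current: Buffer; old?: Buffer }

// Try the current key first; fall back to the old key while a rotation is in progress.
export function decryptWithFallback(encoded: string, ring: KeyRing): { value: unknown; usedOldKey: boolean } {
  try {
    return { value: decryptField(encoded, ring.current), usedOldKey: false };
  } catch (err) {
    if (!ring.old) throw err;
    return { value: decryptField(encoded, ring.old), usedOldKey: true };
  }
}

// Re-encrypt one batch of stored values under the current key. Rows already
// under the current key are returned unchanged; the count of migrated rows is reported.
export function rotateBatch(encodedRows: string[], ring: KeyRing): { rows: string[]; migrated: number } {
  let migrated = 0;
  const rows = encodedRows.map((row) => {
    const { value, usedOldKey } = decryptWithFallback(row, ring);
    if (!usedOldKey) return row;
    migrated += 1;
    return encryptField(value, ring.current);
  });
  return { rows, migrated };
}

// True when flipping a single ciphertext byte is rejected by the GCM tag check.
export function tamperIsDetected(encoded: string, key: Buffer): boolean {
  const blob = Buffer.from(encoded, 'base64');
  blob[blob.length - 1] ^= 0x01;
  try {
    decryptField(blob.toString('base64'), key);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample keys for this demonstration only.
export const SAMPLE_OLD_KEY = crypto.randomBytes(32).toString('base64');
export const SAMPLE_NEW_KEY = crypto.randomBytes(32).toString('base64');
```

Because the tag covers the whole ciphertext, decryption with the wrong key and decryption of altered data fail the same way, which is what lets `decryptWithFallback` use a failed current-key attempt as the trigger for trying `OLD_ENCRYPTION_KEY`; once every batch reports `migrated: 0`, the old key can be dropped from the environment.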
