From 1e44c8df1e57351bc5d704d7fc0bee66c5e84aec Mon Sep 17 00:00:00 2001
From: Prajjwal Kumar
Date: Sun, 27 Aug 2023 19:47:47 +0530
Subject: [PATCH] refactor(core): authenticate client secret with fulfilment time (#2026)
---
 crates/router/src/core/payments.rs | 7 ---
 .../payments/operations/payment_confirm.rs | 5 ++
 .../payments/operations/payment_session.rs | 5 ++
 .../core/payments/operations/payment_start.rs | 5 ++
 .../payments/operations/payment_status.rs | 47 +++++++++++++------
 .../payments/operations/payment_update.rs | 5 ++
 6 files changed, 53 insertions(+), 21 deletions(-)
diff --git a/crates/router/src/core/payments.rs b/crates/router/src/core/payments.rs
index e888f1f2fb..1050aab00f 100644
--- a/crates/router/src/core/payments.rs
+++ b/crates/router/src/core/payments.rs
@@ -24,7 +24,6 @@ pub use self::operations::{
 };
 use self::{
 flows::{ConstructFlowSpecificData, Feature},
- helpers::authenticate_client_secret,
 operations::{payment_complete_authorize, BoxedOperation, Operation},
 };
 use super::errors::StorageErrorExt;
@@ -91,12 +90,6 @@ where
 )
 .await?;
- authenticate_client_secret(
- req.get_client_secret(),
- &payment_data.payment_intent,
- merchant_account.intent_fulfillment_time,
- )?;
-
 let (operation, customer) = operation
 .to_domain()?
 .get_or_create_customer_details(
diff --git a/crates/router/src/core/payments/operations/payment_confirm.rs b/crates/router/src/core/payments/operations/payment_confirm.rs
index 9469cea970..0d08f1c9c2 100644
--- a/crates/router/src/core/payments/operations/payment_confirm.rs
+++ b/crates/router/src/core/payments/operations/payment_confirm.rs
@@ -75,6 +75,11 @@ impl GetTracker, api::PaymentsRequest> for Pa
 "confirm",
 )?;
+ helpers::authenticate_client_secret(
+ request.client_secret.as_ref(),
+ &payment_intent,
+ merchant_account.intent_fulfillment_time,
+ )?;
 payment_attempt = db
 .find_payment_attempt_by_payment_id_merchant_id_attempt_id(
 payment_intent.payment_id.as_str(),
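Review bot: Nothing visible in this commit keeps the client-secret check mandatory: with the shared call removed from `payments.rs`, the `helpers::authenticate_client_secret(...)` call added here is the only one on the confirm path, and every operation now has to carry its own copy. The commit adds that copy to the confirm, session, start, status and update trackers; any other operation that goes through the same shared path and accepts a client secret is outside this diff and should be checked for a missing call. A doc comment on the `GetTracker` trait would record the requirement, e.g. `/// Implementations must call helpers::authenticate_client_secret on the loaded intent before returning`, and a test per operation that a wrong secret is rejected would stop a later operation from failing open. The enclosing function starts and ends outside the hunk.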
diff --git a/crates/router/src/core/payments/operations/payment_session.rs b/crates/router/src/core/payments/operations/payment_session.rs
index 4fecc586dd..1502ce68ab 100644
--- a/crates/router/src/core/payments/operations/payment_session.rs
+++ b/crates/router/src/core/payments/operations/payment_session.rs
@@ -69,6 +69,11 @@ impl GetTracker, api::PaymentsSessionRequest>
 "create a session token for",
 )?;
+ helpers::authenticate_client_secret(
+ Some(&request.client_secret),
+ &payment_intent,
+ merchant_account.intent_fulfillment_time,
+ )?;
 let mut payment_attempt = db
 .find_payment_attempt_by_payment_id_merchant_id_attempt_id(
 payment_intent.payment_id.as_str(),
diff --git a/crates/router/src/core/payments/operations/payment_start.rs b/crates/router/src/core/payments/operations/payment_start.rs
index 9dab74ee19..bd8f5c2ac3 100644
--- a/crates/router/src/core/payments/operations/payment_start.rs
+++ b/crates/router/src/core/payments/operations/payment_start.rs
@@ -67,6 +67,11 @@ impl GetTracker, api::PaymentsStartRequest> f
 "update",
 )?;
+ helpers::authenticate_client_secret(
+ payment_intent.client_secret.as_ref(),
+ &payment_intent,
+ merchant_account.intent_fulfillment_time,
+ )?;
 payment_attempt = db
 .find_payment_attempt_by_payment_id_merchant_id_attempt_id(
 payment_intent.payment_id.as_str(),
diff --git a/crates/router/src/core/payments/operations/payment_status.rs b/crates/router/src/core/payments/operations/payment_status.rs
index 7960b46859..5afcc4d513 100644
--- a/crates/router/src/core/payments/operations/payment_status.rs
+++ b/crates/router/src/core/payments/operations/payment_status.rs
@@ -175,7 +175,7 @@ impl GetTracker, api::PaymentsRetrieveRequest
 )> {
 get_tracker_for_sync(
 payment_id,
- &merchant_account.merchant_id,
+ merchant_account,
 key_store,
 &*state.store,
 request,
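Review bot: The secret check sits after the status validation that ends in `"create a session token for", )?;`, so a caller with a wrong or expired client secret receives that validation's result first. If its error names the payment's state (the helper is not visible here), the state is disclosed to someone who has not shown knowledge of the secret. Moving the `helpers::authenticate_client_secret(...)` call to directly after the intent is loaded, above this hunk, would reject such callers before anything about the payment is evaluated. The payment_confirm, payment_start and payment_update hunks place the call the same way.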
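Review bot: The first argument in the payment_start hunk is `payment_intent.client_secret.as_ref()`, the secret stored on the intent being checked, so the secret is compared with itself and nothing supplied by the caller is verified. If the helper behaves as its name and the commit title suggest, the only effect on this path is the fulfilment-time expiry. If that is the intent, say so at the call, e.g. `// start request carries no client_secret: this enforces intent_fulfillment_time only`; if the start request can carry a secret, pass that instead. The enclosing function starts and ends outside the hunk.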
@@ -192,7 +192,7 @@ async fn get_tracker_for_sync<
 Op: Operation + 'a + Send + Sync,
 >(
 payment_id: &api::PaymentIdType,
- merchant_id: &str,
+ merchant_account: &domain::MerchantAccount,
 mechant_key_store: &domain::MerchantKeyStore,
 db: &dyn StorageInterface,
 request: &api::PaymentsRetrieveRequest,
@@ -205,9 +205,19 @@ async fn get_tracker_for_sync<
 )> {
 let (payment_intent, payment_attempt, currency, amount);
- (payment_intent, payment_attempt) =
- get_payment_intent_payment_attempt(db, payment_id, merchant_id, storage_scheme).await?;
+ (payment_intent, payment_attempt) = get_payment_intent_payment_attempt(
+ db,
+ payment_id,
+ &merchant_account.merchant_id,
+ storage_scheme,
+ )
+ .await?;
+ helpers::authenticate_client_secret(
+ request.client_secret.as_ref(),
+ &payment_intent,
+ merchant_account.intent_fulfillment_time,
+ )?;
 let payment_id_str = payment_attempt.payment_id.clone();
 let mut connector_response = db
@@ -241,11 +251,11 @@ async fn get_tracker_for_sync<
 let attempts = match request.expand_attempts {
 Some(true) => {
 Some(db
- .find_attempts_by_merchant_id_payment_id(merchant_id, &payment_id_str, storage_scheme)
+ .find_attempts_by_merchant_id_payment_id(&merchant_account.merchant_id, &payment_id_str, storage_scheme)
 .await
 .change_context(errors::ApiErrorResponse::PaymentNotFound)
 .attach_printable_lazy(|| {
- format!("Error while retrieving attempt list for, merchant_id: {merchant_id}, payment_id: {payment_id_str}")
+ format!("Error while retrieving attempt list for, merchant_id: {}, payment_id: {payment_id_str}",&merchant_account.merchant_id)
 })?)
 },
 _ => None,
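Review bot: `request.client_secret.as_ref()` in the `@@ -205,9` hunk is an `Option`, and what `authenticate_client_secret` does with `None` is not visible in this diff. If `None` returns `Ok(())`, a retrieve request that omits the secret skips both the comparison and the fulfilment-time expiry, so the protection rests entirely on whatever authenticated the request before `get_tracker_for_sync` was reached. A comment at the call should state which callers may legitimately send no secret, e.g. `// None is expected only for merchant-authenticated server calls; client-side callers must send the secret`, backed by a test that a client-side retrieve without a secret is refused. The payment_confirm and payment_update hunks pass the same `Option` form; the function body continues past this hunk.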
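Review bot: The rewritten message in the `@@ -241,11` hunk mixes an inline argument with a positional one and loses the space after the comma: `payment_id: {payment_id_str}",&merchant_account.merchant_id)`. Binding the id once near the top of `get_tracker_for_sync`, `let merchant_id = merchant_account.merchant_id.as_str();`, would let this call and its `{merchant_id}` format string stay as they were. It would do the same for the capture, refund, dispute, frm_response and connector-creds changes in the later hunks, where the argument is currently written three ways (`&merchant_account.merchant_id`, `merchant_account.merchant_id`, `merchant_account.merchant_id.clone()`). That keeps the diff to the lines that change behaviour; the function starts and ends outside this hunk.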
@@ -262,7 +272,7 @@ async fn get_tracker_for_sync<
 .await
 .change_context(errors::ApiErrorResponse::PaymentNotFound)
 .attach_printable_lazy(|| {
- format!("Error while retrieving capture list for, merchant_id: {merchant_id}, payment_id: {payment_id_str}")
+ format!("Error while retrieving capture list for, merchant_id: {}, payment_id: {payment_id_str}", merchant_account.merchant_id)
 })?;
 Some(types::MultipleCaptureData::new_for_sync(captures)?)
 } else {
@@ -270,30 +280,34 @@ async fn get_tracker_for_sync<
 };
 let refunds = db
- .find_refund_by_payment_id_merchant_id(&payment_id_str, merchant_id, storage_scheme)
+ .find_refund_by_payment_id_merchant_id(
+ &payment_id_str,
+ &merchant_account.merchant_id,
+ storage_scheme,
+ )
 .await
 .change_context(errors::ApiErrorResponse::PaymentNotFound)
 .attach_printable_lazy(|| {
 format!(
 "Failed while getting refund list for, payment_id: {}, merchant_id: {}",
- &payment_id_str, merchant_id
+ &payment_id_str, merchant_account.merchant_id
 )
 })?;
 let disputes = db
- .find_disputes_by_merchant_id_payment_id(merchant_id, &payment_id_str)
+ .find_disputes_by_merchant_id_payment_id(&merchant_account.merchant_id, &payment_id_str)
 .await
 .change_context(errors::ApiErrorResponse::PaymentNotFound)
 .attach_printable_lazy(|| {
- format!("Error while retrieving dispute list for, merchant_id: {merchant_id}, payment_id: {payment_id_str}")
+ format!("Error while retrieving dispute list for, merchant_id: {}, payment_id: {payment_id_str}", &merchant_account.merchant_id)
 })?;
 let frm_response = db
- .find_fraud_check_by_payment_id(payment_id_str.to_string(), merchant_id.to_string())
+ .find_fraud_check_by_payment_id(payment_id_str.to_string(), merchant_account.merchant_id.clone())
 .await
 .change_context(errors::ApiErrorResponse::PaymentNotFound)
 .attach_printable_lazy(|| {
- format!("Error while retrieving frm_response, merchant_id: {merchant_id}, payment_id: {payment_id_str}")
+ format!("Error while retrieving frm_response, merchant_id: {}, payment_id: {payment_id_str}", &merchant_account.merchant_id)
 });
 let frm_message = match frm_response.ok() {
@@ -325,7 +339,12 @@ async fn get_tracker_for_sync<
 .merchant_connector_details
 .to_owned()
 .async_map(|mcd| async {
- helpers::insert_merchant_connector_creds_to_config(db, merchant_id, mcd).await
+ helpers::insert_merchant_connector_creds_to_config(
+ db,
+ &merchant_account.merchant_id,
+ mcd,
+ )
+ .await
 })
 .await
 .transpose()?;
diff --git a/crates/router/src/core/payments/operations/payment_update.rs b/crates/router/src/core/payments/operations/payment_update.rs
index 0935fd587b..3ca6b21ab3 100644
--- a/crates/router/src/core/payments/operations/payment_update.rs
+++ b/crates/router/src/core/payments/operations/payment_update.rs
@@ -80,6 +80,11 @@ impl GetTracker, api::PaymentsRequest> for Pa
 "update",
 )?;
+ helpers::authenticate_client_secret(
+ request.client_secret.as_ref(),
+ &payment_intent,
+ merchant_account.intent_fulfillment_time,
+ )?;
 let (
 token,
 payment_method,