diff --git a/crates/router/src/compatibility/stripe/customers.rs b/crates/router/src/compatibility/stripe/customers.rs
index 56cf25434c..0ac15493bc 100644
--- a/crates/router/src/compatibility/stripe/customers.rs
+++ b/crates/router/src/compatibility/stripe/customers.rs
@@ -57,7 +57,10 @@ pub async fn customer_create(
 |state, auth: auth::AuthenticationData, req, _| {
 customers::create_customer(state, auth.merchant_account, auth.key_store, req)
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -101,7 +104,10 @@ pub async fn customer_retrieve(
 customer_id,
 )
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -158,7 +164,10 @@ pub async fn customer_update(
 auth.key_store,
 )
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -196,7 +205,10 @@ pub async fn customer_delete(
 |state, auth: auth::AuthenticationData, customer_id, _| {
 customers::delete_customer(state, auth.merchant_account, customer_id, auth.key_store)
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -242,7 +254,10 @@ pub async fn list_customer_payment_method_api(
 None,
 )
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
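Review bot: The literal `ApiKeyAuth { is_connected_allowed: false, is_platform_allowed: false }` is written out at every call site in these five hunks, and the same literal recurs in payment_intents.rs, refunds.rs, setup_intents.rs, blocklist.rs, currency.rs, customers.rs, disputes.rs, ephemeral_key.rs, files.rs, fraud_check.rs, mandates.rs, payment_link.rs and payment_methods.rs, so the merchant-only key policy now lives in dozens of independently editable copies. A single named constructor on the auth type (for example a `const fn` returning the all-false value, documented as "rejects connected-account and platform API keys") would make a later audit of which routes accept platform keys a search for the non-default form rather than a field-by-field read of every route. The `.await` line that closes each hunk belongs to a function that continues outside the hunk.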
diff --git a/crates/router/src/compatibility/stripe/payment_intents.rs b/crates/router/src/compatibility/stripe/payment_intents.rs
index 6652f42ee0..4cdd29599e 100644
--- a/crates/router/src/compatibility/stripe/payment_intents.rs
+++ b/crates/router/src/compatibility/stripe/payment_intents.rs
@@ -95,7 +95,10 @@ pub async fn payment_intents_create(
 auth.platform_merchant_account,
 )
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 locking_action,
 ))
 .await
@@ -121,8 +124,13 @@ pub async fn payment_intents_retrieve(
 expand_captures: None,
 };
 
+ let api_auth = auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ };
+
 let (auth_type, auth_flow) =
- match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+ match auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth) {
 Ok(auth) => auth,
 Err(err) => return api::log_and_return_error_response(report!(err)),
 };
@@ -195,7 +203,13 @@ pub async fn payment_intents_retrieve_with_gateway_creds(
 merchant_connector_details: json_payload.merchant_connector_details.clone(),
 ..Default::default()
 };
- let (auth_type, _auth_flow) = match auth::get_auth_type_and_flow(req.headers()) {
+
+ let api_auth = auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ };
+
+ let (auth_type, _auth_flow) = match auth::get_auth_type_and_flow(req.headers(), api_auth) {
 Ok(auth) => auth,
 Err(err) => return api::log_and_return_error_response(report!(err)),
 };
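Review bot: `payment_intents_create` still forwards `auth.platform_merchant_account` into the core call (the context line at the top of the first hunk) while the new `ApiKeyAuth` sets `is_platform_allowed: false`, so on this route that argument can presumably only ever be absent; whether that is the intended policy for the Stripe-compatibility surface (the native `payments_create` in payments.rs sets `true`) is not stated anywhere in the diff. If it is intended, a one-line comment at the struct literal such as `// platform keys are rejected on the Stripe-compat surface; only the native payments API accepts them` records the decision, and if it is not, the flag should match payments_create. The same pairing of a forwarded `auth.platform_merchant_account` with `is_platform_allowed: false` appears in `setup_intents_create`, `payments_get_intent` and `payments_update_intent`. The enclosing functions start and end outside these hunks.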
@@ -277,7 +291,12 @@ pub async fn payment_intents_update(
 
 payload.payment_id = Some(api_types::PaymentIdType::PaymentIntentId(payment_id));
 
- let (auth_type, auth_flow) = match auth::get_auth_type_and_flow(req.headers()) {
+ let api_auth = auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ };
+
+ let (auth_type, auth_flow) = match auth::get_auth_type_and_flow(req.headers(), api_auth) {
 Ok(auth) => auth,
 Err(err) => return api::log_and_return_error_response(report!(err)),
 };
@@ -362,8 +381,13 @@ pub async fn payment_intents_confirm(
 payload.payment_id = Some(api_types::PaymentIdType::PaymentIntentId(payment_id));
 payload.confirm = Some(true);
 
+ let api_auth = auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ };
+
 let (auth_type, auth_flow) =
- match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+ match auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth) {
 Ok(auth) => auth,
 Err(err) => return api::log_and_return_error_response(err),
 };
@@ -480,7 +504,10 @@ pub async fn payment_intents_capture(
 auth.platform_merchant_account,
 )
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 locking_action,
 ))
 .await
@@ -512,7 +539,12 @@ pub async fn payment_intents_cancel(
 let mut payload: payment_types::PaymentsCancelRequest = stripe_payload.into();
 payload.payment_id = payment_id;
 
- let (auth_type, auth_flow) = match auth::get_auth_type_and_flow(req.headers()) {
+ let api_auth = auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ };
+
+ let (auth_type, auth_flow) = match auth::get_auth_type_and_flow(req.headers(), api_auth) {
 Ok(auth) => auth,
 Err(err) => return api::log_and_return_error_response(report!(err)),
 };
@@ -591,7 +623,10 @@ pub async fn payment_intent_list(
 |state, auth: auth::AuthenticationData, req, _| {
 payments::list_payments(state, auth.merchant_account, None, auth.key_store, req)
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
diff --git a/crates/router/src/compatibility/stripe/refunds.rs b/crates/router/src/compatibility/stripe/refunds.rs
index 63141f7311..0d46a325fe 100644
--- a/crates/router/src/compatibility/stripe/refunds.rs
+++ b/crates/router/src/compatibility/stripe/refunds.rs
@@ -52,7 +52,10 @@ pub async fn refund_create(
 |state, auth: auth::AuthenticationData, req, _| {
 refunds::refund_create_core(state, auth.merchant_account, None, auth.key_store, req)
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -103,7 +106,10 @@ pub async fn refund_retrieve_with_gateway_creds(
 refunds::refund_retrieve_core_with_refund_id,
 )
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -146,7 +152,10 @@ pub async fn refund_retrieve(
 refunds::refund_retrieve_core_with_refund_id,
 )
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -180,7 +189,10 @@ pub async fn refund_update(
 |state, auth: auth::AuthenticationData, req, _| {
 refunds::refund_update_core(state, auth.merchant_account, req)
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
diff --git a/crates/router/src/compatibility/stripe/setup_intents.rs b/crates/router/src/compatibility/stripe/setup_intents.rs
index 6dde49b0d6..4237a02459 100644
--- a/crates/router/src/compatibility/stripe/setup_intents.rs
+++ b/crates/router/src/compatibility/stripe/setup_intents.rs
@@ -81,7 +81,10 @@ pub async fn setup_intents_create(
 auth.platform_merchant_account,
 )
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -107,8 +110,13 @@ pub async fn setup_intents_retrieve(
 expand_captures: None,
 };
 
+ let api_auth = auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ };
+
 let (auth_type, auth_flow) =
- match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+ match auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth) {
 Ok(auth) => auth,
 Err(err) => return api::log_and_return_error_response(report!(err)),
 };
@@ -184,8 +192,13 @@ pub async fn setup_intents_update(
 };
 payload.payment_id = Some(api_types::PaymentIdType::PaymentIntentId(setup_id));
 
+ let api_auth = auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ };
+
 let (auth_type, auth_flow) =
- match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+ match auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth) {
 Ok(auth) => auth,
 Err(err) => return api::log_and_return_error_response(err),
 };
@@ -262,8 +275,13 @@ pub async fn setup_intents_confirm(
 payload.payment_id = Some(api_types::PaymentIdType::PaymentIntentId(setup_id));
 payload.confirm = Some(true);
 
+ let api_auth = auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ };
+
 let (auth_type, auth_flow) =
- match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+ match auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth) {
 Ok(auth) => auth,
 Err(err) => return api::log_and_return_error_response(err),
 };
diff --git a/crates/router/src/routes/blocklist.rs b/crates/router/src/routes/blocklist.rs
index f54f61d8a0..5a7b7a7c88 100644
--- a/crates/router/src/routes/blocklist.rs
+++ b/crates/router/src/routes/blocklist.rs
@@ -35,7 +35,10 @@ pub async fn add_entry_to_blocklist(
 blocklist::add_entry_to_blocklist(state, auth.merchant_account, body)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::MerchantAccountWrite,
 },
@@ -73,7 +76,10 @@ pub async fn remove_entry_from_blocklist(
 blocklist::remove_entry_from_blocklist(state, auth.merchant_account, body)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::MerchantAccountWrite,
 },
@@ -113,7 +119,10 @@ pub async fn list_blocked_payment_methods(
 blocklist::list_blocklist_entries(state, auth.merchant_account, query)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::MerchantAccountRead,
 },
@@ -153,7 +162,10 @@ pub async fn toggle_blocklist_guard(
 blocklist::toggle_blocklist_guard(state, auth.merchant_account, query)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::MerchantAccountWrite,
 },
diff --git a/crates/router/src/routes/cards_info.rs b/crates/router/src/routes/cards_info.rs
index f5db3b71e3..0e1a75e682 100644
--- a/crates/router/src/routes/cards_info.rs
+++ b/crates/router/src/routes/cards_info.rs
@@ -39,7 +39,10 @@ pub async fn card_iin_info(
 card_iin,
 };
 
- let (auth, _) = match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+ let api_auth = auth::ApiKeyAuth::default();
+
+ let (auth, _) = match auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth)
+ {
 Ok((auth, _auth_flow)) => (auth, _auth_flow),
 Err(e) => return api::log_and_return_error_response(e),
 };
diff --git a/crates/router/src/routes/currency.rs b/crates/router/src/routes/currency.rs
index b3969509bf..f311b23673 100644
--- a/crates/router/src/routes/currency.rs
+++ b/crates/router/src/routes/currency.rs
@@ -17,7 +17,10 @@ pub async fn retrieve_forex(state: web::Data, req: HttpRequest) -> Htt
 (),
 |state, _auth: auth::AuthenticationData, _, _| currency::retrieve_forex(state),
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::DashboardNoPermissionAuth,
 req.headers(),
 ),
@@ -50,7 +53,10 @@ pub async fn convert_forex(
 )
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::DashboardNoPermissionAuth,
 req.headers(),
 ),
diff --git a/crates/router/src/routes/customers.rs b/crates/router/src/routes/customers.rs
index b889c41e7b..f3cfdff74f 100644
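Review bot: `card_iin_info` builds its key policy with `auth::ApiKeyAuth::default()` while the route hunks elsewhere in this commit spell both flags out, so the effective setting on this client-secret path depends on a `Default` impl that is not in the diff and is invisible at the call site; if that impl is ever changed to a permissive value, every `::default()` caller widens silently and no route file shows a change. Either use the explicit all-false literal here as well, or pin the intent with a comment at the `let api_auth` line such as `// Default is expected to reject connected-account and platform keys; keep in sync with the impl`, which I hedge because the impl cannot be confirmed from this page. The same `::default()` form is used in `customers_retrieve`, `payment_link_retrieve`, `save_payment_method_api`, `list_payment_method_api`, `list_customer_payment_method_api`, `list_customer_payment_method_api_client`, `payment_method_update_api`, `payment_method_delete_api` and `default_payment_method_set_api`. The body of `card_iin_info` continues outside the hunk.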
--- a/crates/router/src/routes/customers.rs
+++ b/crates/router/src/routes/customers.rs
@@ -25,7 +25,10 @@ pub async fn customers_create(
 create_customer(state, auth.merchant_account, auth.key_store, req)
 },
 auth::auth_type(
- &auth::V2ApiKeyAuth,
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 &auth::JWTAuth {
 permission: Permission::MerchantCustomerWrite,
 },
@@ -52,7 +55,10 @@ pub async fn customers_create(
 create_customer(state, auth.merchant_account, auth.key_store, req)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::MerchantCustomerWrite,
 },
@@ -79,7 +85,8 @@ pub async fn customers_retrieve(
 permission: Permission::MerchantCustomerRead,
 })
 } else {
- match auth::is_ephemeral_auth(req.headers()) {
+ let api_auth = auth::ApiKeyAuth::default();
+ match auth::is_ephemeral_auth(req.headers(), api_auth) {
 Ok(auth) => auth,
 Err(err) => return api::log_and_return_error_response(err),
 }
@@ -126,7 +133,14 @@ pub async fn customers_retrieve(
 permission: Permission::MerchantCustomerRead,
 }
 } else {
- api_or_client_auth(&auth::V2ApiKeyAuth, &v2_client_auth, req.headers())
+ api_or_client_auth(
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
+ &v2_client_auth,
+ req.headers(),
+ )
 };
 
 Box::pin(api::server_wrap(
@@ -167,7 +181,10 @@ pub async fn customers_list(
 )
 },
 auth::auth_type(
- &auth::V2ApiKeyAuth,
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 &auth::JWTAuth {
 permission: Permission::MerchantCustomerRead,
 },
@@ -202,7 +219,10 @@ pub async fn customers_list(
 )
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::MerchantCustomerRead,
 },
@@ -243,7 +263,10 @@ pub async fn customers_update(
 )
 },
 auth::auth_type(
- &auth::ApiKeyAuth,
+ &auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 &auth::JWTAuth {
 permission: Permission::MerchantCustomerWrite,
 },
@@ -281,7 +304,10 @@ pub async fn customers_update(
 )
 },
 auth::auth_type(
- &auth::V2ApiKeyAuth,
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 &auth::JWTAuth {
 permission: Permission::MerchantCustomerWrite,
 },
@@ -311,7 +337,10 @@ pub async fn customers_delete(
 delete_customer(state, auth.merchant_account, id, auth.key_store)
 },
 auth::auth_type(
- &auth::V2ApiKeyAuth,
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 &auth::JWTAuth {
 permission: Permission::MerchantCustomerWrite,
 },
@@ -341,7 +370,10 @@ pub async fn customers_delete(
 delete_customer(state, auth.merchant_account, customer_id, auth.key_store)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::MerchantCustomerWrite,
 },
@@ -376,7 +408,10 @@ pub async fn get_customer_mandates(
 )
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::MerchantMandateRead,
 },
diff --git a/crates/router/src/routes/disputes.rs b/crates/router/src/routes/disputes.rs
index c919bfcd40..b195566d7f 100644
--- a/crates/router/src/routes/disputes.rs
+++ b/crates/router/src/routes/disputes.rs
@@ -48,7 +48,10 @@ pub async fn retrieve_dispute(
 disputes::retrieve_dispute(state, auth.merchant_account, auth.profile_id, req)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::ProfileDisputeRead,
 },
@@ -99,7 +102,10 @@ pub async fn retrieve_disputes_list(
 disputes::retrieve_disputes_list(state, auth.merchant_account, None, req)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::MerchantDisputeRead,
 },
@@ -157,7 +163,10 @@ pub async fn retrieve_disputes_list_profile(
 )
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::ProfileDisputeRead,
 },
@@ -192,7 +201,10 @@ pub async fn get_disputes_filters(state: web::Data, req: HttpRequest)
 disputes::get_filters_for_disputes(state, auth.merchant_account, None)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::MerchantDisputeRead,
 },
@@ -234,7 +246,10 @@ pub async fn get_disputes_filters_profile(
 )
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::ProfileDisputeRead,
 },
@@ -286,7 +301,10 @@ pub async fn accept_dispute(
 )
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::ProfileDisputeWrite,
 },
@@ -333,7 +351,10 @@ pub async fn submit_dispute_evidence(
 )
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::ProfileDisputeWrite,
 },
@@ -387,7 +408,10 @@ pub async fn attach_dispute_evidence(
 )
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::ProfileDisputeWrite,
 },
@@ -433,7 +457,10 @@ pub async fn retrieve_dispute_evidence(
 disputes::retrieve_dispute_evidence(state, auth.merchant_account, auth.profile_id, req)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::ProfileDisputeRead,
 },
@@ -475,7 +502,10 @@ pub async fn delete_dispute_evidence(
 disputes::delete_evidence(state, auth.merchant_account, req)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::ProfileDisputeWrite,
 },
@@ -504,7 +534,10 @@ pub async fn get_disputes_aggregate(
 disputes::get_aggregates_for_disputes(state, auth.merchant_account, None, req)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::MerchantDisputeRead,
 },
@@ -539,7 +572,10 @@ pub async fn get_disputes_aggregate_profile(
 )
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::ProfileDisputeRead,
 },
diff --git a/crates/router/src/routes/ephemeral_key.rs b/crates/router/src/routes/ephemeral_key.rs
index 5a802cb4c5..f7af0d7a2b 100644
--- a/crates/router/src/routes/ephemeral_key.rs
+++ b/crates/router/src/routes/ephemeral_key.rs
@@ -28,7 +28,10 @@ pub async fn ephemeral_key_create(
 auth.merchant_account.get_id().to_owned(),
 )
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 )
 .await
@@ -49,7 +52,10 @@ pub async fn ephemeral_key_delete(
 &req,
 payload,
 |state, _: auth::AuthenticationData, req, _| helpers::delete_ephemeral_key(state, req),
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 )
 .await
@@ -78,7 +84,10 @@ pub async fn client_secret_create(
 req.headers(),
 )
 },
- &auth::V2ApiKeyAuth,
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -99,7 +108,10 @@ pub async fn client_secret_delete(
 &req,
 payload,
 |state, _: auth::AuthenticationData, req, _| helpers::delete_client_secret(state, req),
- &auth::V2ApiKeyAuth,
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 api_locking::LockAction::NotApplicable,
 ))
 .await
diff --git a/crates/router/src/routes/files.rs b/crates/router/src/routes/files.rs
index e68a7a63b3..7bc780f5f5 100644
--- a/crates/router/src/routes/files.rs
+++ b/crates/router/src/routes/files.rs
@@ -49,7 +49,10 @@ pub async fn files_create(
 files_create_core(state, auth.merchant_account, auth.key_store, req)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::DashboardNoPermissionAuth,
 req.headers(),
 ),
@@ -95,7 +98,10 @@ pub async fn files_delete(
 files_delete_core(state, auth.merchant_account, req)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::DashboardNoPermissionAuth,
 req.headers(),
 ),
@@ -141,7 +147,10 @@ pub async fn files_retrieve(
 files_retrieve_core(state, auth.merchant_account, auth.key_store, req)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::DashboardNoPermissionAuth,
 req.headers(),
 ),
diff --git a/crates/router/src/routes/fraud_check.rs b/crates/router/src/routes/fraud_check.rs
index 5e7b7f3ef6..b174547b1e 100644
--- a/crates/router/src/routes/fraud_check.rs
+++ b/crates/router/src/routes/fraud_check.rs
@@ -22,7 +22,10 @@ pub async fn frm_fulfillment(
 |state, auth: services::authentication::AuthenticationData, req, _| {
 frm_core::frm_fulfillment_core(state, auth.merchant_account, auth.key_store, req)
 },
- &services::authentication::ApiKeyAuth,
+ &services::authentication::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 api_locking::LockAction::NotApplicable,
 ))
 .await
diff --git a/crates/router/src/routes/mandates.rs b/crates/router/src/routes/mandates.rs
index cb832d81a1..31aee47f75 100644
--- a/crates/router/src/routes/mandates.rs
+++ b/crates/router/src/routes/mandates.rs
@@ -44,7 +44,10 @@ pub async fn get_mandate(
 |state, auth: auth::AuthenticationData, req, _| {
 mandate::get_mandate(state, auth.merchant_account, auth.key_store, req)
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -69,7 +72,10 @@ pub async fn revoke_mandate(
 |state, auth: auth::AuthenticationData, req, _| {
 mandate::revoke_mandate(state, auth.merchant_account, auth.key_store, req)
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -114,7 +120,10 @@ pub async fn retrieve_mandates_list(
 mandate::retrieve_mandates_list(state, auth.merchant_account, auth.key_store, req)
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::MerchantMandateRead,
 },
diff --git a/crates/router/src/routes/payment_link.rs b/crates/router/src/routes/payment_link.rs
index 361367c7d2..9676e96f2a 100644
--- a/crates/router/src/routes/payment_link.rs
+++ b/crates/router/src/routes/payment_link.rs
@@ -34,10 +34,14 @@ pub async fn payment_link_retrieve(
 ) -> impl Responder {
 let flow = Flow::PaymentLinkRetrieve;
 let payload = json_payload.into_inner();
- let (auth_type, _) = match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
- Ok(auth) => auth,
- Err(err) => return api::log_and_return_error_response(error_stack::report!(err)),
- };
+ let api_auth = auth::ApiKeyAuth::default();
+
+ let (auth_type, _) =
+ match auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth) {
+ Ok(auth) => auth,
+ Err(err) => return api::log_and_return_error_response(error_stack::report!(err)),
+ };
+
 api::server_wrap(
 flow,
 state,
@@ -160,7 +164,10 @@ pub async fn payments_link_list(
 |state, auth: auth::AuthenticationData, payload, _| {
 list_payment_link(state, auth.merchant_account, payload)
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
diff --git a/crates/router/src/routes/payment_methods.rs b/crates/router/src/routes/payment_methods.rs
index 6b60a05c6c..f6f7c9b922 100644
--- a/crates/router/src/routes/payment_methods.rs
+++ b/crates/router/src/routes/payment_methods.rs
@@ -64,7 +64,10 @@ pub async fn create_payment_method_api(
 ))
 .await
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -95,7 +98,10 @@ pub async fn create_payment_method_api(
 ))
 .await
 },
- &auth::V2ApiKeyAuth,
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -124,7 +130,10 @@ pub async fn create_payment_method_intent_api(
 ))
 .await
 },
- &auth::V2ApiKeyAuth,
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -182,7 +191,10 @@ pub async fn payment_method_update_api(
 &payment_method_id,
 )
 },
- &auth::V2ApiKeyAuth,
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -214,7 +226,10 @@ pub async fn payment_method_retrieve_api(
 auth.merchant_account,
 )
 },
- &auth::V2ApiKeyAuth,
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -246,7 +261,10 @@ pub async fn payment_method_delete_api(
 auth.merchant_account,
 )
 },
- &auth::V2ApiKeyAuth,
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -377,7 +395,10 @@ pub async fn save_payment_method_api(
 let flow = Flow::PaymentMethodSave;
 let payload = json_payload.into_inner();
 let pm_id = path.into_inner();
- let (auth, _) = match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+ let api_auth = auth::ApiKeyAuth::default();
+
+ let (auth, _) = match auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth)
+ {
 Ok((auth, _auth_flow)) => (auth, _auth_flow),
 Err(e) => return api::log_and_return_error_response(e),
 };
@@ -411,7 +432,10 @@ pub async fn list_payment_method_api(
 ) -> HttpResponse {
 let flow = Flow::PaymentMethodsList;
 let payload = json_payload.into_inner();
- let (auth, _) = match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+ let api_auth = auth::ApiKeyAuth::default();
+
+ let (auth, _) = match auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth)
+ {
 Ok((auth, _auth_flow)) => (auth, _auth_flow),
 Err(e) => return api::log_and_return_error_response(e),
 };
@@ -469,8 +493,9 @@ pub async fn list_customer_payment_method_api(
 let flow = Flow::CustomerPaymentMethodsList;
 let payload = query_payload.into_inner();
 let customer_id = customer_id.into_inner().0;
+ let api_auth = auth::ApiKeyAuth::default();
 
- let ephemeral_auth = match auth::is_ephemeral_auth(req.headers()) {
+ let ephemeral_auth = match auth::is_ephemeral_auth(req.headers(), api_auth) {
 Ok(auth) => auth,
 Err(err) => return api::log_and_return_error_response(err),
 };
@@ -533,8 +558,12 @@ pub async fn list_customer_payment_method_api_client(
 let flow = Flow::CustomerPaymentMethodsList;
 let payload = query_payload.into_inner();
 let api_key = auth::get_api_key(req.headers()).ok();
+ let api_auth = auth::ApiKeyAuth::default();
+
 let (auth, _, is_ephemeral_auth) =
- match auth::get_ephemeral_or_other_auth(req.headers(), false, Some(&payload)).await {
+ match auth::get_ephemeral_or_other_auth(req.headers(), false, Some(&payload), api_auth)
+ .await
+ {
 Ok((auth, _auth_flow, is_ephemeral_auth)) => (auth, _auth_flow, is_ephemeral_auth),
 Err(e) => return api::log_and_return_error_response(e),
 };
@@ -581,7 +610,10 @@ pub async fn initiate_pm_collect_link_flow(
 req,
 )
 },
- &auth::ApiKeyAuth,
+ &auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -613,7 +645,10 @@ pub async fn list_customer_payment_method_api(
 )
 },
 auth::auth_type(
- &auth::V2ApiKeyAuth,
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 &auth::JWTAuth {
 permission: Permission::MerchantCustomerRead,
 },
@@ -644,7 +679,10 @@ pub async fn get_total_payment_method_count(
 )
 },
 auth::auth_type(
- &auth::V2ApiKeyAuth,
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 &auth::JWTAuth {
 permission: Permission::MerchantCustomerRead,
 },
@@ -712,7 +750,10 @@ pub async fn payment_method_retrieve_api(
 |state, auth: auth::AuthenticationData, pm, _| {
 cards::retrieve_payment_method(state, pm, auth.key_store, auth.merchant_account)
 },
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -732,8 +773,10 @@ pub async fn payment_method_update_api(
 let flow = Flow::PaymentMethodsUpdate;
 let payment_method_id = path.into_inner();
 let payload = json_payload.into_inner();
+ let api_auth = auth::ApiKeyAuth::default();
 
- let (auth, _) = match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+ let (auth, _) = match auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth)
+ {
 Ok((auth, _auth_flow)) => (auth, _auth_flow),
 Err(e) => return api::log_and_return_error_response(e),
 };
@@ -772,7 +815,9 @@ pub async fn payment_method_delete_api(
 let pm = PaymentMethodId {
 payment_method_id: payment_method_id.into_inner().0,
 };
- let ephemeral_auth = match auth::is_ephemeral_auth(req.headers()) {
+ let api_auth = auth::ApiKeyAuth::default();
+
+ let ephemeral_auth = match auth::is_ephemeral_auth(req.headers(), api_auth) {
 Ok(auth) => auth,
 Err(err) => return api::log_and_return_error_response(err),
 };
@@ -814,7 +859,10 @@ pub async fn list_countries_currencies_for_connector_payment_method(
 },
 #[cfg(not(feature = "release"))]
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::ProfileConnectorWrite,
 },
@@ -840,8 +888,9 @@ pub async fn default_payment_method_set_api(
 let payload = path.into_inner();
 let pc = payload.clone();
 let customer_id = &pc.customer_id;
+ let api_auth = auth::ApiKeyAuth::default();
 
- let ephemeral_auth = match auth::is_ephemeral_auth(req.headers()) {
+ let ephemeral_auth = match auth::is_ephemeral_auth(req.headers(), api_auth) {
 Ok(auth) => auth,
 Err(err) => return api::log_and_return_error_response(err),
 };
@@ -1110,7 +1159,10 @@ pub async fn payment_methods_session_create(
 )
 .await
 },
- &auth::V2ApiKeyAuth,
+ &auth::V2ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ },
 api_locking::LockAction::NotApplicable,
 ))
 .await
@@ -1145,7 +1197,10 @@ pub async fn payment_methods_session_update( .await } }, - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, api_locking::LockAction::NotApplicable, )) .await @@ -1176,7 +1231,10 @@ pub async fn payment_methods_session_retrieve( .await }, auth::api_or_client_auth( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::V2ClientAuth( common_utils::types::authentication::ResourceId::PaymentMethodSession( payment_method_session_id, diff --git a/crates/router/src/routes/payments.rs b/crates/router/src/routes/payments.rs index 337c6f6517..fb2ccfa681 100644 --- a/crates/router/src/routes/payments.rs +++ b/crates/router/src/routes/payments.rs @@ -88,9 +88,15 @@ pub async fn payments_create( ) }, match env::which() { - env::Env::Production => &auth::HeaderAuth(auth::ApiKeyAuth), + env::Env::Production => &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }), _ => auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }), &auth::JWTAuth { permission: Permission::ProfilePaymentWrite, }, @@ -147,9 +153,15 @@ pub async fn payments_create_intent( ) }, match env::which() { - env::Env::Production => &auth::V2ApiKeyAuth, + env::Env::Production => &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, _ => auth::auth_type( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::JWTAuth { permission: Permission::ProfilePaymentWrite, }, @@ -210,7 +222,10 @@ pub async fn payments_get_intent( auth.platform_merchant_account, ) }, - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, api_locking::LockAction::NotApplicable, )) .await 
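Review bot: payments_create enables `is_platform_allowed: true` in both match arms, while the v2 payments_create_intent in the following hunk keeps it `false`, and nothing at either route records whether v2 platform access is pending or deliberately withheld. A one-line comment above the match would preserve the decision, e.g. `// Platform merchant keys may create payments on behalf of connected merchants (v1 API only at present).`, worded as a question if the v2 status is not yet settled. The identical flag pair is also repeated in both arms; hoisting it into a single `let api_key_auth = auth::HeaderAuth(auth::ApiKeyAuth { is_connected_allowed: false, is_platform_allowed: true });` above the match and referencing `&api_key_auth` in each arm keeps the policy in one place. The function starts and ends outside the hunk.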
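Review bot: payments_get_intent passes `auth.platform_merchant_account` into the core call while authenticating with `V2ApiKeyAuth { is_platform_allowed: false }`; if V2ApiKeyAuth applies the same rejection that this change adds to the impls in authentication.rs, that value can only ever be `None` on this route. Either the flag should be `true` (if v2 intents are meant to be reachable by platform keys) or the argument should be written as an explicit `None` so the dead path is visible rather than implied. payments_update_intent in the next chunk has the same combination. The route body continues outside the hunk.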
@@ -249,9 +264,15 @@ pub async fn payments_create_and_confirm_intent( ) }, match env::which() { - env::Env::Production => &auth::V2ApiKeyAuth, + env::Env::Production => &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, _ => auth::auth_type( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::JWTAuth { permission: Permission::ProfilePaymentWrite, }, @@ -313,7 +334,10 @@ pub async fn payments_update_intent( auth.platform_merchant_account, ) }, - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, api_locking::LockAction::NotApplicable, )) .await @@ -408,8 +432,13 @@ pub async fn payments_retrieve( tracing::Span::current().record("flow", flow.to_string()); + let api_auth = auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }; + let (auth_type, auth_flow) = - match auth::check_client_secret_and_get_auth(req.headers(), &payload) { + match auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth) { Ok(auth) => auth, Err(err) => return api::log_and_return_error_response(report!(err)), }; @@ -463,7 +492,12 @@ pub async fn payments_retrieve_with_gateway_creds( req: actix_web::HttpRequest, json_payload: web::Json, ) -> impl Responder { - let (auth_type, _auth_flow) = match auth::get_auth_type_and_flow(req.headers()) { + let api_auth = auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }; + + let (auth_type, _auth_flow) = match auth::get_auth_type_and_flow(req.headers(), api_auth) { Ok(auth) => auth, Err(err) => return api::log_and_return_error_response(report!(err)), }; 
@@ -541,8 +575,11 @@ pub async fn payments_update( tracing::Span::current().record("payment_id", payment_id.get_string_repr()); payload.payment_id = Some(payment_types::PaymentIdType::PaymentIntentId(payment_id)); - - let (auth_type, auth_flow) = match auth::get_auth_type_and_flow(req.headers()) { + let api_auth = auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }; + let (auth_type, auth_flow) = match auth::get_auth_type_and_flow(req.headers(), api_auth) { Ok(auth) => auth, Err(err) => return api::log_and_return_error_response(report!(err)), }; @@ -686,7 +723,10 @@ pub async fn payments_update_metadata( None, ) }, - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }), locking_action, )) .await @@ -723,8 +763,13 @@ pub async fn payments_confirm( payload.payment_id = Some(payment_types::PaymentIdType::PaymentIntentId(payment_id)); payload.confirm = Some(true); + let api_auth = auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }; + let (auth_type, auth_flow) = - match auth::check_client_secret_and_get_auth(req.headers(), &payload) { + match auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth) { Ok(auth) => auth, Err(e) => return api::log_and_return_error_response(e), }; @@ -803,7 +848,10 @@ pub async fn payments_capture( auth.platform_merchant_account, ) }, - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }), locking_action, )) .await 
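Review bot: In payments_update the blank line that separated `payload.payment_id = Some(...)` from the authentication setup was removed, so the new `let api_auth = ...` now reads as part of the payload mutation; payments_confirm and payments_retrieve in this same change keep that separator. Restore the blank line before `let api_auth` to match the neighbouring routes. The function continues outside the hunk.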
@@ -1223,8 +1271,14 @@ pub async fn payments_complete_authorize( ..Default::default() }; + let api_auth = auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }; + let (auth_type, auth_flow) = - match auth::check_client_secret_and_get_auth(req.headers(), &payment_confirm_req) { + match auth::check_client_secret_and_get_auth(req.headers(), &payment_confirm_req, api_auth) + { Ok(auth) => auth, Err(err) => return api::log_and_return_error_response(report!(err)), }; @@ -1308,7 +1362,10 @@ pub async fn payments_cancel( auth.platform_merchant_account, ) }, - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }), locking_action, )) .await @@ -1332,7 +1389,10 @@ pub async fn payments_list( payments::list_payments(state, auth.merchant_account, None, auth.key_store, req) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }), &auth::JWTAuth { permission: Permission::MerchantPaymentRead, }, @@ -1361,7 +1421,10 @@ pub async fn payments_list( payments::list_payments(state, auth.merchant_account, auth.key_store, req) }, auth::auth_type( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::JWTAuth { permission: Permission::MerchantPaymentRead, }, @@ -1396,7 +1459,10 @@ pub async fn profile_payments_list( ) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }), &auth::JWTAuth { permission: Permission::ProfilePaymentRead, }, 
@@ -1646,9 +1712,15 @@ pub async fn payments_approve( ) }, match env::which() { - env::Env::Production => &auth::HeaderAuth(auth::ApiKeyAuth), + env::Env::Production => &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }), _ => auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }), &auth::JWTAuth { permission: Permission::ProfilePaymentWrite, }, @@ -1711,9 +1783,15 @@ pub async fn payments_reject( ) }, match env::which() { - env::Env::Production => &auth::HeaderAuth(auth::ApiKeyAuth), + env::Env::Production => &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }), _ => auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }), &auth::JWTAuth { permission: Permission::ProfilePaymentWrite, }, @@ -1891,7 +1969,10 @@ pub async fn payments_incremental_authorization( auth.platform_merchant_account, ) }, - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }), locking_action, )) .await @@ -2032,7 +2113,10 @@ pub async fn retrieve_extended_card_info( payment_id, ) }, - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: true, + }), api_locking::LockAction::NotApplicable, )) .await @@ -2673,7 +2757,10 @@ pub async fn proxy_confirm_intent( header_payload.clone(), )) }, - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, locking_action, )) .await 
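Review bot: retrieve_extended_card_info now admits platform merchant keys (`is_platform_allowed: true`), so, presumably, a platform key can read extended card details for a connected merchant's payment; this is broader than the refund, payout and customer routes in the same change, which all reject platform keys. If that is intended, state it at the auth so the choice survives review, e.g. `// Platform keys may read extended card info for connected-merchant payments; keep in step with payments_retrieve.`; if not, set the flag to `false`. Given the sensitivity of the data compared with the other routes here, the decision should not be left implicit. The route starts outside the hunk.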
@@ -2744,7 +2831,10 @@ pub async fn payment_status( .await }, auth::auth_type( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::JWTAuth { permission: Permission::ProfilePaymentRead, }, @@ -2790,7 +2880,10 @@ pub async fn payment_get_intent_using_merchant_reference_id( )) .await }, - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, api_locking::LockAction::NotApplicable, )) .await @@ -2909,7 +3002,10 @@ pub async fn payments_capture( .await }, auth::auth_type( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::JWTAuth { permission: Permission::ProfileAccountWrite, }, diff --git a/crates/router/src/routes/payouts.rs b/crates/router/src/routes/payouts.rs index 4044630b4d..d5e71431a8 100644 --- a/crates/router/src/routes/payouts.rs +++ b/crates/router/src/routes/payouts.rs @@ -32,7 +32,10 @@ pub async fn payouts_create( |state, auth: auth::AuthenticationData, req, _| { payouts_create_core(state, auth.merchant_account, auth.key_store, req) }, - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), api_locking::LockAction::NotApplicable, )) .await @@ -69,7 +72,10 @@ pub async fn payouts_retrieve( ) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfilePayoutRead, }, @@ -99,7 +105,10 @@ pub async fn payouts_update( |state, auth: auth::AuthenticationData, req, _| { payouts_update_core(state, auth.merchant_account, auth.key_store, req) }, - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), api_locking::LockAction::NotApplicable, )) .await 
@@ -118,8 +127,10 @@ pub async fn payouts_confirm( tracing::Span::current().record("payout_id", &payout_id); payload.payout_id = Some(payout_id); payload.confirm = Some(true); + let api_auth = auth::ApiKeyAuth::default(); + let (auth_type, _auth_flow) = - match auth::check_client_secret_and_get_auth(req.headers(), &payload) { + match auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth) { Ok(auth) => auth, Err(e) => return api::log_and_return_error_response(e), }; @@ -158,7 +169,10 @@ pub async fn payouts_cancel( |state, auth: auth::AuthenticationData, req, _| { payouts_cancel_core(state, auth.merchant_account, auth.key_store, req) }, - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), api_locking::LockAction::NotApplicable, )) .await @@ -183,7 +197,10 @@ pub async fn payouts_fulfill( |state, auth: auth::AuthenticationData, req, _| { payouts_fulfill_core(state, auth.merchant_account, auth.key_store, req) }, - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), api_locking::LockAction::NotApplicable, )) .await @@ -209,7 +226,10 @@ pub async fn payouts_list( payouts_list_core(state, auth.merchant_account, None, auth.key_store, req) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantPayoutRead, }, @@ -246,7 +266,10 @@ pub async fn payouts_list_profile( ) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfilePayoutRead, }, 
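Review bot: payouts_confirm, the step that commits a payout, constructs its key policy with `auth::ApiKeyAuth::default()`, whereas payouts_create, payouts_update and payouts_cancel in this file write out `is_connected_allowed: false, is_platform_allowed: false`. The result is the same today, but the confirm route is the one where an unnoticed change to `Default` would matter most. Use the explicit literal: `let api_auth = auth::ApiKeyAuth { is_connected_allowed: false, is_platform_allowed: false };`. The function body continues past the hunk.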
@@ -277,7 +300,10 @@ pub async fn payouts_list_by_filter( payouts_filtered_list_core(state, auth.merchant_account, None, auth.key_store, req) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantPayoutRead, }, @@ -314,7 +340,10 @@ pub async fn payouts_list_by_filter_profile( ) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfilePayoutRead, }, @@ -345,7 +374,10 @@ pub async fn payouts_list_available_filters_for_merchant( payouts_list_available_filters_core(state, auth.merchant_account, None, req) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantPayoutRead, }, @@ -381,7 +413,10 @@ pub async fn payouts_list_available_filters_for_profile( ) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfilePayoutRead, }, diff --git a/crates/router/src/routes/pm_auth.rs b/crates/router/src/routes/pm_auth.rs index 31a2a0ba32..8333bdcd97 100644 --- a/crates/router/src/routes/pm_auth.rs +++ b/crates/router/src/routes/pm_auth.rs @@ -3,7 +3,10 @@ use api_models as api_types; use router_env::{instrument, tracing, types::Flow}; use crate::{ - core::api_locking, routes::AppState, services::api, types::transformers::ForeignTryFrom, + core::api_locking, + routes::AppState, + services::{api, authentication as auth}, + types::transformers::ForeignTryFrom, }; #[instrument(skip_all, fields(flow = ?Flow::PmAuthLinkTokenCreate))] 
@@ -14,9 +17,12 @@ pub async fn link_token_create( ) -> impl Responder { let payload = json_payload.into_inner(); let flow = Flow::PmAuthLinkTokenCreate; + let api_auth = auth::ApiKeyAuth::default(); + let (auth, _) = match crate::services::authentication::check_client_secret_and_get_auth( req.headers(), &payload, + api_auth, ) { Ok((auth, _auth_flow)) => (auth, _auth_flow), Err(e) => return api::log_and_return_error_response(e), @@ -58,9 +64,12 @@ pub async fn exchange_token( ) -> impl Responder { let payload = json_payload.into_inner(); let flow = Flow::PmAuthExchangeToken; + let api_auth = auth::ApiKeyAuth::default(); + let (auth, _) = match crate::services::authentication::check_client_secret_and_get_auth( req.headers(), &payload, + api_auth, ) { Ok((auth, _auth_flow)) => (auth, _auth_flow), Err(e) => return api::log_and_return_error_response(e), diff --git a/crates/router/src/routes/profiles.rs b/crates/router/src/routes/profiles.rs index cd91275df7..ec2d20a72e 100644 --- a/crates/router/src/routes/profiles.rs +++ b/crates/router/src/routes/profiles.rs @@ -343,7 +343,10 @@ pub async fn toggle_connector_agnostic_mit( connector_agnostic_mit_toggle(state, &merchant_id, &profile_id, req) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: permissions::Permission::MerchantRoutingWrite, }, diff --git a/crates/router/src/routes/refunds.rs b/crates/router/src/routes/refunds.rs index cbcfbcdcbf..aa2afa1c32 100644 --- a/crates/router/src/routes/refunds.rs +++ b/crates/router/src/routes/refunds.rs @@ -46,7 +46,10 @@ pub async fn refunds_create( ) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfileRefundWrite, }, 
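Review bot: link_token_create still calls `crate::services::authentication::check_client_secret_and_get_auth` by full path even though the import hunk in this file now brings `services::{api, authentication as auth}` into scope and the new `auth::ApiKeyAuth::default()` line already uses the alias. Shorten it to `auth::check_client_secret_and_get_auth(req.headers(), &payload, api_auth)` and do the same in exchange_token. As in the other routes, `let api_auth = auth::ApiKeyAuth { is_connected_allowed: false, is_platform_allowed: false };` is preferable to `default()` so the policy is readable at the route.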
@@ -109,7 +112,10 @@ pub async fn refunds_retrieve( ) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfileRefundRead, }, @@ -162,7 +168,10 @@ pub async fn refunds_retrieve_with_body( refund_retrieve_core_with_refund_id, ) }, - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), api_locking::LockAction::NotApplicable, )) .await @@ -204,7 +213,10 @@ pub async fn refunds_update( |state, auth: auth::AuthenticationData, req, _| { refund_update_core(state, auth.merchant_account, req) }, - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), api_locking::LockAction::NotApplicable, )) .await @@ -240,7 +252,10 @@ pub async fn refunds_list( refund_list(state, auth.merchant_account, None, req) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantRefundRead, }, @@ -287,7 +302,10 @@ pub async fn refunds_list_profile( ) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfileRefundRead, }, @@ -329,7 +347,10 @@ pub async fn refunds_filter_list( refund_filter_list(state, auth.merchant_account, req) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantRefundRead, }, 
@@ -366,7 +387,10 @@ pub async fn get_refunds_filters(state: web::Data, req: HttpRequest) - get_filters_for_refunds(state, auth.merchant_account, None) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantRefundRead, }, @@ -410,7 +434,10 @@ pub async fn get_refunds_filters_profile( ) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfileRefundRead, }, @@ -439,7 +466,10 @@ pub async fn get_refunds_aggregates( get_aggregates_for_refunds(state, auth.merchant_account, None, req) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantRefundRead, }, @@ -496,7 +526,10 @@ pub async fn get_refunds_aggregate_profile( ) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfileRefundRead, }, diff --git a/crates/router/src/routes/relay.rs b/crates/router/src/routes/relay.rs index dd079563a2..2d51c7b04e 100644 --- a/crates/router/src/routes/relay.rs +++ b/crates/router/src/routes/relay.rs @@ -33,7 +33,10 @@ pub async fn relay( req, ) }, - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), api_locking::LockAction::NotApplicable, )) .await 
@@ -69,7 +72,10 @@ pub async fn relay_retrieve( req, ) }, - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), api_locking::LockAction::NotApplicable, )) .await diff --git a/crates/router/src/routes/routing.rs b/crates/router/src/routes/routing.rs index 04a0d33168..4fa9a0d433 100644 --- a/crates/router/src/routes/routing.rs +++ b/crates/router/src/routes/routing.rs @@ -41,7 +41,10 @@ pub async fn routing_create_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfileRoutingWrite, }, @@ -82,7 +85,10 @@ pub async fn routing_create_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::JWTAuth { permission: Permission::ProfileRoutingWrite, }, @@ -123,7 +129,10 @@ pub async fn routing_link_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfileRoutingWrite, }, @@ -170,7 +179,10 @@ pub async fn routing_link_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::JWTAuthProfileFromRoute { profile_id: wrapper.profile_id, required_permission: Permission::MerchantRoutingWrite, 
@@ -212,7 +224,10 @@ pub async fn routing_retrieve_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfileRoutingRead, }, @@ -252,7 +267,10 @@ pub async fn routing_retrieve_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::JWTAuth { permission: Permission::ProfileRoutingRead, }, @@ -292,7 +310,10 @@ pub async fn list_routing_configs( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantRoutingRead, }, @@ -332,7 +353,10 @@ pub async fn list_routing_configs_for_profile( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfileRoutingRead, }, @@ -373,7 +397,10 @@ pub async fn routing_unlink_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::JWTAuthProfileFromRoute { profile_id: path, required_permission: Permission::MerchantRoutingWrite, @@ -416,7 +443,10 @@ pub async fn routing_unlink_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfileRoutingWrite, }, 
@@ -459,7 +489,10 @@ pub async fn routing_update_default_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::JWTAuth { permission: Permission::MerchantRoutingWrite, }, @@ -497,7 +530,10 @@ pub async fn routing_update_default_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantRoutingWrite, }, @@ -535,7 +571,10 @@ pub async fn routing_retrieve_default_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::JWTAuthProfileFromRoute { profile_id: path, required_permission: Permission::MerchantRoutingRead, @@ -603,7 +642,10 @@ pub async fn upsert_surcharge_decision_manager_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantSurchargeDecisionManagerWrite, }, @@ -638,7 +680,10 @@ pub async fn delete_surcharge_decision_manager_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantSurchargeDecisionManagerWrite, }, 
@@ -673,7 +718,10 @@ pub async fn retrieve_surcharge_decision_manager_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantSurchargeDecisionManagerRead, }, @@ -711,7 +759,10 @@ pub async fn upsert_decision_manager_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantThreeDsDecisionManagerWrite, }, @@ -749,7 +800,10 @@ pub async fn upsert_decision_manager_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::JWTAuth { permission: Permission::ProfileThreeDsDecisionManagerWrite, }, @@ -785,7 +839,10 @@ pub async fn delete_decision_manager_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantThreeDsDecisionManagerWrite, }, @@ -818,7 +875,10 @@ pub async fn retrieve_decision_manager_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::JWTAuth { permission: Permission::ProfileThreeDsDecisionManagerWrite, }, 
@@ -851,7 +911,10 @@ pub async fn retrieve_decision_manager_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantThreeDsDecisionManagerRead, }, @@ -895,7 +958,10 @@ pub async fn routing_retrieve_linked_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuthProfileFromRoute { profile_id, required_permission: Permission::ProfileRoutingRead, @@ -928,7 +994,10 @@ pub async fn routing_retrieve_linked_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::ProfileRoutingRead, }, @@ -976,7 +1045,10 @@ pub async fn routing_retrieve_linked_config( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::V2ApiKeyAuth, + &auth::V2ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }, &auth::JWTAuthProfileFromRoute { profile_id: wrapper.profile_id, required_permission: Permission::ProfileRoutingRead, @@ -1015,7 +1087,10 @@ pub async fn routing_retrieve_default_config_for_profiles( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantRoutingRead, }, 
@@ -1023,7 +1098,10 @@ pub async fn routing_retrieve_default_config_for_profiles( ), #[cfg(feature = "release")] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuth { permission: Permission::MerchantRoutingRead, }, @@ -1064,7 +1142,10 @@ pub async fn routing_update_default_config_for_profile( }, #[cfg(not(feature = "release"))] auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuthProfileFromRoute { profile_id: routing_payload_wrapper.profile_id, required_permission: Permission::ProfileRoutingWrite, @@ -1113,7 +1194,10 @@ pub async fn toggle_success_based_routing( ) }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuthProfileFromRoute { profile_id: wrapper.profile_id, required_permission: Permission::ProfileRoutingWrite, @@ -1154,7 +1238,10 @@ pub async fn success_based_routing_update_configs( .await }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuthProfileFromRoute { profile_id: routing_payload_wrapper.profile_id, required_permission: Permission::ProfileRoutingWrite, @@ -1201,7 +1288,10 @@ pub async fn contract_based_routing_setup_config( .await }, auth::auth_type( - &auth::HeaderAuth(auth::ApiKeyAuth), + &auth::HeaderAuth(auth::ApiKeyAuth { + is_connected_allowed: false, + is_platform_allowed: false, + }), &auth::JWTAuthProfileFromRoute { profile_id: routing_payload_wrapper.profile_id, required_permission: Permission::ProfileRoutingWrite, 
@@ -1247,7 +1337,10 @@ pub async fn contract_based_routing_update_configs(
 .await
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuthProfileFromRoute {
 profile_id: routing_payload_wrapper.profile_id,
 required_permission: Permission::ProfileRoutingWrite,
@@ -1291,7 +1384,10 @@ pub async fn toggle_elimination_routing(
 )
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuthProfileFromRoute {
 profile_id: wrapper.profile_id,
 required_permission: Permission::ProfileRoutingWrite,
@@ -1339,7 +1435,10 @@ pub async fn set_dynamic_routing_volume_split(
 )
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuthProfileFromRoute {
 profile_id: payload.profile_id,
 required_permission: Permission::ProfileRoutingWrite,
diff --git a/crates/router/src/routes/verification.rs b/crates/router/src/routes/verification.rs
index 31e7638b3e..ed987fb76a 100644
--- a/crates/router/src/routes/verification.rs
+++ b/crates/router/src/routes/verification.rs
@@ -32,7 +32,10 @@ pub async fn apple_pay_merchant_registration(
 )
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::ProfileAccountWrite,
 },
@@ -66,7 +69,10 @@ pub async fn retrieve_apple_pay_verified_domains(
 )
 },
 auth::auth_type(
- &auth::HeaderAuth(auth::ApiKeyAuth),
+ &auth::HeaderAuth(auth::ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ }),
 &auth::JWTAuth {
 permission: Permission::MerchantAccountRead,
 },
diff --git a/crates/router/src/services/authentication.rs b/crates/router/src/services/authentication.rs
index e3b71f6f4f..6a5683d4e4 100644
--- a/crates/router/src/services/authentication.rs
+++ b/crates/router/src/services/authentication.rs
@@ -349,8 +349,11 @@ where
 ) -> RouterResult<(T, AuthenticationType)>;
 }
-#[derive(Debug)]
-pub struct ApiKeyAuth;
+#[derive(Debug, Default)]
+pub struct ApiKeyAuth {
+ pub is_connected_allowed: bool,
+ pub is_platform_allowed: bool,
+}
 pub struct NoAuth;
@@ -482,6 +485,13 @@ where
 (merchant, None)
 };
+ if platform_merchant_account.is_some() && !self.is_platform_allowed {
+ return Err(report!(
+ errors::ApiErrorResponse::PlatformAccountAuthNotSupported
+ ))
+ .attach_printable("Platform not authorized to access the resource");
+ }
+
 let key_store = if platform_merchant_account.is_some() {
 state
 .store()
@@ -595,13 +605,19 @@ where
 .await
 .to_not_found_response(errors::ApiErrorResponse::Unauthorized)?;
- // Get connected merchant account if API call is done by Platform merchant account on behalf of connected merchant account
 let (merchant, platform_merchant_account) = if state.conf().platform.enabled {
 get_platform_merchant_account(state, request_headers, merchant).await?
 } else {
 (merchant, None)
 };
+ if platform_merchant_account.is_some() && !self.is_platform_allowed {
+ return Err(report!(
+ errors::ApiErrorResponse::PlatformAccountAuthNotSupported
+ ))
+ .attach_printable("Platform not authorized to access the resource");
+ }
+
 let key_store = if platform_merchant_account.is_some() {
 state
 .store()
@@ -654,7 +670,11 @@ where
 request_headers: &HeaderMap,
 state: &A,
 ) -> RouterResult<(AuthenticationData, AuthenticationType)> {
- let (auth_data, auth_type) = ApiKeyAuth
+ let api_auth = ApiKeyAuth {
+ is_connected_allowed: false,
+ is_platform_allowed: false,
+ };
+ let (auth_data, auth_type) = api_auth
 .authenticate_and_fetch(request_headers, state)
 .await?;
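Review bot: `is_connected_allowed` is added to `ApiKeyAuth` in the -349 hunk, but no hunk visible here ever reads it — the only enforcement is the `platform_merchant_account.is_some() && !self.is_platform_allowed` check in the -482 and -595 hunks. Until it is wired into `authenticate_and_fetch`, every call site's `is_connected_allowed: false` is inert and a route later switched to `true` would silently grant nothing, so either enforce it now or mark the field so nobody relies on it: `/// Reserved: not yet checked by `authenticate_and_fetch`; do not rely on it to restrict connected-merchant calls.` The -595 hunk also deletes the comment explaining that `get_platform_merchant_account` swaps in the connected merchant when a platform key calls on its behalf; that line is the only place the substitution is explained and should stay above the `let (merchant, platform_merchant_account)` binding. Both `authenticate_and_fetch` bodies and the wrapper in the -654 hunk begin and end outside these hunks.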
@@ -2029,7 +2049,10 @@ where
 /// Take api-key from `Authorization` header
 #[cfg(feature = "v2")]
 #[derive(Debug)]
-pub struct V2ApiKeyAuth;
+pub struct V2ApiKeyAuth {
+ pub is_connected_allowed: bool,
+ pub is_platform_allowed: bool,
+}
 #[cfg(feature = "v2")]
 #[async_trait]
@@ -2115,6 +2138,13 @@ where
 (merchant, None)
 };
+ if platform_merchant_account.is_some() && !self.is_platform_allowed {
+ return Err(report!(
+ errors::ApiErrorResponse::PlatformAccountAuthNotSupported
+ ))
+ .attach_printable("Platform not authorized to access the resource");
+ }
+
 let key_store = if platform_merchant_account.is_some() {
 state
 .store()
@@ -3706,6 +3736,7 @@ impl ClientSecretFetch for api_models::payment_methods::PaymentMethodUpdate {
 pub fn get_auth_type_and_flow(
 headers: &HeaderMap,
+ api_auth: ApiKeyAuth,
 ) -> RouterResult<(
 Box>,
 api::AuthFlow,
@@ -3718,12 +3749,13 @@ pub fn get_auth_type_and_flow(
 api::AuthFlow::Client,
 ));
 }
- Ok((Box::new(HeaderAuth(ApiKeyAuth)), api::AuthFlow::Merchant))
+ Ok((Box::new(HeaderAuth(api_auth)), api::AuthFlow::Merchant))
 }
 pub fn check_client_secret_and_get_auth(
 headers: &HeaderMap,
 payload: &impl ClientSecretFetch,
+ api_auth: ApiKeyAuth,
 ) -> RouterResult<(
 Box>,
 api::AuthFlow,
@@ -3753,13 +3785,14 @@ where
 }
 .into());
 }
- Ok((Box::new(HeaderAuth(ApiKeyAuth)), api::AuthFlow::Merchant))
+ Ok((Box::new(HeaderAuth(api_auth)), api::AuthFlow::Merchant))
 }
 pub async fn get_ephemeral_or_other_auth(
 headers: &HeaderMap,
 is_merchant_flow: bool,
 payload: Option<&impl ClientSecretFetch>,
+ api_auth: ApiKeyAuth,
 ) -> RouterResult<(
 Box>,
 api::AuthFlow,
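Review bot: The platform gate in the -2115 hunk is the third verbatim copy of the same condition-plus-error (the two v1 `ApiKeyAuth` impls carry the other two), and three copies will drift the first time one of them grows a second flag; a shared `fn ensure_platform_allowed(&self, platform: Option<&T>) -> RouterResult<()>` called from each `authenticate_and_fetch` keeps one source of truth for the rejection. `V2ApiKeyAuth` in the -2029 hunk also exposes two new public fields with no doc comment and, unlike the v1 struct, no `Default`; at minimum document the one that is enforced: `/// When `false`, a platform merchant calling on behalf of a connected merchant is rejected with `PlatformAccountAuthNotSupported`.` In `get_auth_type_and_flow` and `check_client_secret_and_get_auth` the `api::AuthFlow::Client` early return fires before `api_auth` is consulted, so the flags only govern the merchant API-key path — worth stating on the new parameter so callers do not expect them to constrain client-secret requests. The enclosing `impl` blocks and `get_ephemeral_or_other_auth` continue outside these hunks.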
@@ -3777,13 +3810,13 @@ where
 Ok((Box::new(EphemeralKeyAuth), api::AuthFlow::Client, true))
 } else if is_merchant_flow {
 Ok((
- Box::new(HeaderAuth(ApiKeyAuth)),
+ Box::new(HeaderAuth(api_auth)),
 api::AuthFlow::Merchant,
 false,
 ))
 } else {
 let payload = payload.get_required_value("ClientSecretFetch")?;
- let (auth, auth_flow) = check_client_secret_and_get_auth(headers, payload)?;
+ let (auth, auth_flow) = check_client_secret_and_get_auth(headers, payload, api_auth)?;
 Ok((auth, auth_flow, false))
 }
 }
@@ -3791,11 +3824,12 @@ where
 #[cfg(feature = "v1")]
 pub fn is_ephemeral_auth(
 headers: &HeaderMap,
+ api_auth: ApiKeyAuth,
 ) -> RouterResult>> {
 let api_key = get_api_key(headers)?;
 if !api_key.starts_with("epk") {
- Ok(Box::new(HeaderAuth(ApiKeyAuth)))
+ Ok(Box::new(HeaderAuth(api_auth)))
 } else {
 Ok(Box::new(EphemeralKeyAuth))
 }
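Review bot: In `is_ephemeral_auth` (-3791 hunk) and `get_ephemeral_or_other_auth` (-3777 hunk) the new `api_auth` only reaches the `HeaderAuth` branch; a key that `starts_with("epk")` is handed to `EphemeralKeyAuth` and the platform/connected flags are never applied to it, which is presumably intended but is invisible from the signature. Add to both functions: `/// `api_auth` applies only to merchant API keys; ephemeral (`epk`-prefixed) keys and client-secret requests ignore its flags.` The string-prefix dispatch is pre-existing, but now that a policy object rides on the other branch it is worth a one-line note that the prefix is the sole selector between the two auth paths. `get_ephemeral_or_other_auth` begins outside the hunk and `is_ephemeral_auth`'s closing brace falls after it.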