fix(router): added validation to check total orderDetails amount equal to amount in request (#2965)

Co-authored-by: Sahkal Poddar <sahkal.poddar@juspay.in>
2025-11-01 19:42:27 +08:00 · 2023-11-27 10:43:59 +05:30
parent 04b7c0384d
commit 37532d46f5
4 changed files with 40 additions and 0 deletions
--- a/crates/router/src/core/payments/helpers.rs
+++ b/crates/router/src/core/payments/helpers.rs
@ -3686,3 +3686,22 @@ pub async fn get_gsm_record(
        })
        .ok()
 }
+
+pub fn validate_order_details_amount(
+    order_details: Vec<api_models::payments::OrderDetailsWithAmount>,
+    amount: i64,
+) -> Result<(), errors::ApiErrorResponse> {
+    let total_order_details_amount: i64 = order_details
+        .iter()
+        .map(|order| order.amount * i64::from(order.quantity))
+        .sum();
+
+    if total_order_details_amount != amount {
+        Err(errors::ApiErrorResponse::InvalidRequestData {
+            message: "Total sum of order details doesn't match amount in payment request"
+                .to_string(),
+        })
+    } else {
+        Ok(())
+    }
+}
--- a/crates/router/src/core/payments/operations/payment_confirm.rs
+++ b/crates/router/src/core/payments/operations/payment_confirm.rs
@ -102,6 +102,13 @@ impl<F: Send + Clone, Ctx: PaymentMethodRetrieve>
            utils::flatten_join_error(mandate_details_fut)
        )?;

+        if let Some(order_details) = &request.order_details {
+            helpers::validate_order_details_amount(
+                order_details.to_owned(),
+                payment_intent.amount,
+            )?;
+        }
+
        helpers::validate_customer_access(&payment_intent, auth_flow, request)?;

        helpers::validate_payment_status_against_not_allowed_statuses(
--- a/crates/router/src/core/payments/operations/payment_create.rs
+++ b/crates/router/src/core/payments/operations/payment_create.rs
@ -186,6 +186,13 @@ impl<F: Send + Clone, Ctx: PaymentMethodRetrieve>
                payment_id: payment_id.clone(),
            })?;

+        if let Some(order_details) = &request.order_details {
+            helpers::validate_order_details_amount(
+                order_details.to_owned(),
+                payment_intent.amount,
+            )?;
+        }
+
        payment_attempt = db
            .insert_payment_attempt(payment_attempt_new, storage_scheme)
            .await
--- a/crates/router/src/core/payments/operations/payment_update.rs
+++ b/crates/router/src/core/payments/operations/payment_update.rs
@ -60,6 +60,13 @@ impl<F: Send + Clone, Ctx: PaymentMethodRetrieve>
            .await
            .to_not_found_response(errors::ApiErrorResponse::PaymentNotFound)?;

+        if let Some(order_details) = &request.order_details {
+            helpers::validate_order_details_amount(
+                order_details.to_owned(),
+                payment_intent.amount,
+            )?;
+        }
+
        payment_intent.setup_future_usage = request
            .setup_future_usage
            .or(payment_intent.setup_future_usage);