mirror of
https://github.com/juspay/hyperswitch.git
synced 2025-10-28 04:04:55 +08:00
refactor(authentication): modify auth for profiles and mca routes to ApiKeyAuthWithMerchantIdFromRoute (#7656)
This commit is contained in:
Sandeep Kumar
@ -499,7 +499,7 @@ pub async fn connector_create(
|
||||
)
|
||||
},
|
||||
auth::auth_type(
|
||||
&auth::AdminApiAuthWithMerchantIdFromRoute(merchant_id.clone()),
|
||||
&auth::HeaderAuth(auth::ApiKeyAuthWithMerchantIdFromRoute(merchant_id.clone())),
|
||||
&auth::JWTAuthMerchantFromRoute {
|
||||
merchant_id: merchant_id.clone(),
|
||||
required_permission: Permission::ProfileConnectorWrite,
|
||||
@ -598,7 +598,7 @@ pub async fn connector_retrieve(
|
||||
)
|
||||
},
|
||||
auth::auth_type(
|
||||
&auth::AdminApiAuthWithMerchantIdFromHeader,
|
||||
&auth::HeaderAuth(auth::ApiKeyAuthWithMerchantIdFromRoute(merchant_id.clone())),
|
||||
&auth::JWTAuthMerchantFromRoute {
|
||||
merchant_id,
|
||||
// This should ideally be ProfileConnectorRead, but since this API responds with
|
||||
@ -716,7 +716,7 @@ pub async fn connector_list(
|
||||
merchant_id.to_owned(),
|
||||
|state, _auth, merchant_id, _| list_payment_connectors(state, merchant_id, None),
|
||||
auth::auth_type(
|
||||
&auth::AdminApiAuthWithMerchantIdFromHeader,
|
||||
&auth::HeaderAuth(auth::ApiKeyAuthWithMerchantIdFromRoute(merchant_id.clone())),
|
||||
&auth::JWTAuthMerchantFromRoute {
|
||||
merchant_id,
|
||||
required_permission: Permission::MerchantConnectorRead,
|
||||
@ -769,7 +769,7 @@ pub async fn connector_list_profile(
|
||||
)
|
||||
},
|
||||
auth::auth_type(
|
||||
&auth::AdminApiAuthWithMerchantIdFromHeader,
|
||||
&auth::HeaderAuth(auth::ApiKeyAuthWithMerchantIdFromRoute(merchant_id.clone())),
|
||||
&auth::JWTAuthMerchantFromRoute {
|
||||
merchant_id,
|
||||
required_permission: Permission::ProfileConnectorRead,
|
||||
@ -830,7 +830,7 @@ pub async fn connector_update(
|
||||
)
|
||||
},
|
||||
auth::auth_type(
|
||||
&auth::AdminApiAuthWithMerchantIdFromHeader,
|
||||
&auth::HeaderAuth(auth::ApiKeyAuthWithMerchantIdFromRoute(merchant_id.clone())),
|
||||
&auth::JWTAuthMerchantFromRoute {
|
||||
merchant_id: merchant_id.clone(),
|
||||
required_permission: Permission::ProfileConnectorWrite,
|
||||
|
||||
@ -29,7 +29,7 @@ pub async fn profile_create(
|
||||
create_profile(state, req, auth_data.merchant_account, auth_data.key_store)
|
||||
},
|
||||
auth::auth_type(
|
||||
&auth::AdminApiAuthWithMerchantIdFromRoute(merchant_id.clone()),
|
||||
&auth::HeaderAuth(auth::ApiKeyAuthWithMerchantIdFromRoute(merchant_id.clone())),
|
||||
&auth::JWTAuthMerchantFromRoute {
|
||||
merchant_id,
|
||||
required_permission: permissions::Permission::MerchantAccountWrite,
|
||||
@ -95,7 +95,7 @@ pub async fn profile_retrieve(
|
||||
profile_id,
|
||||
|state, auth_data, profile_id, _| retrieve_profile(state, profile_id, auth_data.key_store),
|
||||
auth::auth_type(
|
||||
&auth::AdminApiAuthWithMerchantIdFromRoute(merchant_id.clone()),
|
||||
&auth::HeaderAuth(auth::ApiKeyAuthWithMerchantIdFromRoute(merchant_id.clone())),
|
||||
&auth::JWTAuthMerchantFromRoute {
|
||||
merchant_id: merchant_id.clone(),
|
||||
required_permission: permissions::Permission::ProfileAccountRead,
|
||||
@ -158,7 +158,7 @@ pub async fn profile_update(
|
||||
json_payload.into_inner(),
|
||||
|state, auth_data, req, _| update_profile(state, &profile_id, auth_data.key_store, req),
|
||||
auth::auth_type(
|
||||
&auth::AdminApiAuthWithMerchantIdFromRoute(merchant_id.clone()),
|
||||
&auth::HeaderAuth(auth::ApiKeyAuthWithMerchantIdFromRoute(merchant_id.clone())),
|
||||
&auth::JWTAuthMerchantAndProfileFromRoute {
|
||||
merchant_id: merchant_id.clone(),
|
||||
profile_id: profile_id.clone(),
|
||||
@ -243,7 +243,7 @@ pub async fn profiles_list(
|
||||
merchant_id.clone(),
|
||||
|state, _auth, merchant_id, _| list_profile(state, merchant_id, None),
|
||||
auth::auth_type(
|
||||
&auth::AdminApiAuthWithMerchantIdFromRoute(merchant_id.clone()),
|
||||
&auth::HeaderAuth(auth::ApiKeyAuthWithMerchantIdFromRoute(merchant_id.clone())),
|
||||
&auth::JWTAuthMerchantFromRoute {
|
||||
merchant_id,
|
||||
required_permission: permissions::Permission::MerchantAccountRead,
|
||||
@ -309,7 +309,7 @@ pub async fn profiles_list_at_profile_level(
|
||||
)
|
||||
},
|
||||
auth::auth_type(
|
||||
&auth::AdminApiAuthWithMerchantIdFromHeader,
|
||||
&auth::HeaderAuth(auth::ApiKeyAuthWithMerchantIdFromRoute(merchant_id.clone())),
|
||||
&auth::JWTAuthMerchantFromRoute {
|
||||
merchant_id,
|
||||
required_permission: permissions::Permission::ProfileAccountRead,
|
||||
@ -402,7 +402,7 @@ pub async fn payment_connector_list_profile(
|
||||
)
|
||||
},
|
||||
auth::auth_type(
|
||||
&auth::AdminApiAuthWithMerchantIdFromHeader,
|
||||
&auth::HeaderAuth(auth::ApiKeyAuthWithMerchantIdFromRoute(merchant_id.clone())),
|
||||
&auth::JWTAuthMerchantFromRoute {
|
||||
merchant_id,
|
||||
required_permission: permissions::Permission::ProfileConnectorRead,
|
||||
|
||||
@ -633,6 +633,137 @@ where
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub struct ApiKeyAuthWithMerchantIdFromRoute(pub id_type::MerchantId);
|
||||
|
||||
#[cfg(feature = "partial-auth")]
|
||||
impl GetAuthType for ApiKeyAuthWithMerchantIdFromRoute {
|
||||
fn get_auth_type(&self) -> detached::PayloadType {
|
||||
detached::PayloadType::ApiKey
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(feature = "v1")]
|
||||
#[async_trait]
|
||||
impl<A> AuthenticateAndFetch<AuthenticationData, A> for ApiKeyAuthWithMerchantIdFromRoute
|
||||
where
|
||||
A: SessionStateInfo + Sync,
|
||||
{
|
||||
async fn authenticate_and_fetch(
|
||||
&self,
|
||||
request_headers: &HeaderMap,
|
||||
state: &A,
|
||||
) -> RouterResult<(AuthenticationData, AuthenticationType)> {
|
||||
let merchant_id_from_route = self.0.clone();
|
||||
let api_key = get_api_key(request_headers)
|
||||
.change_context(errors::ApiErrorResponse::Unauthorized)?
|
||||
.trim();
|
||||
if api_key.is_empty() {
|
||||
return Err(errors::ApiErrorResponse::Unauthorized)
|
||||
.attach_printable("API key is empty");
|
||||
}
|
||||
|
||||
let api_key = api_keys::PlaintextApiKey::from(api_key);
|
||||
let hash_key = {
|
||||
let config = state.conf();
|
||||
config.api_keys.get_inner().get_hash_key()?
|
||||
};
|
||||
let hashed_api_key = api_key.keyed_hash(hash_key.peek());
|
||||
|
||||
let stored_api_key = state
|
||||
.store()
|
||||
.find_api_key_by_hash_optional(hashed_api_key.into())
|
||||
.await
|
||||
.change_context(errors::ApiErrorResponse::InternalServerError) // If retrieve failed
|
||||
.attach_printable("Failed to retrieve API key")?
|
||||
.ok_or(report!(errors::ApiErrorResponse::Unauthorized)) // If retrieve returned `None`
|
||||
.attach_printable("Merchant not authenticated")?;
|
||||
|
||||
if stored_api_key
|
||||
.expires_at
|
||||
.map(|expires_at| expires_at < date_time::now())
|
||||
.unwrap_or(false)
|
||||
{
|
||||
return Err(report!(errors::ApiErrorResponse::Unauthorized))
|
||||
.attach_printable("API key has expired");
|
||||
}
|
||||
|
||||
let key_manager_state = &(&state.session_state()).into();
|
||||
|
||||
let key_store = state
|
||||
.store()
|
||||
.get_merchant_key_store_by_merchant_id(
|
||||
key_manager_state,
|
||||
&stored_api_key.merchant_id,
|
||||
&state.store().get_master_key().to_vec().into(),
|
||||
)
|
||||
.await
|
||||
.change_context(errors::ApiErrorResponse::Unauthorized)
|
||||
.attach_printable("Failed to fetch merchant key store for the merchant id")?;
|
||||
|
||||
let profile_id =
|
||||
get_header_value_by_key(headers::X_PROFILE_ID.to_string(), request_headers)?
|
||||
.map(id_type::ProfileId::from_str)
|
||||
.transpose()
|
||||
.change_context(errors::ValidationError::IncorrectValueProvided {
|
||||
field_name: "X-Profile-Id",
|
||||
})
|
||||
.change_context(errors::ApiErrorResponse::Unauthorized)?;
|
||||
|
||||
if merchant_id_from_route != stored_api_key.merchant_id {
|
||||
return Err(report!(errors::ApiErrorResponse::Unauthorized)).attach_printable(
|
||||
"Merchant ID from route and Merchant ID from api-key in header do not match",
|
||||
);
|
||||
}
|
||||
|
||||
let merchant = state
|
||||
.store()
|
||||
.find_merchant_account_by_merchant_id(
|
||||
key_manager_state,
|
||||
&stored_api_key.merchant_id,
|
||||
&key_store,
|
||||
)
|
||||
.await
|
||||
.to_not_found_response(errors::ApiErrorResponse::Unauthorized)?;
|
||||
|
||||
// Get connected merchant account if API call is done by Platform merchant account on behalf of connected merchant account
|
||||
let (merchant, platform_merchant_account) = if state.conf().platform.enabled {
|
||||
get_platform_merchant_account(state, request_headers, merchant).await?
|
||||
} else {
|
||||
(merchant, None)
|
||||
};
|
||||
|
||||
let key_store = if platform_merchant_account.is_some() {
|
||||
state
|
||||
.store()
|
||||
.get_merchant_key_store_by_merchant_id(
|
||||
key_manager_state,
|
||||
merchant.get_id(),
|
||||
&state.store().get_master_key().to_vec().into(),
|
||||
)
|
||||
.await
|
||||
.change_context(errors::ApiErrorResponse::Unauthorized)
|
||||
.attach_printable("Failed to fetch merchant key store for the merchant id")?
|
||||
} else {
|
||||
key_store
|
||||
};
|
||||
|
||||
let auth = AuthenticationData {
|
||||
merchant_account: merchant,
|
||||
platform_merchant_account,
|
||||
key_store,
|
||||
profile_id,
|
||||
};
|
||||
Ok((
|
||||
auth.clone(),
|
||||
AuthenticationType::ApiKey {
|
||||
merchant_id: auth.merchant_account.get_id().clone(),
|
||||
key_id: stored_api_key.key_id,
|
||||
},
|
||||
))
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(not(feature = "partial-auth"))]
|
||||
#[async_trait]
|
||||
impl<A, I> AuthenticateAndFetch<AuthenticationData, A> for HeaderAuth<I>
|
||||
|
||||
Reference in New Issue
Block a user