feat(recon): add recon APIs (#3345)

Co-authored-by: Kashif <mohammed.kashif@juspay.in> Co-authored-by: hyperswitch-bot[bot] <148525504+hyperswitch-bot[bot]@users.noreply.github.com>
2025-10-28 04:04:55 +08:00 · 2024-01-16 16:37:44 +05:30
parent 5ad3f8939a
commit 8678f8d144
22 changed files with 639 additions and 7 deletions
--- a/crates/router/src/services/authentication.rs
+++ b/crates/router/src/services/authentication.rs
@ -12,10 +12,14 @@ use serde::Serialize;
 use super::authorization::{self, permissions::Permission};
 #[cfg(feature = "olap")]
 use super::jwt;
+#[cfg(feature = "recon")]
+use super::recon::ReconToken;
 #[cfg(feature = "olap")]
 use crate::consts;
 #[cfg(feature = "olap")]
 use crate::core::errors::UserResult;
+#[cfg(feature = "recon")]
+use crate::routes::AppState;
 use crate::{
    configs::settings,
    core::{
@ -822,3 +826,95 @@ where
    }
    default_auth
 }
+
+#[cfg(feature = "recon")]
+static RECON_API_KEY: tokio::sync::OnceCell<StrongSecret<String>> =
+    tokio::sync::OnceCell::const_new();
+
+#[cfg(feature = "recon")]
+pub async fn get_recon_admin_api_key(
+    secrets: &settings::Secrets,
+    #[cfg(feature = "kms")] kms_client: &kms::KmsClient,
+) -> RouterResult<&'static StrongSecret<String>> {
+    RECON_API_KEY
+        .get_or_try_init(|| async {
+            #[cfg(feature = "kms")]
+            let recon_admin_api_key = secrets
+                .kms_encrypted_recon_admin_api_key
+                .decrypt_inner(kms_client)
+                .await
+                .change_context(errors::ApiErrorResponse::InternalServerError)
+                .attach_printable("Failed to KMS decrypt recon admin API key")?;
+
+            #[cfg(not(feature = "kms"))]
+            let recon_admin_api_key = secrets.recon_admin_api_key.clone();
+
+            Ok(StrongSecret::new(recon_admin_api_key))
+        })
+        .await
+}
+
+#[cfg(feature = "recon")]
+pub struct ReconAdmin;
+
+#[async_trait]
+#[cfg(feature = "recon")]
+impl<A> AuthenticateAndFetch<(), A> for ReconAdmin
+where
+    A: AppStateInfo + Sync,
+{
+    async fn authenticate_and_fetch(
+        &self,
+        request_headers: &HeaderMap,
+        state: &A,
+    ) -> RouterResult<((), AuthenticationType)> {
+        let request_admin_api_key =
+            get_api_key(request_headers).change_context(errors::ApiErrorResponse::Unauthorized)?;
+        let conf = state.conf();
+
+        let admin_api_key = get_recon_admin_api_key(
+            &conf.secrets,
+            #[cfg(feature = "kms")]
+            kms::get_kms_client(&conf.kms).await,
+        )
+        .await?;
+
+        if request_admin_api_key != admin_api_key.peek() {
+            Err(report!(errors::ApiErrorResponse::Unauthorized)
+                .attach_printable("Recon Admin Authentication Failure"))?;
+        }
+
+        Ok(((), AuthenticationType::NoAuth))
+    }
+}
+
+#[cfg(feature = "recon")]
+pub struct ReconJWT;
+#[cfg(feature = "recon")]
+pub struct ReconUser {
+    pub user_id: String,
+}
+#[cfg(feature = "recon")]
+impl AuthInfo for ReconUser {
+    fn get_merchant_id(&self) -> Option<&str> {
+        None
+    }
+}
+#[cfg(all(feature = "olap", feature = "recon"))]
+#[async_trait]
+impl AuthenticateAndFetch<ReconUser, AppState> for ReconJWT {
+    async fn authenticate_and_fetch(
+        &self,
+        request_headers: &HeaderMap,
+        state: &AppState,
+    ) -> RouterResult<(ReconUser, AuthenticationType)> {
+        let payload = parse_jwt_payload::<AppState, ReconToken>(request_headers, state).await?;
+
+        Ok((
+            ReconUser {
+                user_id: payload.user_id,
+            },
+            AuthenticationType::NoAuth,
+        ))
+    }
+}