feat(router): restricted customer update in payments-confirm and payments-update call via clientAuth (#1659)

Co-authored-by: Sahkal Poddar <sahkal.poddar@juspay.in>
Co-authored-by: Arun Raj M <jarnura47@gmail.com>

crates/router/src/core/payments/helpers.rs

@@ -2550,3 +2550,28 @@ pub async fn get_additional_payment_data(
         }
     }
 }
+
+pub fn validate_customer_access(
+    payment_intent: &storage::PaymentIntent,
+    auth_flow: services::AuthFlow,
+    request: &api::PaymentsRequest,
+) -> Result<(), errors::ApiErrorResponse> {
+    if auth_flow == services::AuthFlow::Client && request.customer_id.is_some() {
+        let is_not_same_customer = request
+            .clone()
+            .customer_id
+            .and_then(|customer| {
+                payment_intent
+                    .clone()
+                    .customer_id
+                    .map(|payment_customer| payment_customer != customer)
+            })
+            .unwrap_or(false);
+        if is_not_same_customer {
+            Err(errors::ApiErrorResponse::GenericUnauthorized {
+                message: "Unauthorised access to update customer".to_string(),
+            })?;
+        }
+    }
+    Ok(())
+}