feat(authz): Add custom role checks in authorization (#3719)

Co-authored-by: Apoorv Dixit <apoorv.dixit@juspay.in> Co-authored-by: hyperswitch-bot[bot] <148525504+hyperswitch-bot[bot]@users.noreply.github.com>
2025-10-28 04:04:55 +08:00 · 2024-02-21 19:14:36 +05:30
parent 5952017260
commit ada6a32276
15 changed files with 669 additions and 148 deletions
--- a/crates/router/src/services/authentication.rs
+++ b/crates/router/src/services/authentication.rs
@ -503,8 +503,8 @@ where
            return Err(errors::ApiErrorResponse::InvalidJwtToken.into());
        }

-        let permissions = authorization::get_permissions(&payload.role_id)?;
-        authorization::check_authorization(&self.0, permissions)?;
+        let permissions = authorization::get_permissions(state, &payload).await?;
+        authorization::check_authorization(&self.0, &permissions)?;

        Ok((
            (),
@ -532,8 +532,8 @@ where
            return Err(errors::ApiErrorResponse::InvalidJwtToken.into());
        }

-        let permissions = authorization::get_permissions(&payload.role_id)?;
-        authorization::check_authorization(&self.0, permissions)?;
+        let permissions = authorization::get_permissions(state, &payload).await?;
+        authorization::check_authorization(&self.0, &permissions)?;

        Ok((
            UserFromToken {
@ -570,8 +570,8 @@ where
            return Err(errors::ApiErrorResponse::InvalidJwtToken.into());
        }

-        let permissions = authorization::get_permissions(&payload.role_id)?;
-        authorization::check_authorization(&self.required_permission, permissions)?;
+        let permissions = authorization::get_permissions(state, &payload).await?;
+        authorization::check_authorization(&self.required_permission, &permissions)?;

        // Check if token has access to MerchantId that has been requested through query param
        if payload.merchant_id != self.merchant_id {
@ -613,8 +613,8 @@ where
            return Err(errors::ApiErrorResponse::InvalidJwtToken.into());
        }

-        let permissions = authorization::get_permissions(&payload.role_id)?;
-        authorization::check_authorization(&self.0, permissions)?;
+        let permissions = authorization::get_permissions(state, &payload).await?;
+        authorization::check_authorization(&self.0, &permissions)?;

        let key_store = state
            .store()
@ -663,8 +663,8 @@ where
            return Err(errors::ApiErrorResponse::InvalidJwtToken.into());
        }

-        let permissions = authorization::get_permissions(&payload.role_id)?;
-        authorization::check_authorization(&self.0, permissions)?;
+        let permissions = authorization::get_permissions(state, &payload).await?;
+        authorization::check_authorization(&self.0, &permissions)?;

        let key_store = state
            .store()