From b428298030b3c04a249f175b51b7904ab96e2ce7 Mon Sep 17 00:00:00 2001
From: Abhishek Marrivagu <68317979+Abhicodes-crypto@users.noreply.github.com>
Date: Mon, 10 Jul 2023 13:21:10 +0530
Subject: [PATCH] feat(payments): add client_secret auth for payments retrieve (#1663)
---
 crates/api_models/src/payments.rs | 4 ++++
 .../src/compatibility/stripe/payment_intents.rs | 11 +++++++----
 .../stripe/payment_intents/types.rs | 5 +++++
 .../src/compatibility/stripe/setup_intents.rs | 16 +++++++++++-----
 crates/router/src/core/payments.rs | 1 +
 crates/router/src/core/webhooks.rs | 1 +
 crates/router/src/routes/payments.rs | 12 +++++++-----
 crates/router/src/services/authentication.rs | 6 ++++++
 openapi/openapi_spec.json | 10 ++++++++++
 9 files changed, 52 insertions(+), 14 deletions(-)
diff --git a/crates/api_models/src/payments.rs b/crates/api_models/src/payments.rs
index 50eb552ee5..7101f598db 100644
--- a/crates/api_models/src/payments.rs
+++ b/crates/api_models/src/payments.rs
@@ -1790,6 +1790,8 @@ pub struct PaymentsRetrieveRequest {
 /// Merchant connector details used to make payments.
 #[schema(value_type = Option)]
 pub merchant_connector_details: Option,
+ /// This is a token which expires after 15 minutes, used from the client to authenticate and create sessions from the SDK
+ pub client_secret: Option,
 }
 #[derive(Debug, Default, Eq, PartialEq, serde::Deserialize, serde::Serialize, Clone, ToSchema)]
@@ -2181,6 +2183,8 @@ pub struct PaymentRetrieveBody {
 pub merchant_id: Option,
 /// Decider to enable or disable the connector call for retrieve request
 pub force_sync: Option,
+ /// This is a token which expires after 15 minutes, used from the client to authenticate and create sessions from the SDK
+ pub client_secret: Option,
 }
 #[derive(Default, Debug, serde::Deserialize, serde::Serialize, Clone, ToSchema)]
diff --git a/crates/router/src/compatibility/stripe/payment_intents.rs b/crates/router/src/compatibility/stripe/payment_intents.rs
index f6fdfedf47..165317775c 100644
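Review bot: The doc comment added on `client_secret` in `PaymentsRetrieveRequest` talks about creating sessions from the SDK rather than what the field does on a retrieve call, and the same sentence is repeated on `PaymentRetrieveBody` in the second hunk and in both openapi_spec.json entries. Something like `/// Client secret of the payment being retrieved; lets a client-side caller authenticate the retrieve without the merchant API key` would match how the handlers in this patch use it, with the wording to be confirmed against `check_client_secret_and_get_auth`, which is not shown. The field is a plain `Option<String>` and the struct's derive list is outside the hunk; if it derives `Debug` like the neighbouring struct, the secret is printed wherever the request is logged, so it is worth keeping it out of debug output.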
--- a/crates/router/src/compatibility/stripe/payment_intents.rs
+++ b/crates/router/src/compatibility/stripe/payment_intents.rs
@@ -70,6 +70,7 @@ pub async fn payment_intents_retrieve(
 state: web::Data,
 req: HttpRequest,
 path: web::Path,
+ query_payload: web::Query,
 ) -> HttpResponse {
 let payload = payment_types::PaymentsRetrieveRequest {
 resource_id: api_types::PaymentIdType::PaymentIntentId(path.to_string()),
@@ -78,12 +79,14 @@ pub async fn payment_intents_retrieve(
 connector: None,
 param: None,
 merchant_connector_details: None,
+ client_secret: query_payload.client_secret.clone(),
 };
- let (auth_type, auth_flow) = match auth::get_auth_type_and_flow(req.headers()) {
- Ok(auth) => auth,
- Err(err) => return api::log_and_return_error_response(report!(err)),
- };
+ let (auth_type, auth_flow) =
+ match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+ Ok(auth) => auth,
+ Err(err) => return api::log_and_return_error_response(report!(err)),
+ };
 let flow = Flow::PaymentsRetrieve;
diff --git a/crates/router/src/compatibility/stripe/payment_intents/types.rs b/crates/router/src/compatibility/stripe/payment_intents/types.rs
index d592904434..de8af66214 100644
--- a/crates/router/src/compatibility/stripe/payment_intents/types.rs
+++ b/crates/router/src/compatibility/stripe/payment_intents/types.rs
@@ -718,3 +718,8 @@ pub(crate) fn into_stripe_next_action(
 }
 })
 }
+
+#[derive(Deserialize, Clone)]
+pub struct StripePaymentRetrieveBody {
+ pub client_secret: Option,
+}
diff --git a/crates/router/src/compatibility/stripe/setup_intents.rs b/crates/router/src/compatibility/stripe/setup_intents.rs
index 941afaeb49..8665031140 100644
--- a/crates/router/src/compatibility/stripe/setup_intents.rs
+++ b/crates/router/src/compatibility/stripe/setup_intents.rs
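Review bot: `payment_intents_retrieve` now reads the client secret from the query string through the new `query_payload: web::Query` parameter, so the secret becomes part of the request URL and can be captured by access logs, reverse proxies and any tracing that records the full URI. The same parameter is added to `setup_intents_retrieve` in setup_intents.rs. I would add a comment at the parameter, e.g. `// client_secret travels in the URL: request/URI logging must redact it`, and confirm that the logging middleware actually does so. The function body continues outside the hunk.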
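Review bot: Nothing in this patch compares the supplied `client_secret` with the secret stored for the payment named in `path`; the second hunk of payment_intents.rs only copies it into the payload and lets `check_client_secret_and_get_auth` pick the auth type and flow. Unless that helper or the `PaymentStatus` operation already rejects a mismatched or expired secret (neither is shown here), a caller on the client flow would be able to read other payments of the same merchant by id. The same switch is made in `setup_intents_retrieve` and in `payments_retrieve` in routes/payments.rs, so one check in the shared retrieve path, plus a test that a wrong secret is rejected, would cover all three. The handler starts and ends outside the hunk.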
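Review bot: `StripePaymentRetrieveBody` in payment_intents/types.rs has no doc comment and is named a body although both handlers in this patch deserialize it with `web::Query`. A line such as `/// Query parameters accepted by the Stripe-compatible payment intent and setup intent retrieve endpoints` would make that clear. Leaving `Debug` off the derive list suits a struct that only holds a secret; a short comment saying so would stop it being added later.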
@@ -6,7 +6,10 @@ use error_stack::report;
 use router_env::{instrument, tracing, Flow};
 use crate::{
- compatibility::{stripe::errors, wrap},
+ compatibility::{
+ stripe::{errors, payment_intents::types as stripe_payment_types},
+ wrap,
+ },
 core::payments,
 routes,
 services::{api, authentication as auth},
@@ -71,6 +74,7 @@ pub async fn setup_intents_retrieve(
 state: web::Data,
 req: HttpRequest,
 path: web::Path,
+ query_payload: web::Query,
 ) -> HttpResponse {
 let payload = payment_types::PaymentsRetrieveRequest {
 resource_id: api_types::PaymentIdType::PaymentIntentId(path.to_string()),
@@ -79,12 +83,14 @@ pub async fn setup_intents_retrieve(
 connector: None,
 param: None,
 merchant_connector_details: None,
+ client_secret: query_payload.client_secret.clone(),
 };
- let (auth_type, auth_flow) = match auth::get_auth_type_and_flow(req.headers()) {
- Ok(auth) => auth,
- Err(err) => return api::log_and_return_error_response(report!(err)),
- };
+ let (auth_type, auth_flow) =
+ match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+ Ok(auth) => auth,
+ Err(err) => return api::log_and_return_error_response(report!(err)),
+ };
 let flow = Flow::PaymentsRetrieve;
diff --git a/crates/router/src/core/payments.rs b/crates/router/src/core/payments.rs
index b077318e12..c82044fdf7 100644
--- a/crates/router/src/core/payments.rs
+++ b/crates/router/src/core/payments.rs
@@ -486,6 +486,7 @@ impl PaymentRedirectFlow for PaymentRedirectSync {
 encoded_data: None,
 }
 }),
+ client_secret: None,
 };
 payments_core::(
 state,
diff --git a/crates/router/src/core/webhooks.rs b/crates/router/src/core/webhooks.rs
index ce7fa8f25d..9c0d88be62 100644
--- a/crates/router/src/core/webhooks.rs
+++ b/crates/router/src/core/webhooks.rs
@@ -55,6 +55,7 @@ pub async fn payments_incoming_webhook_flow(
 connector: None,
 param: None,
 merchant_connector_details: None,
+ client_secret: None,
 },
 services::AuthFlow::Merchant,
 consume_or_trigger_flow,
diff --git a/crates/router/src/routes/payments.rs b/crates/router/src/routes/payments.rs
index c862351b74..492d551140 100644
--- a/crates/router/src/routes/payments.rs
+++ b/crates/router/src/routes/payments.rs
@@ -148,12 +148,14 @@ pub async fn payments_retrieve(
 resource_id: payment_types::PaymentIdType::PaymentIntentId(path.to_string()),
 merchant_id: json_payload.merchant_id.clone(),
 force_sync: json_payload.force_sync.unwrap_or(false),
+ client_secret: json_payload.client_secret.clone(),
 ..Default::default()
 };
- let (auth_type, _auth_flow) = match auth::get_auth_type_and_flow(req.headers()) {
- Ok(auth) => auth,
- Err(err) => return api::log_and_return_error_response(report!(err)),
- };
+ let (auth_type, auth_flow) =
+ match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+ Ok(auth) => auth,
+ Err(err) => return api::log_and_return_error_response(report!(err)),
+ };
 api::server_wrap(
 flow,
@@ -167,7 +169,7 @@ pub async fn payments_retrieve(
 auth.key_store,
 payments::PaymentStatus,
 req,
- api::AuthFlow::Merchant,
+ auth_flow,
 payments::CallConnectorAction::Trigger,
 )
 },
diff --git a/crates/router/src/services/authentication.rs b/crates/router/src/services/authentication.rs
index 5744d1f899..c7aa5135af 100644
--- a/crates/router/src/services/authentication.rs
+++ b/crates/router/src/services/authentication.rs
@@ -372,6 +372,12 @@ impl ClientSecretFetch for api_models::cards_info::CardsInfoRequest {
 }
 }
+impl ClientSecretFetch for api_models::payments::PaymentsRetrieveRequest {
+ fn get_client_secret(&self) -> Option<&String> {
+ self.client_secret.as_ref()
+ }
+}
+
 pub fn get_auth_type_and_flow(
 headers: &HeaderMap,
 ) -> RouterResult<(
diff --git a/openapi/openapi_spec.json b/openapi/openapi_spec.json
index abc252e2c9..72762cec29 100644
--- a/openapi/openapi_spec.json
+++ b/openapi/openapi_spec.json
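Review bot: `force_sync` and `merchant_id` are still copied straight from the caller's payload in the first hunk of `payments_retrieve`, and with this change the request may be authenticated by a client secret instead of the merchant API key. The field's own description in this patch says `force_sync` decides whether the connector is called, so a client-side caller can now request a connector call on every retrieve. Consider honouring it only on the merchant flow, for instance by making `payload` mutable and adding `if !matches!(auth_flow, api::AuthFlow::Merchant) { payload.force_sync = false; }` after the auth lookup. Whether a payload-supplied `merchant_id` is ever trusted over the authenticated merchant is not visible here and should be checked as well; the function starts before and ends after the hunk.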
@@ -6460,6 +6460,11 @@ "type": "boolean", "description": "Decider to enable or disable the connector call for retrieve request", "nullable": true + }, + "client_secret": { + "type": "string", + "description": "This is a token which expires after 15 minutes, used from the client to authenticate and create sessions from the SDK", + "nullable": true } } }, @@ -7577,6 +7582,11 @@ } ], "nullable": true + }, + "client_secret": { + "type": "string", + "description": "This is a token which expires after 15 minutes, used from the client to authenticate and create sessions from the SDK", + "nullable": true } } },