feat(payments): add client_secret auth for payments retrieve (#1663)

2025-10-28 04:04:55 +08:00 · 2023-07-10 13:21:10 +05:30
parent be5d55c98f
commit b428298030
9 changed files with 52 additions and 14 deletions
--- a/crates/api_models/src/payments.rs
+++ b/crates/api_models/src/payments.rs
@ -1790,6 +1790,8 @@ pub struct PaymentsRetrieveRequest {
    /// Merchant connector details used to make payments.
    #[schema(value_type = Option<MerchantConnectorDetailsWrap>)]
    pub merchant_connector_details: Option<admin::MerchantConnectorDetailsWrap>,
+    /// This is a token which expires after 15 minutes, used from the client to authenticate and create sessions from the SDK
+    pub client_secret: Option<String>,
 }

 #[derive(Debug, Default, Eq, PartialEq, serde::Deserialize, serde::Serialize, Clone, ToSchema)]
@ -2181,6 +2183,8 @@ pub struct PaymentRetrieveBody {
    pub merchant_id: Option<String>,
    /// Decider to enable or disable the connector call for retrieve request
    pub force_sync: Option<bool>,
+    /// This is a token which expires after 15 minutes, used from the client to authenticate and create sessions from the SDK
+    pub client_secret: Option<String>,
 }

 #[derive(Default, Debug, serde::Deserialize, serde::Serialize, Clone, ToSchema)]
--- a/crates/router/src/compatibility/stripe/payment_intents.rs
+++ b/crates/router/src/compatibility/stripe/payment_intents.rs
@ -70,6 +70,7 @@ pub async fn payment_intents_retrieve(
    state: web::Data<routes::AppState>,
    req: HttpRequest,
    path: web::Path<String>,
+    query_payload: web::Query<types::StripePaymentRetrieveBody>,
 ) -> HttpResponse {
    let payload = payment_types::PaymentsRetrieveRequest {
        resource_id: api_types::PaymentIdType::PaymentIntentId(path.to_string()),
@ -78,12 +79,14 @@ pub async fn payment_intents_retrieve(
        connector: None,
        param: None,
        merchant_connector_details: None,
+        client_secret: query_payload.client_secret.clone(),
    };

-    let (auth_type, auth_flow) = match auth::get_auth_type_and_flow(req.headers()) {
-        Ok(auth) => auth,
-        Err(err) => return api::log_and_return_error_response(report!(err)),
-    };
+    let (auth_type, auth_flow) =
+        match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+            Ok(auth) => auth,
+            Err(err) => return api::log_and_return_error_response(report!(err)),
+        };

    let flow = Flow::PaymentsRetrieve;

--- a/crates/router/src/compatibility/stripe/payment_intents/types.rs
+++ b/crates/router/src/compatibility/stripe/payment_intents/types.rs
@ -718,3 +718,8 @@ pub(crate) fn into_stripe_next_action(
        }
    })
 }
+
+#[derive(Deserialize, Clone)]
+pub struct StripePaymentRetrieveBody {
+    pub client_secret: Option<String>,
+}
--- a/crates/router/src/compatibility/stripe/setup_intents.rs
+++ b/crates/router/src/compatibility/stripe/setup_intents.rs
@ -6,7 +6,10 @@ use error_stack::report;
 use router_env::{instrument, tracing, Flow};

 use crate::{
-    compatibility::{stripe::errors, wrap},
+    compatibility::{
+        stripe::{errors, payment_intents::types as stripe_payment_types},
+        wrap,
+    },
    core::payments,
    routes,
    services::{api, authentication as auth},
@ -71,6 +74,7 @@ pub async fn setup_intents_retrieve(
    state: web::Data<routes::AppState>,
    req: HttpRequest,
    path: web::Path<String>,
+    query_payload: web::Query<stripe_payment_types::StripePaymentRetrieveBody>,
 ) -> HttpResponse {
    let payload = payment_types::PaymentsRetrieveRequest {
        resource_id: api_types::PaymentIdType::PaymentIntentId(path.to_string()),
@ -79,12 +83,14 @@ pub async fn setup_intents_retrieve(
        connector: None,
        param: None,
        merchant_connector_details: None,
+        client_secret: query_payload.client_secret.clone(),
    };

-    let (auth_type, auth_flow) = match auth::get_auth_type_and_flow(req.headers()) {
-        Ok(auth) => auth,
-        Err(err) => return api::log_and_return_error_response(report!(err)),
-    };
+    let (auth_type, auth_flow) =
+        match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+            Ok(auth) => auth,
+            Err(err) => return api::log_and_return_error_response(report!(err)),
+        };

    let flow = Flow::PaymentsRetrieve;

--- a/crates/router/src/core/payments.rs
+++ b/crates/router/src/core/payments.rs
@ -486,6 +486,7 @@ impl PaymentRedirectFlow for PaymentRedirectSync {
                    encoded_data: None,
                }
            }),
+            client_secret: None,
        };
        payments_core::<api::PSync, api::PaymentsResponse, _, _, _>(
            state,
--- a/crates/router/src/core/webhooks.rs
+++ b/crates/router/src/core/webhooks.rs
@ -55,6 +55,7 @@ pub async fn payments_incoming_webhook_flow<W: api::OutgoingWebhookType>(
                    connector: None,
                    param: None,
                    merchant_connector_details: None,
+                    client_secret: None,
                },
                services::AuthFlow::Merchant,
                consume_or_trigger_flow,
--- a/crates/router/src/routes/payments.rs
+++ b/crates/router/src/routes/payments.rs
@ -148,12 +148,14 @@ pub async fn payments_retrieve(
        resource_id: payment_types::PaymentIdType::PaymentIntentId(path.to_string()),
        merchant_id: json_payload.merchant_id.clone(),
        force_sync: json_payload.force_sync.unwrap_or(false),
+        client_secret: json_payload.client_secret.clone(),
        ..Default::default()
    };
-    let (auth_type, _auth_flow) = match auth::get_auth_type_and_flow(req.headers()) {
-        Ok(auth) => auth,
-        Err(err) => return api::log_and_return_error_response(report!(err)),
-    };
+    let (auth_type, auth_flow) =
+        match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
+            Ok(auth) => auth,
+            Err(err) => return api::log_and_return_error_response(report!(err)),
+        };

    api::server_wrap(
        flow,
@ -167,7 +169,7 @@ pub async fn payments_retrieve(
                auth.key_store,
                payments::PaymentStatus,
                req,
-                api::AuthFlow::Merchant,
+                auth_flow,
                payments::CallConnectorAction::Trigger,
            )
        },
--- a/crates/router/src/services/authentication.rs
+++ b/crates/router/src/services/authentication.rs
@ -372,6 +372,12 @@ impl ClientSecretFetch for api_models::cards_info::CardsInfoRequest {
    }
 }

+impl ClientSecretFetch for api_models::payments::PaymentsRetrieveRequest {
+    fn get_client_secret(&self) -> Option<&String> {
+        self.client_secret.as_ref()
+    }
+}
+
 pub fn get_auth_type_and_flow<A: AppStateInfo + Sync>(
    headers: &HeaderMap,
 ) -> RouterResult<(
--- a/openapi/openapi_spec.json
+++ b/openapi/openapi_spec.json
@ -6460,6 +6460,11 @@
            "type": "boolean",
            "description": "Decider to enable or disable the connector call for retrieve request",
            "nullable": true
+          },
+          "client_secret": {
+            "type": "string",
+            "description": "This is a token which expires after 15 minutes, used from the client to authenticate and create sessions from the SDK",
+            "nullable": true
          }
        }
      },
@ -7577,6 +7582,11 @@
              }
            ],
            "nullable": true
+          },
+          "client_secret": {
+            "type": "string",
+            "description": "This is a token which expires after 15 minutes, used from the client to authenticate and create sessions from the SDK",
+            "nullable": true
          }
        }
      },