docs(openapi): document security schemes (#676)

Co-authored-by: Arun Raj M <jarnura47@gmail.com>

crates/router/src/openapi.rs

@@ -64,7 +64,6 @@ Never share your secret api keys. Keep them guarded and secure.
         crate::routes::refunds::refunds_retrieve,
         crate::routes::refunds::refunds_update,
         crate::routes::refunds::refunds_list,
-        crate::routes::refunds::refunds_create,
         crate::routes::admin::merchant_account_create,
         crate::routes::admin::retrieve_merchant_account,
         crate::routes::admin::update_merchant_account,
@@ -142,6 +141,7 @@ Never share your secret api keys. Keep them guarded and secure.
         api_models::enums::MandateStatus,
         api_models::enums::PaymentExperience,
         api_models::enums::BankNames,
+        api_models::enums::CardNetwork,
         api_models::admin::PaymentConnectorCreate,
         api_models::admin::PaymentMethodsEnabled,
         api_models::payments::AddressDetails,
@@ -211,6 +211,52 @@ Never share your secret api keys. Keep them guarded and secure.
         crate::types::api::api_keys::RetrieveApiKeyResponse,
         crate::types::api::api_keys::RevokeApiKeyResponse,
         crate::types::api::api_keys::UpdateApiKeyRequest
-    ))
+    )),
+    modifiers(&SecurityAddon)
 )]
 pub struct ApiDoc;
+
+struct SecurityAddon;
+
+impl utoipa::Modify for SecurityAddon {
+    fn modify(&self, openapi: &mut utoipa::openapi::OpenApi) {
+        use utoipa::openapi::security::{ApiKey, ApiKeyValue, SecurityScheme};
+
+        if let Some(components) = openapi.components.as_mut() {
+            components.add_security_schemes_from_iter([
+                (
+                    "api_key",
+                    SecurityScheme::ApiKey(ApiKey::Header(ApiKeyValue::with_description(
+                        "api-key",
+                        "API keys are the most common method of authentication and can be obtained \
+                         from the HyperSwitch dashboard."
+                    ))),
+                ),
+                (
+                    "admin_api_key",
+                    SecurityScheme::ApiKey(ApiKey::Header(ApiKeyValue::with_description(
+                        "api-key",
+                        "Admin API keys allow you to perform some privileged actions such as \
+                         creating a merchant account and payment connector account."
+                    ))),
+                ),
+                (
+                    "publishable_key",
+                    SecurityScheme::ApiKey(ApiKey::Header(ApiKeyValue::with_description(
+                        "api-key",
+                        "Publishable keys are a type of keys that can be public and have limited \
+                         scope of usage."
+                    ))),
+                ),
+                (
+                    "ephemeral_key",
+                    SecurityScheme::ApiKey(ApiKey::Header(ApiKeyValue::with_description(
+                        "api-key",
+                        "Ephemeral keys provide temporary access to singular data, such as access \
+                         to a single customer object for a short period of time."
+                    ))),
+                ),
+            ]);
+        }
+    }
+}

crates/router/src/routes/admin.rs

@@ -21,7 +21,8 @@ use crate::{
         (status = 400, description = "Invalid data")
     ),
     tag = "Merchant Account",
-    operation_id = "Create a Merchant Account"
+    operation_id = "Create a Merchant Account",
+    security(("admin_api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::MerchantsAccountCreate))]
 pub async fn merchant_account_create(
@@ -52,7 +53,8 @@ pub async fn merchant_account_create(
         (status = 404, description = "Merchant account not found")
     ),
     tag = "Merchant Account",
-    operation_id = "Retrieve a Merchant Account"
+    operation_id = "Retrieve a Merchant Account",
+    security(("admin_api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::MerchantsAccountRetrieve))]
 pub async fn retrieve_merchant_account(
@@ -88,7 +90,8 @@ pub async fn retrieve_merchant_account(
         (status = 404, description = "Merchant account not found")
     ),
     tag = "Merchant Account",
-    operation_id = "Update a Merchant Account"
+    operation_id = "Update a Merchant Account",
+    security(("admin_api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::MerchantsAccountUpdate))]
 pub async fn update_merchant_account(
@@ -121,7 +124,8 @@ pub async fn update_merchant_account(
         (status = 404, description = "Merchant account not found")
     ),
     tag = "Merchant Account",
-    operation_id = "Delete a Merchant Account"
+    operation_id = "Delete a Merchant Account",
+    security(("admin_api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::MerchantsAccountDelete))]
 // #[delete("/{id}")]
@@ -157,7 +161,8 @@ pub async fn delete_merchant_account(
         (status = 400, description = "Missing Mandatory fields"),
     ),
     tag = "Merchant Connector Account",
-    operation_id = "Create a Merchant Connector"
+    operation_id = "Create a Merchant Connector",
+    security(("admin_api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentConnectorsCreate))]
 pub async fn payment_connector_create(
@@ -194,7 +199,8 @@ pub async fn payment_connector_create(
         (status = 401, description = "Unauthorized request")
     ),
     tag = "Merchant Connector Account",
-    operation_id = "Retrieve a Merchant Connector"
+    operation_id = "Retrieve a Merchant Connector",
+    security(("admin_api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentConnectorsRetrieve))]
 pub async fn payment_connector_retrieve(
@@ -236,7 +242,8 @@ pub async fn payment_connector_retrieve(
         (status = 401, description = "Unauthorized request")
     ),
     tag = "Merchant Connector Account",
-    operation_id = "List all Merchant Connectors"
+    operation_id = "List all Merchant Connectors",
+    security(("admin_api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentConnectorsList))]
 pub async fn payment_connector_list(
@@ -273,7 +280,8 @@ pub async fn payment_connector_list(
         (status = 401, description = "Unauthorized request")
     ),
    tag = "Merchant Connector Account",
-   operation_id = "Update a Merchant Connector"
+   operation_id = "Update a Merchant Connector",
+   security(("admin_api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentConnectorsUpdate))]
 pub async fn payment_connector_update(
@@ -312,7 +320,8 @@ pub async fn payment_connector_update(
         (status = 401, description = "Unauthorized request")
     ),
     tag = "Merchant Connector Account",
-    operation_id = "Delete a Merchant Connector"
+    operation_id = "Delete a Merchant Connector",
+    security(("admin_api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentConnectorsDelete))]
 pub async fn payment_connector_delete(

crates/router/src/routes/api_keys.rs

@@ -21,7 +21,8 @@ use crate::{
         (status = 400, description = "Invalid data")
     ),
     tag = "API Key",
-    operation_id = "Create an API Key"
+    operation_id = "Create an API Key",
+    security(("admin_api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::ApiKeyCreate))]
 pub async fn api_key_create(
@@ -57,7 +58,8 @@ pub async fn api_key_create(
         (status = 404, description = "API Key not found")
     ),
     tag = "API Key",
-    operation_id = "Retrieve an API Key"
+    operation_id = "Retrieve an API Key",
+    security(("admin_api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::ApiKeyRetrieve))]
 pub async fn api_key_retrieve(
@@ -90,7 +92,8 @@ pub async fn api_key_retrieve(
         (status = 404, description = "API Key not found")
     ),
     tag = "API Key",
-    operation_id = "Update an API Key"
+    operation_id = "Update an API Key",
+    security(("admin_api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::ApiKeyUpdate))]
 pub async fn api_key_update(
@@ -125,7 +128,8 @@ pub async fn api_key_update(
         (status = 404, description = "API Key not found")
     ),
     tag = "API Key",
-    operation_id = "Revoke an API Key"
+    operation_id = "Revoke an API Key",
+    security(("admin_api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::ApiKeyRevoke))]
 pub async fn api_key_revoke(
@@ -159,7 +163,8 @@ pub async fn api_key_revoke(
         (status = 200, description = "List of API Keys retrieved successfully", body = Vec<RetrieveApiKeyResponse>),
     ),
     tag = "API Key",
-    operation_id = "List all API Keys associated with a merchant account"
+    operation_id = "List all API Keys associated with a merchant account",
+    security(("admin_api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::ApiKeyList))]
 pub async fn api_key_list(

crates/router/src/routes/customers.rs

@@ -20,8 +20,9 @@ use crate::{
         (status = 200, description = "Customer Created", body = CustomerResponse),
         (status = 400, description = "Invalid data")
     ),
-     tag = "Customers",
-     operation_id = "Create a Customer"
+    tag = "Customers",
+    operation_id = "Create a Customer",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::CustomersCreate))]
 pub async fn customers_create(
@@ -52,7 +53,8 @@ pub async fn customers_create(
         (status = 404, description = "Customer was not found")
     ),
     tag = "Customers",
-     operation_id = "Retrieve a Customer"
+    operation_id = "Retrieve a Customer",
+    security(("api_key" = []), ("ephemeral_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::CustomersRetrieve))]
 pub async fn customers_retrieve(
@@ -95,7 +97,8 @@ pub async fn customers_retrieve(
         (status = 404, description = "Customer was not found")
     ),
     tag = "Customers",
-     operation_id = "Update a Customer"
+    operation_id = "Update a Customer",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::CustomersUpdate))]
 pub async fn customers_update(
@@ -129,7 +132,8 @@ pub async fn customers_update(
         (status = 404, description = "Customer was not found")
     ),
     tag = "Customers",
-     operation_id = "Delete a Customer"
+    operation_id = "Delete a Customer",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::CustomersDelete))]
 pub async fn customers_delete(

crates/router/src/routes/mandates.rs

@@ -23,7 +23,8 @@ use crate::{
         (status = 404, description = "Mandate does not exist in our records")
     ),
     tag = "Mandates",
-    operation_id = "Retrieve a Mandate"
+    operation_id = "Retrieve a Mandate",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::MandatesRetrieve))]
 // #[get("/{id}")]
@@ -60,7 +61,8 @@ pub async fn get_mandate(
         (status = 400, description = "Mandate does not exist in our records")
     ),
     tag = "Mandates",
-     operation_id = "Revoke a Mandate"
+    operation_id = "Revoke a Mandate",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::MandatesRevoke))]
 // #[post("/revoke/{id}")]

crates/router/src/routes/payment_methods.rs

@@ -21,7 +21,8 @@ use crate::{
         (status = 400, description = "Invalid Data")
     ),
     tag = "Payment Methods",
-    operation_id = "Create a Payment Method"
+    operation_id = "Create a Payment Method",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentMethodsCreate))]
 pub async fn create_payment_method_api(
@@ -63,7 +64,8 @@ pub async fn create_payment_method_api(
         (status = 404, description = "Payment Methods does not exist in records")
     ),
     tag = "Payment Methods",
-    operation_id = "List all Payment Methods for a Merchant"
+    operation_id = "List all Payment Methods for a Merchant",
+    security(("api_key" = []), ("publishable_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentMethodsList))]
 pub async fn list_payment_method_api(
@@ -110,7 +112,8 @@ pub async fn list_payment_method_api(
         (status = 404, description = "Payment Methods does not exist in records")
     ),
     tag = "Payment Methods",
-    operation_id = "List all Payment Methods for a Customer"
+    operation_id = "List all Payment Methods for a Customer",
+    security(("api_key" = []), ("ephemeral_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::CustomerPaymentMethodsList))]
 pub async fn list_customer_payment_method_api(
@@ -154,7 +157,8 @@ pub async fn list_customer_payment_method_api(
         (status = 404, description = "Payment Method does not exist in records")
     ),
     tag = "Payment Methods",
-    operation_id = "Retrieve a Payment method"
+    operation_id = "Retrieve a Payment method",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentMethodsRetrieve))]
 pub async fn payment_method_retrieve_api(
@@ -193,7 +197,8 @@ pub async fn payment_method_retrieve_api(
         (status = 404, description = "Payment Method does not exist in records")
     ),
     tag = "Payment Methods",
-    operation_id = "Update a Payment method"
+    operation_id = "Update a Payment method",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentMethodsUpdate))]
 pub async fn payment_method_update_api(
@@ -236,7 +241,8 @@ pub async fn payment_method_update_api(
         (status = 404, description = "Payment Method does not exist in records")
     ),
     tag = "Payment Methods",
-    operation_id = "Delete a Payment method"
+    operation_id = "Delete a Payment method",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentMethodsDelete))]
 pub async fn payment_method_delete_api(

crates/router/src/routes/payments.rs

@@ -22,7 +22,8 @@ use crate::{
         (status = 400, description = "Missing Mandatory fields")
     ),
     tag = "Payments",
-    operation_id = "Create a Payment"
+    operation_id = "Create a Payment",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentsCreate))]
 // #[post("")]
@@ -120,7 +121,8 @@ pub async fn payments_start(
         (status = 404, description = "No payment found")
     ),
     tag = "Payments",
-    operation_id = "Retrieve a Payment"
+    operation_id = "Retrieve a Payment",
+    security(("api_key" = []), ("publishable_key" = []))
 )]
 #[instrument(skip(state), fields(flow = ?Flow::PaymentsRetrieve))]
 // #[get("/{payment_id}")]
@@ -177,7 +179,8 @@ pub async fn payments_retrieve(
         (status = 400, description = "Missing mandatory fields")
     ),
     tag = "Payments",
-    operation_id = "Update a Payment"
+    operation_id = "Update a Payment",
+    security(("api_key" = []), ("publishable_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentsUpdate))]
 // #[post("/{payment_id}")]
@@ -236,7 +239,8 @@ pub async fn payments_update(
         (status = 400, description = "Missing mandatory fields")
     ),
     tag = "Payments",
-    operation_id = "Confirm a Payment"
+    operation_id = "Confirm a Payment",
+    security(("api_key" = []), ("publishable_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentsConfirm))]
 // #[post("/{payment_id}/confirm")]
@@ -296,7 +300,8 @@ pub async fn payments_confirm(
         (status = 400, description = "Missing mandatory fields")
     ),
     tag = "Payments",
-    operation_id = "Capture a Payment"
+    operation_id = "Capture a Payment",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentsCapture))]
 // #[post("/{payment_id}/capture")]
@@ -343,7 +348,8 @@ pub async fn payments_capture(
         (status = 400, description = "Missing mandatory fields")
     ),
     tag = "Payments",
-    operation_id = "Create Session tokens for a Payment"
+    operation_id = "Create Session tokens for a Payment",
+    security(("publishable_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentsSessionToken))]
 pub async fn payments_connector_session(
@@ -444,7 +450,8 @@ pub async fn payments_redirect_response(
         (status = 400, description = "Missing mandatory fields")
     ),
     tag = "Payments",
-    operation_id = "Cancel a Payment"
+    operation_id = "Cancel a Payment",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentsCancel))]
 // #[post("/{payment_id}/cancel")]
@@ -500,7 +507,8 @@ pub async fn payments_cancel(
         (status = 404, description = "No payments found")
     ),
     tag = "Payments",
-    operation_id = "List all Payments"
+    operation_id = "List all Payments",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::PaymentsList))]
 #[cfg(feature = "olap")]

crates/router/src/routes/refunds.rs

@@ -21,7 +21,8 @@ use crate::{
         (status = 400, description = "Missing Mandatory fields")
     ),
     tag = "Refunds",
-    operation_id = "Create a Refund"
+    operation_id = "Create a Refund",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::RefundsCreate))]
 // #[post("")]
@@ -55,7 +56,8 @@ pub async fn refunds_create(
         (status = 404, description = "Refund does not exist in our records")
     ),
     tag = "Refunds",
-    operation_id = "Retrieve a Refund"
+    operation_id = "Retrieve a Refund",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::RefundsRetrieve))]
 // #[get("/{id}")]
@@ -94,7 +96,8 @@ pub async fn refunds_retrieve(
         (status = 400, description = "Missing Mandatory fields")
     ),
     tag = "Refunds",
-    operation_id = "Update a Refund"
+    operation_id = "Update a Refund",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::RefundsUpdate))]
 // #[post("/{id}")]
@@ -138,7 +141,8 @@ pub async fn refunds_update(
         (status = 404, description = "Refund does not exist in our records")
     ),
     tag = "Refunds",
-    operation_id = "List all Refunds"
+    operation_id = "List all Refunds",
+    security(("api_key" = []))
 )]
 #[instrument(skip_all, fields(flow = ?Flow::RefundsList))]
 #[cfg(feature = "olap")]