fix(payment): disable payment update via client config (#7970)

2025-10-31 10:06:32 +08:00 · 2025-05-07 15:54:36 +05:30
parent 1e243fada1
commit cac8723495
3 changed files with 44 additions and 1 deletions
--- a/crates/common_utils/src/id_type/merchant.rs
+++ b/crates/common_utils/src/id_type/merchant.rs
@ -219,4 +219,11 @@ impl MerchantId {
            ),
        }
    }
+    /// allow payment update via client auth default should be false
+    pub fn get_payment_update_enabled_for_client_auth_key(&self) -> String {
+        format!(
+            "payment_update_enabled_for_client_auth_{}",
+            self.get_string_repr()
+        )
+    }
 }
--- a/crates/router/src/core/payments/helpers.rs
+++ b/crates/router/src/core/payments/helpers.rs
@ -7431,3 +7431,38 @@ pub async fn validate_allowed_payment_method_types_request(

    Ok(())
 }
+
+async fn get_payment_update_enabled_for_client_auth(
+    merchant_id: &id_type::MerchantId,
+    state: &SessionState,
+) -> bool {
+    let key = merchant_id.get_payment_update_enabled_for_client_auth_key();
+    let db = &*state.store;
+    let update_enabled = db.find_config_by_key(key.as_str()).await;
+
+    match update_enabled {
+        Ok(conf) => conf.config.to_lowercase() == "true",
+        Err(error) => {
+            logger::error!(?error);
+            false
+        }
+    }
+}
+
+pub async fn allow_payment_update_enabled_for_client_auth(
+    merchant_id: &id_type::MerchantId,
+    state: &SessionState,
+    auth_flow: services::AuthFlow,
+) -> Result<(), error_stack::Report<errors::ApiErrorResponse>> {
+    match auth_flow {
+        services::AuthFlow::Client => {
+            if get_payment_update_enabled_for_client_auth(merchant_id, state).await {
+                Ok(())
+            } else {
+                Err(errors::ApiErrorResponse::InternalServerError)
+                    .attach_printable("Client auth for payment update is not enabled.")
+            }
+        }
+        services::AuthFlow::Merchant => Ok(()),
+    }
+}
--- a/crates/router/src/core/payments/operations/payment_update.rs
+++ b/crates/router/src/core/payments/operations/payment_update.rs
@ -67,7 +67,8 @@ impl<F: Send + Clone + Sync> GetTracker<F, PaymentData<F>, api::PaymentsRequest>

        let db = &*state.store;
        let key_manager_state = &state.into();
-
+        helpers::allow_payment_update_enabled_for_client_auth(merchant_id, state, auth_flow)
+            .await?;
        payment_intent = db
            .find_payment_intent_by_payment_id_merchant_id(
                key_manager_state,