fix(router): Take merchant ID from headers in API Key - Revoke (v2) (#8808)

2025-10-27 19:46:48 +08:00 · 2025-08-05 13:14:47 +05:30
parent 4d4a81e9c7
commit d164954e22
2 changed files with 17 additions and 14 deletions
--- a/crates/router/src/core/api_keys.rs
+++ b/crates/router/src/core/api_keys.rs
@ -425,18 +425,18 @@ pub async fn update_api_key_expiry_task(
 #[instrument(skip_all)]
 pub async fn revoke_api_key(
    state: SessionState,
-    merchant_id: &common_utils::id_type::MerchantId,
+    merchant_id: common_utils::id_type::MerchantId,
    key_id: &common_utils::id_type::ApiKeyId,
 ) -> RouterResponse<api::RevokeApiKeyResponse> {
    let store = state.store.as_ref();

    let api_key = store
-        .find_api_key_by_merchant_id_key_id_optional(merchant_id, key_id)
+        .find_api_key_by_merchant_id_key_id_optional(&merchant_id, key_id)
        .await
        .to_not_found_response(errors::ApiErrorResponse::ApiKeyNotFound)?;

    let revoked = store
-        .revoke_api_key(merchant_id, key_id)
+        .revoke_api_key(&merchant_id, key_id)
        .await
        .to_not_found_response(errors::ApiErrorResponse::ApiKeyNotFound)?;

--- a/crates/router/src/routes/api_keys.rs
+++ b/crates/router/src/routes/api_keys.rs
@ -243,7 +243,9 @@ pub async fn api_key_revoke(
        state,
        &req,
        (&merchant_id, &key_id),
-        |state, _, (merchant_id, key_id), _| api_keys::revoke_api_key(state, merchant_id, key_id),
+        |state, _, (merchant_id, key_id), _| {
+            api_keys::revoke_api_key(state, merchant_id.clone(), key_id)
+        },
        auth::auth_type(
            &auth::PlatformOrgAdminAuthWithMerchantIdFromRoute {
                merchant_id_from_route: merchant_id.clone(),
@ -265,24 +267,25 @@ pub async fn api_key_revoke(
 pub async fn api_key_revoke(
    state: web::Data<AppState>,
    req: HttpRequest,
-    path: web::Path<(
-        common_utils::id_type::MerchantId,
-        common_utils::id_type::ApiKeyId,
-    )>,
+    path: web::Path<common_utils::id_type::ApiKeyId>,
 ) -> impl Responder {
    let flow = Flow::ApiKeyRevoke;
-    let (merchant_id, key_id) = path.into_inner();
+    let key_id = path.into_inner();

    Box::pin(api::server_wrap(
        flow,
        state,
        &req,
-        (&merchant_id, &key_id),
-        |state, _, (merchant_id, key_id), _| api_keys::revoke_api_key(state, merchant_id, key_id),
+        &key_id,
+        |state,
+         auth::AuthenticationDataWithoutProfile {
+             merchant_account, ..
+         },
+         key_id,
+         _| api_keys::revoke_api_key(state, merchant_account.get_id().to_owned(), key_id),
        auth::auth_type(
-            &auth::V2AdminApiAuth,
-            &auth::JWTAuthMerchantFromRoute {
-                merchant_id: merchant_id.clone(),
+            &auth::AdminApiAuthWithMerchantIdFromHeader,
+            &auth::JWTAuthMerchantFromHeader {
                required_permission: Permission::MerchantApiKeyWrite,
            },
            req.headers(),