feat(router): add three_ds decision rule execute api (#8148)

Co-authored-by: hyperswitch-bot[bot] <148525504+hyperswitch-bot[bot]@users.noreply.github.com>
2025-10-27 19:46:48 +08:00 · 2025-06-06 21:50:34 +05:30
parent 2c35639763
commit e90a95de6f
31 changed files with 1062 additions and 9 deletions
--- a/crates/router/src/consts.rs
+++ b/crates/router/src/consts.rs
@ -2,9 +2,9 @@ pub mod opensearch;
 #[cfg(feature = "olap")]
 pub mod user;
 pub mod user_role;
-
 use std::collections::HashSet;

+use api_models::enums::Country;
 use common_utils::consts;
 pub use hyperswitch_domain_models::consts::{
    CONNECTOR_MANDATE_REQUEST_REFERENCE_ID_LENGTH, ROUTING_ENABLED_PAYMENT_METHODS,
@ -243,3 +243,34 @@ pub const IRRELEVANT_PAYMENT_ATTEMPT_ID: &str = "irrelevant_payment_attempt_id";

 // Default payment method storing TTL in redis in seconds
 pub const DEFAULT_PAYMENT_METHOD_STORE_TTL: i64 = 86400; // 1 day
+
+// List of countries that are part of the PSD2 region
+pub const PSD2_COUNTRIES: [Country; 27] = [
+    Country::Austria,
+    Country::Belgium,
+    Country::Bulgaria,
+    Country::Croatia,
+    Country::Cyprus,
+    Country::Czechia,
+    Country::Denmark,
+    Country::Estonia,
+    Country::Finland,
+    Country::France,
+    Country::Germany,
+    Country::Greece,
+    Country::Hungary,
+    Country::Ireland,
+    Country::Italy,
+    Country::Latvia,
+    Country::Lithuania,
+    Country::Luxembourg,
+    Country::Malta,
+    Country::Netherlands,
+    Country::Poland,
+    Country::Portugal,
+    Country::Romania,
+    Country::Slovakia,
+    Country::Slovenia,
+    Country::Spain,
+    Country::Sweden,
+];
--- a/crates/router/src/core.rs
+++ b/crates/router/src/core.rs
@ -49,6 +49,7 @@ pub mod refunds_v2;
 pub mod debit_routing;
 pub mod routing;
 pub mod surcharge_decision_config;
+pub mod three_ds_decision_rule;
 #[cfg(feature = "olap")]
 pub mod user;
 #[cfg(feature = "olap")]
--- a/crates/router/src/core/payments/routing.rs
+++ b/crates/router/src/core/payments/routing.rs
@ -196,6 +196,9 @@ pub fn make_dsl_input_for_payouts(
        metadata,
        payment,
        payment_method,
+        acquirer_data: None,
+        customer_device_data: None,
+        issuer_data: None,
    })
 }

@ -308,6 +311,9 @@ pub fn make_dsl_input(
        payment: payment_input,
        payment_method: payment_method_input,
        mandate: mandate_data,
+        acquirer_data: None,
+        customer_device_data: None,
+        issuer_data: None,
    })
 }

@ -419,6 +425,9 @@ pub fn make_dsl_input(
        payment: payment_input,
        payment_method: payment_method_input,
        mandate: mandate_data,
+        acquirer_data: None,
+        customer_device_data: None,
+        issuer_data: None,
    })
 }

@ -1083,6 +1092,9 @@ pub async fn perform_session_flow_routing<'a>(
            mandate_type: None,
            payment_type: None,
        },
+        acquirer_data: None,
+        customer_device_data: None,
+        issuer_data: None,
    };

    for connector_data in session_input.chosen.iter() {
@ -1227,6 +1239,9 @@ pub async fn perform_session_flow_routing(
            mandate_type: None,
            payment_type: None,
        },
+        acquirer_data: None,
+        customer_device_data: None,
+        issuer_data: None,
    };

    for connector_data in session_input.chosen.iter() {
@ -1529,6 +1544,9 @@ pub fn make_dsl_input_for_surcharge(
        payment: payment_input,
        payment_method: payment_method_input,
        mandate: mandate_data,
+        acquirer_data: None,
+        customer_device_data: None,
+        issuer_data: None,
    };
    Ok(backend_input)
 }
--- a/crates/router/src/core/three_ds_decision_rule.rs
+++ b/crates/router/src/core/three_ds_decision_rule.rs
@ -0,0 +1,72 @@
+pub mod utils;
+
+use common_types::three_ds_decision_rule_engine::ThreeDSDecisionRule;
+use common_utils::ext_traits::ValueExt;
+use error_stack::ResultExt;
+use euclid::{
+    backend::{self, inputs as dsl_inputs, EuclidBackend},
+    frontend::ast,
+};
+use hyperswitch_domain_models::merchant_context::MerchantContext;
+use router_env::{instrument, tracing};
+
+use crate::{
+    core::{
+        errors,
+        errors::{RouterResponse, StorageErrorExt},
+    },
+    services,
+    types::transformers::ForeignFrom,
+    SessionState,
+};
+
+#[instrument(skip_all)]
+pub async fn execute_three_ds_decision_rule(
+    state: SessionState,
+    merchant_context: MerchantContext,
+    request: api_models::three_ds_decision_rule::ThreeDsDecisionRuleExecuteRequest,
+) -> RouterResponse<api_models::three_ds_decision_rule::ThreeDsDecisionRuleExecuteResponse> {
+    let db = state.store.as_ref();
+    // Retrieve the rule from database
+    let routing_algorithm = db
+        .find_routing_algorithm_by_algorithm_id_merchant_id(
+            &request.routing_id,
+            merchant_context.get_merchant_account().get_id(),
+        )
+        .await
+        .to_not_found_response(errors::ApiErrorResponse::ResourceIdNotFound)?;
+    let algorithm: Algorithm = routing_algorithm
+        .algorithm_data
+        .parse_value("Algorithm")
+        .change_context(errors::ApiErrorResponse::InternalServerError)
+        .attach_printable("Error parsing program from three_ds_decision rule algorithm")?;
+    let program: ast::Program<ThreeDSDecisionRule> = algorithm
+        .data
+        .parse_value("Program<ThreeDSDecisionRule>")
+        .change_context(errors::ApiErrorResponse::InternalServerError)
+        .attach_printable("Error parsing program from three_ds_decision rule algorithm")?;
+    // Construct backend input from request
+    let backend_input = dsl_inputs::BackendInput::foreign_from(request.clone());
+    // Initialize interpreter with the rule program
+    let interpreter = backend::VirInterpreterBackend::with_program(program)
+        .change_context(errors::ApiErrorResponse::InternalServerError)
+        .attach_printable("Error initializing DSL interpreter backend")?;
+    // Execute the rule
+    let result = interpreter
+        .execute(backend_input)
+        .change_context(errors::ApiErrorResponse::InternalServerError)
+        .attach_printable("Error executing 3DS decision rule")?;
+    // Apply PSD2 validations to the decision
+    let final_decision =
+        utils::apply_psd2_validations_during_execute(result.get_output().get_decision(), &request);
+    // Construct response
+    let response = api_models::three_ds_decision_rule::ThreeDsDecisionRuleExecuteResponse {
+        decision: final_decision,
+    };
+    Ok(services::ApplicationResponse::Json(response))
+}
+
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
+pub struct Algorithm {
+    data: serde_json::Value,
+}
--- a/crates/router/src/core/three_ds_decision_rule/utils.rs
+++ b/crates/router/src/core/three_ds_decision_rule/utils.rs
@ -0,0 +1,115 @@
+use api_models::three_ds_decision_rule as api_threedsecure;
+use common_types::three_ds_decision_rule_engine::ThreeDSDecision;
+use euclid::backend::inputs as dsl_inputs;
+
+use crate::{consts::PSD2_COUNTRIES, types::transformers::ForeignFrom};
+
+// function to apply PSD2 validations to the decision
+pub fn apply_psd2_validations_during_execute(
+    decision: ThreeDSDecision,
+    request: &api_models::three_ds_decision_rule::ThreeDsDecisionRuleExecuteRequest,
+) -> ThreeDSDecision {
+    let issuer_in_psd2 = request
+        .issuer
+        .as_ref()
+        .and_then(|issuer| issuer.country)
+        .map(|country| PSD2_COUNTRIES.contains(&country))
+        .unwrap_or(false);
+    let acquirer_in_psd2 = request
+        .acquirer
+        .as_ref()
+        .and_then(|acquirer| acquirer.country)
+        .map(|country| PSD2_COUNTRIES.contains(&country))
+        .unwrap_or(false);
+    if issuer_in_psd2 && acquirer_in_psd2 {
+        // If both issuer and acquirer are in PSD2 region
+        match decision {
+            // If the decision is to enforce no 3DS, override it to enforce 3DS
+            ThreeDSDecision::NoThreeDs => ThreeDSDecision::ChallengeRequested,
+            _ => decision,
+        }
+    } else {
+        // If PSD2 doesn't apply, exemptions cannot be applied
+        match decision {
+            ThreeDSDecision::NoThreeDs => ThreeDSDecision::NoThreeDs,
+            // For all other decisions (including exemptions), enforce challenge as exemptions are only valid in PSD2 regions
+            _ => ThreeDSDecision::ChallengeRequested,
+        }
+    }
+}
+
+impl ForeignFrom<api_threedsecure::PaymentData> for dsl_inputs::PaymentInput {
+    fn foreign_from(request_payment_data: api_threedsecure::PaymentData) -> Self {
+        Self {
+            amount: request_payment_data.amount,
+            currency: request_payment_data.currency,
+            authentication_type: None,
+            capture_method: None,
+            business_country: None,
+            billing_country: None,
+            business_label: None,
+            setup_future_usage: None,
+            card_bin: None,
+        }
+    }
+}
+
+impl ForeignFrom<Option<api_threedsecure::PaymentMethodMetaData>>
+    for dsl_inputs::PaymentMethodInput
+{
+    fn foreign_from(
+        request_payment_method_metadata: Option<api_threedsecure::PaymentMethodMetaData>,
+    ) -> Self {
+        Self {
+            payment_method: None,
+            payment_method_type: None,
+            card_network: request_payment_method_metadata.and_then(|pm| pm.card_network),
+        }
+    }
+}
+
+impl ForeignFrom<api_threedsecure::CustomerDeviceData> for dsl_inputs::CustomerDeviceDataInput {
+    fn foreign_from(request_customer_device_data: api_threedsecure::CustomerDeviceData) -> Self {
+        Self {
+            platform: request_customer_device_data.platform,
+            device_type: request_customer_device_data.device_type,
+            display_size: request_customer_device_data.display_size,
+        }
+    }
+}
+
+impl ForeignFrom<api_threedsecure::IssuerData> for dsl_inputs::IssuerDataInput {
+    fn foreign_from(request_issuer_data: api_threedsecure::IssuerData) -> Self {
+        Self {
+            name: request_issuer_data.name,
+            country: request_issuer_data.country,
+        }
+    }
+}
+
+impl ForeignFrom<api_threedsecure::AcquirerData> for dsl_inputs::AcquirerDataInput {
+    fn foreign_from(request_acquirer_data: api_threedsecure::AcquirerData) -> Self {
+        Self {
+            country: request_acquirer_data.country,
+            fraud_rate: request_acquirer_data.fraud_rate,
+        }
+    }
+}
+
+impl ForeignFrom<api_threedsecure::ThreeDsDecisionRuleExecuteRequest> for dsl_inputs::BackendInput {
+    fn foreign_from(request: api_threedsecure::ThreeDsDecisionRuleExecuteRequest) -> Self {
+        Self {
+            metadata: None,
+            payment: dsl_inputs::PaymentInput::foreign_from(request.payment),
+            payment_method: dsl_inputs::PaymentMethodInput::foreign_from(request.payment_method),
+            mandate: dsl_inputs::MandateData {
+                mandate_acceptance_type: None,
+                mandate_type: None,
+                payment_type: None,
+            },
+            acquirer_data: request.acquirer.map(ForeignFrom::foreign_from),
+            customer_device_data: request.customer_device.map(ForeignFrom::foreign_from),
+            issuer_data: request.issuer.map(ForeignFrom::foreign_from),
+        }
+    }
+}
--- a/crates/router/src/lib.rs
+++ b/crates/router/src/lib.rs
@ -145,7 +145,8 @@ pub fn mk_app(
            .service(routes::RelayWebhooks::server(state.clone()))
            .service(routes::Webhooks::server(state.clone()))
            .service(routes::Hypersense::server(state.clone()))
-            .service(routes::Relay::server(state.clone()));
+            .service(routes::Relay::server(state.clone()))
+            .service(routes::ThreeDsDecisionRule::server(state.clone()));

        #[cfg(feature = "oltp")]
        {
--- a/crates/router/src/routes.rs
+++ b/crates/router/src/routes.rs
@ -47,6 +47,7 @@ pub mod recon;
 pub mod refunds;
 #[cfg(feature = "olap")]
 pub mod routing;
+pub mod three_ds_decision_rule;
 pub mod tokenization;
 #[cfg(feature = "olap")]
 pub mod user;
@ -85,8 +86,8 @@ pub use self::app::{
    ApiKeys, AppState, ApplePayCertificatesMigration, Cache, Cards, Configs, ConnectorOnboarding,
    Customers, Disputes, EphemeralKey, FeatureMatrix, Files, Forex, Gsm, Health, Hypersense,
    Mandates, MerchantAccount, MerchantConnectorAccount, PaymentLink, PaymentMethods, Payments,
-    Poll, ProcessTracker, Profile, ProfileNew, Refunds, Relay, RelayWebhooks, SessionState, User,
-    Webhooks,
+    Poll, ProcessTracker, Profile, ProfileNew, Refunds, Relay, RelayWebhooks, SessionState,
+    ThreeDsDecisionRule, User, Webhooks,
 };
 #[cfg(feature = "olap")]
 pub use self::app::{Blocklist, Organization, Routing, Verify, WebhookEvents};
--- a/crates/router/src/routes/app.rs
+++ b/crates/router/src/routes/app.rs
@ -99,7 +99,7 @@ pub use crate::{
 use crate::{
    configs::{secrets_transformers, Settings},
    db::kafka_store::{KafkaStore, TenantID},
-    routes::hypersense as hypersense_routes,
+    routes::{hypersense as hypersense_routes, three_ds_decision_rule},
 };

 #[derive(Clone)]
@ -2183,6 +2183,20 @@ impl Gsm {
    }
 }

+pub struct ThreeDsDecisionRule;
+
+#[cfg(feature = "oltp")]
+impl ThreeDsDecisionRule {
+    pub fn server(state: AppState) -> Scope {
+        web::scope("/three_ds_decision")
+            .app_data(web::Data::new(state))
+            .service(
+                web::resource("/execute")
+                    .route(web::post().to(three_ds_decision_rule::execute_decision_rule)),
+            )
+    }
+}
+
 #[cfg(feature = "olap")]
 pub struct Verify;

--- a/crates/router/src/routes/lock_utils.rs
+++ b/crates/router/src/routes/lock_utils.rs
@ -44,6 +44,7 @@ pub enum ApiIdentifier {
    PaymentMethodSession,
    ProcessTracker,
    Proxy,
+    ThreeDsDecisionRule,
    GenericTokenization,
 }

@ -344,6 +345,7 @@ impl From<Flow> for ApiIdentifier {
            Flow::RevenueRecoveryRetrieve => Self::ProcessTracker,
            Flow::Proxy => Self::Proxy,

+            Flow::ThreeDsDecisionRuleExecute => Self::ThreeDsDecisionRule,
            Flow::TokenizationCreate | Flow::TokenizationRetrieve => Self::GenericTokenization,
        }
    }
--- a/crates/router/src/routes/three_ds_decision_rule.rs
+++ b/crates/router/src/routes/three_ds_decision_rule.rs
@ -0,0 +1,43 @@
+use actix_web::{web, Responder};
+use hyperswitch_domain_models::merchant_context::{Context, MerchantContext};
+use router_env::{instrument, tracing, Flow};
+
+use crate::{
+    self as app,
+    core::{api_locking, three_ds_decision_rule as three_ds_decision_rule_core},
+    services::{api, authentication as auth},
+};
+
+#[instrument(skip_all, fields(flow = ?Flow::ThreeDsDecisionRuleExecute))]
+#[cfg(feature = "oltp")]
+pub async fn execute_decision_rule(
+    state: web::Data<app::AppState>,
+    req: actix_web::HttpRequest,
+    payload: web::Json<api_models::three_ds_decision_rule::ThreeDsDecisionRuleExecuteRequest>,
+) -> impl Responder {
+    let flow = Flow::ThreeDsDecisionRuleExecute;
+    let payload = payload.into_inner();
+    Box::pin(api::server_wrap(
+        flow,
+        state,
+        &req,
+        payload,
+        |state, auth: auth::AuthenticationData, req, _| {
+            let merchant_context = MerchantContext::NormalMerchant(Box::new(Context(
+                auth.merchant_account,
+                auth.key_store,
+            )));
+            three_ds_decision_rule_core::execute_three_ds_decision_rule(
+                state,
+                merchant_context,
+                req,
+            )
+        },
+        &auth::HeaderAuth(auth::ApiKeyAuth {
+            is_connected_allowed: false,
+            is_platform_allowed: false,
+        }),
+        api_locking::LockAction::NotApplicable,
+    ))
+    .await
+}