Skip to content

Commit

Permalink
feat(auth): Add Authorization for JWT Authentication types (#2973)
Browse files Browse the repository at this point in the history
Co-authored-by: hyperswitch-bot[bot] <148525504+hyperswitch-bot[bot]@users.noreply.github.com>
  • Loading branch information
ThisIsMani and hyperswitch-bot[bot] authored Nov 24, 2023
1 parent 4c1c6da commit 03c0a77
Show file tree
Hide file tree
Showing 20 changed files with 659 additions and 91 deletions.
29 changes: 24 additions & 5 deletions crates/router/src/analytics/routes.rs
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,10 @@ use router_env::AnalyticsFlow;
use super::{core::*, payments, refunds, types::AnalyticsDomain};
use crate::{
core::api_locking,
services::{api, authentication as auth, authentication::AuthenticationData},
services::{
api, authentication as auth, authentication::AuthenticationData,
authorization::permissions::Permission,
},
AppState,
};

Expand Down Expand Up @@ -68,7 +71,11 @@ pub async fn get_payment_metrics(
|state, auth: AuthenticationData, req| {
payments::get_metrics(state.pool.clone(), auth.merchant_account, req)
},
auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
auth::auth_type(
&auth::ApiKeyAuth,
&auth::JWTAuth(Permission::Analytics),
req.headers(),
),
api_locking::LockAction::NotApplicable,
)
.await
Expand Down Expand Up @@ -98,7 +105,11 @@ pub async fn get_refunds_metrics(
|state, auth: AuthenticationData, req| {
refunds::get_metrics(state.pool.clone(), auth.merchant_account, req)
},
auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
auth::auth_type(
&auth::ApiKeyAuth,
&auth::JWTAuth(Permission::Analytics),
req.headers(),
),
api_locking::LockAction::NotApplicable,
)
.await
Expand All @@ -118,7 +129,11 @@ pub async fn get_payment_filters(
|state, auth: AuthenticationData, req| {
payment_filters_core(state.pool.clone(), req, auth.merchant_account)
},
auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
auth::auth_type(
&auth::ApiKeyAuth,
&auth::JWTAuth(Permission::Analytics),
req.headers(),
),
api_locking::LockAction::NotApplicable,
)
.await
Expand All @@ -138,7 +153,11 @@ pub async fn get_refund_filters(
|state, auth: AuthenticationData, req: GetRefundFilterRequest| {
refund_filter_core(state.pool.clone(), req, auth.merchant_account)
},
auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
auth::auth_type(
&auth::ApiKeyAuth,
&auth::JWTAuth(Permission::Analytics),
req.headers(),
),
api_locking::LockAction::NotApplicable,
)
.await
Expand Down
2 changes: 2 additions & 0 deletions crates/router/src/consts.rs
Original file line number Diff line number Diff line change
Expand Up @@ -58,3 +58,5 @@ pub const LOCKER_REDIS_EXPIRY_SECONDS: u32 = 60 * 15; // 15 minutes

#[cfg(any(feature = "olap", feature = "oltp"))]
pub const JWT_TOKEN_TIME_IN_SECS: u64 = 60 * 60 * 24 * 2; // 2 days

pub const ROLE_ID_ORGANIZATION_ADMIN: &str = "org_admin";
6 changes: 0 additions & 6 deletions crates/router/src/consts/user.rs
Original file line number Diff line number Diff line change
@@ -1,8 +1,2 @@
#[cfg(feature = "olap")]
pub const MAX_NAME_LENGTH: usize = 70;
#[cfg(feature = "olap")]
pub const MAX_COMPANY_NAME_LENGTH: usize = 70;

// USER ROLES
#[cfg(any(feature = "olap", feature = "oltp"))]
pub const ROLE_ID_ORGANIZATION_ADMIN: &str = "org_admin";
4 changes: 1 addition & 3 deletions crates/router/src/core/user.rs
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,7 @@ use masking::{ExposeInterface, Secret};
use router_env::env;

use super::errors::{UserErrors, UserResponse};
use crate::{
consts::user as consts, routes::AppState, services::ApplicationResponse, types::domain,
};
use crate::{consts, routes::AppState, services::ApplicationResponse, types::domain};

pub async fn connect_account(
state: AppState,
Expand Down
37 changes: 30 additions & 7 deletions crates/router/src/routes/admin.rs
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ use router_env::{instrument, tracing, Flow};
use super::app::AppState;
use crate::{
core::{admin::*, api_locking},
services::{api, authentication as auth},
services::{api, authentication as auth, authorization::permissions::Permission},
types::api::admin,
};

Expand Down Expand Up @@ -77,7 +77,10 @@ pub async fn retrieve_merchant_account(
|state, _, req| get_merchant_account(state, req),
auth::auth_type(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute { merchant_id },
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::MerchantAccountRead,
},
req.headers(),
),
api_locking::LockAction::NotApplicable,
Expand Down Expand Up @@ -141,6 +144,7 @@ pub async fn update_merchant_account(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::MerchantAccountWrite,
},
req.headers(),
),
Expand Down Expand Up @@ -220,6 +224,7 @@ pub async fn payment_connector_create(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::MerchantConnectorAccountWrite,
},
req.headers(),
),
Expand Down Expand Up @@ -270,7 +275,10 @@ pub async fn payment_connector_retrieve(
},
auth::auth_type(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute { merchant_id },
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::MerchantConnectorAccountRead,
},
req.headers(),
),
api_locking::LockAction::NotApplicable,
Expand Down Expand Up @@ -312,7 +320,10 @@ pub async fn payment_connector_list(
|state, _, merchant_id| list_payment_connectors(state, merchant_id),
auth::auth_type(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute { merchant_id },
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::MerchantConnectorAccountRead,
},
req.headers(),
),
api_locking::LockAction::NotApplicable,
Expand Down Expand Up @@ -359,6 +370,7 @@ pub async fn payment_connector_update(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::MerchantConnectorAccountWrite,
},
req.headers(),
),
Expand Down Expand Up @@ -407,7 +419,10 @@ pub async fn payment_connector_delete(
|state, _, req| delete_payment_connector(state, req.merchant_id, req.merchant_connector_id),
auth::auth_type(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute { merchant_id },
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::MerchantConnectorAccountWrite,
},
req.headers(),
),
api_locking::LockAction::NotApplicable,
Expand Down Expand Up @@ -460,6 +475,7 @@ pub async fn business_profile_create(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::MerchantAccountWrite,
},
req.headers(),
),
Expand All @@ -484,7 +500,10 @@ pub async fn business_profile_retrieve(
|state, _, profile_id| retrieve_business_profile(state, profile_id),
auth::auth_type(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute { merchant_id },
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::MerchantAccountRead,
},
req.headers(),
),
api_locking::LockAction::NotApplicable,
Expand All @@ -511,6 +530,7 @@ pub async fn business_profile_update(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::MerchantAccountWrite,
},
req.headers(),
),
Expand Down Expand Up @@ -555,7 +575,10 @@ pub async fn business_profiles_list(
|state, _, merchant_id| list_business_profile(state, merchant_id),
auth::auth_type(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute { merchant_id },
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::MerchantAccountRead,
},
req.headers(),
),
api_locking::LockAction::NotApplicable,
Expand Down
10 changes: 8 additions & 2 deletions crates/router/src/routes/api_keys.rs
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ use router_env::{instrument, tracing, Flow};
use super::app::AppState;
use crate::{
core::{api_keys, api_locking},
services::{api, authentication as auth},
services::{api, authentication as auth, authorization::permissions::Permission},
types::api as api_types,
};

Expand Down Expand Up @@ -57,6 +57,7 @@ pub async fn api_key_create(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::ApiKeyWrite,
},
req.headers(),
),
Expand Down Expand Up @@ -101,6 +102,7 @@ pub async fn api_key_retrieve(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::ApiKeyRead,
},
req.headers(),
),
Expand Down Expand Up @@ -189,6 +191,7 @@ pub async fn api_key_revoke(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute {
merchant_id: merchant_id.clone(),
required_permission: Permission::ApiKeyWrite,
},
req.headers(),
),
Expand Down Expand Up @@ -237,7 +240,10 @@ pub async fn api_key_list(
},
auth::auth_type(
&auth::AdminApiAuth,
&auth::JWTAuthMerchantFromRoute { merchant_id },
&auth::JWTAuthMerchantFromRoute {
merchant_id,
required_permission: Permission::ApiKeyRead,
},
req.headers(),
),
api_locking::LockAction::NotApplicable,
Expand Down
38 changes: 31 additions & 7 deletions crates/router/src/routes/disputes.rs
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ use actix_web::{web, HttpRequest, HttpResponse};
use api_models::disputes as dispute_models;
use router_env::{instrument, tracing, Flow};

use crate::core::api_locking;
use crate::{core::api_locking, services::authorization::permissions::Permission};
pub mod utils;

use super::app::AppState;
Expand Down Expand Up @@ -44,7 +44,11 @@ pub async fn retrieve_dispute(
&req,
dispute_id,
|state, auth, req| disputes::retrieve_dispute(state, auth.merchant_account, req),
auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
auth::auth_type(
&auth::ApiKeyAuth,
&auth::JWTAuth(Permission::DisputeRead),
req.headers(),
),
api_locking::LockAction::NotApplicable,
)
.await
Expand Down Expand Up @@ -87,7 +91,11 @@ pub async fn retrieve_disputes_list(
&req,
payload,
|state, auth, req| disputes::retrieve_disputes_list(state, auth.merchant_account, req),
auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
auth::auth_type(
&auth::ApiKeyAuth,
&auth::JWTAuth(Permission::DisputeRead),
req.headers(),
),
api_locking::LockAction::NotApplicable,
)
.await
Expand Down Expand Up @@ -125,7 +133,11 @@ pub async fn accept_dispute(
|state, auth, req| {
disputes::accept_dispute(state, auth.merchant_account, auth.key_store, req)
},
auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
auth::auth_type(
&auth::ApiKeyAuth,
&auth::JWTAuth(Permission::DisputeWrite),
req.headers(),
),
api_locking::LockAction::NotApplicable,
))
.await
Expand Down Expand Up @@ -158,7 +170,11 @@ pub async fn submit_dispute_evidence(
|state, auth, req| {
disputes::submit_evidence(state, auth.merchant_account, auth.key_store, req)
},
auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
auth::auth_type(
&auth::ApiKeyAuth,
&auth::JWTAuth(Permission::DisputeWrite),
req.headers(),
),
api_locking::LockAction::NotApplicable,
))
.await
Expand Down Expand Up @@ -199,7 +215,11 @@ pub async fn attach_dispute_evidence(
|state, auth, req| {
disputes::attach_evidence(state, auth.merchant_account, auth.key_store, req)
},
auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
auth::auth_type(
&auth::ApiKeyAuth,
&auth::JWTAuth(Permission::DisputeWrite),
req.headers(),
),
api_locking::LockAction::NotApplicable,
))
.await
Expand Down Expand Up @@ -235,7 +255,11 @@ pub async fn retrieve_dispute_evidence(
&req,
dispute_id,
|state, auth, req| disputes::retrieve_dispute_evidence(state, auth.merchant_account, req),
auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
auth::auth_type(
&auth::ApiKeyAuth,
&auth::JWTAuth(Permission::DisputeRead),
req.headers(),
),
api_locking::LockAction::NotApplicable,
))
.await
Expand Down
20 changes: 16 additions & 4 deletions crates/router/src/routes/files.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ use actix_multipart::Multipart;
use actix_web::{web, HttpRequest, HttpResponse};
use router_env::{instrument, tracing, Flow};

use crate::core::api_locking;
use crate::{core::api_locking, services::authorization::permissions::Permission};
pub mod transformers;

use super::app::AppState;
Expand Down Expand Up @@ -45,7 +45,11 @@ pub async fn files_create(
&req,
create_file_request,
|state, auth, req| files_create_core(state, auth.merchant_account, auth.key_store, req),
auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
auth::auth_type(
&auth::ApiKeyAuth,
&auth::JWTAuth(Permission::FileWrite),
req.headers(),
),
api_locking::LockAction::NotApplicable,
))
.await
Expand Down Expand Up @@ -83,7 +87,11 @@ pub async fn files_delete(
&req,
file_id,
|state, auth, req| files_delete_core(state, auth.merchant_account, req),
auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
auth::auth_type(
&auth::ApiKeyAuth,
&auth::JWTAuth(Permission::FileWrite),
req.headers(),
),
api_locking::LockAction::NotApplicable,
))
.await
Expand Down Expand Up @@ -121,7 +129,11 @@ pub async fn files_retrieve(
&req,
file_id,
|state, auth, req| files_retrieve_core(state, auth.merchant_account, auth.key_store, req),
auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
auth::auth_type(
&auth::ApiKeyAuth,
&auth::JWTAuth(Permission::FileRead),
req.headers(),
),
api_locking::LockAction::NotApplicable,
))
.await
Expand Down
Loading

0 comments on commit 03c0a77

Please sign in to comment.