fix(router): added validation to check total orderDetails amount equa…

…l to amount in request (#2965) Co-authored-by: Sahkal Poddar <[email protected]>
juspay · Nov 27, 2023 · 37532d4 · 37532d4
1 parent 04b7c03
commit 37532d4
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 0 deletions.
diff --git a/crates/router/src/core/payments/helpers.rs b/crates/router/src/core/payments/helpers.rs
@@ -3686,3 +3686,22 @@ pub async fn get_gsm_record(
         })
         .ok()
 }
+
+pub fn validate_order_details_amount(
+    order_details: Vec<api_models::payments::OrderDetailsWithAmount>,
+    amount: i64,
+) -> Result<(), errors::ApiErrorResponse> {
+    let total_order_details_amount: i64 = order_details
+        .iter()
+        .map(|order| order.amount * i64::from(order.quantity))
+        .sum();
+
+    if total_order_details_amount != amount {
+        Err(errors::ApiErrorResponse::InvalidRequestData {
+            message: "Total sum of order details doesn't match amount in payment request"
+                .to_string(),
+        })
+    } else {
+        Ok(())
+    }
+}
diff --git a/crates/router/src/core/payments/operations/payment_confirm.rs b/crates/router/src/core/payments/operations/payment_confirm.rs
@@ -102,6 +102,13 @@ impl<F: Send + Clone, Ctx: PaymentMethodRetrieve>
             utils::flatten_join_error(mandate_details_fut)
         )?;
 
+        if let Some(order_details) = &request.order_details {
+            helpers::validate_order_details_amount(
+                order_details.to_owned(),
+                payment_intent.amount,
+            )?;
+        }
+
         helpers::validate_customer_access(&payment_intent, auth_flow, request)?;
 
         helpers::validate_payment_status_against_not_allowed_statuses(

diff --git a/crates/router/src/core/payments/operations/payment_create.rs b/crates/router/src/core/payments/operations/payment_create.rs
@@ -186,6 +186,13 @@ impl<F: Send + Clone, Ctx: PaymentMethodRetrieve>
                 payment_id: payment_id.clone(),
             })?;
 
+        if let Some(order_details) = &request.order_details {
+            helpers::validate_order_details_amount(
+                order_details.to_owned(),
+                payment_intent.amount,
+            )?;
+        }
+
         payment_attempt = db
             .insert_payment_attempt(payment_attempt_new, storage_scheme)
             .await

diff --git a/crates/router/src/core/payments/operations/payment_update.rs b/crates/router/src/core/payments/operations/payment_update.rs
@@ -60,6 +60,13 @@ impl<F: Send + Clone, Ctx: PaymentMethodRetrieve>
             .await
             .to_not_found_response(errors::ApiErrorResponse::PaymentNotFound)?;
 
+        if let Some(order_details) = &request.order_details {
+            helpers::validate_order_details_amount(
+                order_details.to_owned(),
+                payment_intent.amount,
+            )?;
+        }
+
         payment_intent.setup_future_usage = request
             .setup_future_usage
             .or(payment_intent.setup_future_usage);