feat(payment_methods): Use Ephemeral auth for pm list and pm delete (#…

…4996)
juspay · Jun 13, 2024 · ad7886a · ad7886a
1 parent 18493bd
commit ad7886a
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 15 deletions.
diff --git a/crates/router/src/compatibility/stripe/customers.rs b/crates/router/src/compatibility/stripe/customers.rs
@@ -195,6 +195,7 @@ pub async fn list_customer_payment_method_api(
                 auth.key_store,
                 Some(req),
                 Some(&customer_id),
+                None,
             )
         },
         &auth::ApiKeyAuth,

diff --git a/crates/router/src/core/payment_methods/cards.rs b/crates/router/src/core/payment_methods/cards.rs
@@ -64,6 +64,7 @@ use crate::{
     pii::prelude::*,
     routes::{
         self,
+        app::SessionStateInfo,
         metrics::{self, request},
         payment_methods::ParentPaymentMethodToken,
     },
@@ -3107,10 +3108,25 @@ pub async fn do_list_customer_pm_fetch_customer_if_not_passed(
     key_store: domain::MerchantKeyStore,
     req: Option<api::PaymentMethodListRequest>,
     customer_id: Option<&id_type::CustomerId>,
+    ephemeral_api_key: Option<&str>,
 ) -> errors::RouterResponse<api::CustomerPaymentMethodsListResponse> {
     let db = state.store.as_ref();
     let limit = req.clone().and_then(|pml_req| pml_req.limit);
 
+    let auth_cust = if let Some(key) = ephemeral_api_key {
+        let key = state
+            .store()
+            .get_ephemeral_key(key)
+            .await
+            .change_context(errors::ApiErrorResponse::Unauthorized)?;
+
+        Some(key.customer_id.clone())
+    } else {
+        None
+    };
+
+    let customer_id = customer_id.or(auth_cust.as_ref());
+
     if let Some(customer_id) = customer_id {
         Box::pin(list_customer_payment_method(
             &state,

diff --git a/crates/router/src/routes/customers.rs b/crates/router/src/routes/customers.rs
@@ -47,7 +47,7 @@ pub async fn customers_retrieve(
     let auth = if auth::is_jwt_auth(req.headers()) {
         Box::new(auth::JWTAuth(Permission::CustomerRead))
     } else {
-        match auth::is_ephemeral_auth(req.headers(), &payload.customer_id) {
+        match auth::is_ephemeral_auth(req.headers()) {
             Ok(auth) => auth,
             Err(err) => return api::log_and_return_error_response(err),
         }

diff --git a/crates/router/src/routes/payment_methods.rs b/crates/router/src/routes/payment_methods.rs
@@ -139,7 +139,7 @@ pub async fn list_customer_payment_method_api(
     let payload = query_payload.into_inner();
     let customer_id = customer_id.into_inner().0;
 
-    let ephemeral_auth = match auth::is_ephemeral_auth(req.headers(), &customer_id) {
+    let ephemeral_auth = match auth::is_ephemeral_auth(req.headers()) {
         Ok(auth) => auth,
         Err(err) => return api::log_and_return_error_response(err),
     };
@@ -155,6 +155,7 @@ pub async fn list_customer_payment_method_api(
                 auth.key_store,
                 Some(req),
                 Some(&customer_id),
+                None,
             )
         },
         &*ephemeral_auth,
@@ -194,10 +195,12 @@ pub async fn list_customer_payment_method_api_client(
 ) -> HttpResponse {
     let flow = Flow::CustomerPaymentMethodsList;
     let payload = query_payload.into_inner();
-    let (auth, _) = match auth::check_client_secret_and_get_auth(req.headers(), &payload) {
-        Ok((auth, _auth_flow)) => (auth, _auth_flow),
-        Err(e) => return api::log_and_return_error_response(e),
-    };
+    let api_key = auth::get_api_key(req.headers()).ok();
+    let (auth, _, is_ephemeral_auth) =
+        match auth::get_ephemeral_or_other_auth(req.headers(), false, Some(&payload)).await {
+            Ok((auth, _auth_flow, is_ephemeral_auth)) => (auth, _auth_flow, is_ephemeral_auth),
+            Err(e) => return api::log_and_return_error_response(e),
+        };
 
     Box::pin(api::server_wrap(
         flow,
@@ -211,6 +214,7 @@ pub async fn list_customer_payment_method_api_client(
                 auth.key_store,
                 Some(req),
                 None,
+                is_ephemeral_auth.then_some(api_key).flatten(),
             )
         },
         &*auth,
@@ -291,6 +295,11 @@ pub async fn payment_method_delete_api(
     let pm = PaymentMethodId {
         payment_method_id: payment_method_id.into_inner().0,
     };
+    let ephemeral_auth = match auth::is_ephemeral_auth(req.headers()) {
+        Ok(auth) => auth,
+        Err(err) => return api::log_and_return_error_response(err),
+    };
+
     Box::pin(api::server_wrap(
         flow,
         state,
@@ -299,7 +308,7 @@ pub async fn payment_method_delete_api(
         |state, auth, req, _| {
             cards::delete_payment_method(state, auth.merchant_account, req, auth.key_store)
         },
-        &auth::ApiKeyAuth,
+        &*ephemeral_auth,
         api_locking::LockAction::NotApplicable,
     ))
     .await
@@ -345,7 +354,7 @@ pub async fn default_payment_method_set_api(
     let pc = payload.clone();
     let customer_id = &pc.customer_id;
 
-    let ephemeral_auth = match auth::is_ephemeral_auth(req.headers(), customer_id) {
+    let ephemeral_auth = match auth::is_ephemeral_auth(req.headers()) {
         Ok(auth) => auth,
         Err(err) => return api::log_and_return_error_response(err),
     };

diff --git a/crates/router/src/services/authentication.rs b/crates/router/src/services/authentication.rs
@@ -5,7 +5,7 @@ use api_models::{
 };
 use async_trait::async_trait;
 use common_enums::TokenPurpose;
-use common_utils::{date_time, id_type};
+use common_utils::date_time;
 use error_stack::{report, ResultExt};
 use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
 use masking::PeekInterface;
@@ -440,7 +440,7 @@ where
 }
 
 #[derive(Debug)]
-pub struct EphemeralKeyAuth(pub id_type::CustomerId);
+pub struct EphemeralKeyAuth;
 
 #[async_trait]
 impl<A> AuthenticateAndFetch<AuthenticationData, A> for EphemeralKeyAuth
@@ -460,9 +460,6 @@ where
             .await
             .change_context(errors::ApiErrorResponse::Unauthorized)?;
 
-        if ephemeral_key.customer_id.ne(&self.0) {
-            return Err(report!(errors::ApiErrorResponse::InvalidEphemeralKey));
-        }
         MerchantIdAuth(ephemeral_key.merchant_id)
             .authenticate_and_fetch(request_headers, state)
             .await
@@ -1046,16 +1043,43 @@ where
     Ok((Box::new(ApiKeyAuth), api::AuthFlow::Merchant))
 }
 
+pub async fn get_ephemeral_or_other_auth<T>(
+    headers: &HeaderMap,
+    is_merchant_flow: bool,
+    payload: Option<&impl ClientSecretFetch>,
+) -> RouterResult<(
+    Box<dyn AuthenticateAndFetch<AuthenticationData, T>>,
+    api::AuthFlow,
+    bool,
+)>
+where
+    T: SessionStateInfo,
+    ApiKeyAuth: AuthenticateAndFetch<AuthenticationData, T>,
+    PublishableKeyAuth: AuthenticateAndFetch<AuthenticationData, T>,
+    EphemeralKeyAuth: AuthenticateAndFetch<AuthenticationData, T>,
+{
+    let api_key = get_api_key(headers)?;
+
+    if api_key.starts_with("epk") {
+        Ok((Box::new(EphemeralKeyAuth), api::AuthFlow::Client, true))
+    } else if is_merchant_flow {
+        Ok((Box::new(ApiKeyAuth), api::AuthFlow::Merchant, false))
+    } else {
+        let payload = payload.get_required_value("ClientSecretFetch")?;
+        let (auth, auth_flow) = check_client_secret_and_get_auth(headers, payload)?;
+        Ok((auth, auth_flow, false))
+    }
+}
+
 pub fn is_ephemeral_auth<A: SessionStateInfo + Sync>(
     headers: &HeaderMap,
-    customer_id: &id_type::CustomerId,
 ) -> RouterResult<Box<dyn AuthenticateAndFetch<AuthenticationData, A>>> {
     let api_key = get_api_key(headers)?;
 
     if !api_key.starts_with("epk") {
         Ok(Box::new(ApiKeyAuth))
     } else {
-        Ok(Box::new(EphemeralKeyAuth(customer_id.to_owned())))
+        Ok(Box::new(EphemeralKeyAuth))
     }
 }