From 7a359406a443fba497b7d8bc5eb555c374970bd0 Mon Sep 17 00:00:00 2001 From: Sahkal Poddar Date: Thu, 23 Nov 2023 16:34:18 +0530 Subject: [PATCH 1/5] fix(router): added validation to check total orderDetails amount equal to amount in request --- crates/router/src/core/payments/helpers.rs | 24 +++++++++++++++++++ .../payments/operations/payment_confirm.rs | 4 ++++ .../payments/operations/payment_create.rs | 4 ++++ 3 files changed, 32 insertions(+) diff --git a/crates/router/src/core/payments/helpers.rs b/crates/router/src/core/payments/helpers.rs index d813c96ce94b..9974c61556bc 100644 --- a/crates/router/src/core/payments/helpers.rs +++ b/crates/router/src/core/payments/helpers.rs @@ -3685,3 +3685,27 @@ pub async fn get_gsm_record( }) .ok() } + +pub fn validate_order_details_amount( + order_details: &Vec, + amount: Option, +) -> Result<(), errors::ApiErrorResponse> { + let total_order_details_amount: i64 = order_details.iter().map(|order| order.amount).sum(); + let amount: i64 = match amount { + Some(value) => value.into(), + None => { + return Err(errors::ApiErrorResponse::InvalidRequestData { + message: "Please provide amount if order details are provided".to_string(), + }); + } + }; + + if total_order_details_amount != amount { + Err(errors::ApiErrorResponse::InvalidRequestData { + message: "Total sum of order details doesn't match amount in payment request" + .to_string(), + }) + } else { + Ok(()) + } +} diff --git a/crates/router/src/core/payments/operations/payment_confirm.rs b/crates/router/src/core/payments/operations/payment_confirm.rs index 125787e1a30f..d96f1eb7c665 100644 --- a/crates/router/src/core/payments/operations/payment_confirm.rs +++ b/crates/router/src/core/payments/operations/payment_confirm.rs 
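Review bot: `validate_order_details_amount` in `helpers.rs` is added as a `pub fn` with no doc comment, so the contract callers rely on is unstated. A `///` block above the signature should say that every `order.amount` is summed as-is and must equal the request amount exactly, what unit both values are expressed in, and that a missing `amount` is rejected with `InvalidRequestData`. It should also state whether negative line amounts are meant to be accepted, since the sum check alone lets them offset other lines. A summary line such as `/// Rejects the request unless the order-detail amounts add up to the payment amount.` would do.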
@@ -827,6 +827,10 @@ impl ValidateRequest { helpers::validate_customer_details_in_request(request)?; + if let Some(order_details) = &request.order_details { + helpers::validate_order_details_amount(order_details, request.amount)?; + } + let request_merchant_id = request.merchant_id.as_deref(); helpers::validate_merchant_id(&merchant_account.merchant_id, request_merchant_id) .change_context(errors::ApiErrorResponse::InvalidDataFormat { diff --git a/crates/router/src/core/payments/operations/payment_create.rs b/crates/router/src/core/payments/operations/payment_create.rs index ccf9fc3fad1c..417d25c69025 100644 --- a/crates/router/src/core/payments/operations/payment_create.rs +++ b/crates/router/src/core/payments/operations/payment_create.rs @@ -522,6 +522,10 @@ impl ValidateRequest Date: Thu, 23 Nov 2023 17:00:20 +0530 Subject: [PATCH 2/5] refactor(router): fixed clippy issue --- crates/router/src/core/payments/helpers.rs | 2 +- crates/router/src/core/payments/operations/payment_confirm.rs | 2 +- crates/router/src/core/payments/operations/payment_create.rs | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/crates/router/src/core/payments/helpers.rs b/crates/router/src/core/payments/helpers.rs index 9974c61556bc..47b8d18e7a4b 100644 --- a/crates/router/src/core/payments/helpers.rs +++ b/crates/router/src/core/payments/helpers.rs @@ -3687,7 +3687,7 @@ pub async fn get_gsm_record( } pub fn validate_order_details_amount( - order_details: &Vec, + order_details: Vec, amount: Option, ) -> Result<(), errors::ApiErrorResponse> { let total_order_details_amount: i64 = order_details.iter().map(|order| order.amount).sum(); diff --git a/crates/router/src/core/payments/operations/payment_confirm.rs b/crates/router/src/core/payments/operations/payment_confirm.rs index d96f1eb7c665..8a53d373cdf1 100644 --- a/crates/router/src/core/payments/operations/payment_confirm.rs +++ b/crates/router/src/core/payments/operations/payment_confirm.rs 
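Review bot: Taking `order_details` by value in the `helpers.rs` signature (PATCH 2/5) silences the lint on `&Vec` but forces each caller to clone the whole vector for a function that only iterates over it. The call sites elsewhere in this series do exactly that with `order_details.to_owned()`. A slice parameter, `order_details: &[T]` with the same element type, satisfies the same lint and lets callers keep passing the borrow they get from `if let Some(order_details) = &request.order_details`. The body needs no change because `.iter()` works on a slice.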
@@ -828,7 +828,7 @@ impl ValidateRequest ValidateRequest Date: Thu, 23 Nov 2023 17:51:43 +0530 Subject: [PATCH 3/5] refactor(router): added validation in payment update --- crates/router/src/core/payments/operations/payment_update.rs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/crates/router/src/core/payments/operations/payment_update.rs b/crates/router/src/core/payments/operations/payment_update.rs index 75d3b6b82b4c..e6592ea8267e 100644 --- a/crates/router/src/core/payments/operations/payment_update.rs +++ b/crates/router/src/core/payments/operations/payment_update.rs @@ -612,6 +612,10 @@ impl ValidateRequest Date: Fri, 24 Nov 2023 14:47:27 +0530 Subject: [PATCH 4/5] refactor(router): addressed pr comments --- crates/router/src/core/payments/helpers.rs | 10 +--------- .../src/core/payments/operations/payment_confirm.rs | 11 +++++++---- .../src/core/payments/operations/payment_create.rs | 11 +++++++---- .../src/core/payments/operations/payment_update.rs | 11 +++++++---- 4 files changed, 22 insertions(+), 21 deletions(-) diff --git a/crates/router/src/core/payments/helpers.rs b/crates/router/src/core/payments/helpers.rs index 47b8d18e7a4b..b2356d7f6499 100644 --- a/crates/router/src/core/payments/helpers.rs +++ b/crates/router/src/core/payments/helpers.rs @@ -3688,17 +3688,9 @@ pub async fn get_gsm_record( pub fn validate_order_details_amount( order_details: Vec, - amount: Option, + amount: i64, ) -> Result<(), errors::ApiErrorResponse> { let total_order_details_amount: i64 = order_details.iter().map(|order| order.amount).sum(); - let amount: i64 = match amount { - Some(value) => value.into(), - None => { - return Err(errors::ApiErrorResponse::InvalidRequestData { - message: "Please provide amount if order details are provided".to_string(), - }); - } - }; if total_order_details_amount != amount { Err(errors::ApiErrorResponse::InvalidRequestData { 
diff --git a/crates/router/src/core/payments/operations/payment_confirm.rs b/crates/router/src/core/payments/operations/payment_confirm.rs index c489bc8360d9..5f889108ccb6 100644 --- a/crates/router/src/core/payments/operations/payment_confirm.rs +++ b/crates/router/src/core/payments/operations/payment_confirm.rs @@ -102,6 +102,13 @@ impl utils::flatten_join_error(mandate_details_fut) )?; + if let Some(order_details) = &request.order_details { + helpers::validate_order_details_amount( + order_details.to_owned(), + payment_intent.amount, + )?; + } + helpers::validate_customer_access(&payment_intent, auth_flow, request)?; helpers::validate_payment_status_against_not_allowed_statuses( @@ -827,10 +834,6 @@ impl ValidateRequest { helpers::validate_customer_details_in_request(request)?; - if let Some(order_details) = &request.order_details { - helpers::validate_order_details_amount(order_details.to_owned(), request.amount)?; - } - let request_merchant_id = request.merchant_id.as_deref(); helpers::validate_merchant_id(&merchant_account.merchant_id, request_merchant_id) .change_context(errors::ApiErrorResponse::InvalidDataFormat { diff --git a/crates/router/src/core/payments/operations/payment_create.rs b/crates/router/src/core/payments/operations/payment_create.rs index 37afcb1ed01b..c12f28e23390 100644 --- a/crates/router/src/core/payments/operations/payment_create.rs +++ b/crates/router/src/core/payments/operations/payment_create.rs @@ -186,6 +186,13 @@ impl payment_id: payment_id.clone(), })?; + if let Some(order_details) = &request.order_details { + helpers::validate_order_details_amount( + order_details.to_owned(), + payment_intent.amount, + )?; + } + payment_attempt = db .insert_payment_attempt(payment_attempt_new, storage_scheme) .await 
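Review bot: In the `payment_confirm.rs` hunk at `@@ -102,6 +102,13 @@` the check compares the request's `order_details` against the stored `payment_intent.amount`, although the request also carries its own `amount` (the earlier revision passed `request.amount`). If the same call can change the amount, which the hunk does not show, the new order details are validated against a value that is about to be replaced. A consistent request would then be rejected and an inconsistent one could pass. Comparing against the amount that will actually be persisted, for example `let amount = request.amount.map(Into::into).unwrap_or(payment_intent.amount);`, avoids this; the identical block added in `payment_update.rs` has the same exposure. The enclosing function starts and ends outside the hunk.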
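Review bot: In the `payment_create.rs` hunk at `@@ -186,6 +186,13 @@` the validation sits after the statement ending in `payment_id: payment_id.clone(), })?;` and before `insert_payment_attempt`, which suggests a record has already been written when the check runs (the preceding call itself is outside the hunk). If that call is the payment-intent insert, a request rejected here leaves a stored intent with no attempt, and a corrected retry under the same `payment_id` may be refused as a duplicate. Running the check before the first database write, against the amount used to build the intent, keeps a rejected request free of side effects. The enclosing function starts and ends outside the hunk.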
@@ -522,10 +529,6 @@ impl ValidateRequest .await .to_not_found_response(errors::ApiErrorResponse::PaymentNotFound)?; + if let Some(order_details) = &request.order_details { + helpers::validate_order_details_amount( + order_details.to_owned(), + payment_intent.amount, + )?; + } + payment_intent.setup_future_usage = request .setup_future_usage .or(payment_intent.setup_future_usage); @@ -612,10 +619,6 @@ impl ValidateRequest Date: Fri, 24 Nov 2023 16:26:07 +0530 Subject: [PATCH 5/5] refactor(router): added quantity check for orderDetails --- crates/router/src/core/payments/helpers.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/crates/router/src/core/payments/helpers.rs b/crates/router/src/core/payments/helpers.rs index b2356d7f6499..79ca1a6b177f 100644 --- a/crates/router/src/core/payments/helpers.rs +++ b/crates/router/src/core/payments/helpers.rs @@ -3690,7 +3690,10 @@ pub fn validate_order_details_amount( order_details: Vec, amount: i64, ) -> Result<(), errors::ApiErrorResponse> { - let total_order_details_amount: i64 = order_details.iter().map(|order| order.amount).sum(); + let total_order_details_amount: i64 = order_details + .iter() + .map(|order| order.amount * i64::from(order.quantity)) + .sum(); if total_order_details_amount != amount { Err(errors::ApiErrorResponse::InvalidRequestData {
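Review bot: In the `helpers.rs` hunk of PATCH 5/5, the product `order.amount * i64::from(order.quantity)` and the `.sum()` that follows are unchecked arithmetic on values taken from the request, so large inputs overflow `i64`. That panics in builds with overflow checks and wraps otherwise, and a wrapped total can end up equal to `amount` and pass the comparison. Accumulate with `checked_mul` and `checked_add` inside a `try_fold` and return `InvalidRequestData` when either yields `None`; the message text in the sketch below is only a suggestion. The function body continues outside the hunk.

```rust
let total_order_details_amount = order_details
    .iter()
    .try_fold(0_i64, |total, order| {
        order
            .amount
            .checked_mul(i64::from(order.quantity))
            .and_then(|line_total| total.checked_add(line_total))
    })
    .ok_or_else(|| errors::ApiErrorResponse::InvalidRequestData {
        message: "Total of order details is out of range".to_string(),
    })?;

// … unchanged: comparison of total_order_details_amount with amount …
```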