feat(auth): Add Authorization for JWT Authentication types

crates/router/src/analytics/routes.rs

@@ -8,7 +8,10 @@ use router_env::AnalyticsFlow;
 use super::{core::*, payments, refunds, types::AnalyticsDomain};
 use crate::{
     core::api_locking,
-    services::{api, authentication as auth, authentication::AuthenticationData},
+    services::{
+        api, authentication as auth, authentication::AuthenticationData,
+        authorization::permissions::Permission,
+    },
     AppState,
 };
 
@@ -68,7 +71,11 @@ pub async fn get_payment_metrics(
         |state, auth: AuthenticationData, req| {
             payments::get_metrics(state.pool.clone(), auth.merchant_account, req)
         },
-        auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
+        auth::auth_type(
+            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::Analytics),
+            req.headers(),
+        ),
         api_locking::LockAction::NotApplicable,
     )
     .await
@@ -98,7 +105,11 @@ pub async fn get_refunds_metrics(
         |state, auth: AuthenticationData, req| {
             refunds::get_metrics(state.pool.clone(), auth.merchant_account, req)
         },
-        auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
+        auth::auth_type(
+            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::Analytics),
+            req.headers(),
+        ),
         api_locking::LockAction::NotApplicable,
     )
     .await
@@ -118,7 +129,11 @@ pub async fn get_payment_filters(
         |state, auth: AuthenticationData, req| {
             payment_filters_core(state.pool.clone(), req, auth.merchant_account)
         },
-        auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
+        auth::auth_type(
+            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::Analytics),
+            req.headers(),
+        ),
         api_locking::LockAction::NotApplicable,
     )
     .await
@@ -138,7 +153,11 @@ pub async fn get_refund_filters(
         |state, auth: AuthenticationData, req: GetRefundFilterRequest| {
             refund_filter_core(state.pool.clone(), req, auth.merchant_account)
         },
-        auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
+        auth::auth_type(
+            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::Analytics),
+            req.headers(),
+        ),
         api_locking::LockAction::NotApplicable,
     )
     .await

crates/router/src/consts.rs

@@ -1,4 +1,3 @@
-#[cfg(feature = "olap")]
 pub mod user;
 
 // ID generation

crates/router/src/consts/user.rs

@@ -4,5 +4,4 @@ pub const MAX_NAME_LENGTH: usize = 70;
 pub const MAX_COMPANY_NAME_LENGTH: usize = 70;
 
 // USER ROLES
-#[cfg(any(feature = "olap", feature = "oltp"))]
 pub const ROLE_ID_ORGANIZATION_ADMIN: &str = "org_admin";

crates/router/src/routes/admin.rs

@@ -4,7 +4,7 @@ use router_env::{instrument, tracing, Flow};
 use super::app::AppState;
 use crate::{
     core::{admin::*, api_locking},
-    services::{api, authentication as auth},
+    services::{api, authentication as auth, authorization::permissions::Permission},
     types::api::admin,
 };
 
@@ -77,7 +77,10 @@ pub async fn retrieve_merchant_account(
         |state, _, req| get_merchant_account(state, req),
         auth::auth_type(
             &auth::AdminApiAuth,
-            &auth::JWTAuthMerchantFromRoute { merchant_id },
+            &auth::JWTAuthMerchantFromRoute {
+                merchant_id,
+                required_permission: Permission::MerchantAccountRead,
+            },
             req.headers(),
         ),
         api_locking::LockAction::NotApplicable,
@@ -141,6 +144,7 @@ pub async fn update_merchant_account(
             &auth::AdminApiAuth,
             &auth::JWTAuthMerchantFromRoute {
                 merchant_id: merchant_id.clone(),
+                required_permission: Permission::MerchantAccountWrite,
             },
             req.headers(),
         ),
@@ -220,6 +224,7 @@ pub async fn payment_connector_create(
             &auth::AdminApiAuth,
             &auth::JWTAuthMerchantFromRoute {
                 merchant_id: merchant_id.clone(),
+                required_permission: Permission::MerchantConnectorAccountWrite,
             },
             req.headers(),
         ),
@@ -270,7 +275,10 @@ pub async fn payment_connector_retrieve(
         },
         auth::auth_type(
             &auth::AdminApiAuth,
-            &auth::JWTAuthMerchantFromRoute { merchant_id },
+            &auth::JWTAuthMerchantFromRoute {
+                merchant_id,
+                required_permission: Permission::MerchantConnectorAccountRead,
+            },
             req.headers(),
         ),
         api_locking::LockAction::NotApplicable,
@@ -312,7 +320,10 @@ pub async fn payment_connector_list(
         |state, _, merchant_id| list_payment_connectors(state, merchant_id),
         auth::auth_type(
             &auth::AdminApiAuth,
-            &auth::JWTAuthMerchantFromRoute { merchant_id },
+            &auth::JWTAuthMerchantFromRoute {
+                merchant_id,
+                required_permission: Permission::MerchantConnectorAccountRead,
+            },
             req.headers(),
         ),
         api_locking::LockAction::NotApplicable,
@@ -359,6 +370,7 @@ pub async fn payment_connector_update(
             &auth::AdminApiAuth,
             &auth::JWTAuthMerchantFromRoute {
                 merchant_id: merchant_id.clone(),
+                required_permission: Permission::MerchantConnectorAccountWrite,
             },
             req.headers(),
         ),
@@ -407,7 +419,10 @@ pub async fn payment_connector_delete(
         |state, _, req| delete_payment_connector(state, req.merchant_id, req.merchant_connector_id),
         auth::auth_type(
             &auth::AdminApiAuth,
-            &auth::JWTAuthMerchantFromRoute { merchant_id },
+            &auth::JWTAuthMerchantFromRoute {
+                merchant_id,
+                required_permission: Permission::MerchantConnectorAccountWrite,
+            },
             req.headers(),
         ),
         api_locking::LockAction::NotApplicable,
@@ -460,6 +475,7 @@ pub async fn business_profile_create(
             &auth::AdminApiAuth,
             &auth::JWTAuthMerchantFromRoute {
                 merchant_id: merchant_id.clone(),
+                required_permission: Permission::MerchantAccountWrite,
             },
             req.headers(),
         ),
@@ -484,7 +500,10 @@ pub async fn business_profile_retrieve(
         |state, _, profile_id| retrieve_business_profile(state, profile_id),
         auth::auth_type(
             &auth::AdminApiAuth,
-            &auth::JWTAuthMerchantFromRoute { merchant_id },
+            &auth::JWTAuthMerchantFromRoute {
+                merchant_id,
+                required_permission: Permission::MerchantAccountRead,
+            },
             req.headers(),
         ),
         api_locking::LockAction::NotApplicable,
@@ -511,6 +530,7 @@ pub async fn business_profile_update(
             &auth::AdminApiAuth,
             &auth::JWTAuthMerchantFromRoute {
                 merchant_id: merchant_id.clone(),
+                required_permission: Permission::MerchantAccountWrite,
             },
             req.headers(),
         ),
@@ -555,7 +575,10 @@ pub async fn business_profiles_list(
         |state, _, merchant_id| list_business_profile(state, merchant_id),
         auth::auth_type(
             &auth::AdminApiAuth,
-            &auth::JWTAuthMerchantFromRoute { merchant_id },
+            &auth::JWTAuthMerchantFromRoute {
+                merchant_id,
+                required_permission: Permission::MerchantAccountRead,
+            },
             req.headers(),
         ),
         api_locking::LockAction::NotApplicable,

crates/router/src/routes/api_keys.rs

@@ -4,7 +4,7 @@ use router_env::{instrument, tracing, Flow};
 use super::app::AppState;
 use crate::{
     core::{api_keys, api_locking},
-    services::{api, authentication as auth},
+    services::{api, authentication as auth, authorization::permissions::Permission},
     types::api as api_types,
 };
 
@@ -57,6 +57,7 @@ pub async fn api_key_create(
             &auth::AdminApiAuth,
             &auth::JWTAuthMerchantFromRoute {
                 merchant_id: merchant_id.clone(),
+                required_permission: Permission::ApiKeyWrite,
             },
             req.headers(),
         ),
@@ -101,6 +102,7 @@ pub async fn api_key_retrieve(
             &auth::AdminApiAuth,
             &auth::JWTAuthMerchantFromRoute {
                 merchant_id: merchant_id.clone(),
+                required_permission: Permission::ApiKeyRead,
             },
             req.headers(),
         ),
@@ -189,6 +191,7 @@ pub async fn api_key_revoke(
             &auth::AdminApiAuth,
             &auth::JWTAuthMerchantFromRoute {
                 merchant_id: merchant_id.clone(),
+                required_permission: Permission::ApiKeyWrite,
             },
             req.headers(),
         ),
@@ -237,7 +240,10 @@ pub async fn api_key_list(
         },
         auth::auth_type(
             &auth::AdminApiAuth,
-            &auth::JWTAuthMerchantFromRoute { merchant_id },
+            &auth::JWTAuthMerchantFromRoute {
+                merchant_id,
+                required_permission: Permission::ApiKeyRead,
+            },
             req.headers(),
         ),
         api_locking::LockAction::NotApplicable,

crates/router/src/routes/disputes.rs

@@ -3,7 +3,7 @@ use actix_web::{web, HttpRequest, HttpResponse};
 use api_models::disputes as dispute_models;
 use router_env::{instrument, tracing, Flow};
 
-use crate::core::api_locking;
+use crate::{core::api_locking, services::authorization::permissions::Permission};
 pub mod utils;
 
 use super::app::AppState;
@@ -44,7 +44,11 @@ pub async fn retrieve_dispute(
         &req,
         dispute_id,
         |state, auth, req| disputes::retrieve_dispute(state, auth.merchant_account, req),
-        auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
+        auth::auth_type(
+            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::DisputeRead),
+            req.headers(),
+        ),
         api_locking::LockAction::NotApplicable,
     )
     .await
@@ -87,7 +91,11 @@ pub async fn retrieve_disputes_list(
         &req,
         payload,
         |state, auth, req| disputes::retrieve_disputes_list(state, auth.merchant_account, req),
-        auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
+        auth::auth_type(
+            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::DisputeRead),
+            req.headers(),
+        ),
         api_locking::LockAction::NotApplicable,
     )
     .await
@@ -125,7 +133,11 @@ pub async fn accept_dispute(
         |state, auth, req| {
             disputes::accept_dispute(state, auth.merchant_account, auth.key_store, req)
         },
-        auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
+        auth::auth_type(
+            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::DisputeWrite),
+            req.headers(),
+        ),
         api_locking::LockAction::NotApplicable,
     ))
     .await
@@ -158,7 +170,11 @@ pub async fn submit_dispute_evidence(
         |state, auth, req| {
             disputes::submit_evidence(state, auth.merchant_account, auth.key_store, req)
         },
-        auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
+        auth::auth_type(
+            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::DisputeWrite),
+            req.headers(),
+        ),
         api_locking::LockAction::NotApplicable,
     ))
     .await
@@ -199,7 +215,11 @@ pub async fn attach_dispute_evidence(
         |state, auth, req| {
             disputes::attach_evidence(state, auth.merchant_account, auth.key_store, req)
         },
-        auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
+        auth::auth_type(
+            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::DisputeWrite),
+            req.headers(),
+        ),
         api_locking::LockAction::NotApplicable,
     ))
     .await
@@ -235,7 +255,11 @@ pub async fn retrieve_dispute_evidence(
         &req,
         dispute_id,
         |state, auth, req| disputes::retrieve_dispute_evidence(state, auth.merchant_account, req),
-        auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
+        auth::auth_type(
+            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::DisputeRead),
+            req.headers(),
+        ),
         api_locking::LockAction::NotApplicable,
     ))
     .await

crates/router/src/routes/files.rs

@@ -2,7 +2,7 @@ use actix_multipart::Multipart;
 use actix_web::{web, HttpRequest, HttpResponse};
 use router_env::{instrument, tracing, Flow};
 
-use crate::core::api_locking;
+use crate::{core::api_locking, services::authorization::permissions::Permission};
 pub mod transformers;
 
 use super::app::AppState;
@@ -45,7 +45,11 @@ pub async fn files_create(
         &req,
         create_file_request,
         |state, auth, req| files_create_core(state, auth.merchant_account, auth.key_store, req),
-        auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
+        auth::auth_type(
+            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::FileWrite),
+            req.headers(),
+        ),
         api_locking::LockAction::NotApplicable,
     ))
     .await
@@ -83,7 +87,11 @@ pub async fn files_delete(
         &req,
         file_id,
         |state, auth, req| files_delete_core(state, auth.merchant_account, req),
-        auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
+        auth::auth_type(
+            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::FileWrite),
+            req.headers(),
+        ),
         api_locking::LockAction::NotApplicable,
     ))
     .await
@@ -121,7 +129,11 @@ pub async fn files_retrieve(
         &req,
         file_id,
         |state, auth, req| files_retrieve_core(state, auth.merchant_account, auth.key_store, req),
-        auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
+        auth::auth_type(
+            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::FileRead),
+            req.headers(),
+        ),
         api_locking::LockAction::NotApplicable,
     ))
     .await

crates/router/src/routes/mandates.rs

@@ -4,7 +4,7 @@ use router_env::{instrument, tracing, Flow};
 use super::app::AppState;
 use crate::{
     core::{api_locking, mandate},
-    services::{api, authentication as auth},
+    services::{api, authentication as auth, authorization::permissions::Permission},
     types::api::mandates,
 };
 
@@ -122,7 +122,11 @@ pub async fn retrieve_mandates_list(
         &req,
         payload,
         |state, auth, req| mandate::retrieve_mandates_list(state, auth.merchant_account, req),
-        auth::auth_type(&auth::ApiKeyAuth, &auth::JWTAuth, req.headers()),
+        auth::auth_type(
+            &auth::ApiKeyAuth,
+            &auth::JWTAuth(Permission::MandateRead),
+            req.headers(),
+        ),
         api_locking::LockAction::NotApplicable,
     )
     .await