feat(auth): Add support for partial-auth, by facilitating injection of authentication parameters in headers (#4802)

Co-authored-by: Jagan <[email protected]>

Author: NishantJoshi00

config/development.toml

@@ -174,6 +174,10 @@ validity = 1
 [api_keys]
 hash_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
 
+checksum_auth_context = "TEST"
+checksum_auth_key = "54455354"
+
+
 [connectors]
 aci.base_url = "https://eu-test.oppwa.com/"
 adyen.base_url = "https://checkout-test.adyen.com/"

crates/common_utils/src/crypto.rs

@@ -238,6 +238,43 @@ impl VerifySignature for HmacSha512 {
     }
 }
 
+///
+/// Blake3
+#[derive(Debug)]
+pub struct Blake3(String);
+
+impl Blake3 {
+    /// Create a new instance of Blake3 with a key
+    pub fn new(key: impl Into<String>) -> Self {
+        Self(key.into())
+    }
+}
+
+impl SignMessage for Blake3 {
+    fn sign_message(
+        &self,
+        secret: &[u8],
+        msg: &[u8],
+    ) -> CustomResult<Vec<u8>, errors::CryptoError> {
+        let key = blake3::derive_key(&self.0, secret);
+        let output = blake3::keyed_hash(&key, msg).as_bytes().to_vec();
+        Ok(output)
+    }
+}
+
+impl VerifySignature for Blake3 {
+    fn verify_signature(
+        &self,
+        secret: &[u8],
+        signature: &[u8],
+        msg: &[u8],
+    ) -> CustomResult<bool, errors::CryptoError> {
+        let key = blake3::derive_key(&self.0, secret);
+        let output = blake3::keyed_hash(&key, msg);
+        Ok(output.as_bytes() == signature)
+    }
+}
+
 /// Represents the GCM-AES-256 algorithm
 #[derive(Debug)]
 pub struct GcmAes256;

crates/masking/src/secret.rs

@@ -4,7 +4,7 @@
 
 use std::{fmt, marker::PhantomData};
 
-use crate::{strategy::Strategy, PeekInterface};
+use crate::{strategy::Strategy, PeekInterface, StrongSecret};
 
 ///
 /// Secret thing.
@@ -81,6 +81,14 @@ where
     {
         f(self.inner_secret).into()
     }
+
+    /// Convert to [`StrongSecret`]
+    pub fn into_strong(self) -> StrongSecret<SecretValue, MaskingStrategy>
+    where
+        SecretValue: zeroize::DefaultIsZeroes,
+    {
+        StrongSecret::new(self.inner_secret)
+    }
 }
 
 impl<SecretValue, MaskingStrategy> PeekInterface<SecretValue>

crates/router/Cargo.toml

@@ -38,6 +38,11 @@ merchant_account_v2 = ["api_models/merchant_account_v2", "diesel_models/merchant
 payment_v2 = ["api_models/payment_v2", "diesel_models/payment_v2", "hyperswitch_domain_models/payment_v2"]
 merchant_connector_account_v2 = ["api_models/merchant_connector_account_v2", "kgraph_utils/merchant_connector_account_v2"]
 
+# Partial Auth
+# The feature reduces the overhead of the router authenticating the merchant for every request, and trusts on `x-merchant-id` header to be present in the request.
+# This is named as partial-auth because the router will still try to authenticate if the `x-merchant-id` header is not present.
+partial-auth = []
+
 [dependencies]
 actix-cors = "0.6.5"
 actix-http = "3.6.0"

crates/router/src/compatibility/stripe/customers.rs

@@ -53,7 +53,7 @@ pub async fn customer_create(
         |state, auth, req, _| {
             customers::create_customer(state, auth.merchant_account, auth.key_store, req)
         },
-        &auth::ApiKeyAuth,
+        &auth::HeaderAuth(auth::ApiKeyAuth),
         api_locking::LockAction::NotApplicable,
     ))
     .await
@@ -87,7 +87,7 @@ pub async fn customer_retrieve(
         |state, auth, req, _| {
             customers::retrieve_customer(state, auth.merchant_account, auth.key_store, req)
         },
-        &auth::ApiKeyAuth,
+        &auth::HeaderAuth(auth::ApiKeyAuth),
         api_locking::LockAction::NotApplicable,
     ))
     .await
@@ -132,7 +132,7 @@ pub async fn customer_update(
         |state, auth, req, _| {
             customers::update_customer(state, auth.merchant_account, req, auth.key_store)
         },
-        &auth::ApiKeyAuth,
+        &auth::HeaderAuth(auth::ApiKeyAuth),
         api_locking::LockAction::NotApplicable,
     ))
     .await
@@ -166,7 +166,7 @@ pub async fn customer_delete(
         |state, auth: auth::AuthenticationData, req, _| {
             customers::delete_customer(state, auth.merchant_account, req, auth.key_store)
         },
-        &auth::ApiKeyAuth,
+        &auth::HeaderAuth(auth::ApiKeyAuth),
         api_locking::LockAction::NotApplicable,
     ))
     .await
@@ -208,7 +208,7 @@ pub async fn list_customer_payment_method_api(
                 None,
             )
         },
-        &auth::ApiKeyAuth,
+        &auth::HeaderAuth(auth::ApiKeyAuth),
         api_locking::LockAction::NotApplicable,
     ))
     .await

crates/router/src/compatibility/stripe/payment_intents.rs

@@ -1,4 +1,5 @@
 pub mod types;
+
 use actix_web::{web, HttpRequest, HttpResponse};
 use api_models::payments as payment_types;
 use error_stack::report;
@@ -71,7 +72,7 @@ pub async fn payment_intents_create(
                 api_types::HeaderPayload::default(),
             )
         },
-        &auth::ApiKeyAuth,
+        &auth::HeaderAuth(auth::ApiKeyAuth),
         locking_action,
     ))
     .await
@@ -400,7 +401,7 @@ pub async fn payment_intents_capture(
                 api_types::HeaderPayload::default(),
             )
         },
-        &auth::ApiKeyAuth,
+        &auth::HeaderAuth(auth::ApiKeyAuth),
         locking_action,
     ))
     .await
@@ -500,7 +501,7 @@ pub async fn payment_intent_list(
         |state, auth, req, _| {
             payments::list_payments(state, auth.merchant_account, auth.key_store, req)
         },
-        &auth::ApiKeyAuth,
+        &auth::HeaderAuth(auth::ApiKeyAuth),
         api_locking::LockAction::NotApplicable,
     ))
     .await

crates/router/src/compatibility/stripe/refunds.rs

@@ -1,4 +1,5 @@
 pub mod types;
+
 use actix_web::{web, HttpRequest, HttpResponse};
 use error_stack::report;
 use router_env::{instrument, tracing, Flow, Tag};
@@ -51,7 +52,7 @@ pub async fn refund_create(
         |state, auth, req, _| {
             refunds::refund_create_core(state, auth.merchant_account, auth.key_store, req)
         },
-        &auth::ApiKeyAuth,
+        &auth::HeaderAuth(auth::ApiKeyAuth),
         api_locking::LockAction::NotApplicable,
     ))
     .await
@@ -101,7 +102,7 @@ pub async fn refund_retrieve_with_gateway_creds(
                 refunds::refund_retrieve_core,
             )
         },
-        &auth::ApiKeyAuth,
+        &auth::HeaderAuth(auth::ApiKeyAuth),
         api_locking::LockAction::NotApplicable,
     ))
     .await
@@ -143,7 +144,7 @@ pub async fn refund_retrieve(
                 refunds::refund_retrieve_core,
             )
         },
-        &auth::ApiKeyAuth,
+        &auth::HeaderAuth(auth::ApiKeyAuth),
         api_locking::LockAction::NotApplicable,
     ))
     .await
@@ -175,7 +176,7 @@ pub async fn refund_update(
         &req,
         create_refund_update_req,
         |state, auth, req, _| refunds::refund_update_core(state, auth.merchant_account, req),
-        &auth::ApiKeyAuth,
+        &auth::HeaderAuth(auth::ApiKeyAuth),
         api_locking::LockAction::NotApplicable,
     ))
     .await

crates/router/src/compatibility/stripe/setup_intents.rs

@@ -1,4 +1,5 @@
 pub mod types;
+
 use actix_web::{web, HttpRequest, HttpResponse};
 use api_models::payments as payment_types;
 use error_stack::report;
@@ -72,7 +73,7 @@ pub async fn setup_intents_create(
                 api_types::HeaderPayload::default(),
             )
         },
-        &auth::ApiKeyAuth,
+        &auth::HeaderAuth(auth::ApiKeyAuth),
         api_locking::LockAction::NotApplicable,
     ))
     .await

crates/router/src/configs/defaults.rs

@@ -8929,6 +8929,13 @@ impl Default for super::settings::ApiKeys {
             // Specifies the number of days before API key expiry when email reminders should be sent
             #[cfg(feature = "email")]
             expiry_reminder_days: vec![7, 3, 1],
+
+            // Hex-encoded key used for calculating checksum for partial auth
+            #[cfg(feature = "partial-auth")]
+            checksum_auth_key: String::new().into(),
+            // context used for blake3
+            #[cfg(feature = "partial-auth")]
+            checksum_auth_context: String::new().into(),
         }
     }
 }

crates/router/src/configs/secrets_transformers.rs

@@ -114,10 +114,24 @@ impl SecretsHandler for settings::ApiKeys {
         #[cfg(feature = "email")]
         let expiry_reminder_days = api_keys.expiry_reminder_days.clone();
 
+        #[cfg(feature = "partial-auth")]
+        let checksum_auth_context = secret_management_client
+            .get_secret(api_keys.checksum_auth_context.clone())
+            .await?;
+        #[cfg(feature = "partial-auth")]
+        let checksum_auth_key = secret_management_client
+            .get_secret(api_keys.checksum_auth_key.clone())
+            .await?;
+
         Ok(value.transition_state(|_| Self {
             hash_key,
             #[cfg(feature = "email")]
             expiry_reminder_days,
+
+            #[cfg(feature = "partial-auth")]
+            checksum_auth_key,
+            #[cfg(feature = "partial-auth")]
+            checksum_auth_context,
         }))
     }
 }