Skip to content

refactor(payments): Add platform merchant account checks for payment intent #7204

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Feb 14, 2025
Merged

refactor(payments): Add platform merchant account checks for payment intent #7204

merged 7 commits into from
Feb 14, 2025

Conversation

ThisIsMani
Copy link
Contributor

@ThisIsMani ThisIsMani commented Feb 6, 2025
edited
Loading

Type of Change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring
  • Dependency updates
  • Documentation
  • CI/CD

Description

Currently payment_intent stores platform_merchant_id. This can be used to identify if the payment was created by platform merchant.

If the payment was initialized by platform merchant, the merchant who is the owner of the payment should not be able to do any operations on the payment and vice versa.

So, we need those validations on payment intents to check if the current merchant can be allowed to perform those operations even if the authentication module allows it.

These payment ops are modified in the process.

Operation Validation Added Auth Used
Payment Approve Yes JWT + API Key
Payment Cancel Yes API Key
Payment Capture Yes API Key
Complete Authorize No Client Secret + API Key
Payment Confirm No Client Secret + API Key
Payment Reject Yes API Key
Payment Post Session Tokens No Publishable Key Auth
Payment Session No Publishable Key Auth
Payment Start No Merchant ID Auth
Payment Status No Client Secret + API Key + JWT
Payment Update No Publishable Key Auth + API Key
Payment Update Intent Yes API Key
Payment Incremental Authorization Yes API Key
Payment Session Update / Tax Calculation No Publishable Key Auth
Payment Create No API Key + JWT
Payment Intent Create No API Key + JWT
Payment Session Intent No Publishable Key Auth
Payment Get Intent Yes API Key
Payment Confirm Intent No Publishable Key Auth
Payment Get Yes API Key + JWT
Payment Capture V2 Yes API Key + JWT
Payment Get Intent Yes API Key

Additional Changes

  • This PR modifies the API contract
  • This PR modifies the database schema
  • This PR modifies application configuration/environment variables

Motivation and Context

Closes #7203.

How did you test it?

  1. Create two merchant accounts and make one platform. Refer feat(core): implemented platform merchant account #6882 to know what is a platform merchant and how to create a platform merchant account.
  2. Create a payment for normal merchant account using platform merchant account 
    curl --location 'http://localhost:8080/payments' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'x-connected-merchant-id: merchant_1739261637' \
--header 'api-key: PLATFORM_API_KEY' \
--data '{
    "amount": 6545,
    "currency": "USD"
}'
  3. Try to make any of the above mentioned operations using normal merchant account and it will throw error. Using payment cancel as an example. 
    curl --location 'http://localhost:8080/payments/pay_Hj5V6MPOVqIL44ODkX1j/cancel' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'api-key: NORMAL_MERCHANT_API_KEY' \
--data '{
  "cancellation_reason": "requested_by_customer"
}'
    {
    "error": {
        "type": "invalid_request",
        "message": "Invalid platform account operation",
        "code": "IR_44"
    }
}
    • And the API should work if hit with platform merchant account api key
    curl --location 'http://localhost:8080/payments/pay_Hj5V6MPOVqIL44ODkX1j/cancel' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'x-connected-merchant-id: merchant_1739261637' \
--header 'api-key: PLATFORM_API_KEY' \
--data '{
  "cancellation_reason": "requested_by_customer"
}'

Checklist

  • I formatted the code cargo +nightly fmt --all
  • I addressed lints thrown by cargo clippy
  • I reviewed the submitted code
  • I added unit tests for my changes where possible

@ThisIsMani ThisIsMani added A-core Area: Core flows S-waiting-on-review Status: This PR has been implemented and needs to be reviewed C-refactor Category: Refactor labels Feb 6, 2025
@ThisIsMani ThisIsMani self-assigned this Feb 6, 2025
@ThisIsMani ThisIsMani requested review from a team as code owners February 6, 2025 13:49
@semanticdiff-com SemanticDiff.com
Copy link

semanticdiff-com bot commented Feb 6, 2025
edited
Loading

Review changes with  SemanticDiff

Changed Files
File Status
  crates/router/src/core/payments/operations/payment_capture_v2.rs  43% smaller
  crates/router/src/core/payments/operations/payment_get.rs  43% smaller
  crates/router/src/core/payments/operations/payment_update_intent.rs  2% smaller
  crates/router/src/core/payments/operations/payment_session_intent.rs  2% smaller
  crates/router/src/core/payments/operations/payment_approve.rs  0% smaller
  crates/router/src/core/payments/operations/payment_cancel.rs  0% smaller
  crates/router/src/core/payments/operations/payment_capture.rs  0% smaller
  crates/router/src/core/payments/operations/payment_complete_authorize.rs  0% smaller
  crates/router/src/core/payments/operations/payment_confirm.rs  0% smaller
  crates/router/src/core/payments/operations/payment_confirm_intent.rs  0% smaller
  crates/router/src/core/payments/operations/payment_get_intent.rs  0% smaller
  crates/router/src/core/payments/operations/payment_post_session_tokens.rs  0% smaller
  crates/router/src/core/payments/operations/payment_reject.rs  0% smaller
  crates/router/src/core/payments/operations/payment_session.rs  0% smaller
  crates/router/src/core/payments/operations/payment_start.rs  0% smaller
  crates/router/src/core/payments/operations/payment_status.rs  0% smaller
  crates/router/src/core/payments/operations/payment_update.rs  0% smaller
  crates/router/src/core/payments/operations/payments_incremental_authorization.rs  0% smaller
  crates/router/src/core/payments/operations/tax_calculation.rs  0% smaller
  crates/router/src/core/utils.rs  0% smaller
  crates/router/src/routes/payment_methods.rs  0% smaller

Narayanbhat166
Narayanbhat166 reviewed Feb 7, 2025
View reviewed changes
crates/router/src/core/payments/helpers.rs Outdated
@@ -3419,6 +3419,27 @@ pub(crate) fn validate_payment_status_against_not_allowed_statuses(
})
}

pub fn validate_platform_merchant(
data_platform_merchant_id: Option<&id_type::MerchantId>,
auth_platform_merchant_id: Option<&id_type::MerchantId>,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you can add a trait function to get the platform merchant id and then any generic that implements this trait can be passed to this function

Narayanbhat166
Narayanbhat166 reviewed Feb 7, 2025
View reviewed changes
Narayanbhat166
Narayanbhat166 previously approved these changes Feb 10, 2025
View reviewed changes
apoorvdixit88
apoorvdixit88 previously approved these changes Feb 10, 2025
View reviewed changes
@maverox maverox self-requested a review February 11, 2025 12:01
@Gnanasundari24 Gnanasundari24 added this pull request to the merge queue Feb 14, 2025
Merged via the queue into main with commit 12ef8ee Feb 14, 2025
21 of 24 checks passed
@Gnanasundari24 Gnanasundari24 deleted the platform-checks-pi branch February 14, 2025 10:05
@SanchithHegde SanchithHegde removed the S-waiting-on-review Status: This PR has been implemented and needs to be reviewed label Feb 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jarnura jarnura jarnura approved these changes

@maverox maverox maverox approved these changes

@apoorvdixit88 apoorvdixit88 apoorvdixit88 approved these changes

@racnan racnan racnan approved these changes

@sai-harsha-vardhan sai-harsha-vardhan Awaiting requested review from sai-harsha-vardhan

+2 more reviewers

@Narayanbhat166 Narayanbhat166 Narayanbhat166 approved these changes

@Chethan-rao Chethan-rao Chethan-rao approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees

@ThisIsMani ThisIsMani

Labels
A-core Area: Core flows C-refactor Category: Refactor
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

feat(vsaas): Add platform merchant validations for payment intent
9 participants
@ThisIsMani @jarnura @maverox @Narayanbhat166 @apoorvdixit88 @Chethan-rao @racnan @SanchithHegde @Gnanasundari24