Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor(core): inclusion of locker to store fingerprints #3630

Merged
merged 39 commits into from
Feb 21, 2024

Conversation

prajjwalkumar17
Copy link
Contributor

@prajjwalkumar17 prajjwalkumar17 commented Feb 12, 2024

Type of Change

Refactoring the present blocklist flow and storing the fingerprint on our locker end for more security and efficiency.
More details are here in this issue.

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring
  • Dependency updates
  • Documentation
  • CI/CD

Description

After this change we will store the fingerprints on our locker in fingerprints table. No more storing anything related to fingerprints in our DB. There will be only one table usable left for blocklsit which will be blocklist (stores all the fingerprints blocked by a merchant with their type and metadata).
Previously we were generating the fingerprints on our application end itself after this change we will have the fingerprints generated by our locker.
Fingerprint is generated for each and every card payment. Moreover we are storing fingerprint in all the attempt tables.
Now vouching for the scenarios were there are more than one attempt associated with one intent in that case we are adding the successful attempt's fingerprint in intent.

Required DB changes

purpose: support for addition of fingerprint_id in payment_attempt table
Query:
ALTER TABLE payment_attempt ADD COLUMN IF NOT EXISTS fingerprint_id VARCHAR(64);

So how does the whole flow works:

  1. Before confirmation of payment the payment instrument's fingerprint is cross-checked with the blocklist.
  2. If it is present in blocklist the payment will be blocked (status as false).
  3. This payment can be retried with another instrument and in case if succeeds the fingerprint will be added in intent.

Note: All successful attempts will have a fingerprint but intent's fingerprint will always be the successful attempt's fingerprint.

Other checkpoints under same hood

  • Instead of generating the fingerprint in application add support for /cards/fingerprint API call with hash_key.
  • whitelisting mentioned endpoint in proxy.
  • Storing the fingerprint in payment attempt and payment intent table.
  • Refactoring Block List checking using the fingerprint API.

Additional Changes

  • This PR modifies the API contract
  • This PR modifies the database schema
  • This PR modifies application configuration/environment variables

Motivation and Context

How did you test it?

Generating fingerprints

-> Toggle the blocklist guard from merchant account being used using /blocklist/toggle?status=true. More about
toggling guard here.
-> We need to create a payment.
-> While trying to confirm the payment it will have the fingerprint_id in the response. This can be used to block the
instrument. If the payment was able to be captured the fingerprint will be stored in the intent table as well

Blocking fingerprints

Refer to the attached postman collection for the API contracts for the blocklist APIs(Description). Currently we support blocking three types of resources i.e. card numbers (payment intrument), card bin, and extended card bin.
blocklist_api_postman.zip

For Card Bin and Extended Card Bin :-
1. Setup a Merchant Account and any Connector account
2. Make a payment with a certain card (ensure it succeeds)
3. Block the card's card bin or extended card bin
4. Try the payment again (should fail this time with an API response saying that the payment was blocked)

For Payment Instrument :-
1. Repeat steps 1 and 2 of previous section
2. In the payment confirm response, there will be an additional field called "fingerprint". This is the fingerprint id that can be used to block a particular payment method. Use this to block the card.
3. Try the payment again (should fail)

The respected curls are mentioned in the issue.

Checklist

  • I formatted the code cargo +nightly fmt --all
  • I addressed lints thrown by cargo clippy
  • I reviewed the submitted code
  • I added unit tests for my changes where possible
  • I added a CHANGELOG entry if applicable

@prajjwalkumar17 prajjwalkumar17 added A-core Area: Core flows M-database-changes Metadata: This PR involves database schema changes C-refactor Category: Refactor labels Feb 12, 2024
@prajjwalkumar17 prajjwalkumar17 self-assigned this Feb 12, 2024
@prajjwalkumar17 prajjwalkumar17 requested review from a team as code owners February 12, 2024 11:07
@prajjwalkumar17 prajjwalkumar17 changed the title refactor(blocklist): replacement of KMS with locker to encrpyt and store fingerprints refactor(core): inclusion of locker to store fingerprints Feb 12, 2024
@prajjwalkumar17 prajjwalkumar17 linked an issue Feb 12, 2024 that may be closed by this pull request
2 tasks
@prajjwalkumar17 prajjwalkumar17 added this to the February 2024 Release milestone Feb 12, 2024
@prajjwalkumar17 prajjwalkumar17 requested a review from a team as a code owner February 14, 2024 10:11
crates/router/src/core/blocklist/transformers.rs Outdated Show resolved Hide resolved
crates/router/src/core/blocklist/transformers.rs Outdated Show resolved Hide resolved
crates/router/src/core/blocklist/transformers.rs Outdated Show resolved Hide resolved
crates/router/src/core/blocklist/transformers.rs Outdated Show resolved Hide resolved
crates/router/src/core/blocklist/transformers.rs Outdated Show resolved Hide resolved
NishantJoshi00
NishantJoshi00 previously approved these changes Feb 19, 2024
Copy link
Member

@NishantJoshi00 NishantJoshi00 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM,
just a question, can we also plan on deprecating the fingerprint id column in payment intent

@prajjwalkumar17
Copy link
Contributor Author

LGTM,
just a question, can we also plan on deprecating the fingerprint id column in payment intent

Well we are adding the fingerprint of the successful attempt in our intent so we are not going to depreciate it. Intents's fingerprint Will be used by dashboard to flag payments.
Btw why do you suggest for depreciation?

vspecky
vspecky previously approved these changes Feb 20, 2024
apoorvdixit88
apoorvdixit88 previously approved these changes Feb 20, 2024
NishantJoshi00
NishantJoshi00 previously approved these changes Feb 20, 2024
vspecky
vspecky previously approved these changes Feb 20, 2024
@likhinbopanna likhinbopanna added this pull request to the merge queue Feb 21, 2024
Merged via the queue into main with commit 7b0bce5 Feb 21, 2024
13 of 15 checks passed
@likhinbopanna likhinbopanna deleted the blocklist_locker_compatibility branch February 21, 2024 08:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-core Area: Core flows C-refactor Category: Refactor M-database-changes Metadata: This PR involves database schema changes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Refactor]: Make use of Locker for generating/storing fingerprints
7 participants