refactor(authentication): moved cavv storing from table to temp locker (#7978)

Co-authored-by: hyperswitch-bot[bot] <148525504+hyperswitch-bot[bot]@users.noreply.github.com>

Author: sahkal

crates/diesel_models/src/authentication.rs

@@ -129,7 +129,6 @@ pub enum AuthenticationUpdate {
         acquirer_country_code: Option<String>,
     },
     AuthenticationUpdate {
-        authentication_value: Option<String>,
         trans_status: common_enums::TransactionStatus,
         authentication_type: common_enums::DecoupledAuthenticationType,
         acs_url: Option<String>,
@@ -143,7 +142,6 @@ pub enum AuthenticationUpdate {
     },
     PostAuthenticationUpdate {
         trans_status: common_enums::TransactionStatus,
-        authentication_value: Option<String>,
         eci: Option<String>,
         authentication_status: common_enums::AuthenticationStatus,
     },
@@ -177,7 +175,6 @@ pub struct AuthenticationUpdateInternal {
     pub connector_metadata: Option<serde_json::Value>,
     pub maximum_supported_version: Option<common_utils::types::SemanticVersion>,
     pub threeds_server_transaction_id: Option<String>,
-    pub cavv: Option<String>,
     pub authentication_flow_type: Option<String>,
     pub message_version: Option<common_utils::types::SemanticVersion>,
     pub eci: Option<String>,
@@ -211,7 +208,6 @@ impl Default for AuthenticationUpdateInternal {
             connector_metadata: Default::default(),
             maximum_supported_version: Default::default(),
             threeds_server_transaction_id: Default::default(),
-            cavv: Default::default(),
             authentication_flow_type: Default::default(),
             message_version: Default::default(),
             eci: Default::default(),
@@ -247,7 +243,6 @@ impl AuthenticationUpdateInternal {
             connector_metadata,
             maximum_supported_version,
             threeds_server_transaction_id,
-            cavv,
             authentication_flow_type,
             message_version,
             eci,
@@ -282,7 +277,6 @@ impl AuthenticationUpdateInternal {
                 .or(source.maximum_supported_version),
             threeds_server_transaction_id: threeds_server_transaction_id
                 .or(source.threeds_server_transaction_id),
-            cavv: cavv.or(source.cavv),
             authentication_flow_type: authentication_flow_type.or(source.authentication_flow_type),
             message_version: message_version.or(source.message_version),
             eci: eci.or(source.eci),
@@ -369,7 +363,6 @@ impl From<AuthenticationUpdate> for AuthenticationUpdateInternal {
                 ..Default::default()
             },
             AuthenticationUpdate::AuthenticationUpdate {
-                authentication_value,
                 trans_status,
                 authentication_type,
                 acs_url,
@@ -381,7 +374,6 @@ impl From<AuthenticationUpdate> for AuthenticationUpdateInternal {
                 authentication_status,
                 ds_trans_id,
             } => Self {
-                cavv: authentication_value,
                 trans_status: Some(trans_status),
                 authentication_type: Some(authentication_type),
                 acs_url,
@@ -396,12 +388,10 @@ impl From<AuthenticationUpdate> for AuthenticationUpdateInternal {
             },
             AuthenticationUpdate::PostAuthenticationUpdate {
                 trans_status,
-                authentication_value,
                 eci,
                 authentication_status,
             } => Self {
                 trans_status: Some(trans_status),
-                cavv: authentication_value,
                 eci,
                 authentication_status: Some(authentication_status),
                 ..Default::default()

crates/hyperswitch_connectors/src/connectors/gpayments/gpayments_types.rs

@@ -196,7 +196,7 @@ pub struct GpaymentsAuthenticationSuccessResponse {
     pub acs_url: Option<url::Url>,
     #[serde(rename = "acsReferenceNumber")]
     pub acs_reference_number: String,
-    pub authentication_value: Option<String>,
+    pub authentication_value: Option<Secret<String>>,
 }
 
 #[derive(Deserialize, Debug, Clone, Serialize, PartialEq)]
@@ -230,7 +230,7 @@ impl From<AuthStatus> for common_enums::TransactionStatus {
 #[derive(Debug, Deserialize, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct GpaymentsPostAuthenticationResponse {
-    pub authentication_value: Option<String>,
+    pub authentication_value: Option<Secret<String>>,
     pub trans_status: AuthStatus,
     pub eci: Option<String>,
 }

crates/hyperswitch_connectors/src/connectors/netcetera/transformers.rs

@@ -633,7 +633,7 @@ pub struct NetceteraAuthenticationSuccessResponse {
     #[serde(rename = "threeDSServerTransID")]
     pub three_ds_server_trans_id: String,
     pub trans_status: common_enums::TransactionStatus,
-    pub authentication_value: Option<String>,
+    pub authentication_value: Option<Secret<String>>,
     pub eci: Option<String>,
     pub acs_challenge_mandated: Option<ACSChallengeMandatedIndicator>,
     pub authentication_response: AuthenticationResponse,
@@ -693,7 +693,7 @@ pub struct ResultsResponseData {
 
     /// Payment System-specific value provided as part of the ACS registration for each supported DS.
     /// Authentication Value may be used to provide proof of authentication.
-    pub authentication_value: Option<String>,
+    pub authentication_value: Option<Secret<String>>,
 
     /// Payment System-specific value provided by the ACS to indicate the results of the attempt to authenticate
     /// the Cardholder.

crates/hyperswitch_domain_models/src/router_request_types/authentication.rs

@@ -161,3 +161,9 @@ pub struct AcquirerDetails {
 pub struct ExternalThreeDSConnectorMetadata {
     pub pull_mechanism_for_external_3ds_enabled: Option<bool>,
 }
+
+#[derive(Clone, Debug)]
+pub struct AuthenticationStore {
+    pub cavv: Option<String>,
+    pub authentication: diesel_models::authentication::Authentication,
+}

crates/hyperswitch_domain_models/src/router_request_types/unified_authentication_service.rs

@@ -106,7 +106,7 @@ pub struct PreAuthenticationDetails {
 #[derive(Debug, Clone)]
 pub struct AuthenticationDetails {
     pub authn_flow_type: super::authentication::AuthNFlowType,
-    pub authentication_value: Option<String>,
+    pub authentication_value: Option<Secret<String>>,
     pub trans_status: common_enums::TransactionStatus,
     pub connector_metadata: Option<serde_json::Value>,
     pub ds_trans_id: Option<String>,

crates/hyperswitch_domain_models/src/router_response_types.rs

@@ -536,14 +536,14 @@ pub enum AuthenticationResponseData {
     },
     AuthNResponse {
         authn_flow_type: AuthNFlowType,
-        authentication_value: Option<String>,
+        authentication_value: Option<masking::Secret<String>>,
         trans_status: common_enums::TransactionStatus,
         connector_metadata: Option<serde_json::Value>,
         ds_trans_id: Option<String>,
     },
     PostAuthNResponse {
         trans_status: common_enums::TransactionStatus,
-        authentication_value: Option<String>,
+        authentication_value: Option<masking::Secret<String>>,
         eci: Option<String>,
     },
 }

crates/hyperswitch_interfaces/src/authentication.rs

@@ -6,7 +6,7 @@ pub struct ExternalAuthenticationPayload {
     /// trans_status
     pub trans_status: common_enums::TransactionStatus,
     /// authentication_value
-    pub authentication_value: Option<String>,
+    pub authentication_value: Option<masking::Secret<String>>,
     /// eci
     pub eci: Option<String>,
 }

crates/router/src/connector/threedsecureio/transformers.rs

@@ -513,7 +513,7 @@ pub struct ThreedsecureioAuthenticationSuccessResponse {
     #[serde(rename = "acsSignedContent")]
     pub acs_signed_content: Option<String>,
     #[serde(rename = "authenticationValue")]
-    pub authentication_value: Option<String>,
+    pub authentication_value: Option<Secret<String>>,
 }
 
 #[derive(Debug, Serialize, Deserialize)]
@@ -615,7 +615,7 @@ pub struct ThreedsecureioPostAuthenticationRequest {
 #[derive(Debug, Deserialize, Serialize)]
 #[serde(rename_all = "camelCase")]
 pub struct ThreedsecureioPostAuthenticationResponse {
-    pub authentication_value: Option<String>,
+    pub authentication_value: Option<Secret<String>>,
     pub trans_status: ThreedsecureioTransStatus,
     pub eci: Option<String>,
 }

crates/router/src/core/authentication.rs

@@ -42,6 +42,7 @@ pub async fn perform_authentication(
     psd2_sca_exemption_type: Option<common_enums::ScaExemptionType>,
     payment_id: common_utils::id_type::PaymentId,
     force_3ds_challenge: bool,
+    merchant_key_store: &hyperswitch_domain_models::merchant_key_store::MerchantKeyStore,
 ) -> CustomResult<api::authentication::AuthenticationResponse, ApiErrorResponse> {
     let router_data = transformers::construct_authentication_router_data(
         state,
@@ -74,8 +75,14 @@ pub async fn perform_authentication(
         router_data,
     ))
     .await?;
-    let authentication =
-        utils::update_trackers(state, response.clone(), authentication_data, None).await?;
+    let authentication = utils::update_trackers(
+        state,
+        response.clone(),
+        authentication_data,
+        None,
+        merchant_key_store,
+    )
+    .await?;
     response
         .response
         .map_err(|err| ApiErrorResponse::ExternalConnectorError {
@@ -94,7 +101,10 @@ pub async fn perform_post_authentication(
     business_profile: domain::Profile,
     authentication_id: String,
     payment_id: &common_utils::id_type::PaymentId,
-) -> CustomResult<storage::Authentication, ApiErrorResponse> {
+) -> CustomResult<
+    hyperswitch_domain_models::router_request_types::authentication::AuthenticationStore,
+    ApiErrorResponse,
+> {
     let (authentication_connector, three_ds_connector_account) =
         utils::get_authentication_connector_data(state, key_store, &business_profile).await?;
     let is_pull_mechanism_enabled =
@@ -112,7 +122,11 @@ pub async fn perform_post_authentication(
         .await
         .to_not_found_response(ApiErrorResponse::InternalServerError)
         .attach_printable_lazy(|| format!("Error while fetching authentication record with authentication_id {authentication_id}"))?;
-    if !authentication.authentication_status.is_terminal_status() && is_pull_mechanism_enabled {
+
+    let authentication_update = if !authentication.authentication_status.is_terminal_status()
+        && is_pull_mechanism_enabled
+    {
+        // trigger in case of authenticate flow
         let router_data = transformers::construct_post_authentication_router_data(
             state,
             authentication_connector.to_string(),
@@ -124,10 +138,28 @@ pub async fn perform_post_authentication(
         let router_data =
             utils::do_auth_connector_call(state, authentication_connector.to_string(), router_data)
                 .await?;
-        utils::update_trackers(state, router_data, authentication, None).await
+        utils::update_trackers(state, router_data, authentication, None, key_store).await?
     } else {
-        Ok(authentication)
-    }
+        // trigger in case of webhook flow
+        authentication
+    };
+
+    // getting authentication value from temp locker before moving ahead with authrisation
+    let tokenized_data = crate::core::payment_methods::vault::get_tokenized_data(
+        state,
+        &authentication_id,
+        false,
+        key_store.key.get_inner(),
+    )
+    .await?;
+
+    let authentication_store =
+        hyperswitch_domain_models::router_request_types::authentication::AuthenticationStore {
+            cavv: Some(tokenized_data.value1),
+            authentication: authentication_update,
+        };
+
+    Ok(authentication_store)
 }
 
 #[allow(clippy::too_many_arguments)]
@@ -140,7 +172,10 @@ pub async fn perform_pre_authentication(
     acquirer_details: Option<types::AcquirerDetails>,
     payment_id: common_utils::id_type::PaymentId,
     organization_id: common_utils::id_type::OrganizationId,
-) -> CustomResult<storage::Authentication, ApiErrorResponse> {
+) -> CustomResult<
+    hyperswitch_domain_models::router_request_types::authentication::AuthenticationStore,
+    ApiErrorResponse,
+> {
     let (authentication_connector, three_ds_connector_account) =
         utils::get_authentication_connector_data(state, key_store, business_profile).await?;
     let authentication_connector_name = authentication_connector.to_string();
@@ -176,13 +211,21 @@ pub async fn perform_pre_authentication(
         )
         .await?;
 
-        let updated_authentication =
-            utils::update_trackers(state, router_data, authentication, acquirer_details.clone())
-                .await?;
+        let updated_authentication = utils::update_trackers(
+            state,
+            router_data,
+            authentication,
+            acquirer_details.clone(),
+            key_store,
+        )
+        .await?;
         // from version call response, we will get to know the maximum supported 3ds version.
         // If the version is not greater than or equal to 3DS 2.0, We should not do the successive pre authentication call.
         if !updated_authentication.is_separate_authn_required() {
-            return Ok(updated_authentication);
+            return Ok(hyperswitch_domain_models::router_request_types::authentication::AuthenticationStore{
+                authentication: updated_authentication,
+                cavv: None, // since cavv wont be present in pre_authentication step
+            });
         }
         updated_authentication
     } else {
@@ -201,5 +244,19 @@ pub async fn perform_pre_authentication(
     let router_data =
         utils::do_auth_connector_call(state, authentication_connector_name, router_data).await?;
 
-    utils::update_trackers(state, router_data, authentication, acquirer_details).await
+    let authentication_update = utils::update_trackers(
+        state,
+        router_data,
+        authentication,
+        acquirer_details,
+        key_store,
+    )
+    .await?;
+
+    Ok(
+        hyperswitch_domain_models::router_request_types::authentication::AuthenticationStore {
+            authentication: authentication_update,
+            cavv: None, // since cavv wont be present in pre_authentication step
+        },
+    )
 }

crates/router/src/core/authentication/utils.rs

@@ -1,5 +1,7 @@
+use common_utils::ext_traits::AsyncExt;
 use error_stack::ResultExt;
 use hyperswitch_domain_models::router_data_v2::ExternalAuthenticationFlowData;
+use masking::ExposeInterface;
 
 use crate::{
     consts,
@@ -53,6 +55,7 @@ pub async fn update_trackers<F: Clone, Req>(
     router_data: RouterData<F, Req, AuthenticationResponseData>,
     authentication: storage::Authentication,
     acquirer_details: Option<super::types::AcquirerDetails>,
+    merchant_key_store: &hyperswitch_domain_models::merchant_key_store::MerchantKeyStore,
 ) -> RouterResult<storage::Authentication> {
     let authentication_update = match router_data.response {
         Ok(response) => match response {
@@ -91,10 +94,23 @@ pub async fn update_trackers<F: Clone, Req>(
                 connector_metadata,
                 ds_trans_id,
             } => {
+                authentication_value
+                    .async_map(|auth_val| {
+                        crate::core::payment_methods::vault::create_tokenize(
+                            state,
+                            auth_val.expose(),
+                            None,
+                            authentication.authentication_id.clone(),
+                            merchant_key_store.key.get_inner(),
+                        )
+                    })
+                    .await
+                    .transpose()?;
+
                 let authentication_status =
                     common_enums::AuthenticationStatus::foreign_from(trans_status.clone());
+
                 storage::AuthenticationUpdate::AuthenticationUpdate {
-                    authentication_value,
                     trans_status,
                     acs_url: authn_flow_type.get_acs_url(),
                     challenge_request: authn_flow_type.get_challenge_request(),
@@ -111,14 +127,27 @@ pub async fn update_trackers<F: Clone, Req>(
                 trans_status,
                 authentication_value,
                 eci,
-            } => storage::AuthenticationUpdate::PostAuthenticationUpdate {
-                authentication_status: common_enums::AuthenticationStatus::foreign_from(
-                    trans_status.clone(),
-                ),
-                trans_status,
-                authentication_value,
-                eci,
-            },
+            } => {
+                authentication_value
+                    .async_map(|auth_val| {
+                        crate::core::payment_methods::vault::create_tokenize(
+                            state,
+                            auth_val.expose(),
+                            None,
+                            authentication.authentication_id.clone(),
+                            merchant_key_store.key.get_inner(),
+                        )
+                    })
+                    .await
+                    .transpose()?;
+                storage::AuthenticationUpdate::PostAuthenticationUpdate {
+                    authentication_status: common_enums::AuthenticationStatus::foreign_from(
+                        trans_status.clone(),
+                    ),
+                    trans_status,
+                    eci,
+                }
+            }
             AuthenticationResponseData::PreAuthVersionCallResponse {
                 maximum_supported_3ds_version,
             } => storage::AuthenticationUpdate::PreAuthenticationVersionCallUpdate {