juspay/hyperswitch

[BUG] invalidate `payout_token` once the txn is processed

Open

#6,005 opened on Sep 24, 2024

Labels: C-bug, S-awaiting-triage, good first issue

Description

Bug Description

`payout_token` can be used for processing payout txns for saved payout methods. This is a short-lived token which is generated by the customer's PM list API. These tokens should only be used once. However, these are not being invalidated post usage.

Expected Behavior

Tokens should only be used once per payout request. These must be invalidated after completing the payout txn. Same tokens should not be allowed to be consumed for multiple payouts.

Token generated -> Token attached to a payout

Actual Behavior

Same token is being used across multiple payout txns. Moreover, these are not being invalidated once the txn reaches the end of its lifecycle.

Steps To Reproduce

  1. Save a payout method
  2. List customer payment methods for generating payment_token
  3. Use this payout_token in payout create APIs
  4. Complete the payout txn
  5. Use this as payout_token again - should be allowed. Ideal scenario is throwing an error stating Invalid token

Have you spent some time checking if this bug has been raised before?

  • I checked and didn't find a similar issue

Have you read the Contributing Guidelines?

Contributor guide
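The expected behavior described in this issue, sketched as an added example that is not hyperswitch code: a token is bound to the first payout that presents it, rejected for any other payout, and dropped when that payout completes. `PayoutTokenStore`, `issue`, `attach`, `complete`, the in-memory map and the sample ids are all hypothetical names and assumptions made for illustration.

```rust
use std::collections::HashMap;
use std::sync::Mutex;
use std::time::{Duration, Instant};

#[derive(Debug, PartialEq)]
pub enum TokenError { Invalid }

struct Entry { payout_method_id: String, expires_at: Instant, bound_to: Option<String> }

#[derive(Default)]
pub struct PayoutTokenStore { inner: Mutex<HashMap<String, Entry>> }

impl PayoutTokenStore {
    /// Issue a short-lived token for a saved payout method (the PM list step).
    pub fn issue(&self, token: &str, payout_method_id: &str, ttl: Duration) {
        let entry = Entry { payout_method_id: payout_method_id.into(), expires_at: Instant::now() + ttl, bound_to: None };
        self.inner.lock().unwrap().insert(token.into(), entry);
    }

    /// Bind the token to one payout. Check and bind happen under one lock,
    /// so two concurrent payouts cannot both claim the same token.
    pub fn attach(&self, token: &str, payout_id: &str) -> Result<String, TokenError> {
        let mut map = self.inner.lock().unwrap();
        let expired = map.get(token).map(|e| Instant::now() >= e.expires_at).ok_or(TokenError::Invalid)?;
        if expired { map.remove(token); return Err(TokenError::Invalid); }
        let entry = map.get_mut(token).ok_or(TokenError::Invalid)?;
        // A token already bound to a different payout is rejected.
        if entry.bound_to.as_deref().map_or(false, |p| p != payout_id) { return Err(TokenError::Invalid); }
        entry.bound_to = Some(payout_id.into());
        Ok(entry.payout_method_id.clone())
    }

    /// Drop every token bound to a payout that reached a terminal state.
    pub fn complete(&self, payout_id: &str) {
        self.inner.lock().unwrap().retain(|_, e| e.bound_to.as_deref() != Some(payout_id));
    }
}

fn main() {
    // Constructed sample ids, not real tokens.
    let store = PayoutTokenStore::default();
    store.issue("token_constructed", "pm_constructed", Duration::from_secs(900));
    println!("{:?}", store.attach("token_constructed", "payout_1")); // first use
    println!("{:?}", store.attach("token_constructed", "payout_2")); // other payout
    store.complete("payout_1");
    println!("{:?}", store.attach("token_constructed", "payout_1")); // after completion
}
```

With a shared store such as Redis, the same property needs the check-and-bind to be a single atomic operation rather than a separate read followed by a write.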