Merge branch 'main' into partial_auth_lock

Author: hrithikesh026

CHANGELOG.md

@@ -4,6 +4,31 @@ All notable changes to HyperSwitch will be documented here.
 
 - - -
 
+## 2025.12.09.0
+
+### Features
+
+- **core:** Consume Card Holder Name in Payment Method Batch Migrations ([#10551](https://github.com/juspay/hyperswitch/pull/10551)) ([`a690a40`](https://github.com/juspay/hyperswitch/commit/a690a40bab3deae2f79ff9717b8eee81bec29462))
+- **platform:** Implement platform-connected setup for publishable key authentication ([#10475](https://github.com/juspay/hyperswitch/pull/10475)) ([`3831a52`](https://github.com/juspay/hyperswitch/commit/3831a526358bb79091bc51f7bfa7b4bd05518ccb))
+- **revenue_recovery:** Enable multiple retries for partial charged payments ([#9818](https://github.com/juspay/hyperswitch/pull/9818)) ([`e7fe480`](https://github.com/juspay/hyperswitch/commit/e7fe4804acd86ae0cc561cbe71d1ea227e4452cc))
+
+### Bug Fixes
+
+- Send customer_name to ucs during customer create ([#10561](https://github.com/juspay/hyperswitch/pull/10561)) ([`eb6080f`](https://github.com/juspay/hyperswitch/commit/eb6080fe1a6025acf631694278cadaad97c4ff2b))
+- Use proper masked deserialize method to deserialize ucs response ([#10566](https://github.com/juspay/hyperswitch/pull/10566)) ([`d42c447`](https://github.com/juspay/hyperswitch/commit/d42c447bd8d709dd451193540c140ce9fd2c5ce2))
+
+### Miscellaneous Tasks
+
+- **postman:** Update Postman collection files ([`f436d7b`](https://github.com/juspay/hyperswitch/commit/f436d7b80692588655f102eb3e02c1cabc534242))
+
+### Revert
+
+- **postman:** Postman tests for bluesnap and stripe failure scenarios ([#10527](https://github.com/juspay/hyperswitch/pull/10527)) ([`d84e66b`](https://github.com/juspay/hyperswitch/commit/d84e66b88cbb4ed9c4557b8fcb92ab6529769e9a))
+
+**Full Changelog:** [`2025.12.08.0...2025.12.09.0`](https://github.com/juspay/hyperswitch/compare/2025.12.08.0...2025.12.09.0)
+
+- - -
+
 ## 2025.12.08.0
 
 ### Features

crates/api_models/src/payment_methods.rs

@@ -2758,6 +2758,7 @@ pub struct TokenizedBankRedirectValue2 {
 pub struct PaymentMethodRecord {
     pub customer_id: id_type::CustomerId,
     pub name: Option<masking::Secret<String>>,
+    pub card_holder_name: Option<masking::Secret<String>>,
     pub email: Option<pii::Email>,
     pub phone: Option<masking::Secret<String>>,
     pub phone_country_code: Option<String>,
@@ -3028,7 +3029,7 @@ impl
                     .unwrap_or_else(|| record.card_number_masked.clone()),
                 card_exp_month: record.card_expiry_month.clone(),
                 card_exp_year: record.card_expiry_year.clone(),
-                card_holder_name: record.name.clone(),
+                card_holder_name: record.card_holder_name.clone().or(record.name.clone()),
                 card_network: None,
                 card_type: None,
                 card_issuer: None,
@@ -3046,7 +3047,7 @@ impl
                         .network_token_expiry_year
                         .clone()
                         .unwrap_or_default(),
-                    card_holder_name: record.name.clone(),
+                    card_holder_name: record.card_holder_name.clone().or(record.name.clone()),
                     nick_name: record.nick_name.clone(),
                     card_issuing_country: None,
                     card_network: None,

crates/router/src/core/unified_connector_service.rs

@@ -1741,7 +1741,7 @@ where
                 .unwrap_or(200);
 
             // Log the actual gRPC response
-            let grpc_response_body = serde_json::to_value(&grpc_response).unwrap_or_else(
+            let grpc_response_body = masking::masked_serialize(&grpc_response).unwrap_or_else(
                 |_| serde_json::json!({"error": "failed_to_serialize_grpc_response"}),
             );
 

crates/router/src/routes/payments.rs

@@ -857,7 +857,10 @@ pub async fn payments_post_session_tokens(
                 header_payload.clone(),
             )
         },
-        &auth::PublishableKeyAuth,
+        &auth::PublishableKeyAuth {
+            is_connected_allowed: false,
+            is_platform_allowed: false,
+        },
         locking_action,
     ))
     .await
@@ -1113,7 +1116,10 @@ pub async fn payments_dynamic_tax_calculation(
                 header_payload.clone(),
             )
         },
-        &auth::PublishableKeyAuth,
+        &auth::PublishableKeyAuth {
+            is_connected_allowed: false,
+            is_platform_allowed: false,
+        },
         locking_action,
     ))
     .await
@@ -1237,7 +1243,10 @@ pub async fn payments_connector_session(
                 header_payload.clone(),
             )
         },
-        &auth::HeaderAuth(auth::PublishableKeyAuth),
+        &auth::HeaderAuth(auth::PublishableKeyAuth {
+            is_connected_allowed: false,
+            is_platform_allowed: false,
+        }),
         locking_action,
     ))
     .await
@@ -2409,7 +2418,10 @@ pub async fn payments_external_authentication(
                 hyperswitch_domain_models::router_flow_types::Authenticate,
             >(state, platform, req)
         },
-        &auth::HeaderAuth(auth::PublishableKeyAuth),
+        &auth::HeaderAuth(auth::PublishableKeyAuth {
+            is_connected_allowed: false,
+            is_platform_allowed: false,
+        }),
         locking_action,
     ))
     .await

crates/router/src/routes/poll.rs

@@ -43,7 +43,10 @@ pub async fn retrieve_poll_status(
             let platform = auth.into();
             poll::retrieve_poll_status(state, req, platform)
         },
-        &auth::HeaderAuth(auth::PublishableKeyAuth),
+        &auth::HeaderAuth(auth::PublishableKeyAuth {
+            is_connected_allowed: false,
+            is_platform_allowed: false,
+        }),
         api_locking::LockAction::NotApplicable,
     ))
     .await

crates/router/src/services/authentication.rs

@@ -2731,8 +2731,11 @@ where
         api_auth
     }
 }
-#[derive(Debug)]
-pub struct PublishableKeyAuth;
+#[derive(Debug, Default)]
+pub struct PublishableKeyAuth {
+    pub is_connected_allowed: bool,
+    pub is_platform_allowed: bool,
+}
 
 #[cfg(feature = "partial-auth")]
 impl GetAuthType for PublishableKeyAuth {
@@ -2744,10 +2747,10 @@ impl GetAuthType for PublishableKeyAuth {
 #[cfg(feature = "partial-auth")]
 impl GetMerchantAccessFlags for PublishableKeyAuth {
     fn get_is_connected_allowed(&self) -> bool {
-        false // Publishable key doesn't support connected merchant operations currently
+        self.is_connected_allowed
     }
     fn get_is_platform_allowed(&self) -> bool {
-        false // Publishable key doesn't support platform merchant operations currently
+        self.is_platform_allowed
     }
 }
 
@@ -2762,29 +2765,45 @@ where
         request_headers: &HeaderMap,
         state: &A,
     ) -> RouterResult<(AuthenticationData, AuthenticationType)> {
-        if state.conf().platform.enabled {
-            throw_error_if_platform_merchant_authentication_required(request_headers)?;
-        }
-
         let publishable_key =
             get_api_key(request_headers).change_context(errors::ApiErrorResponse::Unauthorized)?;
-        state
+
+        // Find initiator merchant and key store
+        let (initiator_merchant, key_store) = state
             .store()
             .find_merchant_account_by_publishable_key(publishable_key)
             .await
-            .to_not_found_response(errors::ApiErrorResponse::Unauthorized)
-            .map(|(merchant_account, key_store)| {
-                let merchant_id = merchant_account.get_id().clone();
-                (
-                    AuthenticationData {
-                        merchant_account,
-                        platform_account_with_key_store: None,
-                        key_store,
-                        profile_id: None,
-                    },
-                    AuthenticationType::PublishableKey { merchant_id },
-                )
-            })
+            .to_not_found_response(errors::ApiErrorResponse::Unauthorized)?;
+
+        // Check access permissions using existing function
+        check_merchant_access(
+            state,
+            initiator_merchant.merchant_account_type,
+            self.is_connected_allowed,
+            self.is_platform_allowed,
+        )?;
+
+        // Resolve merchant relationships using existing function
+        let (merchant, key_store, platform_account_with_key_store) =
+            resolve_merchant_accounts_and_key_stores(
+                state,
+                request_headers,
+                initiator_merchant.clone(),
+                key_store,
+            )
+            .await?;
+
+        Ok((
+            AuthenticationData {
+                merchant_account: merchant,
+                platform_account_with_key_store,
+                key_store,
+                profile_id: None,
+            },
+            AuthenticationType::PublishableKey {
+                merchant_id: initiator_merchant.get_id().clone(),
+            },
+        ))
     }
 }
 
@@ -2805,25 +2824,51 @@ where
             get_id_type_by_key_from_headers(headers::X_PROFILE_ID.to_string(), request_headers)?
                 .get_required_value(headers::X_PROFILE_ID)?;
 
-        let (merchant_account, key_store) = state
+        // Find initiator merchant and key store
+        let (initiator_merchant, key_store) = state
             .store()
             .find_merchant_account_by_publishable_key(publishable_key)
             .await
             .to_not_found_response(errors::ApiErrorResponse::Unauthorized)?;
-        let merchant_id = merchant_account.get_id().clone();
+
+        // Check access permissions using existing function
+        check_merchant_access(
+            state,
+            initiator_merchant.merchant_account_type,
+            self.is_connected_allowed,
+            self.is_platform_allowed,
+        )?;
+
+        // Resolve merchant relationships using existing function
+        let (merchant, key_store, platform_account_with_key_store) =
+            resolve_merchant_accounts_and_key_stores(
+                state,
+                request_headers,
+                initiator_merchant.clone(),
+                key_store,
+            )
+            .await?;
+
+        // Find and validate profile after merchant resolution
         let profile = state
             .store()
-            .find_business_profile_by_merchant_id_profile_id(&key_store, &merchant_id, &profile_id)
+            .find_business_profile_by_merchant_id_profile_id(
+                &key_store,
+                merchant.get_id(),
+                &profile_id,
+            )
             .await
             .to_not_found_response(errors::ApiErrorResponse::Unauthorized)?;
         Ok((
             AuthenticationData {
-                merchant_account,
+                merchant_account: merchant,
+                platform_account_with_key_store,
                 key_store,
                 profile,
-                platform_account_with_key_store: None,
             },
-            AuthenticationType::PublishableKey { merchant_id },
+            AuthenticationType::PublishableKey {
+                merchant_id: initiator_merchant.get_id().clone(),
+            },
         ))
     }
 }
@@ -4228,7 +4273,10 @@ pub fn get_auth_type_and_flow<A: SessionStateInfo + Sync + Send>(
 
     if api_key.starts_with("pk_") {
         return Ok((
-            Box::new(HeaderAuth(PublishableKeyAuth)),
+            Box::new(HeaderAuth(PublishableKeyAuth {
+                is_connected_allowed: api_auth.is_connected_allowed,
+                is_platform_allowed: api_auth.is_platform_allowed,
+            })),
             api::AuthFlow::Client,
         ));
     }
@@ -4257,7 +4305,10 @@ where
                 field_name: "client_secret",
             })?;
         return Ok((
-            Box::new(HeaderAuth(PublishableKeyAuth)),
+            Box::new(HeaderAuth(PublishableKeyAuth {
+                is_connected_allowed: api_auth.is_connected_allowed,
+                is_platform_allowed: api_auth.is_platform_allowed,
+            })),
             api::AuthFlow::Client,
         ));
     }