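/// <summary>
/// Loads the payment identified by <paramref name="query"/> and verifies that it
/// belongs to the merchant of the current session before returning it.
/// </summary>
/// <param name="query">Query carrying the id of the payment to look up.</param>
/// <returns>
/// The payment details, or <c>null</c> when the repository has no payment for the
/// given id (the ownership check is skipped in that case, so nothing is revealed
/// about ids that do not exist).
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="query"/> is null.</exception>
/// <exception cref="NotPermittedException">
/// The payment exists but belongs to a merchant other than the one in the current session.
/// </exception>
public async Task<PaymentDetails> ExecuteAsync(GetPaymentDetailsByPaymentIdQuery query)
{
    if (query == null)
    {
        throw new ArgumentNullException(nameof(query));
    }

    var paymentDetails = await _paymentRepository.GetPaymentDetailsByPaymentIdAsync(query.PaymentId);
    var merchantId = _userSessionService.GetCurrentMerchantId();

    // Authorization check: a merchant may only read its own payments. The merchant
    // id comes from the session, never from the request, so the caller cannot
    // choose which merchant it is compared against.
    if (paymentDetails != null && paymentDetails.MerchantId != merchantId)
    {
        // Depending on requirements you could choose to return null here
        // instead and log a warning or similar.
        // E.g. throwing an exception could allow an attacker to validate paymentIds
        // but that may be considered irrelevant if a valid paymentId is of no use
        // to an attacker.
        var msg = $"Merchant {merchantId} is not permitted to view payments for merchant {paymentDetails.MerchantId}.";
        throw new NotPermittedException(msg);
    }

    return paymentDetails;
}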
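/// <summary>
/// Records a payment attempt for the current merchant, submits it to the acquiring
/// bank and stores the bank's result against the attempt.
/// </summary>
/// <param name="command">The payment to make, including the card details to charge.</param>
/// <returns>
/// The id assigned to the stored payment attempt together with the result reported
/// by the bank.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="command"/> is null.</exception>
public async Task<AddPaymentCommandResult> ExecuteAsync(AddPaymentCommand command)
{
    if (command == null)
    {
        throw new ArgumentNullException(nameof(command));
    }

    await InitializeExecution(command);

    // Assumption: the API would have some kind of auth that would allow us
    // to know the merchant making the API call. The merchant id is taken from
    // the session rather than the command so a caller cannot pay on behalf of
    // another merchant.
    var merchantId = _userSessionService.GetCurrentMerchantId();
    _logger.LogDebug("Adding payment for merchant {MerchantId}", merchantId);

    // Store the payment attempt to ensure the request is captured even
    // if an exception occurs during payment e.g. the bank payment is successful
    // but updating the status in the data store fails due to a network error.
    // There is deliberately no try/catch here: if the bank call below throws,
    // the attempt stays in its started state for later reconciliation.
    var paymentId = await _paymentRepository.StartPaymentAsync(merchantId, command);

    // Try and register the payment with the bank. Only the identifiers are
    // logged in this method; the card details are passed through and never
    // written to the log.
    var addBankPaymentCommand = new AddBankPaymentCommand()
    {
        CreditCard = command.CreditCard,
        MerchantId = merchantId,
        PaymentId = paymentId
    };
    var bankPaymentResponse = await _aquiringBankService.MakePaymentAsync(addBankPaymentCommand);

    // Update the payment attempt with the result
    await _paymentRepository.CompletePaymentAsync(paymentId, bankPaymentResponse);

    // Return the result
    var result = new AddPaymentCommandResult()
    {
        PaymentId = paymentId,
        PaymentResult = bankPaymentResponse.Result
    };
    _logger.LogDebug("Payment completed with a result of {Result} for paymentId {PaymentId}", bankPaymentResponse.Result, paymentId);

    return result;
}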