fix: add client_secret validation in session and eligibility authentication apis

[sai-harsha-vardhan]

Type of Change

• Bugfix
• New feature
• Enhancement
• Refactoring
• Dependency updates
• Documentation
• CI/CD

Description

add client_secret validation in session and eligibility authentication apis

Additional Changes

• This PR modifies the API contract
• This PR modifies the database schema
• This PR modifies application configuration/environment variables

Motivation and Context

How did you test it?

Tested Manually

1. Create Authentication

CURL

curl --location 'localhost:8080/authentication' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'api-key: dev_BHQXedUtNZsBejYfbqatFds1CPlOVHusoBEneK94Ywm0MNsT2d5ezRlfPBHI7CHj' \
--data-raw '{
    "amount": 10,
    "currency": "USD",
    "customer_details" : {
        "id": "sahkal1243",
        "name": "sahkal",
        "email": "sahkalplanet@gmail.com",
        "phone":"7028323872831",
        "phone_country_code": "+91"
    },
    "authentication_connector": "ctp_visa"
}'

Response

{
    "authentication_id": "authn_c8PTzcxllMrOlBwNPSM7",
    "merchant_id": "merchant_1769688633",
    "status": "started",
    "client_secret": "authn_c8PTzcxllMrOlBwNPSM7_secret_keLFyoj9bDrlt1JuNsp7",
    "amount": 10,
    "currency": "USD",
    "authentication_connector": "ctp_visa",
    "force_3ds_challenge": false,
    "return_url": null,
    "created_at": "2026-01-29T12:11:26.464Z",
    "error_code": null,
    "error_message": null,
    "profile_id": "pro_5PUxpNPe5xN6F18usnwI",
    "psd2_sca_exemption_type": null,
    "acquirer_details": {
        "acquirer_bin": null,
        "acquirer_merchant_id": null,
        "merchant_country_code": null
    },
    "profile_acquirer_id": null,
    "customer_details": {
        "id": "sahkal1243",
        "name": "sahkal",
        "email": "sahkalplanet@gmail.com",
        "phone": "7028323872831",
        "phone_country_code": "+91",
        "tax_registration_id": null
    }
}

2. Authentication Session API with invalid client secret after expiry (15 mins)

CURL

curl --location 'localhost:8080/authentication/authn_c8PTzcxllMrOlBwNPSM7/enabled_authn_methods_token' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'api-key: pk_dev_ec1a137058a2452e954914e123d20ed9' \
--data '{   
    "client_secret": "authn_gxRPNNXn2VV03l2wmeNL_secret_r0DiLU8IjE3GHjpz5tNz"
}'

Response

{
    "error": {
        "type": "invalid_request",
        "message": "The provided client_secret has expired",
        "code": "IR_09"
    }
}

Checklist

• I formatted the code cargo +nightly fmt --all
• I addressed lints thrown by cargo clippy
• I reviewed the submitted code
• I added unit tests for my changes where possible

[semanticdiff-com]

Review changes with  

Changed Files

File	Status
crates/router/src/core/unified_authentication_service.rs	0% smaller

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@00f0b71). Learn more about missing BASE report.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #11085   +/-   ##
=======================================
  Coverage        ?        0           
=======================================
  Files           ?        0           
  Lines           ?        0           
  Branches        ?        0           
=======================================
  Hits            ?        0           
  Misses          ?        0           
  Partials        ?        0           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.