Merchant-specific DNS names Support for access (#195)

armando-rodriguez-cko · david-ruiz-cko · web-flow · commit e68dd948be0a · 2026-01-28T11:57:51.000+01:00
* Subdomain added for access validation endpoint

* Access domain test updates

---------

Co-authored-by: david ruiz &lt;david.ruiz@checkout.com&gt;
diff --git a/configuration/environment.go b/configuration/environment.go
@@ -15,26 +15,34 @@ type Environment interface {
 }
 
 type EnvironmentSubdomain struct {
-	ApiUrl string
+	ApiUrl           string
+	AuthorizationUrl string
 }
 
 func NewEnvironmentSubdomain(environment Environment, subdomain string) *EnvironmentSubdomain {
-	apiUrl := addSubdomainToApiUrlEnvironment(environment, subdomain)
-	return &EnvironmentSubdomain{ApiUrl: apiUrl}
+	apiUrl := createUrlWithSubdomain(environment.BaseUri(), subdomain)
+	authorizationUrl := createUrlWithSubdomain(environment.AuthorizationUri(), subdomain)
+	return &EnvironmentSubdomain{
+		ApiUrl:           apiUrl,
+		AuthorizationUrl: authorizationUrl,
+	}
 }
 
-func addSubdomainToApiUrlEnvironment(environment Environment, subdomain string) string {
-	apiUrl := environment.BaseUri()
-
-	newEnvironment := apiUrl
+// createUrlWithSubdomain applies subdomain transformation to any given URI.
+// If the subdomain is valid (alphanumeric pattern), prepends it to the host.
+// Otherwise, returns the original URI unchanged.
+func createUrlWithSubdomain(originalUrl string, subdomain string) string {
+	newEnvironment := originalUrl
 
 	regex := regexp.MustCompile("^[0-9a-z]+$")
 
 	if regex.MatchString(subdomain) {
-		merchantApiUrl, _ := url.Parse(apiUrl)
-		merchantApiUrl.Host = subdomain + "." + merchantApiUrl.Host
-
-		newEnvironment = merchantApiUrl.String()
+		merchantUrl, err := url.Parse(originalUrl)
+		if err != nil {
+			return newEnvironment
+		}
+		merchantUrl.Host = subdomain + "." + merchantUrl.Host
+		newEnvironment = merchantUrl.String()
 	}
 
 	return newEnvironment
diff --git a/nas/checkout_oauth_sdk_builder.go b/nas/checkout_oauth_sdk_builder.go
@@ -62,7 +62,11 @@ func (b *CheckoutOAuthSdkBuilder) Build() (*Api, error) {
 	}
 
 	if b.AuthorizationUri == "" {
-		b.AuthorizationUri = b.SdkBuilder.Environment.AuthorizationUri()
+		if b.EnvironmentSubdomain != nil {
+			b.AuthorizationUri = b.EnvironmentSubdomain.AuthorizationUrl
+		} else {
+			b.AuthorizationUri = b.SdkBuilder.Environment.AuthorizationUri()
+		}
 	}
 
 	sdkCredentials, err := configuration.NewOAuthSdkCredentials(
diff --git a/test/configuration_api_test.go b/test/configuration_api_test.go
@@ -15,14 +15,19 @@ func TestShouldCreateConfigurationWithSubdomain(t *testing.T) {
 	environment := configuration.Sandbox()
 
 	testCases := []struct {
-		subdomain   string
-		expectedUrl string
+		subdomain       string
+		expectedApiUrl  string
+		expectedAuthUrl string
 	}{
-		{"a", "https://a.api.sandbox.checkout.com"},
-		{"ab", "https://ab.api.sandbox.checkout.com"},
-		{"abc", "https://abc.api.sandbox.checkout.com"},
-		{"abc1", "https://abc1.api.sandbox.checkout.com"},
-		{"12345domain", "https://12345domain.api.sandbox.checkout.com"},
+		{"a", "https://a.api.sandbox.checkout.com", "https://a.access.sandbox.checkout.com/connect/token"},
+		{"ab", "https://ab.api.sandbox.checkout.com", "https://ab.access.sandbox.checkout.com/connect/token"},
+		{"abc", "https://abc.api.sandbox.checkout.com", "https://abc.access.sandbox.checkout.com/connect/token"},
+		{"abc1", "https://abc1.api.sandbox.checkout.com", "https://abc1.access.sandbox.checkout.com/connect/token"},
+		{"12345domain", "https://12345domain.api.sandbox.checkout.com", "https://12345domain.access.sandbox.checkout.com/connect/token"},
+		{"a1b2c3d4", "https://a1b2c3d4.api.sandbox.checkout.com", "https://a1b2c3d4.access.sandbox.checkout.com/connect/token"},
+		{"12345678", "https://12345678.api.sandbox.checkout.com", "https://12345678.access.sandbox.checkout.com/connect/token"},
+		{"abcdefgh", "https://abcdefgh.api.sandbox.checkout.com", "https://abcdefgh.access.sandbox.checkout.com/connect/token"},
+		{"1234doma", "https://1234doma.api.sandbox.checkout.com", "https://1234doma.access.sandbox.checkout.com/connect/token"},
 	}
 
 	for _, tc := range testCases {
@@ -31,7 +36,8 @@ func TestShouldCreateConfigurationWithSubdomain(t *testing.T) {
 			config := configuration.NewConfigurationWithSubdomain(credentials, environment, subdomain, &http.Client{}, nil)
 
 			assert.NotNil(t, config)
-			assert.Equal(t, tc.expectedUrl, config.EnvironmentSubdomain.ApiUrl)
+			assert.Equal(t, tc.expectedApiUrl, config.EnvironmentSubdomain.ApiUrl)
+			assert.Equal(t, tc.expectedAuthUrl, config.EnvironmentSubdomain.AuthorizationUrl)
 		})
 	}
 }
@@ -41,14 +47,15 @@ func TestShouldCreateConfigurationWithBadSubdomain(t *testing.T) {
 	environment := configuration.Sandbox()
 
 	testCases := []struct {
-		subdomain   string
-		expectedUrl string
+		subdomain       string
+		expectedApiUrl  string
+		expectedAuthUrl string
 	}{
-		{"", "https://api.sandbox.checkout.com"},
-		{"  ", "https://api.sandbox.checkout.com"},
-		{" - ", "https://api.sandbox.checkout.com"},
-		{"a b", "https://api.sandbox.checkout.com"},
-		{"ab c1", "https://api.sandbox.checkout.com"},
+		{"", "https://api.sandbox.checkout.com", "https://access.sandbox.checkout.com/connect/token"},
+		{"  ", "https://api.sandbox.checkout.com", "https://access.sandbox.checkout.com/connect/token"},
+		{" - ", "https://api.sandbox.checkout.com", "https://access.sandbox.checkout.com/connect/token"},
+		{"a b", "https://api.sandbox.checkout.com", "https://access.sandbox.checkout.com/connect/token"},
+		{"ab c1", "https://api.sandbox.checkout.com", "https://access.sandbox.checkout.com/connect/token"},
 	}
 
 	for _, tc := range testCases {
@@ -57,7 +64,21 @@ func TestShouldCreateConfigurationWithBadSubdomain(t *testing.T) {
 			config := configuration.NewConfigurationWithSubdomain(credentials, environment, subdomain, &http.Client{}, nil)
 
 			assert.NotNil(t, config)
-			assert.Equal(t, tc.expectedUrl, config.EnvironmentSubdomain.ApiUrl)
+			assert.Equal(t, tc.expectedApiUrl, config.EnvironmentSubdomain.ApiUrl)
+			assert.Equal(t, tc.expectedAuthUrl, config.EnvironmentSubdomain.AuthorizationUrl)
 		})
 	}
 }
+
+func TestShouldCreateConfigurationWithSubdomainForProduction(t *testing.T) {
+	credentials := new(mocks.CredentialsMock)
+	environment := configuration.Production()
+	subdomain := "1234prod"
+
+	subdomain_env := configuration.NewEnvironmentSubdomain(environment, subdomain)
+	config := configuration.NewConfigurationWithSubdomain(credentials, environment, subdomain_env, &http.Client{}, nil)
+
+	assert.NotNil(t, config)
+	assert.Equal(t, "https://1234prod.api.checkout.com", config.EnvironmentSubdomain.ApiUrl)
+	assert.Equal(t, "https://1234prod.access.checkout.com/connect/token", config.EnvironmentSubdomain.AuthorizationUrl)
+}
diff --git a/test/configuration_test.go b/test/configuration_test.go
@@ -77,3 +77,42 @@ func TestGetAccessToken(t *testing.T) {
 		})
 	}
 }
+
+func TestGetAccessTokenWithSubdomain(t *testing.T) {
+	cases := []struct {
+		name             string
+		inputCredentials *configuration.OAuthSdkCredentials
+		expectedAuthUri  string
+		checker          func(*configuration.OAuthAccessToken, error)
+	}{
+		{
+			name: "when OAuth credentials are created with subdomain-aware authorization URI then use subdomain",
+			inputCredentials: &configuration.OAuthSdkCredentials{
+				ClientId:         "invalid_client_id",
+				ClientSecret:     "invalid_client_secret",
+				AuthorizationUri: "https://1234doma.access.sandbox.checkout.com/connect/token",
+				Scopes:           []string{configuration.Gateway},
+				Log:              log.New(os.Stderr, "checkout-sdk-go - ", log.LstdFlags),
+			},
+			expectedAuthUri: "https://1234doma.access.sandbox.checkout.com/connect/token",
+			checker: func(token *configuration.OAuthAccessToken, err error) {
+				assert.NotNil(t, err)
+				assert.Nil(t, token)
+				chkErr := err.(errors.CheckoutAuthorizationError)
+				assert.Equal(t, "invalid_client", chkErr.Error())
+				// This test verifies that OAuth credentials are created with the subdomain-aware authorization URI
+				// The failure is expected since we're using fake credentials, but the important part is that
+				// the subdomain logic is triggered in the OAuth flow
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			assert.Equal(t, tc.expectedAuthUri, tc.inputCredentials.AuthorizationUri)
+			err := tc.inputCredentials.GetAccessToken()
+
+			tc.checker(tc.inputCredentials.AccessToken, err)
+		})
+	}
+}
diff --git a/test/oauth_sdk_api_test.go b/test/oauth_sdk_api_test.go
@@ -72,3 +72,19 @@ func TestOauthCheckoutSdks(t *testing.T) {
 	}
 
 }
+
+func TestOauthCheckoutSdkWithSubdomain(t *testing.T) {
+	// This test verifies that OAuth credentials are created with the subdomain-aware authorization URI
+	// The failure is expected since we're using fake credentials, but the important part is that
+	// the subdomain logic is triggered in the OAuth flow
+	_, err := checkout.Builder().
+		OAuth().
+		WithClientCredentials("client_id", "client_secret").
+		WithScopes([]string{configuration.Gateway}).
+		WithEnvironment(configuration.Sandbox()).
+		WithEnvironmentSubdomain("1234doma").
+		Build()
+
+	assert.NotNil(t, err)
+	assert.Contains(t, err.Error(), "invalid_client")
+}

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,11 @@ func (b CheckoutOAuthSdkBuilder) Build() (Api, error) {`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`if b.AuthorizationUri == "" {`
`65`		`- b.AuthorizationUri = b.SdkBuilder.Environment.AuthorizationUri()`
	`65`	`+ if b.EnvironmentSubdomain != nil {`
	`66`	`+ b.AuthorizationUri = b.EnvironmentSubdomain.AuthorizationUrl`
	`67`	`+ } else {`
	`68`	`+ b.AuthorizationUri = b.SdkBuilder.Environment.AuthorizationUri()`
	`69`	`+ }`
`66`	`70`	`}`
`67`	`71`
`68`	`72`	`sdkCredentials, err := configuration.NewOAuthSdkCredentials(`