From 990d379aece2ff56b96320b7800251f5ea21d2f4 Mon Sep 17 00:00:00 2001
From: Simone Infante <simone.infante@pagopa.it>
Date: Tue, 18 Jun 2024 19:48:56 +0200
Subject: [PATCH 01/12] family & friends proposal

---
 .../ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl   | 2 +-
 .../shared-app/api/session-wallet/v1/_base_policy.xml.tpl     | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl b/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl
index 5e8bdf83c2..affb6c2315 100644
--- a/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl
+++ b/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl
@@ -20,7 +20,7 @@
         </choose>
 
         <choose>
-            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}" || !"{{pay-wallet-family-friends-users}}".Contains((string)context.Request.Headers.GetValueOrDefault("x-user-id","")) )">
                 <set-variable name="idPsp" value="@((string)((JObject) context.Variables["body"])["pspId"])" />
                 <set-variable name="idWallet" value="@{
                     string walletIdUUID = (string)context.Variables["walletId"];
diff --git a/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl b/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl
index 8d220ee68a..0932f24fdd 100644
--- a/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl
+++ b/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl
@@ -2,9 +2,9 @@
     <inbound>
       <base />
       <set-variable name="walletToken"  value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").Replace("Bearer ",""))"  />
-     
+      <!-- Maybe to add backend-io get user to check family & friends -->
       <choose>
-        <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+          <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}" || !"{{pay-wallet-family-friends-users}}".Contains((string)context.Request.Headers.GetValueOrDefault("x-user-id","")) )">
           <!-- Session PM START-->
           <send-request ignore-error="true" timeout="10" response-variable-name="pm-session-body" mode="new">
               <set-url>@($"{{pm-host}}/pp-restapi-CD/v1/users/actions/start-session?token={(string)context.Variables["walletToken"]}")</set-url>

From f42f8642b13894a5486e4e1a4becaf0bb3b70b8d Mon Sep 17 00:00:00 2001
From: Pietro Tota <pietro.tota@pagopa.it>
Date: Wed, 19 Jun 2024 14:30:27 +0200
Subject: [PATCH 02/12] feat: start session famly&friends

---
 src/domains/ecommerce-common/README.md        |   6 +
 .../04_apim_io_payment_wallet.tf              |  14 ++
 src/domains/pay-wallet-app/README.md          |   1 +
 .../session-wallet/v1/_base_policy.xml.tpl    | 194 ++++++++++--------
 4 files changed, 133 insertions(+), 82 deletions(-)

diff --git a/src/domains/ecommerce-common/README.md b/src/domains/ecommerce-common/README.md
index b5c6498715..84471267a1 100644
--- a/src/domains/ecommerce-common/README.md
+++ b/src/domains/ecommerce-common/README.md
@@ -81,11 +81,16 @@
 | [azurerm_monitor_metric_alert.queue_storage_account_average_messge_count](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
 | [azurerm_monitor_metric_alert.redis_cache_used_memory_exceeded](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_metric_alert) | resource |
 | [azurerm_monitor_scheduled_query_rules_alert.ecommerce_authorization_outcome_notification_alert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource |
+| [azurerm_monitor_scheduled_query_rules_alert.ecommerce_authorization_outcome_notification_alert-v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource |
 | [azurerm_monitor_scheduled_query_rules_alert.ecommerce_deadletter_filling_rate_alert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource |
 | [azurerm_monitor_scheduled_query_rules_alert.ecommerce_for_checkout_availability](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource |
+| [azurerm_monitor_scheduled_query_rules_alert.ecommerce_for_checkout_availability-v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource |
 | [azurerm_monitor_scheduled_query_rules_alert.ecommerce_payment_methods_start_session_alert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource |
+| [azurerm_monitor_scheduled_query_rules_alert.ecommerce_payment_methods_start_session_alert-v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource |
 | [azurerm_monitor_scheduled_query_rules_alert.ecommerce_transactions_service_auth_request_ko](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource |
+| [azurerm_monitor_scheduled_query_rules_alert.ecommerce_transactions_service_auth_request_ko-v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource |
 | [azurerm_monitor_scheduled_query_rules_alert.ecommerce_transactions_service_user_receipts_ko](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource |
+| [azurerm_monitor_scheduled_query_rules_alert.ecommerce_transactions_service_user_receipts_ko-v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource |
 | [azurerm_monitor_scheduled_query_rules_alert.ecommerce_transient_enqueue_rate_alert](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_scheduled_query_rules_alert) | resource |
 | [azurerm_private_dns_a_record.ingress](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_a_record) | resource |
 | [azurerm_private_endpoint.storage_deadletter_private_endpoint](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
@@ -127,6 +132,7 @@
 | [azuread_service_principal.iac_plan_legacy](https://registry.terraform.io/providers/hashicorp/azuread/2.38.0/docs/data-sources/service_principal) | data source |
 | [azuread_service_principal.iac_principal](https://registry.terraform.io/providers/hashicorp/azuread/2.38.0/docs/data-sources/service_principal) | data source |
 | [azurerm_api_management.apim](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source |
+| [azurerm_api_management.apim_v2](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source |
 | [azurerm_application_insights.application_insights](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
 | [azurerm_key_vault_secret.monitor_ecommerce_opsgenie_webhook_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault_secret) | data source |
diff --git a/src/domains/pay-wallet-app/04_apim_io_payment_wallet.tf b/src/domains/pay-wallet-app/04_apim_io_payment_wallet.tf
index cac0ca577e..8abd8e9f5c 100644
--- a/src/domains/pay-wallet-app/04_apim_io_payment_wallet.tf
+++ b/src/domains/pay-wallet-app/04_apim_io_payment_wallet.tf
@@ -126,3 +126,17 @@ resource "azurerm_api_management_api_operation_policy" "update_applications_for_
 
   xml_content = file("./api/io-payment-wallet/v1/_update_applications.xml.tpl")
 }
+
+
+resource "azurerm_api_management_named_value" "pay_wallet_family_friends_user_ids" {
+  name                = "pay-wallet-family-friends-user-ids"
+  api_management_name = local.pagopa_apim_name
+  resource_group_name = local.pagopa_apim_rg
+  display_name        = "pay-wallet-family-friends-user-ids"
+  value               = "<TO_UPDATE_MANUALLY_BY_PORTAL>"
+  lifecycle {
+    ignore_changes = [
+      value,
+    ]
+  }
+}
diff --git a/src/domains/pay-wallet-app/README.md b/src/domains/pay-wallet-app/README.md
index 5ad6966bd4..338edb9f1b 100644
--- a/src/domains/pay-wallet-app/README.md
+++ b/src/domains/pay-wallet-app/README.md
@@ -57,6 +57,7 @@
 | [azurerm_api_management_api_version_set.wallet_outcomes_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource |
 | [azurerm_api_management_api_version_set.wallet_webview_api](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_version_set) | resource |
 | [azurerm_api_management_group.payment-wallet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_group) | resource |
+| [azurerm_api_management_named_value.pay_wallet_family_friends_user_ids](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
 | [azurerm_api_management_named_value.wallet-jwt-signing-key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
 | [azurerm_api_management_named_value.wallet_personal_data_vault_api_key](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_named_value) | resource |
 | [azurerm_key_vault_secret.aks_apiserver_url](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret) | resource |
diff --git a/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl b/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl
index 0932f24fdd..a14a0d6c54 100644
--- a/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl
+++ b/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl
@@ -3,47 +3,121 @@
       <base />
       <set-variable name="walletToken"  value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").Replace("Bearer ",""))"  />
       <!-- Maybe to add backend-io get user to check family & friends -->
+      <!-- Session PM START-->
+      <send-request ignore-error="true" timeout="10" response-variable-name="pm-session-body" mode="new">
+          <set-url>@($"{{pm-host}}/pp-restapi-CD/v1/users/actions/start-session?token={(string)context.Variables["walletToken"]}")</set-url>
+          <set-method>GET</set-method>
+      </send-request>
       <choose>
-          <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}" || !"{{pay-wallet-family-friends-users}}".Contains((string)context.Request.Headers.GetValueOrDefault("x-user-id","")) )">
-          <!-- Session PM START-->
-          <send-request ignore-error="true" timeout="10" response-variable-name="pm-session-body" mode="new">
-              <set-url>@($"{{pm-host}}/pp-restapi-CD/v1/users/actions/start-session?token={(string)context.Variables["walletToken"]}")</set-url>
-              <set-method>GET</set-method>
-          </send-request>
-          <choose>
-              <when condition="@(((IResponse)context.Variables["pm-session-body"]).StatusCode == 401)">
-                  <return-response>
-                      <set-status code="401" reason="Unauthorized" />
-                      <set-header name="Content-Type" exists-action="override">
-                          <value>application/json</value>
-                      </set-header>
-                      <set-body>
-                          {
-                              "title": "Unauthorized",
-                              "status": 401,
-                              "detail": "Invalid session token"
-                          }
-                      </set-body>
-                  </return-response>
-              </when>
-              <when condition="@(((IResponse)context.Variables["pm-session-body"]).StatusCode != 200)">
+          <when condition="@(((IResponse)context.Variables["pm-session-body"]).StatusCode == 401)">
+              <return-response>
+                  <set-status code="401" reason="Unauthorized" />
+                  <set-header name="Content-Type" exists-action="override">
+                      <value>application/json</value>
+                  </set-header>
+                  <set-body>
+                      {
+                          "title": "Unauthorized",
+                          "status": 401,
+                          "detail": "Invalid session token"
+                      }
+                  </set-body>
+              </return-response>
+          </when>
+          <when condition="@(((IResponse)context.Variables["pm-session-body"]).StatusCode != 200)">
+              <return-response>
+                  <set-status code="502" reason="Bad Gateway" />
+                  <set-header name="Content-Type" exists-action="override">
+                      <value>application/json</value>
+                  </set-header>
+                  <set-body>
+                      {
+                          "title": "Error starting session",
+                          "status": 502,
+                          "detail": "There was an error starting session for input wallet token"
+                      }
+                  </set-body>
+              </return-response>
+          </when>
+      </choose>
+      <set-variable name="pmSession" value="@(((IResponse)context.Variables["pm-session-body"]).Body.As<JObject>())" />
+      <!-- Session PM END-->
+      <set-variable name="userFiscalCode" value="@{
+          String userFiscalCode = ((JObject)context.Variables["pmSession"])?["data"]?["user"]?["fiscalCode"]?.ToString();
+          return userFiscalCode;
+      }" 
+      />
+      <choose>
+          <when condition="@(String.IsNullOrEmpty((String)context.Variables["userFiscalCode"]))">
+              <return-response>
+                <set-status code="502" reason="Bad Gateway" />
+                <set-header name="Content-Type" exists-action="override">
+                  <value>application/json</value>
+                </set-header>
+                <set-body>
+                    {
+                        "title": "Error starting session",
+                        "status": 502,
+                        "detail": "Cannot tokenize user fiscal code: PM start-session fiscalCode is null"
+                    }
+                </set-body>
+              </return-response>
+          </when>
+          <otherwise>
+              <!-- Post Token PDV : START-->
+              <send-request ignore-error="true" timeout="10" response-variable-name="pdv-token" mode="new">
+                <set-url>${pdv_api_base_path}/tokens</set-url>
+                <set-method>PUT</set-method>
+                <set-header name="x-api-key" exists-action="override">
+                    <value>{{wallet-session-personal-data-vault-api-key}}</value>
+                </set-header>
+                <set-body>@{
+                  return new JObject(
+                          new JProperty("pii", (string)context.Variables["userFiscalCode"])
+                      ).ToString();
+                    }</set-body>
+              </send-request>
+              <choose>
+                <when condition="@(((IResponse)context.Variables["pdv-token"]).StatusCode != 200)">
                   <return-response>
-                      <set-status code="502" reason="Bad Gateway" />
-                      <set-header name="Content-Type" exists-action="override">
-                          <value>application/json</value>
-                      </set-header>
-                      <set-body>
-                          {
-                              "title": "Error starting session",
-                              "status": 502,
-                              "detail": "There was an error starting session for input wallet token"
-                          }
-                      </set-body>
+                    <set-status code="502" reason="Bad Gateway" />
+                     <set-body>
+                      {
+                          "title": "Error starting session",
+                          "status": 502,
+                          "detail": "Error during fiscal code tokenization"
+                      }
+                  </set-body>
                   </return-response>
-              </when>
-          </choose>
-          <set-variable name="pmSession" value="@(((IResponse)context.Variables["pm-session-body"]).Body.As<JObject>())" />
-          <!-- Session PM END-->
+                </when>
+              </choose>
+
+              <set-variable name="pdvToken" value="@(((IResponse)context.Variables["pdv-token"]).Body.As<JObject>())" />
+              <!-- used as jwt claims  https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims -->      
+              <set-variable name="userId" value="@((string)((JObject)context.Variables["pdvToken"])["token"])" />
+              <choose>
+                <when condition="@(String.IsNullOrEmpty((string)context.Variables["userId"]))">
+                    <return-response>
+                        <set-status code="502" />
+                        <set-header name="Content-Type" exists-action="override">
+                            <value>application/json</value>
+                        </set-header>
+                        <set-body>@{
+                    return new JObject(
+                      new JProperty("title", "Bad gateway - Invalid PDV response"),
+                      new JProperty("status", 502),
+                      new JProperty("detail", "Cannot tokenize fiscal code")
+                    ).ToString();
+                  }</set-body>
+                    </return-response>
+                </when>
+              </choose>
+              <!-- Post Token PDV : END-->
+            </otherwise>
+      </choose>
+      <choose>
+          <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["userId"])))">
+          <!-- Session PM START-->
           <!-- pagoPA platform wallet JWT session token : START -->
           <set-variable name="x-jwt-token" value="@(((JObject)context.Variables["pmSession"])["data"]["sessionToken"].ToString())" />
           <!-- pagoPA platform wallet JWT session token : END -->
@@ -94,50 +168,6 @@
             </choose>
             <set-variable name="userAuthBody" value="@(((IResponse)context.Variables["user-auth-body"]).Body.As<JObject>())" />
             <!-- Get User IO : END-->
-            <!-- Post Token PDV : START-->
-            <send-request ignore-error="true" timeout="10" response-variable-name="pdv-token" mode="new">
-              <set-url>${pdv_api_base_path}/tokens</set-url>
-              <set-method>PUT</set-method>
-              <set-header name="x-api-key" exists-action="override">
-                  <value>{{wallet-session-personal-data-vault-api-key}}</value>
-              </set-header>
-              <set-body>@{
-                JObject requestBody = (JObject)context.Variables["userAuthBody"];
-                return new JObject(
-                        new JProperty("pii",  (string)requestBody["fiscal_code"])
-                    ).ToString();
-                  }</set-body>
-            </send-request>
-            <choose>
-              <when condition="@(((IResponse)context.Variables["pdv-token"]).StatusCode != 200)">
-                <return-response>
-                  <set-status code="502" reason="Bad Gateway" />
-                </return-response>
-              </when>
-            </choose>
-
-            <set-variable name="pdvToken" value="@(((IResponse)context.Variables["pdv-token"]).Body.As<JObject>())" />
-            <!-- used as jwt claims  https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims -->      
-            <set-variable name="userId" value="@((string)((JObject)context.Variables["pdvToken"])["token"])" />
-            <choose>
-              <when condition="@(String.IsNullOrEmpty((string)context.Variables["userId"]))">
-                  <return-response>
-                      <set-status code="502" />
-                      <set-header name="Content-Type" exists-action="override">
-                          <value>application/json</value>
-                      </set-header>
-                      <set-body>@{
-                  return new JObject(
-                    new JProperty("title", "Bad gateway - Invalid PDV response"),
-                    new JProperty("status", 502),
-                    new JProperty("detail", "Cannot tokenize fiscal code")
-                  ).ToString();
-                }</set-body>
-                  </return-response>
-              </when>
-            </choose>
-            <!-- Post Token PDV : END-->
-
             <!-- pagoPA platform wallet JWT session token : START -->
             <!-- Token JWT START-->
                   <set-variable name="x-jwt-token" value="@{

From 82ed81a63f83270b1f1dc703a627e6438b68571a Mon Sep 17 00:00:00 2001
From: Pietro Tota <pietro.tota@pagopa.it>
Date: Wed, 19 Jun 2024 17:14:03 +0200
Subject: [PATCH 03/12] feat: add family&friends check for all policy

---
 .../v1/_base_policy-jwt.xml                   |  8 +++---
 .../api/ecommerce-io/v2/_auth_request.xml.tpl |  5 ++--
 .../api/ecommerce-io/v2/_base_policy.xml.tpl  |  5 +++-
 .../v2/_calculate_fees_policy.xml.tpl         |  2 +-
 .../v2/_delete_transaction.xml.tpl            |  2 +-
 .../v2/_get_wallets_by_user_with_pm.xml.tpl   |  2 +-
 .../ecommerce-io/v2/get_transaction.xml.tpl   |  2 +-
 .../ecommerce-io/v2/post_transactions.xml.tpl |  6 ++---
 .../pay-wallet-app/.terraform.lock.hcl        | 21 +++++++++++++++
 src/domains/pay-wallet-app/00_data.tf         |  4 +++
 .../04_apim_io_payment_wallet.tf              | 27 +++++++++++++++++++
 src/domains/pay-wallet-app/99_main.tf         |  4 +++
 ..._policy_user_id_from_session_token.tpl.xml | 16 +++++++++++
 .../io-payment-wallet/v1/_base_policy.xml.tpl |  5 +++-
 .../v1/_delete_wallet.xml.tpl                 |  2 +-
 .../v1/_get_payment_methods.xml.tpl           |  2 +-
 .../v1/_get_wallets_by_user.xml.tpl           |  2 +-
 .../_get_wallets_by_user_and_walletId.xml.tpl |  2 +-
 .../v1/_post_wallets.xml.tpl                  |  4 +--
 .../v1/_update_applications.xml.tpl           |  2 +-
 20 files changed, 100 insertions(+), 23 deletions(-)
 create mode 100644 src/domains/pay-wallet-app/00_data.tf
 create mode 100644 src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml

diff --git a/src/domains/bizevents-app/api/transaction-service/v1/_base_policy-jwt.xml b/src/domains/bizevents-app/api/transaction-service/v1/_base_policy-jwt.xml
index 42584ed9ce..af89b0b317 100644
--- a/src/domains/bizevents-app/api/transaction-service/v1/_base_policy-jwt.xml
+++ b/src/domains/bizevents-app/api/transaction-service/v1/_base_policy-jwt.xml
@@ -1,7 +1,6 @@
 <policies>
     <inbound>
         <base />
-
             <!-- ForIO start =============== "x-continuation-token:undefined" -H "x-request-id:undefined" -->
             <choose>
                 <when condition="@( ((string)context.Request.Headers.GetValueOrDefault("x-continuation-token","")).Equals("") || ((string)context.Request.Headers.GetValueOrDefault("x-continuation-token","")).Equals("undefined") )">
@@ -14,10 +13,11 @@
                 </when>
             </choose>
             <!-- ForIO stop =============== "x-continuation-token:undefined" -H "x-request-id:undefined" -->
-
-
+            <!-- fragment to read user id from session token jwt claims. it return userId as sessionTokenUserId variable taken from jwt claims. if the session token
+             is an opaque token a "session-token-not-found" string is returned-->                
+            <include-fragment fragment-id="pay-wallet-user-id-from-session-token" />
             <choose>
-                <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))"> 
+                <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || "{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )"> 
                     <include-fragment fragment-id="pm-chk-wallet-session" />
                 </when>
                 <otherwise>
diff --git a/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl b/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl
index affb6c2315..b9b54133b8 100644
--- a/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl
+++ b/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl
@@ -18,9 +18,8 @@
                 </set-header>
             </otherwise>
         </choose>
-
         <choose>
-            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}" || !"{{pay-wallet-family-friends-users}}".Contains((string)context.Request.Headers.GetValueOrDefault("x-user-id","")) )">
+            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}" || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
                 <set-variable name="idPsp" value="@((string)((JObject) context.Variables["body"])["pspId"])" />
                 <set-variable name="idWallet" value="@{
                     string walletIdUUID = (string)context.Variables["walletId"];
@@ -218,7 +217,7 @@
     <outbound>
         <base />
         <choose>
-            <when condition="@("false".Equals("{{enable-pm-ecommerce-io}}") && context.Response.StatusCode == 200)">
+            <when condition="@( ("false".Equals("{{enable-pm-ecommerce-io}}") || "{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) ) && context.Response.StatusCode == 200)">
                 <set-body>@{
                     JObject inBody = context.Response.Body.As<JObject>(preserveContent: true);
                     var authorizationUrl = (string)inBody["authorizationUrl"];
diff --git a/src/domains/ecommerce-app/api/ecommerce-io/v2/_base_policy.xml.tpl b/src/domains/ecommerce-app/api/ecommerce-io/v2/_base_policy.xml.tpl
index 3ebd65cc00..c9124038fc 100644
--- a/src/domains/ecommerce-app/api/ecommerce-io/v2/_base_policy.xml.tpl
+++ b/src/domains/ecommerce-app/api/ecommerce-io/v2/_base_policy.xml.tpl
@@ -12,9 +12,12 @@
     <!-- Delete headers required for backend service END -->
 
     <rate-limit-by-key calls="150" renewal-period="10" counter-key="@(context.Request.Headers.GetValueOrDefault("X-Forwarded-For"))" />
+    <!-- fragment to read user id from session token jwt claims. it return userId as sessionTokenUserId variable taken from jwt claims. if the session token
+             is an opaque token a "session-token-not-found" string is returned-->  
+    <include-fragment fragment-id="pay-wallet-user-id-from-session-token" />
     <!-- Session eCommerce START-->
         <choose>
-          <when condition="@("false".Equals("{{enable-pm-ecommerce-io}}"))">
+          <when condition="@("false".Equals("{{enable-pm-ecommerce-io}}") || "{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
             <!-- Check JWT START-->
             <include-fragment fragment-id="jwt-chk-wallet-session" />
             <!-- Check JWT END-->
diff --git a/src/domains/ecommerce-app/api/ecommerce-io/v2/_calculate_fees_policy.xml.tpl b/src/domains/ecommerce-app/api/ecommerce-io/v2/_calculate_fees_policy.xml.tpl
index db45472422..6b8da79a3f 100644
--- a/src/domains/ecommerce-app/api/ecommerce-io/v2/_calculate_fees_policy.xml.tpl
+++ b/src/domains/ecommerce-app/api/ecommerce-io/v2/_calculate_fees_policy.xml.tpl
@@ -45,7 +45,7 @@
             </otherwise>
         </choose>
         <choose>
-            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
                 <set-variable name="sessionToken" value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").Replace("Bearer ",""))" />
                 <set-variable name="body" value="@(context.Request.Body.As<JObject>(preserveContent: true))" />
                 <set-variable name="walletId" value="@((string)((JObject) context.Variables["body"])["walletId"])" />
diff --git a/src/domains/ecommerce-app/api/ecommerce-io/v2/_delete_transaction.xml.tpl b/src/domains/ecommerce-app/api/ecommerce-io/v2/_delete_transaction.xml.tpl
index 966d1cfa17..5b5e87fc28 100644
--- a/src/domains/ecommerce-app/api/ecommerce-io/v2/_delete_transaction.xml.tpl
+++ b/src/domains/ecommerce-app/api/ecommerce-io/v2/_delete_transaction.xml.tpl
@@ -2,7 +2,7 @@
     <inbound>
         <base />
         <choose>
-        <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+        <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
             <set-variable  name="sessionToken"  value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").Replace("Bearer ",""))"  />
             <set-variable name="requestTransactionId" value="@{
                 var transactionId = context.Request.MatchedParameters.GetValueOrDefault("transactionId","");
diff --git a/src/domains/ecommerce-app/api/ecommerce-io/v2/_get_wallets_by_user_with_pm.xml.tpl b/src/domains/ecommerce-app/api/ecommerce-io/v2/_get_wallets_by_user_with_pm.xml.tpl
index 7bf84c9b46..af6655a0ff 100644
--- a/src/domains/ecommerce-app/api/ecommerce-io/v2/_get_wallets_by_user_with_pm.xml.tpl
+++ b/src/domains/ecommerce-app/api/ecommerce-io/v2/_get_wallets_by_user_with_pm.xml.tpl
@@ -2,7 +2,7 @@
     <inbound>
         <base />
         <choose>
-            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
                 <set-variable  name="sessionToken"  value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").Replace("Bearer ",""))"  />
 
                 <!-- START get user wallets -->
diff --git a/src/domains/ecommerce-app/api/ecommerce-io/v2/get_transaction.xml.tpl b/src/domains/ecommerce-app/api/ecommerce-io/v2/get_transaction.xml.tpl
index d96ca36a62..f54f5090d3 100644
--- a/src/domains/ecommerce-app/api/ecommerce-io/v2/get_transaction.xml.tpl
+++ b/src/domains/ecommerce-app/api/ecommerce-io/v2/get_transaction.xml.tpl
@@ -2,7 +2,7 @@
     <inbound>
         <base />
         <choose>
-        <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+        <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
             <set-variable name="requestTransactionId" value="@{
                 var transactionId = context.Request.MatchedParameters.GetValueOrDefault("transactionId","");
                 return transactionId;
diff --git a/src/domains/ecommerce-app/api/ecommerce-io/v2/post_transactions.xml.tpl b/src/domains/ecommerce-app/api/ecommerce-io/v2/post_transactions.xml.tpl
index 5bc22a5870..db34046ed2 100644
--- a/src/domains/ecommerce-app/api/ecommerce-io/v2/post_transactions.xml.tpl
+++ b/src/domains/ecommerce-app/api/ecommerce-io/v2/post_transactions.xml.tpl
@@ -2,7 +2,7 @@
     <inbound>
         <base />
         <choose>
-          <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+          <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
             <set-backend-service base-url="{{pagopa-appservice-proxy-url}}" />
             <rewrite-uri template="/payment-activations" />
             <set-variable name="body" value="@(context.Request.Body.As<JObject>(preserveContent: true))" />
@@ -102,7 +102,7 @@
     <outbound>
         <base />
         <choose>
-          <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+          <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
             <set-variable name="pagopaProxyResponseBody" value="@(context.Response.Body.As<JObject>())" />
             <choose>
               <when condition="@(context.Response.StatusCode == 200)">
@@ -153,7 +153,7 @@
     <on-error>
         <base />
         <choose>
-          <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+          <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
             <set-body>
             {
               "status": 502,
diff --git a/src/domains/pay-wallet-app/.terraform.lock.hcl b/src/domains/pay-wallet-app/.terraform.lock.hcl
index 80fe8f2b7e..792c4b3f64 100644
--- a/src/domains/pay-wallet-app/.terraform.lock.hcl
+++ b/src/domains/pay-wallet-app/.terraform.lock.hcl
@@ -1,6 +1,26 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 
+provider "registry.terraform.io/azure/azapi" {
+  version     = "1.3.0"
+  constraints = "<= 1.3.0"
+  hashes = [
+    "h1:OWZNYEGEIunmpxEcbGveH+kkdELQfMCUYxLt1b25UOc=",
+    "zh:0923b297c5b71ed584e5f3a0b2393e80244076e85102a90438159833353274b0",
+    "zh:11fa2922aa98ca55beaf7cc33c7edbde81bbd405fdfea2955276c7f5a8537240",
+    "zh:14af830fb6091d084bfc2711c8e9c7bf05aa3c56fe8fd8e2fb4eddeb345be88d",
+    "zh:25258425ecbffbdf09b0c8131d2c680cddd19b504e0036ee5f83972dcae7df0a",
+    "zh:2922b535fe4d4f0963189548f2f8360a0aaf951fd411354f2269a111d8a0c1ad",
+    "zh:32c9360305e00c25d0f9d0a84dfbdbad8da2465be769a9c1f11f132c0225358e",
+    "zh:4ddd3ee23c340d5000839d8d30ba7f94e695476d63075f95cfb041e67d8f6ef6",
+    "zh:5c1514392a5c3dd51084aa70cb6c4dcc8b027c4508b5e4eb9f8c3990fd403213",
+    "zh:6b3ecac7099ab86c007b5ad636bd029f5e5f3e9bd06b0f74c82f0451a7995ecc",
+    "zh:6cb7081745b378e910e0cf09fb5717a2ad35e629ce3e07415d6682c1c1407872",
+    "zh:7107eda5125c1b983380f1f6418c592fb7fb2eb5b589ad0e08f6c47341f36318",
+    "zh:c6fa7af32a7a47d23a85e0eea4d4cbb065378ae75aed8c9c628fb625b04bc619",
+  ]
+}
+
 provider "registry.terraform.io/hashicorp/azuread" {
   version     = "2.47.0"
   constraints = "<= 2.47.0"
@@ -29,6 +49,7 @@ provider "registry.terraform.io/hashicorp/azurerm" {
   version     = "3.45.0"
   constraints = ">= 3.30.0, ~> 3.30, <= 3.45.0, <= 3.95.0, <= 3.97.1"
   hashes = [
+    "h1:VQWxV5+qelZeUCjpdLvZ7iAom4RvG+fVVgK6ELvw/cs=",
     "h1:gQLNY1I5e9kcle1p/VYEWb0eteQ/t5kUfnqVu2/GBNY=",
     "zh:04c5dbb8845366ce5eb0dc2d55e151270cc2c0ace20993867fdae9af43b953ad",
     "zh:2589585da615ccae341400d45d672ee3fae413fdd88449b5befeff12a85a44b2",
diff --git a/src/domains/pay-wallet-app/00_data.tf b/src/domains/pay-wallet-app/00_data.tf
new file mode 100644
index 0000000000..ae7bbf3b32
--- /dev/null
+++ b/src/domains/pay-wallet-app/00_data.tf
@@ -0,0 +1,4 @@
+data "azurerm_api_management" "apim" {
+  name                = "${local.product}-apim"
+  resource_group_name = "${local.product}-api-rg"
+}
diff --git a/src/domains/pay-wallet-app/04_apim_io_payment_wallet.tf b/src/domains/pay-wallet-app/04_apim_io_payment_wallet.tf
index 8abd8e9f5c..7357219c82 100644
--- a/src/domains/pay-wallet-app/04_apim_io_payment_wallet.tf
+++ b/src/domains/pay-wallet-app/04_apim_io_payment_wallet.tf
@@ -140,3 +140,30 @@ resource "azurerm_api_management_named_value" "pay_wallet_family_friends_user_id
     ]
   }
 }
+
+
+#######################################################################
+## Fragment policy to extract user id from session token             ##
+#######################################################################
+
+resource "azapi_resource" "pay_wallet_fragment_user_id_from_session_token" {
+
+  # provider  = azapi.apim
+  type      = "Microsoft.ApiManagement/service/policyFragments@2022-04-01-preview"
+  name      = "pay-wallet-user-id-from-session-token"
+  parent_id = data.azurerm_api_management.apim.id
+
+  body = jsonencode({
+    properties = {
+      description = "Component that extract userId from JWT session token"
+      format      = "rawxml"
+      value = templatefile("./api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml", {
+      })
+
+    }
+  })
+
+  lifecycle {
+    ignore_changes = [output]
+  }
+}
diff --git a/src/domains/pay-wallet-app/99_main.tf b/src/domains/pay-wallet-app/99_main.tf
index 2835595f8a..5faabf1825 100644
--- a/src/domains/pay-wallet-app/99_main.tf
+++ b/src/domains/pay-wallet-app/99_main.tf
@@ -20,6 +20,10 @@ terraform {
       source  = "hashicorp/helm"
       version = "<= 2.12.0"
     }
+    azapi = {
+      source  = "azure/azapi"
+      version = "<= 1.3.0"
+    }
   }
 
   backend "azurerm" {}
diff --git a/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml b/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml
new file mode 100644
index 0000000000..a7a8484e74
--- /dev/null
+++ b/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml
@@ -0,0 +1,16 @@
+<fragment>
+    <set-variable name="sessionToken" value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").Replace("Bearer ",""))" />
+    <set-variable name="sessionTokenUserId" value="@{
+        string sessionToken = (string)context.Variables["sessionToken"];
+            try {
+                string[] sessionTokenParts = sessionToken.Split('.');
+                string sessionTokenBody = sessionTokenParts.Length >1 ? sessionTokenParts[1] : "";
+                byte[] data = Convert.FromBase64String(sessionTokenBody);
+                string decodedString = System.Text.Encoding.UTF8.GetString(data);
+                Dictionary<string,string> parsed = JsonConvert.DeserializeObject<Dictionary<string,string>>(decodedString);
+                return parsed?["userId"];
+            } catch(Exception){
+            return "session-token-not-found";
+            }
+    }" />
+</fragment>
\ No newline at end of file
diff --git a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_base_policy.xml.tpl b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_base_policy.xml.tpl
index a4ca40dcb8..f755c4d77b 100644
--- a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_base_policy.xml.tpl
+++ b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_base_policy.xml.tpl
@@ -1,8 +1,11 @@
 <policies>
     <inbound>
       <base />
+      <!-- fragment to read user id from session token jwt claims. it return userId as sessionTokenUserId variable taken from jwt claims. if the session token
+      is an opaque token a "session-token-not-found" string is returned-->  
+      <include-fragment fragment-id="pay-wallet-user-id-from-session-token" />
       <choose>
-        <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+        <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
           <set-variable name="sessionToken" value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").Replace("Bearer ",""))" />
         </when>
         <otherwise>
diff --git a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_delete_wallet.xml.tpl b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_delete_wallet.xml.tpl
index 488077b9ce..1c57d097b0 100644
--- a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_delete_wallet.xml.tpl
+++ b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_delete_wallet.xml.tpl
@@ -2,7 +2,7 @@
     <inbound>
         <base />
         <choose>
-            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
                 <!-- START delete wallet -->
                 <set-variable name="idWalletPM" value="@{
                     string walletId = context.Request.MatchedParameters["walletId"];
diff --git a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_payment_methods.xml.tpl b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_payment_methods.xml.tpl
index 2fdeb3d7f0..3d742fb862 100644
--- a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_payment_methods.xml.tpl
+++ b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_payment_methods.xml.tpl
@@ -2,7 +2,7 @@
     <inbound>
     <base />
     <choose>
-      <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))"> 
+      <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )"> 
         <include-fragment fragment-id="pm-chk-wallet-session" />
       </when>
     </choose>
diff --git a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_wallets_by_user.xml.tpl b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_wallets_by_user.xml.tpl
index 36d7663de0..fe4a043774 100644
--- a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_wallets_by_user.xml.tpl
+++ b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_wallets_by_user.xml.tpl
@@ -2,7 +2,7 @@
     <inbound>
     <base />
         <choose>
-            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
                 <!-- START get user wallets -->
                 <send-request ignore-error="false" timeout="10" response-variable-name="pmWalletResponse">
                     <set-url>{{pm-host}}/pp-restapi-CD/v3/wallet</set-url>
diff --git a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_wallets_by_user_and_walletId.xml.tpl b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_wallets_by_user_and_walletId.xml.tpl
index f0c845082b..e1d62b4860 100644
--- a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_wallets_by_user_and_walletId.xml.tpl
+++ b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_wallets_by_user_and_walletId.xml.tpl
@@ -2,7 +2,7 @@
     <inbound>
     <base />
         <choose>
-            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
                 <set-variable name="walletId" value="@{
                     string walletIdUUID = (string)context.Request.MatchedParameters["walletId"];
                     string walletIdHex = walletIdUUID.Substring(walletIdUUID.Length-17 , 17).Replace("-" , "");
diff --git a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_post_wallets.xml.tpl b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_post_wallets.xml.tpl
index 5919cc24d8..a30d336ead 100644
--- a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_post_wallets.xml.tpl
+++ b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_post_wallets.xml.tpl
@@ -2,7 +2,7 @@
     <inbound>
     <base />
         <choose>
-            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
                 <!-- Extract payment method name for create redirectUrl -->
                 <set-variable name="requestBody" value="@(context.Request.Body.As<JObject>(preserveContent: true))" />
                 <set-variable name="paymentMethodId" value="@((string)((JObject) context.Variables["requestBody"])["paymentMethodId"])" />
@@ -83,7 +83,7 @@
     <outbound>
       <base />
         <choose>
-            <when condition="@(("false".Equals("{{enable-pm-ecommerce-io}}")) && (context.Response.StatusCode == 201))">
+            <when condition="@(("false".Equals("{{enable-pm-ecommerce-io}}")  || "{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) ) && (context.Response.StatusCode == 201))">
                 <!-- Token JWT START-->
                 <set-variable name="walletId" value="@((string)((context.Response.Body.As<JObject>(preserveContent: true))["walletId"]))" />
                 <set-variable name="x-jwt-token" value="@{
diff --git a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_update_applications.xml.tpl b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_update_applications.xml.tpl
index d579ade5b1..1d05867878 100644
--- a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_update_applications.xml.tpl
+++ b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_update_applications.xml.tpl
@@ -2,7 +2,7 @@
     <inbound>
     <base />
         <choose>
-            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}"))">
+            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
                 <!-- START payment status wallet -->
                 <set-variable name="requestBody" value="@(context.Request.Body.As<JObject>(preserveContent: true))" />
                 <set-variable name="idWalletPM" value="@{

From 8935442b4bb5c27bee6e89d285da0e6f281f8349 Mon Sep 17 00:00:00 2001
From: Pietro Tota <pietro.tota@pagopa.it>
Date: Wed, 19 Jun 2024 17:17:17 +0200
Subject: [PATCH 04/12] fix: policy syntax

---
 .../ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl b/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl
index b9b54133b8..47837be145 100644
--- a/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl
+++ b/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl
@@ -19,7 +19,7 @@
             </otherwise>
         </choose>
         <choose>
-            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}" || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
+            <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
                 <set-variable name="idPsp" value="@((string)((JObject) context.Variables["body"])["pspId"])" />
                 <set-variable name="idWallet" value="@{
                     string walletIdUUID = (string)context.Variables["walletId"];

From 8c53fbc5828cd338ca401eb995781f1fe5c81ac1 Mon Sep 17 00:00:00 2001
From: Pietro Tota <pietro.tota@pagopa.it>
Date: Wed, 19 Jun 2024 17:19:48 +0200
Subject: [PATCH 05/12] fix: precommit

---
 src/domains/pay-wallet-app/README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/domains/pay-wallet-app/README.md b/src/domains/pay-wallet-app/README.md
index 338edb9f1b..ac1b3c4f99 100644
--- a/src/domains/pay-wallet-app/README.md
+++ b/src/domains/pay-wallet-app/README.md
@@ -6,6 +6,7 @@
 
 | Name | Version |
 |------|---------|
+| <a name="requirement_azapi"></a> [azapi](#requirement\_azapi) | <= 1.3.0 |
 | <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | <= 2.47.0 |
 | <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | <= 3.95.0 |
 | <a name="requirement_helm"></a> [helm](#requirement\_helm) | <= 2.12.0 |
@@ -34,6 +35,7 @@
 
 | Name | Type |
 |------|------|
+| [azapi_resource.pay_wallet_fragment_user_id_from_session_token](https://registry.terraform.io/providers/azure/azapi/latest/docs/resources/resource) | resource |
 | [azurerm_api_management_api_operation_policy.create_wallet_pm](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
 | [azurerm_api_management_api_operation_policy.delete_io_wallets](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
 | [azurerm_api_management_api_operation_policy.delete_wallet](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_api_operation_policy) | resource |
@@ -73,6 +75,7 @@
 | [azuread_group.adgroup_developers](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_externals](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
 | [azuread_group.adgroup_security](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |
+| [azurerm_api_management.apim](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/api_management) | data source |
 | [azurerm_application_insights.application_insights_italy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/application_insights) | data source |
 | [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source |
 | [azurerm_key_vault.kv](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source |

From 6ff48a0f1eca3d083f8ec8d3782df4ffd4a6c70e Mon Sep 17 00:00:00 2001
From: Pietro Tota <pietro.tota@pagopa.it>
Date: Wed, 19 Jun 2024 18:06:04 +0200
Subject: [PATCH 06/12] fix: minor policy fix

---
 .../ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl    | 2 +-
 .../ecommerce-app/api/ecommerce-io/v2/_base_policy.xml.tpl     | 2 +-
 .../_fragment_policy_user_id_from_session_token.tpl.xml        | 3 ++-
 .../api/io-payment-wallet/v1/_post_wallets.xml.tpl             | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl b/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl
index 47837be145..7eac7ea38f 100644
--- a/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl
+++ b/src/domains/ecommerce-app/api/ecommerce-io/v2/_auth_request.xml.tpl
@@ -217,7 +217,7 @@
     <outbound>
         <base />
         <choose>
-            <when condition="@( ("false".Equals("{{enable-pm-ecommerce-io}}") || "{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) ) && context.Response.StatusCode == 200)">
+            <when condition="@( ("false".Equals("{{enable-pm-ecommerce-io}}") && "{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) ) && context.Response.StatusCode == 200)">
                 <set-body>@{
                     JObject inBody = context.Response.Body.As<JObject>(preserveContent: true);
                     var authorizationUrl = (string)inBody["authorizationUrl"];
diff --git a/src/domains/ecommerce-app/api/ecommerce-io/v2/_base_policy.xml.tpl b/src/domains/ecommerce-app/api/ecommerce-io/v2/_base_policy.xml.tpl
index c9124038fc..bd35e67b51 100644
--- a/src/domains/ecommerce-app/api/ecommerce-io/v2/_base_policy.xml.tpl
+++ b/src/domains/ecommerce-app/api/ecommerce-io/v2/_base_policy.xml.tpl
@@ -17,7 +17,7 @@
     <include-fragment fragment-id="pay-wallet-user-id-from-session-token" />
     <!-- Session eCommerce START-->
         <choose>
-          <when condition="@("false".Equals("{{enable-pm-ecommerce-io}}") || "{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
+          <when condition="@("false".Equals("{{enable-pm-ecommerce-io}}") && "{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
             <!-- Check JWT START-->
             <include-fragment fragment-id="jwt-chk-wallet-session" />
             <!-- Check JWT END-->
diff --git a/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml b/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml
index a7a8484e74..3920155ea8 100644
--- a/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml
+++ b/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml
@@ -8,7 +8,8 @@
                 byte[] data = Convert.FromBase64String(sessionTokenBody);
                 string decodedString = System.Text.Encoding.UTF8.GetString(data);
                 Dictionary<string,string> parsed = JsonConvert.DeserializeObject<Dictionary<string,string>>(decodedString);
-                return parsed?["userId"];
+                string userId = (string)parsed?["userId"];
+                return String.IsNullOrEmpty(userId) ? "session-token-not-found" : userId;
             } catch(Exception){
             return "session-token-not-found";
             }
diff --git a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_post_wallets.xml.tpl b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_post_wallets.xml.tpl
index a30d336ead..2846ee7773 100644
--- a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_post_wallets.xml.tpl
+++ b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_post_wallets.xml.tpl
@@ -83,7 +83,7 @@
     <outbound>
       <base />
         <choose>
-            <when condition="@(("false".Equals("{{enable-pm-ecommerce-io}}")  || "{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) ) && (context.Response.StatusCode == 201))">
+            <when condition="@(("false".Equals("{{enable-pm-ecommerce-io}}") && "{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) ) && (context.Response.StatusCode == 201))">
                 <!-- Token JWT START-->
                 <set-variable name="walletId" value="@((string)((context.Response.Body.As<JObject>(preserveContent: true))["walletId"]))" />
                 <set-variable name="x-jwt-token" value="@{

From 9845bb6aba4da2aff613c6858567865b1d0832c5 Mon Sep 17 00:00:00 2001
From: Pietro Tota <pietro.tota@pagopa.it>
Date: Wed, 19 Jun 2024 18:23:47 +0200
Subject: [PATCH 07/12] fix: policy condition

---
 .../api/transaction-service/v1/_base_policy-jwt.xml             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/domains/bizevents-app/api/transaction-service/v1/_base_policy-jwt.xml b/src/domains/bizevents-app/api/transaction-service/v1/_base_policy-jwt.xml
index af89b0b317..1abba51187 100644
--- a/src/domains/bizevents-app/api/transaction-service/v1/_base_policy-jwt.xml
+++ b/src/domains/bizevents-app/api/transaction-service/v1/_base_policy-jwt.xml
@@ -17,7 +17,7 @@
              is an opaque token a "session-token-not-found" string is returned-->                
             <include-fragment fragment-id="pay-wallet-user-id-from-session-token" />
             <choose>
-                <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || "{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )"> 
+                <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )"> 
                     <include-fragment fragment-id="pm-chk-wallet-session" />
                 </when>
                 <otherwise>

From fb879194ed03275582dbbc46b433b49210af6132 Mon Sep 17 00:00:00 2001
From: Pietro Tota <pietro.tota@pagopa.it>
Date: Thu, 20 Jun 2024 21:45:13 +0200
Subject: [PATCH 08/12] fix: add policy comment

---
 .../_fragment_policy_user_id_from_session_token.tpl.xml  | 1 +
 .../api/session-wallet/v1/_base_policy.xml.tpl           | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml b/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml
index 3920155ea8..2efd18a116 100644
--- a/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml
+++ b/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml
@@ -1,5 +1,6 @@
 <fragment>
     <set-variable name="sessionToken" value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").Replace("Bearer ",""))" />
+    <!--try to retrieve user id from session token if the session token is a JWT token and have userId claim-->
     <set-variable name="sessionTokenUserId" value="@{
         string sessionToken = (string)context.Variables["sessionToken"];
             try {
diff --git a/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl b/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl
index a14a0d6c54..b6a30091e9 100644
--- a/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl
+++ b/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl
@@ -2,7 +2,11 @@
     <inbound>
       <base />
       <set-variable name="walletToken"  value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").Replace("Bearer ",""))"  />
-      <!-- Maybe to add backend-io get user to check family & friends -->
+      <!-- Perform PM start api call: for family&friends handling NPG flow must be activated only for 
+        users that have been enabled in pay-wallet-family-friends-user-ids named value (list of user id = PDV fiscal code tokenization)
+        For family&friends flow we expect that all clients will go with PM flow except the ones in the above list, that will be restricted
+        to few selected users. Anticipating PM start session will prevent further api calls.
+       -->
       <!-- Session PM START-->
       <send-request ignore-error="true" timeout="10" response-variable-name="pm-session-body" mode="new">
           <set-url>@($"{{pm-host}}/pp-restapi-CD/v1/users/actions/start-session?token={(string)context.Variables["walletToken"]}")</set-url>
@@ -42,6 +46,7 @@
       </choose>
       <set-variable name="pmSession" value="@(((IResponse)context.Variables["pm-session-body"]).Body.As<JObject>())" />
       <!-- Session PM END-->
+      <!-- user fiscal code tokenization with PDV START -->
       <set-variable name="userFiscalCode" value="@{
           String userFiscalCode = ((JObject)context.Variables["pmSession"])?["data"]?["user"]?["fiscalCode"]?.ToString();
           return userFiscalCode;
@@ -115,9 +120,9 @@
               <!-- Post Token PDV : END-->
             </otherwise>
       </choose>
+      <!-- user fiscal code tokenization with PDV END -->
       <choose>
           <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["userId"])))">
-          <!-- Session PM START-->
           <!-- pagoPA platform wallet JWT session token : START -->
           <set-variable name="x-jwt-token" value="@(((JObject)context.Variables["pmSession"])["data"]["sessionToken"].ToString())" />
           <!-- pagoPA platform wallet JWT session token : END -->

From bbb03b86f5ebe78e64ad1a94ba61b9222c185927 Mon Sep 17 00:00:00 2001
From: Pietro Tota <pietro.tota@pagopa.it>
Date: Fri, 21 Jun 2024 12:06:58 +0200
Subject: [PATCH 09/12] fix: fragment policy b64 padding decode

---
 .../_fragment_policy_user_id_from_session_token.tpl.xml     | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml b/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml
index 2efd18a116..e296510d9e 100644
--- a/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml
+++ b/src/domains/pay-wallet-app/api/fragments/_fragment_policy_user_id_from_session_token.tpl.xml
@@ -6,13 +6,13 @@
             try {
                 string[] sessionTokenParts = sessionToken.Split('.');
                 string sessionTokenBody = sessionTokenParts.Length >1 ? sessionTokenParts[1] : "";
-                byte[] data = Convert.FromBase64String(sessionTokenBody);
+                byte[] data = Convert.FromBase64String(sessionTokenBody + "==");
                 string decodedString = System.Text.Encoding.UTF8.GetString(data);
                 Dictionary<string,string> parsed = JsonConvert.DeserializeObject<Dictionary<string,string>>(decodedString);
                 string userId = (string)parsed?["userId"];
-                return String.IsNullOrEmpty(userId) ? "session-token-not-found" : userId;
+                return String.IsNullOrEmpty(userId) ? "user-id-not-found" : userId;
             } catch(Exception){
-            return "session-token-not-found";
+            return "user-id-not-found";
             }
     }" />
 </fragment>
\ No newline at end of file

From 0b60b0553ab738dcb683963f9312c7cf9dead93f Mon Sep 17 00:00:00 2001
From: Giovanni Berti <giovanni.berti@pagopa.it>
Date: Fri, 21 Jun 2024 15:42:31 +0200
Subject: [PATCH 10/12] [CHK-2970] feat: force payment method statuses when
 using wallet API via PM (#2174)

Co-authored-by: Pietro Tota <115724836+pietro-tota@users.noreply.github.com>
---
 .../04_apim_io_payment_wallet.tf              |  6 +++-
 src/domains/pay-wallet-app/99_variables.tf    |  6 ++++
 src/domains/pay-wallet-app/README.md          |  1 +
 .../v1/_get_payment_methods.xml.tpl           | 28 +++++++++++++++++++
 .../env/itn-dev/terraform.tfvars              |  3 +-
 .../env/itn-prod/terraform.tfvars             |  3 +-
 .../env/itn-uat/terraform.tfvars              |  3 +-
 7 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/src/domains/pay-wallet-app/04_apim_io_payment_wallet.tf b/src/domains/pay-wallet-app/04_apim_io_payment_wallet.tf
index 7357219c82..6ab08f58ed 100644
--- a/src/domains/pay-wallet-app/04_apim_io_payment_wallet.tf
+++ b/src/domains/pay-wallet-app/04_apim_io_payment_wallet.tf
@@ -84,7 +84,11 @@ resource "azurerm_api_management_api_operation_policy" "get_payment_methods_for_
   api_management_name = local.pagopa_apim_name
   operation_id        = "getAllPaymentMethodsForIO"
 
-  xml_content = templatefile("./api/io-payment-wallet/v1/_get_payment_methods.xml.tpl", { ecommerce_hostname = local.ecommerce_hostname }
+  xml_content = templatefile("./api/io-payment-wallet/v1/_get_payment_methods.xml.tpl",
+    {
+      ecommerce_hostname                   = local.ecommerce_hostname
+      enabled_payment_wallet_method_ids_pm = var.enabled_payment_wallet_method_ids_pm
+    }
   )
 }
 
diff --git a/src/domains/pay-wallet-app/99_variables.tf b/src/domains/pay-wallet-app/99_variables.tf
index 4970525d7a..95e6f85798 100644
--- a/src/domains/pay-wallet-app/99_variables.tf
+++ b/src/domains/pay-wallet-app/99_variables.tf
@@ -149,3 +149,9 @@ variable "payment_wallet_migrations_enabled" {
   default     = false
   description = "Payment wallet migrations enabled"
 }
+
+variable "enabled_payment_wallet_method_ids_pm" {
+  type        = string
+  default     = ""
+  description = "Comma separated list of eCommerce payment method ids that are enabled with PM APIs"
+}
diff --git a/src/domains/pay-wallet-app/README.md b/src/domains/pay-wallet-app/README.md
index ac1b3c4f99..17bcf749d3 100644
--- a/src/domains/pay-wallet-app/README.md
+++ b/src/domains/pay-wallet-app/README.md
@@ -98,6 +98,7 @@
 | <a name="input_dns_zone_internal_prefix"></a> [dns\_zone\_internal\_prefix](#input\_dns\_zone\_internal\_prefix) | The dns subdomain. | `string` | `null` | no |
 | <a name="input_dns_zone_prefix"></a> [dns\_zone\_prefix](#input\_dns\_zone\_prefix) | The wallet dns subdomain. | `string` | `null` | no |
 | <a name="input_domain"></a> [domain](#input\_domain) | n/a | `string` | n/a | yes |
+| <a name="input_enabled_payment_wallet_method_ids_pm"></a> [enabled\_payment\_wallet\_method\_ids\_pm](#input\_enabled\_payment\_wallet\_method\_ids\_pm) | Comma separated list of eCommerce payment method ids that are enabled with PM APIs | `string` | `""` | no |
 | <a name="input_env"></a> [env](#input\_env) | n/a | `string` | n/a | yes |
 | <a name="input_env_short"></a> [env\_short](#input\_env\_short) | n/a | `string` | n/a | yes |
 | <a name="input_external_domain"></a> [external\_domain](#input\_external\_domain) | Domain for delegation | `string` | `null` | no |
diff --git a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_payment_methods.xml.tpl b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_payment_methods.xml.tpl
index 3d742fb862..372a549889 100644
--- a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_payment_methods.xml.tpl
+++ b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_payment_methods.xml.tpl
@@ -10,6 +10,34 @@
     </inbound>
     <outbound>
       <base />
+      <choose>
+        <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}")  || !"{{pay-wallet-family-friends-user-ids}}".Contains((string)context.Variables["sessionTokenUserId"]))">
+          <set-body>@{
+            JObject response = context.Response.Body.As<JObject>();
+
+            if (context.Response.StatusCode != 200) {
+              return response.ToString();
+            }
+
+            string enabled_payment_wallet_method_ids_pm = "${enabled_payment_wallet_method_ids_pm}";
+            string[] values = enabled_payment_wallet_method_ids_pm.Split(',');
+            HashSet<string> pmEnabledMethods = new HashSet<string>(values);
+
+            foreach (var method in ((JArray) response["paymentMethods"])) {
+              string id = (string) method["id"];
+              if (pmEnabledMethods.Contains(id)) {
+                method["status"] = "ENABLED";
+                method["methodManagement"] = "ONBOARDABLE_ONLY";
+              } else {
+                method["status"] = "DISABLED";
+              }
+            }
+
+            return response.ToString();
+          }
+          </set-body>
+        </when>
+      </choose>
     </outbound>
     <backend>
       <base />
diff --git a/src/domains/pay-wallet-app/env/itn-dev/terraform.tfvars b/src/domains/pay-wallet-app/env/itn-dev/terraform.tfvars
index f97f5ea7f9..8343a4b085 100644
--- a/src/domains/pay-wallet-app/env/itn-dev/terraform.tfvars
+++ b/src/domains/pay-wallet-app/env/itn-dev/terraform.tfvars
@@ -41,4 +41,5 @@ tls_cert_check_helm = {
 pdv_api_base_path    = "https://api.uat.tokenizer.pdv.pagopa.it/tokenizer/v1"
 io_backend_base_path = "http://{{aks-lb-nexi}}/pmmockservice/pmmockserviceapi"
 
-payment_wallet_migrations_enabled = true
+payment_wallet_migrations_enabled    = true
+enabled_payment_wallet_method_ids_pm = "9d735400-9450-4f7e-9431-8c1e7fa2a339,148ff003-46a6-4790-9376-b0e057352e45,ab2c39be-91ad-4c87-944a-a08f30e92cad"
diff --git a/src/domains/pay-wallet-app/env/itn-prod/terraform.tfvars b/src/domains/pay-wallet-app/env/itn-prod/terraform.tfvars
index 59beb22ebb..811ae181fa 100644
--- a/src/domains/pay-wallet-app/env/itn-prod/terraform.tfvars
+++ b/src/domains/pay-wallet-app/env/itn-prod/terraform.tfvars
@@ -43,4 +43,5 @@ io_backend_base_path = "https://api-app.io.pagopa.it"
 
 payment_wallet_with_pm_enabled = true
 
-payment_wallet_migrations_enabled = true
+payment_wallet_migrations_enabled    = true
+enabled_payment_wallet_method_ids_pm = "6920b555-c972-4e2b-980c-b0e0037a111a,0ff153c2-4c5e-49a5-8720-788b6f190264,b63dbc2b-0b89-4431-a196-a5d73ff7ce9c"
diff --git a/src/domains/pay-wallet-app/env/itn-uat/terraform.tfvars b/src/domains/pay-wallet-app/env/itn-uat/terraform.tfvars
index 9ff6622a3b..1b833d216e 100644
--- a/src/domains/pay-wallet-app/env/itn-uat/terraform.tfvars
+++ b/src/domains/pay-wallet-app/env/itn-uat/terraform.tfvars
@@ -41,4 +41,5 @@ tls_cert_check_helm = {
 pdv_api_base_path    = "https://api.uat.tokenizer.pdv.pagopa.it/tokenizer/v1"
 io_backend_base_path = "https://api-app.io.pagopa.it"
 
-payment_wallet_migrations_enabled = true
+payment_wallet_migrations_enabled    = true
+enabled_payment_wallet_method_ids_pm = "f25399bf-c56f-4bd2-adc9-7aef87410609,0d1450f4-b993-4f89-af5a-1770a45f5d71,5bdc0d63-a5b8-4221-bbb1-3e8b45a1b40f"

From 3a6f2c9919f8f5bec430f187258461eedb99d1fe Mon Sep 17 00:00:00 2001
From: ciuffagianluca <113357981+ciuffagianluca@users.noreply.github.com>
Date: Fri, 21 Jun 2024 15:43:39 +0200
Subject: [PATCH 11/12] fix(wallet-app): wallet not found pm (#2184)

* feat: force payment method statuses when using wallet API via PM

* feat: force payment method statuses when using wallet API via PM

* fix wallet not found

* fix get wallet by id vs pm policy

* fix: fix enum variant according to OpenAPI spec

* refactor: use payment method ids to select PM methods instead of payment type codes

---------

Co-authored-by: Giovanni Berti <giovanni.berti@pagopa.it>
Co-authored-by: Pietro Tota <115724836+pietro-tota@users.noreply.github.com>
Co-authored-by: Gianluca Ciuffa <gianlucaciuffa@MBP-di-Gianluca.homenet.telecomitalia.it>
---
 .../_get_wallets_by_user_and_walletId.xml.tpl | 71 +++++++++++--------
 1 file changed, 40 insertions(+), 31 deletions(-)

diff --git a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_wallets_by_user_and_walletId.xml.tpl b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_wallets_by_user_and_walletId.xml.tpl
index e1d62b4860..b2f9c80f83 100644
--- a/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_wallets_by_user_and_walletId.xml.tpl
+++ b/src/domains/pay-wallet-app/api/io-payment-wallet/v1/_get_wallets_by_user_and_walletId.xml.tpl
@@ -1,6 +1,6 @@
 <policies>
     <inbound>
-    <base />
+        <base />
         <choose>
             <when condition="@("true".Equals("{{enable-pm-ecommerce-io}}") || !"{{pay-wallet-family-friends-user-ids}}".Contains(((string)context.Variables["sessionTokenUserId"])) )">
                 <set-variable name="walletId" value="@{
@@ -23,13 +23,11 @@
                             <set-header name="Content-Type" exists-action="override">
                                 <value>application/json</value>
                             </set-header>
-                            <set-body>
-                                {
+                            <set-body>{
                                 "title": "Error retrieving user wallet data",
                                 "status": 502,
                                 "detail": "There was an error retrieving user wallet data"
-                                }
-                            </set-body>
+                                }</set-body>
                         </return-response>
                     </when>
                 </choose>
@@ -42,13 +40,11 @@
                             <set-header name="Content-Type" exists-action="override">
                                 <value>application/json</value>
                             </set-header>
-                            <set-body>
-                                {
+                            <set-body>{
                                 "title": "Wallet not found",
                                 "status": 404,
                                 "detail": "No wallet found for input wallet token"
-                                }
-                            </set-body>
+                                }</set-body>
                         </return-response>
                     </when>
                 </choose>
@@ -64,29 +60,21 @@
                 <choose>
                     <when condition="@(((IResponse)context.Variables["paymentMethodsResponse"]).StatusCode != 200)">
                         <return-response>
-                        <set-status code="502" reason="Bad Gateway" />
-                        <set-header name="Content-Type" exists-action="override">
-                            <value>application/json</value>
-                        </set-header>
-                        <set-body>
-                            {
+                            <set-status code="502" reason="Bad Gateway" />
+                            <set-header name="Content-Type" exists-action="override">
+                                <value>application/json</value>
+                            </set-header>
+                            <set-body>{
                                 "title": "Error retrieving eCommerce payment methods",
                                 "status": 502,
                                 "detail": "There was an error retrieving eCommerce payment methods"
-                            }
-                        </set-body>
+                            }</set-body>
                         </return-response>
                     </when>
                 </choose>
                 <set-variable name="paymentMethodsResponseBody" value="@(((IResponse)context.Variables["paymentMethodsResponse"]).Body.As<JObject>())" />
                 <!-- END get payment methods -->
-                <return-response>
-                    <set-status code="200" />
-                    <set-header name="Content-Type" exists-action="override">
-                        <value>application/json</value>
-                    </set-header>
-                    <set-body>
-                        @{
+                <set-variable name="walletResponseBody" value="@{
                             JObject pmWalletResponse = (JObject)context.Variables["pmUserWalletResponseBody"];
                             var walletApplications = new List<String>{"PAGOPA"};
                             var eCommerceWalletTypes = new Dictionary<string, string>
@@ -178,12 +166,33 @@
             
                                     return result;
             
-                                }).Single();
-            
-                            return walletResult.ToString();
-                        }
-                    </set-body>
-                </return-response>
+                                }).SingleOrDefault();
+                                return walletResult;
+                        }" />
+                <choose>
+                    <when condition="@((context.Variables["walletResponseBody"]) != null)">
+                        <return-response>
+                            <set-status code="200" />
+                            <set-header name="Content-Type" exists-action="override">
+                                <value>application/json</value>
+                            </set-header>
+                            <set-body>@(((JObject)context.Variables["walletResponseBody"]).ToString())</set-body>
+                        </return-response>
+                    </when>
+                    <otherwise>
+                        <return-response>
+                            <set-status code="404" />
+                            <set-header name="Content-Type" exists-action="override">
+                                <value>application/json</value>
+                            </set-header>
+                            <set-body>{
+                                "title": "Wallet not found",
+                                "status": 404,
+                                "detail": "Wallet not found"
+                            }</set-body>
+                        </return-response>
+                    </otherwise>
+                </choose>
             </when>
         </choose>
     </inbound>
@@ -196,4 +205,4 @@
     <on-error>
         <base />
     </on-error>
-</policies>
+</policies>
\ No newline at end of file

From bc8804272480c7b54ac6a4e33e153c7eb336d5f0 Mon Sep 17 00:00:00 2001
From: Pietro Tota <pietro.tota@pagopa.it>
Date: Fri, 21 Jun 2024 16:05:37 +0200
Subject: [PATCH 12/12] feat: skip io get user

---
 .../api/session-wallet/v1/_base_policy.xml.tpl     | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl b/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl
index b6a30091e9..21049910fb 100644
--- a/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl
+++ b/src/domains/shared-app/api/session-wallet/v1/_base_policy.xml.tpl
@@ -128,7 +128,7 @@
           <!-- pagoPA platform wallet JWT session token : END -->
         </when>
         <otherwise>
-            <!-- Get User IO : START-->
+            <!-- Get User IO 
             <send-request ignore-error="true" timeout="10" response-variable-name="user-auth-body" mode="new">
               <set-url>@("${io_backend_base_path}/pagopa/api/v1/user?version=20200114")</set-url> 
               <set-method>GET</set-method>
@@ -172,7 +172,7 @@
               </when>
             </choose>
             <set-variable name="userAuthBody" value="@(((IResponse)context.Variables["user-auth-body"]).Body.As<JObject>())" />
-            <!-- Get User IO : END-->
+            Get User IO : END-->
             <!-- pagoPA platform wallet JWT session token : START -->
             <!-- Token JWT START-->
                   <set-variable name="x-jwt-token" value="@{
@@ -188,11 +188,11 @@
                     String userId = ((string)context.Variables.GetValueOrDefault("userId","")); 
                     
                     // Read email and pass it to the JWT. By now the email in shared as is. It MUST be encoded (by pdv) but POST transaction need to updated to not match email address as email field
-                    JObject userAuth = (JObject)context.Variables["userAuthBody"];
-                    String spidEmail = (String)userAuth["spid_email"];
-                    String noticeEmail = (String)userAuth["notice_email"];
-                    String email = String.IsNullOrEmpty(noticeEmail) ? spidEmail : noticeEmail;
-                    
+                    // JObject userAuth = (JObject)context.Variables["userAuthBody"];
+                    // String spidEmail = (String)userAuth["spid_email"];
+                    // String noticeEmail = (String)userAuth["notice_email"];
+                    // String email = String.IsNullOrEmpty(noticeEmail) ? spidEmail : noticeEmail;
+                    String email = ((JObject)context.Variables["pmSession"])["data"]["user"]["notificationEmail"].ToString();
                     var payload = new { iat, exp, jti, email, userId}; 
                     var jwtPayloadBase64UrlEncoded = Convert.ToBase64String(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(payload))).Replace("/", "_").Replace("+", "-"). Replace("=", "");