Add JWT token support for EnvelopeReceiver entities

Enhanced the `AuthController` to support JWT token generation for `EnvelopeReceiverSecretDto` entities. Added a new dependency `IJwtSignatureHandler<EnvelopeReceiverSecretDto>` and updated the constructor to inject it. Refactored the `CreateTokenForEnvelopeReceiver` method: - Added a `cookie` query parameter to control token delivery. - Implemented consumer validation using `_consumerService`. - Added token descriptor retrieval from `_keyPool`. - Improved `AccessCode` validation for `EnvelopeReceiver`. - Added logic to set tokens as cookies or return in the body. Updated `using` directives to include required namespaces. Improved error handling, readability, and flexibility in token generation and delivery.
2026-05-29 08:47:54 +02:00
parent 3ba55cbe9a
commit 2fed1baff5
1 changed files with 33 additions and 4 deletions
--- a/src/DigitalData.Auth.API/Controllers/AuthController.cs
+++ b/src/DigitalData.Auth.API/Controllers/AuthController.cs
@@ -8,6 +8,7 @@ using DigitalData.Core.Abstractions.Security.Extensions;
 using DigitalData.Core.Abstractions.Security.Services;
 using DigitalData.UserManager.Application.Contracts;
 using DigitalData.UserManager.Application.DTOs.User;
+using EnvelopeGenerator.Application.Common.Dto.EnvelopeReceiver;
 using EnvelopeGenerator.Application.Common.Extensions;
 using EnvelopeGenerator.Application.Common.Interfaces.Services;
 using EnvelopeGenerator.Application.EnvelopeReceivers.Queries;
@@ -18,6 +19,7 @@ using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.FileSystemGlobbing;
 using Microsoft.Extensions.Options;
+using System.Net;
 using System.Text;

 namespace DigitalData.Auth.API.Controllers
@@ -26,6 +28,8 @@ namespace DigitalData.Auth.API.Controllers
    [ApiController]
    public class AuthController : ControllerBase
    {
+        private readonly IJwtSignatureHandler<EnvelopeReceiverSecretDto> _erSignatureHandler;
+
        private readonly IJwtSignatureHandler<UserReadDto> _userSignatureHandler;

        private readonly IJwtSignatureHandler<Consumer> _consumerSignatureHandler;
@@ -46,7 +50,7 @@ namespace DigitalData.Auth.API.Controllers

        private readonly IMediator _mediator;

-        public AuthController(IJwtSignatureHandler<UserReadDto> userSignatureHandler, IOptions<AuthApiParams> cookieParamsOptions, IAsymmetricKeyPool keyPool, ILogger<AuthController> logger, IUserService userService, IDirectorySearchService dirSearchService, IConsumerService consumerService, IJwtSignatureHandler<Consumer> apiSignatureHandler, IOptionsMonitor<BackdoorParams> backdoorMonitor, IMediator mediator)
+        public AuthController(IJwtSignatureHandler<UserReadDto> userSignatureHandler, IOptions<AuthApiParams> cookieParamsOptions, IAsymmetricKeyPool keyPool, ILogger<AuthController> logger, IUserService userService, IDirectorySearchService dirSearchService, IConsumerService consumerService, IJwtSignatureHandler<Consumer> apiSignatureHandler, IOptionsMonitor<BackdoorParams> backdoorMonitor, IMediator mediator, IJwtSignatureHandler<EnvelopeReceiverSecretDto> erSignatureHandler)
        {
            _apiParams = cookieParamsOptions.Value;
            _userSignatureHandler = userSignatureHandler;
@@ -58,6 +62,7 @@ namespace DigitalData.Auth.API.Controllers
            _consumerSignatureHandler = apiSignatureHandler;
            _backdoorMonitor = backdoorMonitor;
            _mediator = mediator;
+            _erSignatureHandler = erSignatureHandler;
        }

        private async Task<IActionResult> CreateTokenAsync(UserLogin login, string consumerName, bool cookie = true)
@@ -223,17 +228,41 @@ namespace DigitalData.Auth.API.Controllers
        public IActionResult Check() => Ok();

        [HttpPost("envelope-receiver/{key}")]
-        public async Task<IActionResult> CreateTokenForEnvelopeReceiver([FromRoute]string key, [FromForm] ReceiverLogin receiverLogin, CancellationToken cancel)
+        public async Task<IActionResult> CreateTokenForEnvelopeReceiver([FromRoute]string key, [FromForm] ReceiverLogin receiverLogin, [FromQuery] bool cookie = true, CancellationToken cancel = default)
        {
+            //find the consumer
+            var consumer = await _consumerService.ReadByNameAsync("sign-flow");
+            if (consumer is null)
+                return Unauthorized();
+
+            if (!_keyPool.TokenDescriptors.TryGet(_apiParams.Issuer, consumer.Audience, out var descriptor))
+                return StatusCode(StatusCodes.Status500InternalServerError);
+
+            // find receiver
            var er = await _mediator.Send(new ReadEnvelopeReceiverSecretQuery()
            {
                Key = key
            }, cancel);

-            if(er is null)
+            if (er is null)
                return NotFound();

-            return er.AccessCode == receiverLogin.AccessCode ? Ok() : Unauthorized();
+            // check acccess code
+            if (er.AccessCode != receiverLogin.AccessCode)
+                return Unauthorized();
+
+            // create token
+            var token = _erSignatureHandler.WriteToken(er, descriptor);
+
+            //set cookie
+            if (cookie)
+            {
+                var cookieOptions = consumer.CookieOptions ?? _apiParams.DefaultCookieOptions;
+                Response.Cookies.Append(_apiParams.DefaultCookieName, token, cookieOptions.Create(lifetime: descriptor.Lifetime));
+                return Ok();
+            }
+            else
+                return Ok(token);
        }
    }
 }