Refactor to use named authorization policies in controllers

Replaced direct role-based [Authorize] attributes with named
authorization policies (e.g., AuthPolicy.Receiver,
AuthPolicy.SenderOrReceiver) in AnnotationController,
DocumentController, and ReadOnlyController. Added and registered
new policies in Program.cs and updated AuthPolicy constants.
This centralizes and simplifies authorization management.
2026-02-03 16:20:26 +01:00
parent c6c8747d23
commit 0d2425c9cf
5 changed files with 15 additions and 7 deletions


@@ -18,7 +18,7 @@ namespace EnvelopeGenerator.API.Controllers;
/// <summary>
/// Manages annotations and signature lifecycle for envelopes.
/// </summary>
[Authorize(Roles = Role.Receiver.FullyAuth)]
[Authorize(Policy = AuthPolicy.Receiver)]
[ApiController]
[Route("api/[controller]")]
public class AnnotationController : ControllerBase
@@ -54,7 +54,7 @@ public class AnnotationController : ControllerBase
/// </summary>
/// <param name="psPdfKitAnnotation">Annotation payload.</param>
/// <param name="cancel">Cancellation token.</param>
[Authorize(Roles = Role.Receiver.FullyAuth)]
[Authorize(Policy = AuthPolicy.Receiver)]
[HttpPost]
[Obsolete("PSPDF Kit will no longer be used.")]
public async Task<IActionResult> CreateOrUpdate([FromBody] PsPdfKitAnnotation? psPdfKitAnnotation = null, CancellationToken cancel = default)
@@ -87,7 +87,7 @@ public class AnnotationController : ControllerBase
/// Rejects the document for the current receiver.
/// </summary>
/// <param name="reason">Optional rejection reason.</param>
[Authorize(Roles = Role.Receiver.FullyAuth)]
[Authorize(Policy = AuthPolicy.Receiver)]
[HttpPost("reject")]
[Obsolete("Use MediatR")]
public async Task<IActionResult> Reject([FromBody] string? reason = null)
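Review bot: The method-level `[Authorize(Policy = AuthPolicy.Receiver)]` on CreateOrUpdate and Reject repeats the class-level attribute placed on AnnotationController in the first hunk, so they add no further restriction; multiple [Authorize] attributes compose conjunctively, and a reader may take the repeat for a stricter check. Either drop the method-level copies or keep them deliberately with a comment such as `// Same policy as the controller; repeated so the requirement is visible next to the action.` The swap from Roles to Policy is behavior-preserving only because the Receiver policy in this commit's Program.cs hunk is `RequireRole(Role.Receiver.FullyAuth)`; from now on a change to that one registration silently changes every receiver endpoint, which is the intent of the refactor but worth stating where the policy is registered. The bodies of CreateOrUpdate and Reject continue outside the hunk.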


@@ -24,7 +24,7 @@ public class DocumentController(IMediator mediator, ILogger<DocumentController>
/// <param name="query">Encoded envelope key.</param>
/// <param name="cancel">Cancellation token.</param>
[HttpGet]
[Authorize(Roles = $"{Role.Sender},{Role.Receiver.FullyAuth}")]
[Authorize(Policy = AuthPolicy.SenderOrReceiver)]
public async Task<IActionResult> GetDocument(CancellationToken cancel, [FromQuery] ReadDocumentQuery? query = null)
{
// Sender: expects query with envelope key


@@ -37,7 +37,7 @@ public class ReadOnlyController : ControllerBase
/// </summary>
/// <param name="createDto">Creation payload.</param>
[HttpPost]
[Authorize(Roles = Role.Receiver.FullyAuth)]
[Authorize(Policy = AuthPolicy.Receiver)]
public async Task<IActionResult> CreateAsync([FromBody] EnvelopeReceiverReadOnlyCreateDto createDto)
{
var authReceiverMail = User.GetReceiverMailOfReceiver();


@@ -180,8 +180,12 @@ try
builder.Services.AddAuthorizationBuilder()
.AddPolicy(AuthPolicy.SenderOrReceiver, policy =>
policy.RequireRole(Role.Sender, Role.Receiver.FullyAuth))
.AddPolicy(AuthPolicy.Sender, policy =>
policy.RequireRole(Role.Sender))
.AddPolicy(AuthPolicy.Receiver, policy =>
policy.RequireRole(Role.Receiver.FullyAuth));
policy.RequireRole(Role.Receiver.FullyAuth))
.AddPolicy(AuthPolicy.ReceiverTFA, policy =>
policy.RequireRole(Role.Receiver.PreAuth));
// User manager
#pragma warning disable CS0618 // Type or member is obsolete
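Review bot: The new registration `.AddPolicy(AuthPolicy.ReceiverTFA, policy => policy.RequireRole(Role.Receiver.PreAuth))` binds a policy named "TFA" to the pre-authentication role, so, judging by the role name, it admits a receiver who has not yet completed the second factor rather than one who has; any action decorated with it is reachable before that step finishes. That is presumably meant for the second-factor challenge endpoint itself, but no controller in this commit uses the policy, so the intent is not visible at the point of registration. A comment on the registration, e.g. `// Pre-auth only: for the second-factor step itself; all other receiver actions use AuthPolicy.Receiver (FullyAuth).`, would keep it from being applied to a data-returning action by mistake. The enclosing try block starts outside the hunk.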


@@ -3,7 +3,11 @@ namespace EnvelopeGenerator.Domain.Constants
public static class AuthPolicy
{
public const string SenderOrReceiver = nameof(SenderOrReceiver) + nameof(AuthPolicy);
public const string Sender = nameof(Sender) + nameof(AuthPolicy);
public const string Receiver = nameof(Receiver) + nameof(AuthPolicy);
public const string ReceiverTFA = nameof(ReceiverTFA) + nameof(AuthPolicy);
}
}
}
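Review bot: The constants added in this hunk, ReceiverTFA in particular, carry no XML doc comment, and the name alone does not say which role the policy is bound to; since the binding lives in Program.cs, a reader of this file cannot tell that ReceiverTFA is the weaker of the two receiver policies. A summary on the constant would close that gap, e.g. `/// <summary>Policy for receivers who have only completed the pre-authentication step; bound to <see cref="Role.Receiver.PreAuth"/> at registration, so it is weaker than <see cref="Receiver"/>.</summary>`, with a matching one-liner on Receiver naming FullyAuth. The `nameof(...) + nameof(AuthPolicy)` pattern yields names like "ReceiverTFAAuthPolicy", which is consistent with the existing entries and fine as is.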