diff --git a/EnvelopeGenerator.API/Controllers/AnnotationController.cs b/EnvelopeGenerator.API/Controllers/AnnotationController.cs
index 940dd911..be40fb0d 100644
--- a/EnvelopeGenerator.API/Controllers/AnnotationController.cs
+++ b/EnvelopeGenerator.API/Controllers/AnnotationController.cs
@@ -18,7 +18,7 @@ namespace EnvelopeGenerator.API.Controllers;
///
/// Manages annotations and signature lifecycle for envelopes.
///
-[Authorize(Roles = Role.Receiver.FullyAuth)]
+[Authorize(Policy = AuthPolicy.Receiver)]
[ApiController]
[Route("api/[controller]")]
public class AnnotationController : ControllerBase
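Review bot: The class-level `[Authorize(Policy = AuthPolicy.Receiver)]` introduced here is repeated verbatim on `CreateOrUpdate` and `Reject` in the next two hunks; every `[Authorize]` attribute on an action is enforced in addition to the class-level one, so identical method-level copies add nothing and can be dropped, leaving the single declaration on the class. Keeping one declaration also means a later change to the receiver policy is made in one place. If the method-level attributes are meant as placeholders for a stricter per-action policy, a short comment saying so would explain why they are kept.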
@@ -54,7 +54,7 @@ public class AnnotationController : ControllerBase
///
/// Annotation payload.
/// Cancellation token.
- [Authorize(Roles = Role.Receiver.FullyAuth)]
+ [Authorize(Policy = AuthPolicy.Receiver)]
[HttpPost]
[Obsolete("PSPDF Kit will no longer be used.")]
public async Task CreateOrUpdate([FromBody] PsPdfKitAnnotation? psPdfKitAnnotation = null, CancellationToken cancel = default)
@@ -87,7 +87,7 @@ public class AnnotationController : ControllerBase
/// Rejects the document for the current receiver.
///
/// Optional rejection reason.
- [Authorize(Roles = Role.Receiver.FullyAuth)]
+ [Authorize(Policy = AuthPolicy.Receiver)]
[HttpPost("reject")]
[Obsolete("Use MediatR")]
public async Task Reject([FromBody] string? reason = null)
diff --git a/EnvelopeGenerator.API/Controllers/DocumentController.cs b/EnvelopeGenerator.API/Controllers/DocumentController.cs
index dc55d7de..474412a9 100644
--- a/EnvelopeGenerator.API/Controllers/DocumentController.cs
+++ b/EnvelopeGenerator.API/Controllers/DocumentController.cs
@@ -24,7 +24,7 @@ public class DocumentController(IMediator mediator, ILogger
/// Encoded envelope key.
/// Cancellation token.
[HttpGet]
- [Authorize(Roles = $"{Role.Sender},{Role.Receiver.FullyAuth}")]
+ [Authorize(Policy = AuthPolicy.SenderOrReceiver)]
public async Task GetDocument(CancellationToken cancel, [FromQuery] ReadDocumentQuery? query = null)
{
// Sender: expects query with envelope key
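Review bot: The XML doc above `GetDocument` lists only the envelope key and the cancellation token, yet with `AuthPolicy.SenderOrReceiver` the action is reachable by two caller kinds with different expectations, as the first body line already hints for the sender. A `/// <remarks>` line stating that senders must pass `query` with the encoded envelope key while fully authenticated receivers are resolved from their own identity would make that contract visible to API readers; the body continues outside the hunk, so the receiver path is presumably handled there — confirm. The policy only proves that one of the two roles is present, so the branch inside should key on the caller's role rather than on whether `query` was supplied, if it does not already.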
diff --git a/EnvelopeGenerator.API/Controllers/ReadOnlyController.cs b/EnvelopeGenerator.API/Controllers/ReadOnlyController.cs
index 8592e1be..40c59bbb 100644
--- a/EnvelopeGenerator.API/Controllers/ReadOnlyController.cs
+++ b/EnvelopeGenerator.API/Controllers/ReadOnlyController.cs
@@ -37,7 +37,7 @@ public class ReadOnlyController : ControllerBase
///
/// Creation payload.
[HttpPost]
- [Authorize(Roles = Role.Receiver.FullyAuth)]
+ [Authorize(Policy = AuthPolicy.Receiver)]
public async Task CreateAsync([FromBody] EnvelopeReceiverReadOnlyCreateDto createDto)
{
var authReceiverMail = User.GetReceiverMailOfReceiver();
diff --git a/EnvelopeGenerator.API/Program.cs b/EnvelopeGenerator.API/Program.cs
index 40dd1377..da15a25b 100644
--- a/EnvelopeGenerator.API/Program.cs
+++ b/EnvelopeGenerator.API/Program.cs
@@ -180,8 +180,12 @@ try
builder.Services.AddAuthorizationBuilder()
.AddPolicy(AuthPolicy.SenderOrReceiver, policy =>
policy.RequireRole(Role.Sender, Role.Receiver.FullyAuth))
+ .AddPolicy(AuthPolicy.Sender, policy =>
+ policy.RequireRole(Role.Sender))
.AddPolicy(AuthPolicy.Receiver, policy =>
- policy.RequireRole(Role.Receiver.FullyAuth));
+ policy.RequireRole(Role.Receiver.FullyAuth))
+ .AddPolicy(AuthPolicy.ReceiverTFA, policy =>
+ policy.RequireRole(Role.Receiver.PreAuth));
// User manager
#pragma warning disable CS0618 // Type or member is obsolete
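Review bot: `AuthPolicy.ReceiverTFA` is registered here as `RequireRole(Role.Receiver.PreAuth)`, so despite its name it admits the receiver role held before full authentication rather than after it; a maintainer reading `[Authorize(Policy = AuthPolicy.ReceiverTFA)]` could take it for the stricter state and put it on an endpoint that should use `AuthPolicy.Receiver`. A comment beside the registration would prevent that, e.g. `// ReceiverTFA: receiver holding only the pre-auth role (second factor not yet completed); for the second-factor step endpoints only` — this assumes PreAuth denotes the state before the second factor is verified, which the hunk does not show. Renaming to something like `ReceiverPreAuth` would be clearer still, but the constant already exists in AuthPolicy.cs and may have callers outside this diff.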
diff --git a/EnvelopeGenerator.Domain/Constants/AuthPolicy.cs b/EnvelopeGenerator.Domain/Constants/AuthPolicy.cs
index 88b1186d..17e709a3 100644
--- a/EnvelopeGenerator.Domain/Constants/AuthPolicy.cs
+++ b/EnvelopeGenerator.Domain/Constants/AuthPolicy.cs
@@ -3,7 +3,11 @@ namespace EnvelopeGenerator.Domain.Constants
public static class AuthPolicy
{
public const string SenderOrReceiver = nameof(SenderOrReceiver) + nameof(AuthPolicy);
+
+ public const string Sender = nameof(Sender) + nameof(AuthPolicy);
+
public const string Receiver = nameof(Receiver) + nameof(AuthPolicy);
+
public const string ReceiverTFA = nameof(ReceiverTFA) + nameof(AuthPolicy);
}
-}
+}
\ No newline at end of file
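Review bot: The new `Sender` constant, like its siblings, carries no `///` summary, so the only place a reader learns what each policy admits is the registration in Program.cs; a one-line `/// <summary>Requires the sender role.</summary>` on each constant, and in particular a note on `ReceiverTFA` that it maps to the pre-auth receiver role, keeps the meaning next to the name. The hunk also drops the file's trailing newline (`\ No newline at end of file`); restoring it avoids a spurious whitespace change in the next edit to this file.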