Refactor GetDocument to unify sender and receiver logic

Combined sender and receiver document retrieval into a single GetDocument endpoint. The endpoint now authorizes both Sender and Receiver.FullyAuth roles, handling their logic based on role detection. Sender requires a query parameter; receiver extracts envelope ID from claims and disallows query params. Updated method signature and endpoint documentation.
2026-02-03 10:06:03 +01:00
parent 5465996563
commit 50ac7570ea
1 changed files with 27 additions and 21 deletions
--- a/EnvelopeGenerator.API/Controllers/DocumentController.cs
+++ b/EnvelopeGenerator.API/Controllers/DocumentController.cs
@@ -19,33 +19,39 @@ namespace EnvelopeGenerator.API.Controllers;
 public class DocumentController(IMediator mediator, ILogger<DocumentController> logger) : ControllerBase
 {
    /// <summary>
-    /// Returns the document bytes for the specified envelope receiver key.
+    /// Returns the document bytes receiver.
    /// </summary>
    /// <param name="query">Encoded envelope key.</param>
    /// <param name="cancel">Cancellation token.</param>
    [HttpGet]
-    [Authorize(Roles = Role.Sender)]
-    public async Task<IActionResult> GetDocument(ReadDocumentQuery query, CancellationToken cancel)
+    [Authorize(Roles = $"{Role.Sender},{Role.Receiver.FullyAuth}")]
+    public async Task<IActionResult> GetDocument(CancellationToken cancel, [FromQuery] ReadDocumentQuery? query = null)
    {
-        var doc = await mediator.Send(query, cancel);
-        return doc.ByteData is byte[] docByte
-            ? File(docByte, "application/octet-stream")
-            : NotFound("Document is empty.");
-    }
+        // Sender: expects query with envelope key
+        if (User.IsInRole(Role.Sender))
+        {
+            if (query is null)
+                return BadRequest("Missing document query.");

-    /// <summary>
-    /// Returns the document bytes for the receiver.
-    /// </summary>
-    /// <param name="cancel">Cancellation token.</param>
-    [HttpGet]
-    [Authorize(Roles = Role.Receiver.FullyAuth)]
-    public async Task<IActionResult> GetDocument(CancellationToken cancel)
-    {
-        var envelopeId = User.GetEnvelopeIdOfReceiver();
+            var senderDoc = await mediator.Send(query, cancel);
+            return senderDoc.ByteData is byte[] senderDocByte
+                ? File(senderDocByte, "application/octet-stream")
+                : NotFound("Document is empty.");
+        }

-        var doc = await mediator.Send(new ReadDocumentQuery() { EnvelopeId = envelopeId }, cancel);
-        return doc.ByteData is byte[] docByte
-            ? File(docByte, "application/octet-stream")
-            : NotFound("Document is empty.");
+        // Receiver: resolve envelope id from claims
+        if (User.IsInRole(Role.Receiver.FullyAuth))
+        {           
+            if (query is not null)
+                return BadRequest("Query parameters are not allowed for receiver role.");
+
+            var envelopeId = User.GetEnvelopeIdOfReceiver();
+            var receiverDoc = await mediator.Send(new ReadDocumentQuery { EnvelopeId = envelopeId }, cancel);
+            return receiverDoc.ByteData is byte[] receiverDocByte
+                ? File(receiverDocByte, "application/octet-stream")
+                : NotFound("Document is empty.");
+        }
+
+        return Unauthorized();
    }
 }