Refactor AuthController for improved policy-based auth

- Inject IAuthorizationService for flexible policy checks
- Replace role checks in Logout with async policy authorization
- Merge IsAuthenticated into Check endpoint with optional role
- Update Check response type and clean up imports

EnvelopeGenerator.API/Controllers/AuthController.cs

@@ -1,10 +1,10 @@
-using Microsoft.AspNetCore.Authentication.Cookies;
+using EnvelopeGenerator.API.Extensions;
-using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.AspNetCore.Authorization;
 using EnvelopeGenerator.API.Models;
 using EnvelopeGenerator.Domain.Constants;
-using System.Net;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Options;
 
 namespace EnvelopeGenerator.API.Controllers;
@@ -14,7 +14,7 @@ namespace EnvelopeGenerator.API.Controllers;
 /// </summary>
 [Route("api/[controller]")]
 [ApiController]
-public partial class AuthController(IOptions<AuthTokenKeys> authTokenKeyOptions) : ControllerBase
+public partial class AuthController(IOptions<AuthTokenKeys> authTokenKeyOptions, IAuthorizationService authService) : ControllerBase
 {
     private readonly AuthTokenKeys authTokenKeys = authTokenKeyOptions.Value;
 
@@ -38,9 +38,9 @@ public partial class AuthController(IOptions<AuthTokenKeys> authTokenKeyOptions)
     [HttpPost("logout")]
     public async Task<IActionResult> Logout()
     {
-        if (User.IsInRole(Role.Sender))
+        if (await authService.AuthorizePolicyAsync(User, AuthPolicy.Sender))
             Response.Cookies.Delete(authTokenKeys.Cookie);
-        else if (User.IsInRole(Role.Receiver.Full))
+        else if (await authService.AuthorizePolicyAsync(User, AuthPolicy.ReceiverOrReceiverTFA))
             await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
         else
             return Unauthorized();
@@ -48,17 +48,6 @@ public partial class AuthController(IOptions<AuthTokenKeys> authTokenKeyOptions)
         return Ok();
     }
 
-    /// <summary>
-    /// 
-    /// </summary>
-    /// <param name="role"></param>
-    /// <returns></returns>
-    [ProducesResponseType(typeof(void), StatusCodes.Status200OK)]
-    [ProducesResponseType(typeof(void), StatusCodes.Status401Unauthorized)]
-    [HttpGet("check")]
-    [Authorize(Policy = AuthPolicy.SenderOrReceiver)]
-    public IActionResult Check([FromQuery] string role) => User.IsInRole(role) ? Ok() : Unauthorized();
-
     /// <summary>
     /// Prüft, ob der Benutzer ein autorisiertes Token hat.
     /// </summary>
@@ -71,9 +60,12 @@ public partial class AuthController(IOptions<AuthTokenKeys> authTokenKeyOptions)
     /// </remarks>
     /// <response code="200">Wenn es einen autorisierten Cookie gibt.</response>
     /// <response code="401">Wenn kein Cookie vorhanden ist oder nicht autorisierte.</response>
-    [ProducesResponseType(typeof(string), StatusCodes.Status200OK, "text/javascript")]
+    [ProducesResponseType(typeof(void), StatusCodes.Status200OK)]
     [ProducesResponseType(typeof(void), StatusCodes.Status401Unauthorized)]
+    [HttpGet("check")]
     [Authorize]
-    [HttpGet]
+    public IActionResult Check(string? role = null)
-    public IActionResult IsAuthenticated() => Ok();
+        => role is not null && !User.IsInRole(role)
+            ? Unauthorized()
+            : Ok();
 }