Refactor DocumentController for async policy-based auth

Refactored DocumentController to use IAuthorizationService and async policy checks via IsUserInPolicyAsync instead of role checks. Implemented IAuthController interface and removed ILogger dependency. Updated usings for new authorization logic.
2026-02-06 13:46:18 +01:00
parent ae7f0b80f3
commit d480dd3a36


@@ -1,3 +1,4 @@
using EnvelopeGenerator.API.Controllers.Interfaces;
using EnvelopeGenerator.API.Extensions;
using EnvelopeGenerator.Application.Documents.Queries;
using EnvelopeGenerator.Domain.Constants;
@@ -16,8 +17,13 @@ namespace EnvelopeGenerator.API.Controllers;
[Authorize]
[ApiController]
[Route("api/[controller]")]
public class DocumentController(IMediator mediator, ILogger<DocumentController> logger) : ControllerBase
public class DocumentController(IMediator mediator, IAuthorizationService authService) : ControllerBase, IAuthController
{
/// <summary>
///
/// </summary>
public IAuthorizationService AuthService => authService;
/// <summary>
/// Returns the document bytes receiver.
/// </summary>
@@ -28,7 +34,7 @@ public class DocumentController(IMediator mediator, ILogger<DocumentController>
public async Task<IActionResult> GetDocument(CancellationToken cancel, [FromQuery] ReadDocumentQuery? query = null)
{
// Sender: expects query with envelope key
if (User.IsInRole(Role.Sender))
if (await this.IsUserInPolicyAsync(AuthPolicy.Sender))
{
if (query is null)
return BadRequest("Missing document query.");
@@ -40,7 +46,7 @@ public class DocumentController(IMediator mediator, ILogger<DocumentController>
}
// Receiver: resolve envelope id from claims
if (User.IsInRole(Role.Receiver.Full))
if (await this.IsUserInPolicyAsync(AuthPolicy.Receiver))
{
if (query is not null)
return BadRequest("Query parameters are not allowed for receiver role.");
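Review bot: The receiver branch used to require `Role.Receiver.Full` and now passes on `AuthPolicy.Receiver`, whose registration is not part of this diff; the `.Full` suffix suggests other receiver roles exist, so if the policy accepts any of them, this branch hands out document bytes to a wider set of users than before. Confirm the policy is at least as strict as the old role check and record that at the call site, e.g. `// AuthPolicy.Receiver must require Role.Receiver.Full; other receiver roles must not reach this branch`. The same check applies to `AuthPolicy.Sender` in the previous hunk. The new `AuthService` property also has an empty `<summary>`; it should state that the property exists for `IAuthController`, presumably so `IsUserInPolicyAsync` can reach the authorization service. GetDocument's body continues outside the hunks, so what happens when neither policy matches is not visible here.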