Add TfaRegistrationController for receiver TFA endpoints

Introduced TfaRegistrationController with endpoints to register and manage two-factor authentication for envelope receivers. Includes a GET endpoint to generate TFA registration metadata (QR code and deadline) and a POST endpoint to log out receivers. Implements error handling, logging, and uses dependency injection for required services. Added necessary using directives.

EnvelopeGenerator.Application/Common/Extensions/TaskExtensions.cs

@@ -5,6 +5,7 @@ namespace EnvelopeGenerator.Application.Common.Extensions;
 /// <summary>
 /// Extension methods for tasks
 /// </summary>
+[Obsolete("Implement Mediator behaviors in the Osolete .NET project.")]
 public static class TaskExtensions
 {
     /// <summary>
@@ -17,6 +18,7 @@ public static class TaskExtensions
     /// <param name="factory">Exception provider</param>
     /// <returns>The awaited result if not <c>null</c>.</returns>
     /// <exception>Thrown if the result is <c>null</c>.</exception>
+    [Obsolete("Implement Mediator behaviors in the Osolete .NET project.")]
     public static async Task<T> ThrowIfNull<T, TException>(this Task<T?> task, Func<TException> factory) where TException : Exception
     {
         var result = await task;
@@ -33,6 +35,7 @@ public static class TaskExtensions
     /// <param name="factory">Exception provider</param>
     /// <returns>The awaited collection if it is not <c>null</c> or empty.</returns>
     /// <exception cref="NotFoundException">Thrown if the result is <c>null</c> or empty.</exception>
+    [Obsolete("Implement Mediator behaviors in the Osolete .NET project.")]
     public static async Task<IEnumerable<T>> ThrowIfEmpty<T, TException>(this Task<IEnumerable<T>> task, Func<TException> factory) where TException : Exception
     {
         var result = await task;
@@ -47,11 +50,33 @@ public static class TaskExtensions
     /// <param name="task"></param>
     /// <param name="act"></param>
     /// <returns></returns>
+    [Obsolete("Implement Mediator behaviors in the Osolete .NET project.")]
     public static async Task<I> Then<T, I>(this Task<T> task, Func<T, I> act)
     {
         var res = await task;
         return act(res);
     }
+
+    /// <summary>
+    /// 
+    /// </summary>
+    /// <typeparam name="T"></typeparam>
+    /// <param name="task"></param>
+    /// <returns></returns>
+    [Obsolete("Implement Mediator behaviors in the Osolete .NET project.")]
+    public static Task<T?> FirstOrDefaultAsync<T>(this Task<IEnumerable<T>> task) => task.Then(t => t.FirstOrDefault());
+
+    /// <summary>
+    /// 
+    /// </summary>
+    /// <typeparam name="T"></typeparam>
+    /// <typeparam name="TException"></typeparam>
+    /// <param name="task"></param>
+    /// <param name="factory"></param>
+    /// <returns></returns>
+    public static Task<T> FirstAsync<T, TException>(this Task<IEnumerable<T>> task, Func<TException> factory) 
+        where TException : Exception 
+        => task.Then(t => t.FirstOrDefault() ?? throw factory());
 }
 
 /// <summary>
@@ -68,11 +93,13 @@ public static class Exceptions
     /// 
     /// </summary>
     /// <returns></returns>
+    [Obsolete("Implement Mediator behaviors in the Osolete .NET project.")]
     public static BadRequestException BadRequest() => new();
 
     /// <summary>
     /// 
     /// </summary>
     /// <returns></returns>
+    [Obsolete("Implement Mediator behaviors in the Osolete .NET project.")]
     public static ForbiddenException Forbidden() => new();
 }

EnvelopeGenerator.GeneratorAPI/Controllers/AnnotationController.cs

@@ -0,0 +1,130 @@
+using DigitalData.Core.Abstraction.Application.DTO;
+using DigitalData.Core.Exceptions;
+using EnvelopeGenerator.Application.Common.Extensions;
+using EnvelopeGenerator.Application.Common.Interfaces.Services;
+using EnvelopeGenerator.Application.Common.Notifications.DocSigned;
+using EnvelopeGenerator.Application.EnvelopeReceivers.Queries;
+using EnvelopeGenerator.Application.Histories.Queries;
+using EnvelopeGenerator.Domain.Constants;
+using EnvelopeGenerator.GeneratorAPI.Extensions;
+using MediatR;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace EnvelopeGenerator.GeneratorAPI.Controllers;
+
+/// <summary>
+/// Manages annotations and signature lifecycle for envelopes.
+/// </summary>
+[Authorize(Roles = ReceiverRole.FullyAuth)]
+[ApiController]
+[Route("api/[controller]")]
+public class AnnotationController : ControllerBase
+{
+    [Obsolete("Use MediatR")]
+    private readonly IEnvelopeHistoryService _historyService;
+
+    [Obsolete("Use MediatR")]
+    private readonly IEnvelopeReceiverService _envelopeReceiverService;
+
+    private readonly IMediator _mediator;
+
+    private readonly ILogger<AnnotationController> _logger;
+
+    /// <summary>
+    /// Initializes a new instance of <see cref="AnnotationController"/>.
+    /// </summary>
+    [Obsolete("Use MediatR")]
+    public AnnotationController(
+        ILogger<AnnotationController> logger,
+        IEnvelopeHistoryService envelopeHistoryService,
+        IEnvelopeReceiverService envelopeReceiverService,
+        IMediator mediator)
+    {
+        _historyService = envelopeHistoryService;
+        _envelopeReceiverService = envelopeReceiverService;
+        _mediator = mediator;
+        _logger = logger;
+    }
+
+    /// <summary>
+    /// Creates or updates annotations for the authenticated envelope receiver.
+    /// </summary>
+    /// <param name="psPdfKitAnnotation">Annotation payload.</param>
+    /// <param name="cancel">Cancellation token.</param>
+    [Authorize(Roles = ReceiverRole.FullyAuth)]
+    [HttpPost]
+    [Obsolete("This endpoint is for PSPDF Kit.")]
+    public async Task<IActionResult> CreateOrUpdate([FromBody] PsPdfKitAnnotation? psPdfKitAnnotation = null, CancellationToken cancel = default)
+    {
+        var signature = User.GetAuthReceiverSignature();
+        var uuid = User.GetAuthEnvelopeUuid();
+
+        if (signature is null || uuid is null)
+        {
+            _logger.LogError("Authorization failed: authenticated user does not have a valid signature or envelope UUID.");
+            return Unauthorized("User authentication is incomplete. Missing required claims for processing this request.");
+        }
+
+        var envelopeReceiver = await _mediator.ReadEnvelopeReceiverAsync(uuid, signature, cancel).ThrowIfNull(Exceptions.NotFound);
+
+        if (!envelopeReceiver.Envelope!.ReadOnly && psPdfKitAnnotation is null)
+            return BadRequest();
+
+        if (await _mediator.IsSignedAsync(uuid, signature, cancel))
+            return Problem(statusCode: StatusCodes.Status409Conflict);
+        else if (await _mediator.AnyHistoryAsync(uuid, new[] { EnvelopeStatus.EnvelopeRejected, EnvelopeStatus.DocumentRejected }, cancel))
+            return Problem(statusCode: StatusCodes.Status423Locked);
+
+        var docSignedNotification = await _mediator
+            .ReadEnvelopeReceiverAsync(uuid, signature, cancel)
+            .ToDocSignedNotification(psPdfKitAnnotation)
+            ?? throw new NotFoundException("Envelope receiver is not found.");
+
+        await _mediator.PublishSafely(docSignedNotification, cancel);
+        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+
+        return Ok();
+    }
+
+    /// <summary>
+    /// Rejects the document for the current receiver.
+    /// </summary>
+    /// <param name="reason">Optional rejection reason.</param>
+    [Authorize(Roles = ReceiverRole.FullyAuth)]
+    [HttpPost("reject")]
+    [Obsolete("Use MediatR")]
+    public async Task<IActionResult> Reject([FromBody] string? reason = null)
+    {
+        var signature = User.GetAuthReceiverSignature();
+        var uuid = User.GetAuthEnvelopeUuid();
+        var mail = User.GetAuthReceiverMail();
+        if (uuid is null || signature is null || mail is null)
+        {
+            _logger.LogEnvelopeError(uuid: uuid, signature: signature,
+                message: @$"Unauthorized POST request in api\\envelope\\reject. One of claims, Envelope, signature or mail ({mail}) is null.");
+            return Unauthorized();
+        }
+
+        var envRcvRes = await _envelopeReceiverService.ReadByUuidSignatureAsync(uuid: uuid, signature: signature);
+
+        if (envRcvRes.IsFailed)
+        {
+            _logger.LogNotice(envRcvRes.Notices);
+            return Unauthorized("you are not authorized");
+        }
+
+        var histRes = await _historyService.RecordAsync(envRcvRes.Data.EnvelopeId, userReference: mail, EnvelopeStatus.DocumentRejected, comment: reason);
+        if (histRes.IsSuccess)
+        {
+            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+            return NoContent();
+        }
+
+        _logger.LogEnvelopeError(uuid: uuid, signature: signature, message: "Unexpected error happened in api/envelope/reject");
+        _logger.LogNotice(histRes.Notices);
+        return StatusCode(500, histRes.Messages);
+    }
+}

EnvelopeGenerator.GeneratorAPI/Controllers/ConfigController.cs

@@ -0,0 +1,29 @@
+using EnvelopeGenerator.GeneratorAPI.Models.PsPdfKitAnnotation;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Options;
+
+namespace EnvelopeGenerator.GeneratorAPI.Controllers;
+
+/// <summary>
+/// Exposes configuration data required by the client applications.
+/// </summary>
+/// <remarks>
+/// Initializes a new instance of <see cref="ConfigController"/>.
+/// </remarks>
+[Route("api/[controller]")]
+[ApiController]
+[Authorize]
+public class ConfigController(IOptionsMonitor<AnnotationParams> annotationParamsOptions) : ControllerBase
+{
+    private readonly AnnotationParams _annotationParams = annotationParamsOptions.CurrentValue;
+
+    /// <summary>
+    /// Returns annotation configuration that was previously rendered by MVC.
+    /// </summary>
+    [HttpGet("Annotations")]
+    public IActionResult GetAnnotationParams()
+    {
+        return Ok(_annotationParams.AnnotationJSObject);
+    }
+}

EnvelopeGenerator.GeneratorAPI/Controllers/DocumentController.cs

@@ -0,0 +1,43 @@
+using DigitalData.Core.Exceptions;
+using EnvelopeGenerator.Application.Common.Extensions;
+using EnvelopeGenerator.Application.EnvelopeReceivers.Queries;
+using EnvelopeGenerator.Domain.Constants;
+using MediatR;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+
+namespace EnvelopeGenerator.GeneratorAPI.Controllers;
+
+/// <summary>
+/// Provides access to envelope documents for authenticated receivers.
+/// </summary>
+/// <remarks>
+/// Initializes a new instance of the <see cref="DocumentController"/> class.
+/// </remarks>
+[Authorize(Roles = ReceiverRole.FullyAuth)]
+[ApiController]
+[Route("api/[controller]")]
+public class DocumentController(IMediator mediator, ILogger<DocumentController> logger) : ControllerBase
+{
+    /// <summary>
+    /// Returns the document bytes for the specified envelope receiver key.
+    /// </summary>
+    /// <param name="query">Encoded envelope key.</param>
+    /// <param name="cancel">Cancellation token.</param>
+    [HttpGet]
+    public async Task<IActionResult> GetDocument(ReadEnvelopeReceiverQuery query, CancellationToken cancel)
+    {
+        var envRcv = await mediator.Send(query, cancel).FirstAsync(Exceptions.NotFound);
+
+        var byteData = envRcv.Envelope?.Documents?.FirstOrDefault()?.ByteData;
+
+        if (byteData is null || byteData.Length == 0)
+        {
+            logger.LogError("Document byte data is null or empty for envelope-receiver entity:\n{envelopeKey}.",
+                envRcv.ToJson(Format.Json.ForDiagnostics));
+            throw new NotFoundException("Document is empty.");
+        }
+
+        return File(byteData, "application/octet-stream");
+    }
+}

EnvelopeGenerator.GeneratorAPI/Controllers/ReadOnlyController.cs

@@ -0,0 +1,95 @@
+using DigitalData.Core.Abstraction.Application.DTO;
+using EnvelopeGenerator.Application.Common.Dto.EnvelopeReceiverReadOnly;
+using EnvelopeGenerator.Application.Common.Interfaces.Services;
+using EnvelopeGenerator.Domain.Constants;
+using EnvelopeGenerator.GeneratorAPI.Extensions;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Newtonsoft.Json;
+
+namespace EnvelopeGenerator.GeneratorAPI.Controllers;
+
+/// <summary>
+/// Manages read-only envelope sharing flows.
+/// </summary>
+[Route("api/[controller]")]
+[ApiController]
+public class ReadOnlyController : ControllerBase
+{
+    private readonly ILogger<ReadOnlyController> _logger;
+    private readonly IEnvelopeReceiverReadOnlyService _readOnlyService;
+    private readonly IEnvelopeMailService _mailService;
+    private readonly IEnvelopeHistoryService _historyService;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="ReadOnlyController"/> class.
+    /// </summary>
+    public ReadOnlyController(ILogger<ReadOnlyController> logger, IEnvelopeReceiverReadOnlyService readOnlyService, IEnvelopeMailService mailService, IEnvelopeHistoryService historyService)
+    {
+        _logger = logger;
+        _readOnlyService = readOnlyService;
+        _mailService = mailService;
+        _historyService = historyService;
+    }
+
+    /// <summary>
+    /// Creates a new read-only receiver for the current envelope.
+    /// </summary>
+    /// <param name="createDto">Creation payload.</param>
+    [HttpPost]
+    [Authorize(Roles = ReceiverRole.FullyAuth)]
+    public async Task<IActionResult> CreateAsync([FromBody] EnvelopeReceiverReadOnlyCreateDto createDto)
+    {
+        var authReceiverMail = User.GetAuthReceiverMail();
+        if (authReceiverMail is null)
+        {
+            _logger.LogError("EmailAddress claim is not found in envelope-receiver-read-only creation process. Create DTO is:\n {dto}", JsonConvert.SerializeObject(createDto));
+            return Unauthorized();
+        }
+
+        var envelopeId = User.GetAuthEnvelopeId();
+        if (envelopeId is null)
+        {
+            _logger.LogError("Envelope Id claim is not found in envelope-receiver-read-only creation process. Create DTO is:\n {dto}", JsonConvert.SerializeObject(createDto));
+            return Unauthorized();
+        }
+
+        createDto.AddedWho = authReceiverMail;
+        createDto.EnvelopeId = envelopeId;
+
+        var creationRes = await _readOnlyService.CreateAsync(createDto: createDto);
+
+        if (creationRes.IsFailed)
+        {
+            _logger.LogNotice(creationRes);
+            return StatusCode(StatusCodes.Status500InternalServerError);
+        }
+
+        var readRes = await _readOnlyService.ReadByIdAsync(creationRes.Data.Id);
+        if (readRes.IsFailed)
+        {
+            _logger.LogNotice(creationRes);
+            return StatusCode(StatusCodes.Status500InternalServerError);
+        }
+
+        var newReadOnly = readRes.Data;
+
+        return await _mailService.SendAsync(newReadOnly).ThenAsync<int, IActionResult>(SuccessAsync: async _ =>
+        {
+            var histRes = await _historyService.RecordAsync((int)createDto.EnvelopeId, createDto.AddedWho, EnvelopeStatus.EnvelopeShared);
+            if (histRes.IsFailed)
+            {
+                _logger.LogError("Although the envelope was sent as read-only, the EnvelopeShared history could not be saved. Create DTO:\n{createDto}", JsonConvert.SerializeObject(createDto));
+                _logger.LogNotice(histRes.Notices);
+            }
+
+            return Ok();
+        },
+
+        Fail: (msg, ntc) =>
+        {
+            _logger.LogNotice(ntc);
+            return StatusCode(StatusCodes.Status500InternalServerError);
+        });
+    }
+}

EnvelopeGenerator.GeneratorAPI/Controllers/TfaRegistrationController.cs

@@ -0,0 +1,130 @@
+using DigitalData.Core.Abstraction.Application.DTO;
+using EnvelopeGenerator.Application.Common.Extensions;
+using EnvelopeGenerator.Application.Common.Interfaces.Services;
+using EnvelopeGenerator.Application.Resources;
+using EnvelopeGenerator.Domain.Constants;
+using EnvelopeGenerator.GeneratorAPI.Extensions;
+using EnvelopeGenerator.GeneratorAPI.Models;
+using Ganss.Xss;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Localization;
+using Microsoft.Extensions.Options;
+
+namespace EnvelopeGenerator.GeneratorAPI.Controllers;
+
+/// <summary>
+/// Exposes endpoints for registering and managing two-factor authentication for envelope receivers.
+/// </summary>
+[ApiController]
+[Route("api/tfa")]
+public class TfaRegistrationController : ControllerBase
+{
+    private readonly ILogger<TfaRegistrationController> _logger;
+    private readonly IEnvelopeReceiverService _envelopeReceiverService;
+    private readonly IAuthenticator _authenticator;
+    private readonly IReceiverService _receiverService;
+    private readonly TFARegParams _parameters;
+    private readonly IStringLocalizer<Resource> _localizer;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="TfaRegistrationController"/> class.
+    /// </summary>
+    public TfaRegistrationController(
+        ILogger<TfaRegistrationController> logger,
+        IEnvelopeReceiverService envelopeReceiverService,
+        IAuthenticator authenticator,
+        IReceiverService receiverService,
+        IOptions<TFARegParams> tfaRegParamsOptions,
+        IStringLocalizer<Resource> localizer)
+    {
+        _logger = logger;
+        _envelopeReceiverService = envelopeReceiverService;
+        _authenticator = authenticator;
+        _receiverService = receiverService;
+        _parameters = tfaRegParamsOptions.Value;
+        _localizer = localizer;
+    }
+
+    /// <summary>
+    /// Generates registration metadata (QR code and deadline) for a receiver.
+    /// </summary>
+    /// <param name="envelopeReceiverId">Encoded envelope receiver id.</param>
+    [Authorize]
+    [HttpGet("{envelopeReceiverId}")]
+    public async Task<IActionResult> RegisterAsync(string envelopeReceiverId)
+    {
+        try
+        {
+            var (uuid, signature) = envelopeReceiverId.DecodeEnvelopeReceiverId();
+
+            if (uuid is null || signature is null)
+            {
+                _logger.LogEnvelopeError(uuid: uuid, signature: signature, message: _localizer.WrongEnvelopeReceiverId());
+                return Unauthorized(new { message = _localizer.WrongEnvelopeReceiverId() });
+            }
+
+            var secretResult = await _envelopeReceiverService.ReadWithSecretByUuidSignatureAsync(uuid: uuid, signature: signature);
+            if (secretResult.IsFailed)
+            {
+                _logger.LogNotice(secretResult.Notices);
+                return NotFound(new { message = _localizer.WrongEnvelopeReceiverId() });
+            }
+
+            var envelopeReceiver = secretResult.Data;
+
+            if (!envelopeReceiver.Envelope!.TFAEnabled)
+                return Unauthorized(new { message = _localizer.WrongAccessCode() });
+
+            var receiver = envelopeReceiver.Receiver;
+            receiver!.TotpSecretkey = _authenticator.GenerateTotpSecretKey();
+            await _receiverService.UpdateAsync(receiver);
+            var totpQr64 = _authenticator.GenerateTotpQrCode(userEmail: receiver.EmailAddress, secretKey: receiver.TotpSecretkey).ToBase64String();
+
+            if (receiver.TfaRegDeadline is null)
+            {
+                receiver.TfaRegDeadline = _parameters.Deadline;
+                await _receiverService.UpdateAsync(receiver);
+            }
+            else if (receiver.TfaRegDeadline <= DateTime.Now)
+            {
+                return StatusCode(StatusCodes.Status410Gone, new { message = _localizer.WrongAccessCode() });
+            }
+
+            return Ok(new
+            {
+                envelopeReceiver.EnvelopeId,
+                envelopeReceiver.Envelope!.Uuid,
+                envelopeReceiver.Receiver!.Signature,
+                receiver.TfaRegDeadline,
+                TotpQR64 = totpQr64
+            });
+        }
+        catch (Exception ex)
+        {
+            _logger.LogEnvelopeError(envelopeReceiverId: envelopeReceiverId, exception: ex, message: _localizer.WrongEnvelopeReceiverId());
+            return StatusCode(StatusCodes.Status500InternalServerError, new { message = _localizer.UnexpectedError() });
+        }
+    }
+
+    /// <summary>
+    /// Logs out the envelope receiver from cookie authentication.
+    /// </summary>
+    [Authorize(Roles = ReceiverRole.FullyAuth)]
+    [HttpPost("auth/logout")]
+    public async Task<IActionResult> LogOutAsync()
+    {
+        try
+        {
+            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+            return Ok();
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "{message}", ex.Message);
+            return StatusCode(StatusCodes.Status500InternalServerError, new { message = _localizer.UnexpectedError() });
+        }
+    }
+}

EnvelopeGenerator.GeneratorAPI/EnvelopeClaimTypes.cs

@@ -0,0 +1,18 @@
+namespace EnvelopeGenerator.GeneratorAPI
+{
+    /// <summary>
+    /// Provides custom claim types for envelope-related information.
+    /// </summary>
+    public static class EnvelopeClaimTypes
+    {
+        /// <summary>
+        /// Claim type for the title of an envelope.
+        /// </summary>
+        public static readonly string Title = $"Envelope{nameof(Title)}";
+
+        /// <summary>
+        /// Claim type for the ID of an envelope.
+        /// </summary>
+        public static readonly string Id = $"Envelope{nameof(Id)}";
+    }
+}

EnvelopeGenerator.GeneratorAPI/Extensions/EnvelopeAuthExtensions.cs

@@ -0,0 +1,87 @@
+using System.Security.Claims;
+using EnvelopeGenerator.Application.Common.Dto.EnvelopeReceiver;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+
+namespace EnvelopeGenerator.GeneratorAPI.Extensions;
+
+/// <summary>
+/// Provides helper methods for working with envelope-specific authentication claims.
+/// </summary>
+public static class EnvelopeAuthExtensions
+{
+    /// <summary>
+    /// Retrieves a claim value by type.
+    /// </summary>
+    /// <param name="user">The current claims principal.</param>
+    /// <param name="claimType">The claim type to resolve.</param>
+    /// <returns>The claim value or null when missing.</returns>
+    public static string? GetClaimValue(this ClaimsPrincipal user, string claimType) => user.FindFirstValue(claimType);
+
+    /// <summary>
+    /// Gets the authenticated envelope UUID from the claims.
+    /// </summary>
+    public static string? GetAuthEnvelopeUuid(this ClaimsPrincipal user) => user.FindFirstValue(ClaimTypes.NameIdentifier);
+
+    /// <summary>
+    /// Gets the authenticated receiver signature from the claims.
+    /// </summary>
+    public static string? GetAuthReceiverSignature(this ClaimsPrincipal user) => user.FindFirstValue(ClaimTypes.Hash);
+
+    /// <summary>
+    /// Gets the authenticated receiver display name from the claims.
+    /// </summary>
+    public static string? GetAuthReceiverName(this ClaimsPrincipal user) => user.FindFirstValue(ClaimTypes.Name);
+
+    /// <summary>
+    /// Gets the authenticated receiver email address from the claims.
+    /// </summary>
+    public static string? GetAuthReceiverMail(this ClaimsPrincipal user) => user.FindFirstValue(ClaimTypes.Email);
+
+    /// <summary>
+    /// Gets the authenticated envelope title from the claims.
+    /// </summary>
+    public static string? GetAuthEnvelopeTitle(this ClaimsPrincipal user) => user.FindFirstValue(EnvelopeClaimTypes.Title);
+
+    /// <summary>
+    /// Gets the authenticated envelope identifier from the claims.
+    /// </summary>
+    public static int? GetAuthEnvelopeId(this ClaimsPrincipal user)
+    {
+        var envIdStr = user.FindFirstValue(EnvelopeClaimTypes.Id);
+        return int.TryParse(envIdStr, out var envId) ? envId : null;
+    }
+
+    /// <summary>
+    /// Signs in an envelope receiver using cookie authentication and attaches envelope claims.
+    /// </summary>
+    /// <param name="context">The current HTTP context.</param>
+    /// <param name="envelopeReceiver">Envelope receiver DTO to extract claims from.</param>
+    /// <param name="receiverRole">Role to attach to the authentication ticket.</param>
+    public static async Task SignInEnvelopeAsync(this HttpContext context, EnvelopeReceiverDto envelopeReceiver, string receiverRole)
+    {
+        var claims = new List<Claim>
+        {
+            new(ClaimTypes.NameIdentifier, envelopeReceiver.Envelope!.Uuid),
+            new(ClaimTypes.Hash, envelopeReceiver.Receiver!.Signature),
+            new(ClaimTypes.Name, envelopeReceiver.Name ?? string.Empty),
+            new(ClaimTypes.Email, envelopeReceiver.Receiver.EmailAddress),
+            new(EnvelopeClaimTypes.Title, envelopeReceiver.Envelope.Title),
+            new(EnvelopeClaimTypes.Id, envelopeReceiver.Envelope.Id.ToString()),
+            new(ClaimTypes.Role, receiverRole)
+        };
+
+        var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
+
+        var authProperties = new AuthenticationProperties
+        {
+            AllowRefresh = false,
+            IsPersistent = false
+        };
+
+        await context.SignInAsync(
+            CookieAuthenticationDefaults.AuthenticationScheme,
+            new ClaimsPrincipal(claimsIdentity),
+            authProperties);
+    }
+}

EnvelopeGenerator.GeneratorAPI/Models/Auth.cs

@@ -0,0 +1,14 @@
+namespace EnvelopeGenerator.GeneratorAPI.Models;
+
+public record Auth(string? AccessCode = null, string? SmsCode = null, string? AuthenticatorCode = null, bool UserSelectSMS = default)
+{
+    public bool HasAccessCode => AccessCode is not null;
+
+    public bool HasSmsCode => SmsCode is not null;
+
+    public bool HasAuthenticatorCode => AuthenticatorCode is not null;
+
+    public bool HasMulti => new[] { HasAccessCode, HasSmsCode, HasAuthenticatorCode }.Count(state => state) > 1;
+
+    public bool HasNone => !(HasAccessCode || HasSmsCode || HasAuthenticatorCode);
+}

EnvelopeGenerator.GeneratorAPI/Models/ContactLink.cs

@@ -0,0 +1,60 @@
+namespace EnvelopeGenerator.GeneratorAPI.Models
+{
+    /// <summary>
+    /// Represents a hyperlink for contact purposes with various HTML attributes.
+    /// </summary>
+    public class ContactLink
+    {
+        /// <summary>
+        /// Gets or sets the label of the hyperlink.
+        /// </summary>
+        public string Label { get; init; } = "Contact";
+
+        /// <summary>
+        /// Gets or sets the URL that the hyperlink points to.
+        /// </summary>
+        public string Href { get; set; } = string.Empty;
+
+        /// <summary>
+        /// Gets or sets the target where the hyperlink should open.
+        /// Commonly used values are "_blank", "_self", "_parent", "_top".
+        /// </summary>
+        public string Target { get; set; } = "_blank";
+
+        /// <summary>
+        /// Gets or sets the relationship of the linked URL as space-separated link types.
+        /// Examples include "nofollow", "noopener", "noreferrer".
+        /// </summary>
+        public string Rel { get; set; } = string.Empty;
+
+        /// <summary>
+        /// Gets or sets the filename that should be downloaded when clicking the hyperlink.
+        /// This attribute will only have an effect if the href attribute is set.
+        /// </summary>
+        public string Download { get; set; } = string.Empty;
+
+        /// <summary>
+        /// Gets or sets the language of the linked resource. Useful when linking to
+        /// content in another language.
+        /// </summary>
+        public string HrefLang { get; set; } = "en";
+
+        /// <summary>
+        /// Gets or sets the MIME type of the linked URL. Helps browsers to handle
+        /// the type correctly when the link is clicked.
+        /// </summary>
+        public string Type { get; set; } = string.Empty;
+
+        /// <summary>
+        /// Gets or sets additional information about the hyperlink, typically viewed
+        /// as a tooltip when the mouse hovers over the link.
+        /// </summary>
+        public string Title { get; set; } = string.Empty;
+
+        /// <summary>
+        /// Gets or sets an identifier for the hyperlink, unique within the HTML document.
+        /// </summary>
+        public string Id { get; set; } = string.Empty;
+    }
+
+}

EnvelopeGenerator.GeneratorAPI/Models/Culture.cs

@@ -0,0 +1,17 @@
+using System.Globalization;
+
+namespace EnvelopeGenerator.GeneratorAPI.Models;
+
+public class Culture
+{
+    private string _language = string.Empty;
+    public string Language { get => _language;
+        init {
+            _language = value;
+            Info = new(value);
+        } 
+    }
+    public string FIClass { get; init; } = string.Empty;
+
+    public CultureInfo? Info { get; init; }
+}

EnvelopeGenerator.GeneratorAPI/Models/Cultures.cs

@@ -0,0 +1,12 @@
+namespace EnvelopeGenerator.GeneratorAPI.Models;
+
+public class Cultures : List<Culture>
+{
+    public IEnumerable<string> Languages => this.Select(c => c.Language);
+
+    public IEnumerable<string> FIClasses => this.Select(c => c.FIClass);
+
+    public Culture Default => this.First();
+    
+    public Culture? this[string? language] => language is null ? null : this.Where(c => c.Language == language).FirstOrDefault();
+}

EnvelopeGenerator.GeneratorAPI/Models/CustomImages.cs

@@ -0,0 +1,6 @@
+namespace EnvelopeGenerator.GeneratorAPI.Models;
+
+public class CustomImages : Dictionary<string, Image>
+{
+    public new Image this[string key] => TryGetValue(key, out var img) && img is not null ? img : new();
+}

EnvelopeGenerator.GeneratorAPI/Models/ErrorViewModel.cs

@@ -0,0 +1,10 @@
+namespace EnvelopeGenerator.GeneratorAPI.Models;
+
+public class ErrorViewModel
+{
+    public string Title { get; init; } = "404";
+
+    public string Subtitle { get; init; } = "Hmmm...";
+
+    public string Body { get; init; } = "It looks like one of the developers fell asleep";
+}

EnvelopeGenerator.GeneratorAPI/Models/Image.cs

@@ -0,0 +1,10 @@
+namespace EnvelopeGenerator.GeneratorAPI.Models;
+
+public class Image
+{
+    public string Src { get; init; } = string.Empty;
+
+    public Dictionary<string, string> Classes { get; init; } = new();
+
+    public string GetClassIn(string page) => Classes.TryGetValue(page, out var cls) && cls is not null ? cls : string.Empty;
+}

EnvelopeGenerator.GeneratorAPI/Models/MainViewModel.cs

@@ -0,0 +1,6 @@
+namespace EnvelopeGenerator.GeneratorAPI.Models;
+
+public class MainViewModel
+{
+    public string? Title { get; init; }
+}

EnvelopeGenerator.GeneratorAPI/Models/PsPdfKitAnnotation/Annotation.cs

@@ -0,0 +1,92 @@
+using System.Text.Json.Serialization;
+
+namespace EnvelopeGenerator.GeneratorAPI.Models.PsPdfKitAnnotation;
+
+public record Annotation : IAnnotation
+{
+    public required string Name { get; init; }
+
+    #region Bound Annotation
+    [JsonIgnore]
+    public string? HorBoundAnnotName { get; init; }
+
+    [JsonIgnore]
+    public string? VerBoundAnnotName { get; init; }
+    #endregion
+
+    #region Layout
+    [JsonIgnore]
+    public double? MarginLeft { get; set; }
+
+    [JsonIgnore]
+    public double MarginLeftRatio { get; init; } = 1;
+
+    [JsonIgnore]
+    public double? MarginTop { get; set; }
+
+    [JsonIgnore]
+    public double MarginTopRatio { get; init; } = 1;
+
+    public double? Width { get; set; }
+
+    [JsonIgnore]
+    public double WidthRatio { get; init; } = 1;
+
+    public double? Height { get; set; }
+
+    [JsonIgnore]
+    public double HeightRatio { get; init; } = 1;
+    #endregion
+
+    #region Position
+    public double Left => (MarginLeft ?? 0) + (HorBoundAnnot?.HorBoundary ?? 0);
+
+    public double Top => (MarginTop ?? 0) + (VerBoundAnnot?.VerBoundary ?? 0);
+    #endregion
+
+    #region Boundary
+    [JsonIgnore]
+    public double HorBoundary => Left + (Width ?? 0);
+
+    [JsonIgnore]
+    public double VerBoundary => Top + (Height ?? 0);
+    #endregion
+
+    #region BoundAnnot
+    [JsonIgnore]
+    public Annotation? HorBoundAnnot { get; set; }
+
+    [JsonIgnore]
+    public Annotation? VerBoundAnnot { get; set; }
+    #endregion
+
+    public Color? BackgroundColor { get; init; }
+
+    #region Border
+    public Color? BorderColor { get; init; }
+
+    public string? BorderStyle { get; init; }
+
+    public int? BorderWidth { get; set; }
+    #endregion
+
+    [JsonIgnore]
+    internal Annotation Default 
+    { 
+        set 
+        {
+            // To set null value, annotation must have null (0) value but null must has non-null value
+            if (MarginLeft == null && value.MarginLeft != null)
+                MarginLeft = value.MarginLeft * MarginLeftRatio;
+
+            if (MarginTop == null && value.MarginTop != null)
+                MarginTop = value.MarginTop * MarginTopRatio;
+
+            if (Width == null && value.Width != null)
+                Width = value.Width * WidthRatio;
+
+            if (Height == null && value.Height != null)
+                Height = value.Height * HeightRatio;
+        }
+    }
+};

EnvelopeGenerator.GeneratorAPI/Models/PsPdfKitAnnotation/AnnotationParams.cs

@@ -0,0 +1,79 @@
+using System.Text.Json.Serialization;
+
+namespace EnvelopeGenerator.GeneratorAPI.Models.PsPdfKitAnnotation;
+
+public class AnnotationParams
+{
+    public AnnotationParams()
+    {
+        _AnnotationJSObjectInitor = new(CreateAnnotationJSObject);
+    }
+
+    public Background? Background { get; init; }
+
+    #region Annotation
+    [JsonIgnore]
+    public Annotation? DefaultAnnotation { get; init; }
+
+    private readonly List<Annotation> _annots = new List<Annotation>();
+
+    public bool TryGet(string name, out Annotation annotation)
+    {
+#pragma warning disable CS8601 // Possible null reference assignment.
+        annotation = _annots.FirstOrDefault(a => a.Name == name);
+#pragma warning restore CS8601 // Possible null reference assignment.
+        return annotation is not null;
+    }
+
+    public required IEnumerable<Annotation> Annotations
+    {
+        get => _annots;
+        init
+        {
+            _annots = value.ToList();
+
+            if (DefaultAnnotation is not null)
+                foreach (var annot in _annots)
+                    annot.Default = DefaultAnnotation;
+
+            for (int i = 0; i < _annots.Count; i++)
+            {
+                #region set bound annotations
+                // horizontal
+                if (_annots[i].HorBoundAnnotName is string horBoundAnnotName)
+                    if (TryGet(horBoundAnnotName, out var horBoundAnnot))
+                        _annots[i].HorBoundAnnot = horBoundAnnot;
+                    else
+                        throw new InvalidOperationException($"{horBoundAnnotName} added as bound anotation. However, it is not defined.");
+
+                // vertical
+                if (_annots[i].VerBoundAnnotName is string verBoundAnnotName)
+                    if (TryGet(verBoundAnnotName, out var verBoundAnnot))
+                        _annots[i].VerBoundAnnot = verBoundAnnot;
+                    else
+                        throw new InvalidOperationException($"{verBoundAnnotName} added as bound anotation. However, it is not defined.");
+                #endregion
+            }
+        }
+    }
+    #endregion
+
+    #region AnnotationJSObject
+    private Dictionary<string, IAnnotation> CreateAnnotationJSObject()
+    {
+        var dict = _annots.ToDictionary(a => a.Name.ToLower(), a => a as IAnnotation);
+
+        if (Background is not null)
+        {
+            Background.Locate(_annots);
+            dict.Add(Background.Name.ToLower(), Background);
+        }            
+
+        return dict;
+    }
+
+    private readonly Lazy<Dictionary<string, IAnnotation>> _AnnotationJSObjectInitor;
+
+    public Dictionary<string, IAnnotation> AnnotationJSObject => _AnnotationJSObjectInitor.Value;
+    #endregion
+}

EnvelopeGenerator.GeneratorAPI/Models/PsPdfKitAnnotation/Background.cs

@@ -0,0 +1,58 @@
+using System.Text.Json.Serialization;
+
+namespace EnvelopeGenerator.GeneratorAPI.Models.PsPdfKitAnnotation;
+
+/// <summary>
+/// The Background is an annotation for the PSPDF Kit. However, it has no function.
+/// It is only the first annotation as a background for other annotations.
+/// </summary>
+public record Background : IAnnotation
+{
+    [JsonIgnore]
+    public double Margin { get; init; }
+
+    public string Name { get; } = "Background";
+
+    public double? Width { get; set; }
+
+    public double? Height { get; set; }
+
+    public double Left { get; set; }
+
+    public double Top { get; set; }
+
+    public Color? BackgroundColor { get; init; }
+
+    #region Border
+    public Color? BorderColor { get; init; }
+
+    public string? BorderStyle { get; init; }
+
+    public int? BorderWidth { get; set; }
+    #endregion
+
+    public void Locate(IEnumerable<IAnnotation> annotations)
+    {
+        // set Top
+        if (annotations.MinBy(a => a.Top)?.Top is double minTop)
+            Top = minTop;
+
+        // set Left
+        if (annotations.MinBy(a => a.Left)?.Left is double minLeft)
+            Left = minLeft;
+
+        // set Width
+        if(annotations.MaxBy(a => a.GetRight())?.GetRight() is double maxRight)
+            Width = maxRight - Left;
+
+        // set Height
+        if (annotations.MaxBy(a => a.GetBottom())?.GetBottom() is double maxBottom)
+            Height = maxBottom - Top;
+
+        // add margins
+        Top -= Margin;
+        Left -= Margin;
+        Width += Margin * 2;
+        Height += Margin * 2;
+    }
+}

EnvelopeGenerator.GeneratorAPI/Models/PsPdfKitAnnotation/Color.cs

@@ -0,0 +1,10 @@
+namespace EnvelopeGenerator.GeneratorAPI.Models.PsPdfKitAnnotation;
+
+public record Color
+{
+    public int R { get; init; } = 0;
+
+    public int G { get; init; } = 0;
+
+    public int B { get; init; } = 0;
+}

EnvelopeGenerator.GeneratorAPI/Models/PsPdfKitAnnotation/Extensions.cs

@@ -0,0 +1,8 @@
+namespace EnvelopeGenerator.GeneratorAPI.Models.PsPdfKitAnnotation;
+
+public static class Extensions
+{
+    public static double GetRight(this IAnnotation annotation) => annotation.Left + annotation?.Width ?? 0;
+
+    public static double GetBottom(this IAnnotation annotation) => annotation.Top + annotation?.Height ?? 0;
+}

EnvelopeGenerator.GeneratorAPI/Models/PsPdfKitAnnotation/IAnnotation.cs

@@ -0,0 +1,22 @@
+namespace EnvelopeGenerator.GeneratorAPI.Models.PsPdfKitAnnotation;
+
+public interface IAnnotation
+{
+    string Name { get; }
+
+    double? Width { get; }
+
+    double? Height { get; }
+
+    double Left { get; }
+
+    double Top { get; }
+
+    Color? BackgroundColor { get; }
+
+    Color? BorderColor { get; }
+
+    string? BorderStyle { get; }
+
+    int? BorderWidth { get; }
+}

EnvelopeGenerator.GeneratorAPI/Models/TFARegParams.cs

@@ -0,0 +1,17 @@
+namespace EnvelopeGenerator.GeneratorAPI.Models;
+
+/// <summary>
+/// Represents the parameters for two-factor authentication (2FA) registration.
+/// </summary>
+public class TFARegParams
+{
+    /// <summary>
+    /// The maximum allowed time for completing the registration process.
+    /// </summary>
+    public TimeSpan TimeLimit { get; init; } = new(0, 30, 0);
+
+    /// <summary>
+    /// The deadline for registration, calculated as the current time plus the <see cref="TimeLimit"/>.
+    /// </summary>
+    public DateTime Deadline => DateTime.Now.AddTicks(TimeLimit.Ticks);
+}