EnvelopeGenerator/EnvelopeGenerator.API/Controllers/DocumentController.cs

using EnvelopeGenerator.API.Extensions;
using EnvelopeGenerator.Application.Documents.Queries;
using EnvelopeGenerator.Domain.Constants;
using MediatR;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace EnvelopeGenerator.API.Controllers;

/// <summary>
/// Provides access to envelope documents for authenticated receivers.
/// </summary>
/// <remarks>
/// Initializes a new instance of the <see cref="DocumentController"/> class.
/// </remarks>
[Authorize]
[ApiController]
[Route("api/[controller]")]
public class DocumentController(IMediator mediator, ILogger<DocumentController> logger) : ControllerBase
{
    /// <summary>
    /// Returns the document bytes receiver.
    /// </summary>
    /// <param name="query">Encoded envelope key.</param>
    /// <param name="cancel">Cancellation token.</param>
    [HttpGet]
    [Authorize(Policy = AuthPolicy.SenderOrReceiver)]
    public async Task<IActionResult> GetDocument(CancellationToken cancel, [FromQuery] ReadDocumentQuery? query = null)
    {
        // Sender: expects query with envelope key
        if (User.IsInRole(Role.Sender))
        {
            if (query is null)
                return BadRequest("Missing document query.");

            var senderDoc = await mediator.Send(query, cancel);
            return senderDoc.ByteData is byte[] senderDocByte
                ? File(senderDocByte, "application/octet-stream")
                : NotFound("Document is empty.");
        }

        // Receiver: resolve envelope id from claims
        if (User.IsInRole(Role.Receiver.FullyAuth))
        {           
            if (query is not null)
                return BadRequest("Query parameters are not allowed for receiver role.");

            var envelopeId = User.GetEnvelopeIdOfReceiver();
            var receiverDoc = await mediator.Send(new ReadDocumentQuery { EnvelopeId = envelopeId }, cancel);
            return receiverDoc.ByteData is byte[] receiverDocByte
                ? File(receiverDocByte, "application/octet-stream")
                : NotFound("Document is empty.");
        }

        return Unauthorized();
    }
}