EnvelopeGenerator/EnvelopeGenerator.API/Controllers/AuthController.cs

using EnvelopeGenerator.API.Controllers.Interfaces;
using EnvelopeGenerator.API.Models;
using EnvelopeGenerator.Domain.Constants;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

namespace EnvelopeGenerator.API.Controllers;

/// <summary>
/// Controller verantwortlich für die Benutzer-Authentifizierung, einschließlich Anmelden, Abmelden und Überprüfung des Authentifizierungsstatus.
/// </summary>
[Route("api/[controller]")]
[ApiController]
public partial class AuthController(IOptions<AuthTokenKeys> authTokenKeyOptions, IAuthorizationService authService) : ControllerBase, IAuthController
{
    private readonly AuthTokenKeys authTokenKeys = authTokenKeyOptions.Value;

    /// <summary>
    /// 
    /// </summary>
    public IAuthorizationService AuthService { get; } = authService;

    /// <summary>
    /// Entfernt das Authentifizierungs-Cookie des Benutzers (AuthCookie)
    /// </summary>
    /// <returns>
    /// Gibt eine HTTP 200 oder 401.
    /// </returns>
    /// <remarks>
    /// Sample request:
    ///
    ///     POST /api/auth/logout
    ///
    /// </remarks>
    /// <response code="200">Erfolgreich gelöscht, wenn der Benutzer ein berechtigtes Cookie hat.</response>
    /// <response code="401">Wenn es kein zugelassenes Cookie gibt, wird „nicht zugelassen“ zurückgegeben.</response>
    [ProducesResponseType(typeof(void), StatusCodes.Status200OK)]
    [ProducesResponseType(typeof(void), StatusCodes.Status401Unauthorized)]
    [Authorize(Policy = AuthPolicy.SenderOrReceiver)]
    [HttpPost("logout")]
    public async Task<IActionResult> Logout()
    {
        if (await this.IsUserInPolicyAsync(AuthPolicy.Sender))
            Response.Cookies.Delete(authTokenKeys.Cookie);
        else if (await this.IsUserInPolicyAsync(AuthPolicy.ReceiverOrReceiverTFA))
            await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        else
            return Unauthorized();

        return Ok();
    }

    /// <summary>
    /// Prüft, ob der Benutzer ein autorisiertes Token hat.
    /// </summary>
    /// <returns>Wenn ein autorisiertes Token vorhanden ist HTTP 200 asynchron 401</returns>
    /// <remarks>
    /// Sample request:
    ///
    ///     GET /api/auth
    ///
    /// </remarks>
    /// <response code="200">Wenn es einen autorisierten Cookie gibt.</response>
    /// <response code="401">Wenn kein Cookie vorhanden ist oder nicht autorisierte.</response>
    [ProducesResponseType(typeof(void), StatusCodes.Status200OK)]
    [ProducesResponseType(typeof(void), StatusCodes.Status401Unauthorized)]
    [HttpGet("check")]
    [Authorize]
    public IActionResult Check(string? role = null)
        => role is not null && !User.IsInRole(role)
            ? Unauthorized()
            : Ok();

    /// <summary>
    /// Checks whether the caller holds a valid per-envelope receiver token for the given envelope key.
    /// The request must carry a cookie named <c>AuthTokenSignFLOWReceiver.{envelopeKey}</c>.
    /// </summary>
    /// <param name="envelopeKey">The unique envelope key extracted from the route.</param>
    /// <response code="200">Valid per-envelope token found.</response>
    /// <response code="401">Token is missing, expired or invalid.</response>
    [ProducesResponseType(typeof(void), StatusCodes.Status200OK)]
    [ProducesResponseType(typeof(void), StatusCodes.Status401Unauthorized)]
    [Authorize(Policy = AuthPolicy.Receiver)]
    [HttpGet("check/envelope/{envelopeKey}")]
    public IActionResult CheckEnvelopeReceiver([FromRoute] string envelopeKey) => Ok();
}