books/backend/Books.Api/Authorization/CompanyAccessService.cs

using Books.Api.Domain.UserAccess;
using Books.Api.EventFlow.Repositories;

namespace Books.Api.Authorization;

/// <summary>
/// Service for checking company access permissions.
/// </summary>
public interface ICompanyAccessService
{
    /// <summary>
    /// Check if the current user has access to the specified company with the required role.
    /// Throws UnauthorizedAccessException if access is denied.
    /// </summary>
    Task RequireAccessAsync(
        string companyId,
        CompanyRole minimumRole,
        CancellationToken cancellationToken = default);

    /// <summary>
    /// Check if the current user has access to the specified company.
    /// Returns the access DTO if granted, null if denied.
    /// </summary>
    Task<UserCompanyAccessDto?> GetAccessAsync(
        string companyId,
        CancellationToken cancellationToken = default);

    /// <summary>
    /// Get all companies the current user has access to.
    /// </summary>
    Task<IReadOnlyList<UserCompanyAccessDto>> GetUserCompaniesAsync(
        CancellationToken cancellationToken = default);

    /// <summary>
    /// Check if the current user has write access (Owner or Accountant) to the company.
    /// </summary>
    Task<bool> CanWriteAsync(
        string companyId,
        CancellationToken cancellationToken = default);

    /// <summary>
    /// Check if the current user can manage users for the company (Owner only).
    /// </summary>
    Task<bool> CanManageUsersAsync(
        string companyId,
        CancellationToken cancellationToken = default);
}

public class CompanyAccessService(
    IHttpContextAccessor httpContextAccessor,
    IUserCompanyAccessRepository accessRepository) : ICompanyAccessService
{
    public async Task RequireAccessAsync(
        string companyId,
        CompanyRole minimumRole,
        CancellationToken cancellationToken = default)
    {
        var userId = GetCurrentUserId();
        if (userId == null)
        {
            throw new UnauthorizedAccessException("User is not authenticated");
        }

        var hasAccess = await accessRepository.HasAccessAsync(userId, companyId, minimumRole, cancellationToken);
        if (!hasAccess)
        {
            var roleDescription = minimumRole switch
            {
                CompanyRole.Owner => "ejer",
                CompanyRole.Accountant => "bogholder",
                CompanyRole.Viewer => "læser",
                _ => "ukendt"
            };

            throw new Domain.DomainException(
                "ACCESS_DENIED",
                $"You do not have {minimumRole} access to this company",
                $"Du har ikke {roleDescription}-adgang til denne virksomhed");
        }
    }

    public async Task<UserCompanyAccessDto?> GetAccessAsync(
        string companyId,
        CancellationToken cancellationToken = default)
    {
        var userId = GetCurrentUserId();
        if (userId == null) return null;

        return await accessRepository.GetAccessAsync(userId, companyId, cancellationToken);
    }

    public async Task<IReadOnlyList<UserCompanyAccessDto>> GetUserCompaniesAsync(
        CancellationToken cancellationToken = default)
    {
        var userId = GetCurrentUserId();
        if (userId == null) return [];

        return await accessRepository.GetByUserIdAsync(userId, cancellationToken);
    }

    public async Task<bool> CanWriteAsync(
        string companyId,
        CancellationToken cancellationToken = default)
    {
        var userId = GetCurrentUserId();
        if (userId == null) return false;

        return await accessRepository.HasAccessAsync(userId, companyId, CompanyRole.Accountant, cancellationToken);
    }

    public async Task<bool> CanManageUsersAsync(
        string companyId,
        CancellationToken cancellationToken = default)
    {
        var userId = GetCurrentUserId();
        if (userId == null) return false;

        return await accessRepository.HasAccessAsync(userId, companyId, CompanyRole.Owner, cancellationToken);
    }

    private string? GetCurrentUserId()
    {
        var user = httpContextAccessor.HttpContext?.User;
        if (user?.Identity?.IsAuthenticated != true) return null;

        // For API keys, use the API key ID as the user ID
        // For OIDC users, use the NameIdentifier claim (Keycloak user ID)
        return user.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value;
    }
}
Add all backend domain, commands, repositories, and tests This commit includes all previously untracked backend files: Domain: - Accounts, Attachments, BankConnections, Customers - FiscalYears, Invoices, JournalEntryDrafts - Orders, Products, UserAccess Commands & Handlers: - Full CQRS command structure for all domains Repositories: - PostgreSQL repositories for all read models - Bank transaction and ledger repositories GraphQL: - Input types, scalars, and types for all entities - Mutations and queries Infrastructure: - Banking integration (Enable Banking client) - File storage, Invoicing, Reporting, SAF-T export - Database migrations (003-029) Tests: - Integration tests for GraphQL endpoints - Domain tests - Invoicing and reporting tests Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 22:19:42 +01:00			`using Books.Api.Domain.UserAccess;`
			`using Books.Api.EventFlow.Repositories;`

			`namespace Books.Api.Authorization;`

			`/// <summary>`
			`/// Service for checking company access permissions.`
			`/// </summary>`
			`public interface ICompanyAccessService`
			`{`
			`/// <summary>`
			`/// Check if the current user has access to the specified company with the required role.`
			`/// Throws UnauthorizedAccessException if access is denied.`
			`/// </summary>`
			`Task RequireAccessAsync(`
			`string companyId,`
			`CompanyRole minimumRole,`
			`CancellationToken cancellationToken = default);`

			`/// <summary>`
			`/// Check if the current user has access to the specified company.`
			`/// Returns the access DTO if granted, null if denied.`
			`/// </summary>`
			`Task<UserCompanyAccessDto?> GetAccessAsync(`
			`string companyId,`
			`CancellationToken cancellationToken = default);`

			`/// <summary>`
			`/// Get all companies the current user has access to.`
			`/// </summary>`
			`Task<IReadOnlyList<UserCompanyAccessDto>> GetUserCompaniesAsync(`
			`CancellationToken cancellationToken = default);`

			`/// <summary>`
			`/// Check if the current user has write access (Owner or Accountant) to the company.`
			`/// </summary>`
			`Task<bool> CanWriteAsync(`
			`string companyId,`
			`CancellationToken cancellationToken = default);`

			`/// <summary>`
			`/// Check if the current user can manage users for the company (Owner only).`
			`/// </summary>`
			`Task<bool> CanManageUsersAsync(`
			`string companyId,`
			`CancellationToken cancellationToken = default);`
			`}`

			`public class CompanyAccessService(`
			`IHttpContextAccessor httpContextAccessor,`
			`IUserCompanyAccessRepository accessRepository) : ICompanyAccessService`
			`{`
			`public async Task RequireAccessAsync(`
			`string companyId,`
			`CompanyRole minimumRole,`
			`CancellationToken cancellationToken = default)`
			`{`
			`var userId = GetCurrentUserId();`
			`if (userId == null)`
			`{`
			`throw new UnauthorizedAccessException("User is not authenticated");`
			`}`

			`var hasAccess = await accessRepository.HasAccessAsync(userId, companyId, minimumRole, cancellationToken);`
			`if (!hasAccess)`
			`{`
			`var roleDescription = minimumRole switch`
			`{`
			`CompanyRole.Owner => "ejer",`
			`CompanyRole.Accountant => "bogholder",`
			`CompanyRole.Viewer => "læser",`
			`_ => "ukendt"`
			`};`

			`throw new Domain.DomainException(`
			`"ACCESS_DENIED",`
			`$"You do not have {minimumRole} access to this company",`
			`$"Du har ikke {roleDescription}-adgang til denne virksomhed");`
			`}`
			`}`

			`public async Task<UserCompanyAccessDto?> GetAccessAsync(`
			`string companyId,`
			`CancellationToken cancellationToken = default)`
			`{`
			`var userId = GetCurrentUserId();`
			`if (userId == null) return null;`

			`return await accessRepository.GetAccessAsync(userId, companyId, cancellationToken);`
			`}`

			`public async Task<IReadOnlyList<UserCompanyAccessDto>> GetUserCompaniesAsync(`
			`CancellationToken cancellationToken = default)`
			`{`
			`var userId = GetCurrentUserId();`
			`if (userId == null) return [];`

			`return await accessRepository.GetByUserIdAsync(userId, cancellationToken);`
			`}`

			`public async Task<bool> CanWriteAsync(`
			`string companyId,`
			`CancellationToken cancellationToken = default)`
			`{`
			`var userId = GetCurrentUserId();`
			`if (userId == null) return false;`

			`return await accessRepository.HasAccessAsync(userId, companyId, CompanyRole.Accountant, cancellationToken);`
			`}`

			`public async Task<bool> CanManageUsersAsync(`
			`string companyId,`
			`CancellationToken cancellationToken = default)`
			`{`
			`var userId = GetCurrentUserId();`
			`if (userId == null) return false;`

			`return await accessRepository.HasAccessAsync(userId, companyId, CompanyRole.Owner, cancellationToken);`
			`}`

			`private string? GetCurrentUserId()`
			`{`
			`var user = httpContextAccessor.HttpContext?.User;`
			`if (user?.Identity?.IsAuthenticated != true) return null;`

			`// For API keys, use the API key ID as the user ID`
			`// For OIDC users, use the NameIdentifier claim (Keycloak user ID)`
			`return user.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier)?.Value;`
			`}`
			`}`