Secure, role-based document approval workflow API built with ASP.NET Core, JWT authentication, and audited state transitions.

Vortex711/SecureDocs

SecureDocs – Secure Document Workflow API

A backend-focused ASP.NET Core Web API that implements a secure, role-based document approval workflow with JWT authentication, state-based business rules, and full audit logging.

This project is designed to demonstrate real-world backend architecture rather than simple CRUD functionality.


Problem Statement

Many organizations need an internal system where:

  • Users submit documents
  • Reviewers verify them
  • Admins make final approval or rejection
  • Every action is tracked
  • Unauthorized access is prevented

SecureDocs models this as a strict backend-enforced workflow.


Core Features

Authentication & Authorization

  • JWT-based authentication
  • Role-based access (User, Reviewer, Admin)
  • Roles embedded in JWT claims
  • Stateless and scalable

Workflow State Machine

Documents move through controlled states:

Draft → Submitted → InReview → Approved / Rejected

Invalid transitions are blocked at the service layer.


Roles & Permissions

Role       Capabilities
User       Create and submit documents
Reviewer   Start reviews on submitted documents
Admin      Approve or reject documents

Admins can perform reviewer actions as well.


Audit Trail

Every state change generates a permanent audit log:

  • Action performed
  • Who performed it
  • Timestamp
  • Optional remarks

No document can change state without a corresponding audit record.
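The state machine, the role table and the audit rule above combined into one service-layer check. This is an added illustration, not code from the SecureDocs repository; the type names, the ordered Role enum and the sample e-mail addresses are assumptions.

```csharp
using System;
using System.Collections.Generic;
// Hypothetical types that mirror the README's workflow; not the SecureDocs project's own code.
public enum DocumentState { Draft, Submitted, InReview, Approved, Rejected }
// Ordered so that Admin > Reviewer > User, which is what lets admins perform reviewer actions.
public enum Role { User, Reviewer, Admin }
public record AuditEntry(string Action, string ActorEmail, DateTime TimestampUtc, string? Remarks);

public class Document
{
    public string OwnerEmail { get; init; } = "";
    public DocumentState State { get; private set; } = DocumentState.Draft;
    public List<AuditEntry> Audit { get; } = new();

    // The only legal transitions: (current state, action) -> (next state, minimum role).
    private static readonly Dictionary<(DocumentState, string), (DocumentState To, Role MinRole)> Transitions = new()
    {
        [(DocumentState.Draft, "Submit")]          = (DocumentState.Submitted, Role.User),
        [(DocumentState.Submitted, "StartReview")] = (DocumentState.InReview,  Role.Reviewer),
        [(DocumentState.InReview, "Approve")]      = (DocumentState.Approved,  Role.Admin),
        [(DocumentState.InReview, "Reject")]       = (DocumentState.Rejected,  Role.Admin),
    };

    // Service-layer gate: every state change passes through here, so none happens without an audit entry.
    public void Apply(string action, string actorEmail, Role actorRole, string? remarks = null)
    {
        if (!Transitions.TryGetValue((State, action), out var t))
            throw new InvalidOperationException($"'{action}' is not allowed from state {State}.");
        if (actorRole < t.MinRole)
            throw new UnauthorizedAccessException($"Role {actorRole} may not perform '{action}'.");
        if (action == "Submit" && actorEmail != OwnerEmail)   // only the owner submits their draft
            throw new UnauthorizedAccessException("Only the owner can submit this document.");
        State = t.To;
        Audit.Add(new AuditEntry(action, actorEmail, DateTime.UtcNow, remarks));
    }
}

public static class Demo
{
    public static Document Run()
    {
        // Constructed sample actors; the addresses are placeholders.
        var doc = new Document { OwnerEmail = "owner@example.invalid" };
        doc.Apply("Submit", "owner@example.invalid", Role.User);
        doc.Apply("StartReview", "admin@example.invalid", Role.Admin);   // admin acting as reviewer
        doc.Apply("Approve", "admin@example.invalid", Role.Admin, "Approved after review");
        // A further doc.Apply("Submit", ...) would throw: Approved has no outgoing transitions.
        return doc;
    }
}
```

After Demo.Run() the document is Approved and its Audit list holds three entries, one per transition, which is the invariant the section above describes.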


Access Control

Documents can be accessed only by:

  • Their owner
  • Reviewers (while in workflow states)
  • Admins

This is enforced in the service layer, not just via controller attributes.


Workflow Queues

The API exposes realistic queues:

  • My Documents (for users)
  • Pending Review (for reviewers/admins)
  • In Review (active work queue)

Pending items are ordered by submission time, and in-review items by latest activity.


Why Refresh Tokens Are Not Included

Refresh tokens were intentionally omitted to keep the focus on:

  • Role-based authorization
  • Workflow integrity
  • Auditability

For internal enterprise systems, short-lived JWT access tokens are standard and sufficient.


Why There Is No Admin or Reviewer Registration

Users do not assign their own privileges in real systems.

Roles are assigned externally (HR systems, IT admins, etc.).
For this project, roles are assigned directly in the database:

UPDATE Users SET Role = 'Reviewer' WHERE Email = '[email protected]';
UPDATE Users SET Role = 'Admin' WHERE Email = '[email protected]';
