From a7275a5e6b4f54b4cbfa193f44b428adc929ef59 Mon Sep 17 00:00:00 2001
From: Jared Snider
Date: Thu, 15 May 2025 22:51:18 -0400
Subject: [PATCH] PM-20532 - (1) Policies - Add new Policies.cs static class to avoid magic strings for policy use (2) API Startup.cs - Add send authorization policy.
---
 src/Api/Startup.cs | 8 ++++++++
 src/Core/IdentityServer/Policies.cs | 8 ++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 src/Core/IdentityServer/Policies.cs
diff --git a/src/Api/Startup.cs b/src/Api/Startup.cs
index 2872a5b88b..2788d7dc21 100644
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@@ -145,6 +145,14 @@ public class Startup
 (c.Value.Contains(ApiScopes.Api) || c.Value.Contains(ApiScopes.ApiSecrets))
 ));
 });
+
+ config.AddPolicy(Policies.Send, configurePolicy: policy =>
+ {
+ policy.RequireAuthenticatedUser();
+ policy.RequireClaim(JwtClaimTypes.Scope, ApiScopes.Send);
+ // TODO: talk with Tools about potentially
+ // policy.AddRequirements(new SameSendIdRequirement());
+ });
 });

 services.AddScoped();
diff --git a/src/Core/IdentityServer/Policies.cs b/src/Core/IdentityServer/Policies.cs
new file mode 100644
index 0000000000..7a0cabe644
--- /dev/null
+++ b/src/Core/IdentityServer/Policies.cs
@@ -0,0 +1,8 @@
+namespace Bit.Core.IdentityServer;
+
+public static class Policies
+{
+ // TODO: migrate other existing policies to use this class
+ public const string Send = "Send"; // [Authorize(Policy = Policies.Send)]
+
+}
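Review bot: The `Send` policy added in the Startup.cs hunk checks only that the caller is authenticated and carries the `ApiScopes.Send` scope, so on its own it does not tie a token to one particular Send; the commented-out `SameSendIdRequirement` is the missing piece. Until that requirement exists, each endpoint marked with `Policies.Send` presumably has to compare the Send id in the token with the id in the request itself (the endpoints are not visible here, so this needs confirming). I would replace the two TODO lines with `// SECURITY: scope-only check; does not bind the token to a Send id. Handlers must verify the id until a resource requirement is added.` so the gap is explicit to whoever applies the policy. The exact-match `RequireClaim` is stricter than the `c.Value.Contains(...)` substring test in the policy just above it and is the safer form to keep. The enclosing authorization-configuration lambda starts outside the hunk.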
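Review bot: `Policies.Send` is declared in `Bit.Core`, but this commit registers the policy only in `src/Api/Startup.cs`, so any other host that applies `[Authorize(Policy = Policies.Send)]` without its own `AddPolicy` call would fail at request time because the policy name cannot be resolved. I would turn the trailing comment into an XML doc comment that states what the policy requires and where it is registered, for example `/// <summary>Authorization policy name for Send access: authenticated user plus the Send scope. Registered in the API Startup.</summary>`. The empty line before the closing brace of the class can be dropped.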