From bee831c52b2219c3fcf0f61007e8cf32cc02e486 Mon Sep 17 00:00:00 2001
From: androidlover5842
Date: Fri, 30 Jan 2026 23:51:48 +0530
Subject: [PATCH] Allow auth on public endpoints and delete guest docs
---
 .../controller/GuestDocuments.kt | 31 +++++++++++++++++++
 .../security/FirebaseAuthFilter.kt | 6 +++-
 2 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/src/main/kotlin/com/android/trisolarisserver/controller/GuestDocuments.kt b/src/main/kotlin/com/android/trisolarisserver/controller/GuestDocuments.kt
index 1fa7323..c977b91 100644
--- a/src/main/kotlin/com/android/trisolarisserver/controller/GuestDocuments.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/controller/GuestDocuments.kt
@@ -139,6 +139,37 @@ class GuestDocuments(
 .body(resource)
 }
+ @DeleteMapping("/{documentId}")
+ @ResponseStatus(HttpStatus.NO_CONTENT)
+ fun deleteDocument(
+ @PathVariable propertyId: UUID,
+ @PathVariable guestId: UUID,
+ @PathVariable documentId: UUID,
+ @AuthenticationPrincipal principal: MyPrincipal?
+ ) {
+ requireRole(propertyAccess, propertyId, principal, Role.ADMIN, Role.MANAGER)
+
+ val document = guestDocumentRepo.findByIdAndPropertyIdAndGuestId(documentId, propertyId, guestId)
+ ?: throw ResponseStatusException(HttpStatus.NOT_FOUND, "Document not found")
+ val status = document.booking.status
+ if (status != com.android.trisolarisserver.models.booking.BookingStatus.OPEN &&
+ status != com.android.trisolarisserver.models.booking.BookingStatus.CHECKED_IN
+ ) {
+ throw ResponseStatusException(
+ HttpStatus.BAD_REQUEST,
+ "Documents can only be deleted for OPEN or CHECKED_IN bookings"
+ )
+ }
+
+ val path = Paths.get(document.storagePath)
+ try {
+ Files.deleteIfExists(path)
+ } catch (_: Exception) {
+ throw ResponseStatusException(HttpStatus.INTERNAL_SERVER_ERROR, "Failed to delete file")
+ }
+ guestDocumentRepo.delete(document)
+ }
+
 private fun runExtraction(documentId: UUID, propertyId: UUID, guestId: UUID) {
 extractionQueue.enqueue {
 val document = guestDocumentRepo.findById(documentId).orElse(null) ?: return@enqueue
diff --git a/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt b/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
index 56847b2..f635bfb 100644
--- a/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
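Review bot: `deleteDocument` removes the file before `guestDocumentRepo.delete(document)` and its `catch (_: Exception)` discards the cause, so a failed row delete leaves a record whose file is already gone and a failed file delete leaves nothing to diagnose. Binding the exception (`} catch (e: Exception) {`) and logging it with `documentId` before the rethrow would make failures traceable, and a comment stating which order is intended and what cleans up after a partial failure would help the next maintainer. `Paths.get(document.storagePath)` is deleted exactly as stored; where that value is built is not visible in this hunk, so if it is not guaranteed to sit under the document storage root, normalise it and check containment before `Files.deleteIfExists(path)`. Removing a guest document is also worth an audit log entry naming the principal and `documentId`.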
@@ -20,7 +20,11 @@ class FirebaseAuthFilter(
 private val logger = LoggerFactory.getLogger(FirebaseAuthFilter::class.java)
 override fun shouldNotFilter(request: HttpServletRequest): Boolean {
- return PublicEndpoints.isPublic(request)
+ if (!PublicEndpoints.isPublic(request)) {
+ return false
+ }
+ val header = request.getHeader(HttpHeaders.AUTHORIZATION)
+ return header.isNullOrBlank() || !header.startsWith("Bearer ")
 }
 override fun doFilterInternal(
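Review bot: The `startsWith("Bearer ")` check in `shouldNotFilter` is case-sensitive, while HTTP authentication scheme names are case-insensitive, so a request that sends `bearer <token>` to a public endpoint skips the filter and is handled as anonymous without any signal. `header.startsWith("Bearer ", ignoreCase = true)` would close that gap, provided `doFilterInternal` (its body lies outside this hunk) parses the header the same way. It is also worth confirming how `doFilterInternal` treats an invalid or expired token on a public path: if it answers 401, a client holding a stale token loses access to endpoints that are meant to be public. A short comment on the method, such as `// Public endpoints are filtered only when a Bearer header is present, so handlers can see an optional principal`, would record the intent.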