Use policies security for controlling access to bitpay api

BTCPayServer/Controllers/InvoiceController.API.cs

@@ -13,11 +13,14 @@ using BTCPayServer.Data;
 using BTCPayServer.Services.Invoices;
 using Microsoft.AspNetCore.Cors;
 using BTCPayServer.Services.Stores;
+using Microsoft.AspNetCore.Authorization;
+using BTCPayServer.Security;
 
 namespace BTCPayServer.Controllers
 {
     [EnableCors("BitpayAPI")]
     [BitpayAPIConstraint]
+    [Authorize(Policies.CanUseStore.Key)]
     public class InvoiceControllerAPI : Controller
     {
         private InvoiceController _InvoiceController;
@@ -43,6 +46,7 @@ namespace BTCPayServer.Controllers
 
         [HttpGet]
         [Route("invoices/{id}")]
+        [AllowAnonymous]
         public async Task<DataWrapper<InvoiceResponse>> GetInvoice(string id, string token)
         {
             var invoice = await _InvoiceRepository.GetInvoice(null, id);

BTCPayServer/Security/BitpayClaimsFilter.cs

@@ -79,13 +79,13 @@ namespace BTCPayServer.Security
                 if (storeId != null)
                 {
                     var identity = ((ClaimsIdentity)context.HttpContext.User.Identity);
-                    identity.AddClaim(new Claim(Claims.OwnStore, storeId));
+                    identity.AddClaim(new Claim(Policies.CanUseStore.Key, storeId));
                     var store = await _StoreRepository.FindStore(storeId);
                     context.HttpContext.SetStoreData(store);
                 }
                 else if (failedAuth)
                 {
-                    throw new BitpayHttpException(401, "Can't access to store");
+                    throw new BitpayHttpException(401, "Invalid credentials");
                 }
             }
         }