src/api/SIGCM2.Infrastructure/Security/JwtService.cs

using System.Security.Claims;
using System.Security.Cryptography;
using System.Text.Json;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using SIGCM2.Application.Abstractions.Security;
using SIGCM2.Domain.Entities;

namespace SIGCM2.Infrastructure.Security;

public sealed class JwtService : IJwtService
{
    private readonly RSA _rsa;
    private readonly JwtOptions _options;

    public JwtService(RSA rsa, JwtOptions options)
    {
        _rsa = rsa;
        _options = options;
    }

    /// <inheritdoc/>
    public ClaimsPrincipal GetPrincipalFromExpiredToken(string accessToken)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = _options.Issuer,
            ValidateAudience = true,
            ValidAudience = _options.Audience,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new RsaSecurityKey(_rsa),
            ValidateLifetime = false,  // Key: accept expired tokens in refresh flow
            ClockSkew = TimeSpan.Zero,
        };

        var handler = new JwtSecurityTokenHandler();
        var principal = handler.ValidateToken(accessToken, parameters, out var securityToken);

        if (securityToken is not JwtSecurityToken jwt ||
            !jwt.Header.Alg.Equals(SecurityAlgorithms.RsaSha256, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenException("Invalid token algorithm");

        return principal;
    }

    public string GenerateAccessToken(Usuario usuario)
    {
        var signingKey = new RsaSecurityKey(_rsa);
        var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256);

        var permisos = DeserializePermisos(usuario.PermisosJson);

        var claims = new List<Claim>
        {
            new(JwtRegisteredClaimNames.Sub, usuario.Id.ToString()),
            new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            new("name", usuario.Username),
            new("rol", usuario.Rol),
        };

        // Add each permission as a separate claim
        foreach (var permiso in permisos)
            claims.Add(new Claim("permisos", permiso));

        var now = DateTime.UtcNow;
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(claims),
            Issuer = _options.Issuer,
            Audience = _options.Audience,
            IssuedAt = now,
            Expires = now.AddMinutes(_options.AccessTokenMinutes),
            SigningCredentials = credentials
        };

        var handler = new JwtSecurityTokenHandler();
        var token = handler.CreateToken(descriptor);
        return handler.WriteToken(token);
    }

    private static string[] DeserializePermisos(string permisosJson)
    {
        try
        {
            return JsonSerializer.Deserialize<string[]>(permisosJson) ?? [];
        }
        catch
        {
            return [];
        }
    }
}
feat(udt-001): infrastructure (Dapper, BCrypt, JWT RS256, dispatcher) 2026-04-13 21:36:02 -03:00			`using System.Security.Claims;`
			`using System.Security.Cryptography;`
			`using System.Text.Json;`
			`using Microsoft.IdentityModel.Tokens;`
			`using System.IdentityModel.Tokens.Jwt;`
			`using SIGCM2.Application.Abstractions.Security;`
			`using SIGCM2.Domain.Entities;`

			`namespace SIGCM2.Infrastructure.Security;`

			`public sealed class JwtService : IJwtService`
			`{`
			`private readonly RSA _rsa;`
			`private readonly JwtOptions _options;`

			`public JwtService(RSA rsa, JwtOptions options)`
			`{`
			`_rsa = rsa;`
			`_options = options;`
			`}`

feat(infra): implement GetPrincipalFromExpiredToken in JwtService 2026-04-14 13:28:20 -03:00			`/// <inheritdoc/>`
			`public ClaimsPrincipal GetPrincipalFromExpiredToken(string accessToken)`
			`{`
			`var parameters = new TokenValidationParameters`
			`{`
			`ValidateIssuer = true,`
			`ValidIssuer = _options.Issuer,`
			`ValidateAudience = true,`
			`ValidAudience = _options.Audience,`
			`ValidateIssuerSigningKey = true,`
			`IssuerSigningKey = new RsaSecurityKey(_rsa),`
			`ValidateLifetime = false, // Key: accept expired tokens in refresh flow`
			`ClockSkew = TimeSpan.Zero,`
			`};`

			`var handler = new JwtSecurityTokenHandler();`
			`var principal = handler.ValidateToken(accessToken, parameters, out var securityToken);`

			`if (securityToken is not JwtSecurityToken jwt \|\|`
			`!jwt.Header.Alg.Equals(SecurityAlgorithms.RsaSha256, StringComparison.OrdinalIgnoreCase))`
			`throw new SecurityTokenException("Invalid token algorithm");`

			`return principal;`
			`}`

feat(udt-001): infrastructure (Dapper, BCrypt, JWT RS256, dispatcher) 2026-04-13 21:36:02 -03:00			`public string GenerateAccessToken(Usuario usuario)`
			`{`
			`var signingKey = new RsaSecurityKey(_rsa);`
			`var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256);`

			`var permisos = DeserializePermisos(usuario.PermisosJson);`

			`var claims = new List<Claim>`
			`{`
			`new(JwtRegisteredClaimNames.Sub, usuario.Id.ToString()),`
			`new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),`
			`new("name", usuario.Username),`
			`new("rol", usuario.Rol),`
			`};`

			`// Add each permission as a separate claim`
			`foreach (var permiso in permisos)`
			`claims.Add(new Claim("permisos", permiso));`

			`var now = DateTime.UtcNow;`
			`var descriptor = new SecurityTokenDescriptor`
			`{`
			`Subject = new ClaimsIdentity(claims),`
			`Issuer = _options.Issuer,`
			`Audience = _options.Audience,`
			`IssuedAt = now,`
			`Expires = now.AddMinutes(_options.AccessTokenMinutes),`
			`SigningCredentials = credentials`
			`};`

			`var handler = new JwtSecurityTokenHandler();`
			`var token = handler.CreateToken(descriptor);`
			`return handler.WriteToken(token);`
			`}`

			`private static string[] DeserializePermisos(string permisosJson)`
			`{`
			`try`
			`{`
			`return JsonSerializer.Deserialize<string[]>(permisosJson) ?? [];`
			`}`
			`catch`
			`{`
			`return [];`
			`}`
			`}`
			`}`