src/api/SIGCM2.Application/Auth/Login/LoginCommandHandler.cs

using Microsoft.Extensions.Logging;
using SIGCM2.Application.Abstractions;
using SIGCM2.Application.Abstractions.Persistence;
using SIGCM2.Application.Abstractions.Security;
using SIGCM2.Application.Audit;
using SIGCM2.Application.Common;
using SIGCM2.Domain.Entities;
using SIGCM2.Domain.Exceptions;
using SIGCM2.Domain.Security;

namespace SIGCM2.Application.Auth.Login;

public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginResponseDto>
{
    private readonly IUsuarioRepository _repository;
    private readonly IPasswordHasher _hasher;
    private readonly IJwtService _jwtService;
    private readonly IRefreshTokenRepository _refreshRepository;
    private readonly IRefreshTokenGenerator _refreshGenerator;
    private readonly IClientContext _clientContext;
    private readonly AuthOptions _authOptions;
    private readonly IRolPermisoRepository _rolPermisoRepository;
    private readonly ISecurityEventLogger _security;
    private readonly ILogger<LoginCommandHandler> _logger;
    private readonly TimeProvider _timeProvider;

    public LoginCommandHandler(
        IUsuarioRepository repository,
        IPasswordHasher hasher,
        IJwtService jwtService,
        IRefreshTokenRepository refreshRepository,
        IRefreshTokenGenerator refreshGenerator,
        IClientContext clientContext,
        AuthOptions authOptions,
        IRolPermisoRepository rolPermisoRepository,
        ISecurityEventLogger security,
        ILogger<LoginCommandHandler> logger,
        TimeProvider timeProvider)
    {
        _repository = repository;
        _hasher = hasher;
        _jwtService = jwtService;
        _refreshRepository = refreshRepository;
        _refreshGenerator = refreshGenerator;
        _clientContext = clientContext;
        _authOptions = authOptions;
        _rolPermisoRepository = rolPermisoRepository;
        _security = security;
        _logger = logger;
        _timeProvider = timeProvider;
    }

    public async Task<LoginResponseDto> Handle(LoginCommand command)
    {
        var usuario = await _repository.GetByUsernameAsync(command.Username);

        // Deliberately vague to the client — never reveal which check failed.
        // Internally, SecurityEvent captures the precise FailureReason for ops.
        if (usuario is null)
        {
            await _security.LogAsync("login", "failure",
                actorUserId: null, attemptedUsername: command.Username,
                failureReason: "user_not_found");
            throw new InvalidCredentialsException();
        }
        if (!usuario.Activo)
        {
            await _security.LogAsync("login", "failure",
                actorUserId: usuario.Id, attemptedUsername: command.Username,
                failureReason: "user_inactive");
            throw new InvalidCredentialsException();
        }

        if (!_hasher.Verify(command.Password, usuario.PasswordHash))
        {
            await _security.LogAsync("login", "failure",
                actorUserId: usuario.Id, attemptedUsername: command.Username,
                failureReason: "invalid_password");
            throw new InvalidCredentialsException();
        }

        var accessToken = _jwtService.GenerateAccessToken(usuario);

        // Generate and persist refresh token — only the hash hits the DB
        var rawRefresh = _refreshGenerator.Generate();
        var hash = TokenHasher.Sha256Base64Url(rawRefresh);
        var now = _timeProvider.GetUtcNow().UtcDateTime;
        var ttl = TimeSpan.FromDays(_authOptions.RefreshTokenDays);
        var entity = RefreshToken.IssueForNewFamily(
            usuario.Id, hash, now, ttl,
            _clientContext.Ip, _clientContext.UserAgent);
        await _refreshRepository.AddAsync(entity);

        // UDT-008: update UltimoLogin best-effort — never block login on this
        try
        {
            await _repository.UpdateUltimoLoginAsync(usuario.Id, now);
        }
        catch (Exception ex)
        {
            _logger.LogWarning(ex, "Failed to update UltimoLogin for usuario {Id} — login proceeds", usuario.Id);
        }

        // UDT-009: permisos efectivos = (rol ∪ grant) \ deny via PermisoResolver
        var rolPermisoEntities = await _rolPermisoRepository.GetByRolCodigoAsync(usuario.Rol);
        var rolPermisos = rolPermisoEntities.Select(p => p.Codigo);
        var overrides = PermisosOverride.FromJson(usuario.PermisosJson);
        var effective = PermisoResolver.Resolve(rolPermisos, overrides);
        var permisos = effective.OrderBy(p => p, StringComparer.Ordinal).ToArray();

        await _security.LogAsync("login", "success", actorUserId: usuario.Id);

        return new LoginResponseDto(
            AccessToken: accessToken,
            RefreshToken: rawRefresh,      // raw to client — never stored
            ExpiresIn: _authOptions.AccessTokenMinutes * 60,
            Usuario: new UsuarioDto(
                Id: usuario.Id,
                Username: usuario.Username,
                Nombre: $"{usuario.Nombre} {usuario.Apellido}".Trim(),
                Rol: usuario.Rol,
                Permisos: permisos,
                MustChangePassword: usuario.MustChangePassword
            )
        );
    }
}
-												feat(auth): extend LoginResponse with username + mustChangePassword + ultimoLogin [UDT-008]

											
										
										
											2026-04-15 17:39:48 -03:00
+								using Microsoft.Extensions.Logging;
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
+								using SIGCM2.Application.Abstractions;
 								using SIGCM2.Application.Abstractions.Persistence;
 								using SIGCM2.Application.Abstractions.Security;
-												feat(audit): security events en Auth + authorization handlers (UDT-010 B9)

Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC:

LoginCommandHandler:
- login success → action=login result=success actorUserId=user.Id
- login failure disaggregated internally (client still sees 401 unified):
  user_not_found / user_inactive / invalid_password
  — attempts captured with attemptedUsername + FailureReason

LogoutCommandHandler:
- action=logout result=success actorUserId=cmd.UsuarioId

RefreshCommandHandler:
- refresh.issue success on successful rotation
- refresh.reuse_detected failure when revoked token is presented (chain
  revoke already happens; we add the security event with metadata.familyId)
- refresh.issue failure for: token_expired / sub_mismatch / user_not_found /
  user_inactive

PermissionAuthorizationHandler:
- permission.denied failure on require-permission rejection, with metadata
  { permissionRequired, endpoint, method }. ActorUserId from JWT sub.

DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure).

Test updates: 4 test classes now inject ISecurityEventLogger mock:
- LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests
- PermissionAuthorizationHandlerTests (Api.Tests)

Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing.

Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC,
design, tasks#B9}

											
										
										
											2026-04-16 13:59:27 -03:00
+								using SIGCM2.Application.Audit;
-												feat(application): LoginCommandHandler usa PermisoResolver para permisos efectivos [UDT-009]

											
										
										
											2026-04-15 21:29:33 -03:00
+								using SIGCM2.Application.Common;
-												feat(app): update LoginCommandHandler to persist hashed refresh token on login

											
										
										
											2026-04-14 13:28:16 -03:00
+								using SIGCM2.Domain.Entities;
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
+								using SIGCM2.Domain.Exceptions;
-												feat(app): update LoginCommandHandler to persist hashed refresh token on login

											
										
										
											2026-04-14 13:28:16 -03:00
+								using SIGCM2.Domain.Security;
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
 								namespace SIGCM2.Application.Auth.Login;
 								public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginResponseDto>
 								{
 								    private readonly IUsuarioRepository _repository;
 								    private readonly IPasswordHasher _hasher;
 								    private readonly IJwtService _jwtService;
-												feat(app): update LoginCommandHandler to persist hashed refresh token on login

											
										
										
											2026-04-14 13:28:16 -03:00
+								    private readonly IRefreshTokenRepository _refreshRepository;
 								    private readonly IRefreshTokenGenerator _refreshGenerator;
 								    private readonly IClientContext _clientContext;
 								    private readonly AuthOptions _authOptions;
-												feat(api): login response permisos desde RolPermiso [UDT-006]

											
										
										
											2026-04-15 16:24:21 -03:00
+								    private readonly IRolPermisoRepository _rolPermisoRepository;
-												feat(audit): security events en Auth + authorization handlers (UDT-010 B9)

Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC:

LoginCommandHandler:
- login success → action=login result=success actorUserId=user.Id
- login failure disaggregated internally (client still sees 401 unified):
  user_not_found / user_inactive / invalid_password
  — attempts captured with attemptedUsername + FailureReason

LogoutCommandHandler:
- action=logout result=success actorUserId=cmd.UsuarioId

RefreshCommandHandler:
- refresh.issue success on successful rotation
- refresh.reuse_detected failure when revoked token is presented (chain
  revoke already happens; we add the security event with metadata.familyId)
- refresh.issue failure for: token_expired / sub_mismatch / user_not_found /
  user_inactive

PermissionAuthorizationHandler:
- permission.denied failure on require-permission rejection, with metadata
  { permissionRequired, endpoint, method }. ActorUserId from JWT sub.

DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure).

Test updates: 4 test classes now inject ISecurityEventLogger mock:
- LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests
- PermissionAuthorizationHandlerTests (Api.Tests)

Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing.

Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC,
design, tasks#B9}

											
										
										
											2026-04-16 13:59:27 -03:00
+								    private readonly ISecurityEventLogger _security;
-												feat(auth): extend LoginResponse with username + mustChangePassword + ultimoLogin [UDT-008]

											
										
										
											2026-04-15 17:39:48 -03:00
+								    private readonly ILogger<LoginCommandHandler> _logger;
-												feat(udt-011): T400.10 — inject TimeProvider into all Application handlers

All command handlers that call domain mutators now inject TimeProvider
via constructor and use _timeProvider.GetUtcNow().UtcDateTime as the
explicit 'now' argument. Replaces previous direct DateTime.UtcNow usage.

											
										
										
											2026-04-18 10:12:17 -03:00
+								    private readonly TimeProvider _timeProvider;
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
 								    public LoginCommandHandler(
 								        IUsuarioRepository repository,
 								        IPasswordHasher hasher,
-												feat(app): update LoginCommandHandler to persist hashed refresh token on login

											
										
										
											2026-04-14 13:28:16 -03:00
+								        IJwtService jwtService,
 								        IRefreshTokenRepository refreshRepository,
 								        IRefreshTokenGenerator refreshGenerator,
 								        IClientContext clientContext,
-												feat(api): login response permisos desde RolPermiso [UDT-006]

											
										
										
											2026-04-15 16:24:21 -03:00
+								        AuthOptions authOptions,
-												feat(auth): extend LoginResponse with username + mustChangePassword + ultimoLogin [UDT-008]

											
										
										
											2026-04-15 17:39:48 -03:00
+								        IRolPermisoRepository rolPermisoRepository,
-												feat(audit): security events en Auth + authorization handlers (UDT-010 B9)

Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC:

LoginCommandHandler:
- login success → action=login result=success actorUserId=user.Id
- login failure disaggregated internally (client still sees 401 unified):
  user_not_found / user_inactive / invalid_password
  — attempts captured with attemptedUsername + FailureReason

LogoutCommandHandler:
- action=logout result=success actorUserId=cmd.UsuarioId

RefreshCommandHandler:
- refresh.issue success on successful rotation
- refresh.reuse_detected failure when revoked token is presented (chain
  revoke already happens; we add the security event with metadata.familyId)
- refresh.issue failure for: token_expired / sub_mismatch / user_not_found /
  user_inactive

PermissionAuthorizationHandler:
- permission.denied failure on require-permission rejection, with metadata
  { permissionRequired, endpoint, method }. ActorUserId from JWT sub.

DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure).

Test updates: 4 test classes now inject ISecurityEventLogger mock:
- LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests
- PermissionAuthorizationHandlerTests (Api.Tests)

Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing.

Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC,
design, tasks#B9}

											
										
										
											2026-04-16 13:59:27 -03:00
+								        ISecurityEventLogger security,
-												feat(udt-011): T400.10 — inject TimeProvider into all Application handlers

All command handlers that call domain mutators now inject TimeProvider
via constructor and use _timeProvider.GetUtcNow().UtcDateTime as the
explicit 'now' argument. Replaces previous direct DateTime.UtcNow usage.

											
										
										
											2026-04-18 10:12:17 -03:00
+								        ILogger<LoginCommandHandler> logger,
 								        TimeProvider timeProvider)
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
+								    {
 								        _repository = repository;
 								        _hasher = hasher;
 								        _jwtService = jwtService;
-												feat(app): update LoginCommandHandler to persist hashed refresh token on login

											
										
										
											2026-04-14 13:28:16 -03:00
+								        _refreshRepository = refreshRepository;
 								        _refreshGenerator = refreshGenerator;
 								        _clientContext = clientContext;
 								        _authOptions = authOptions;
-												feat(api): login response permisos desde RolPermiso [UDT-006]

											
										
										
											2026-04-15 16:24:21 -03:00
+								        _rolPermisoRepository = rolPermisoRepository;
-												feat(audit): security events en Auth + authorization handlers (UDT-010 B9)

Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC:

LoginCommandHandler:
- login success → action=login result=success actorUserId=user.Id
- login failure disaggregated internally (client still sees 401 unified):
  user_not_found / user_inactive / invalid_password
  — attempts captured with attemptedUsername + FailureReason

LogoutCommandHandler:
- action=logout result=success actorUserId=cmd.UsuarioId

RefreshCommandHandler:
- refresh.issue success on successful rotation
- refresh.reuse_detected failure when revoked token is presented (chain
  revoke already happens; we add the security event with metadata.familyId)
- refresh.issue failure for: token_expired / sub_mismatch / user_not_found /
  user_inactive

PermissionAuthorizationHandler:
- permission.denied failure on require-permission rejection, with metadata
  { permissionRequired, endpoint, method }. ActorUserId from JWT sub.

DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure).

Test updates: 4 test classes now inject ISecurityEventLogger mock:
- LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests
- PermissionAuthorizationHandlerTests (Api.Tests)

Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing.

Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC,
design, tasks#B9}

											
										
										
											2026-04-16 13:59:27 -03:00
+								        _security = security;
-												feat(auth): extend LoginResponse with username + mustChangePassword + ultimoLogin [UDT-008]

											
										
										
											2026-04-15 17:39:48 -03:00
+								        _logger = logger;
-												feat(udt-011): T400.10 — inject TimeProvider into all Application handlers

All command handlers that call domain mutators now inject TimeProvider
via constructor and use _timeProvider.GetUtcNow().UtcDateTime as the
explicit 'now' argument. Replaces previous direct DateTime.UtcNow usage.

											
										
										
											2026-04-18 10:12:17 -03:00
+								        _timeProvider = timeProvider;
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
+								    }
 								    public async Task<LoginResponseDto> Handle(LoginCommand command)
 								    {
 								        var usuario = await _repository.GetByUsernameAsync(command.Username);
-												feat(audit): security events en Auth + authorization handlers (UDT-010 B9)

Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC:

LoginCommandHandler:
- login success → action=login result=success actorUserId=user.Id
- login failure disaggregated internally (client still sees 401 unified):
  user_not_found / user_inactive / invalid_password
  — attempts captured with attemptedUsername + FailureReason

LogoutCommandHandler:
- action=logout result=success actorUserId=cmd.UsuarioId

RefreshCommandHandler:
- refresh.issue success on successful rotation
- refresh.reuse_detected failure when revoked token is presented (chain
  revoke already happens; we add the security event with metadata.familyId)
- refresh.issue failure for: token_expired / sub_mismatch / user_not_found /
  user_inactive

PermissionAuthorizationHandler:
- permission.denied failure on require-permission rejection, with metadata
  { permissionRequired, endpoint, method }. ActorUserId from JWT sub.

DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure).

Test updates: 4 test classes now inject ISecurityEventLogger mock:
- LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests
- PermissionAuthorizationHandlerTests (Api.Tests)

Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing.

Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC,
design, tasks#B9}

											
										
										
											2026-04-16 13:59:27 -03:00
+								        // Deliberately vague to the client — never reveal which check failed.
 								        // Internally, SecurityEvent captures the precise FailureReason for ops.
 								        if (usuario is null)
 								        {
 								            await _security.LogAsync("login", "failure",
 								                actorUserId: null, attemptedUsername: command.Username,
 								                failureReason: "user_not_found");
 								            throw new InvalidCredentialsException();
 								        }
 								        if (!usuario.Activo)
 								        {
 								            await _security.LogAsync("login", "failure",
 								                actorUserId: usuario.Id, attemptedUsername: command.Username,
 								                failureReason: "user_inactive");
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
+								            throw new InvalidCredentialsException();
-												feat(audit): security events en Auth + authorization handlers (UDT-010 B9)

Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC:

LoginCommandHandler:
- login success → action=login result=success actorUserId=user.Id
- login failure disaggregated internally (client still sees 401 unified):
  user_not_found / user_inactive / invalid_password
  — attempts captured with attemptedUsername + FailureReason

LogoutCommandHandler:
- action=logout result=success actorUserId=cmd.UsuarioId

RefreshCommandHandler:
- refresh.issue success on successful rotation
- refresh.reuse_detected failure when revoked token is presented (chain
  revoke already happens; we add the security event with metadata.familyId)
- refresh.issue failure for: token_expired / sub_mismatch / user_not_found /
  user_inactive

PermissionAuthorizationHandler:
- permission.denied failure on require-permission rejection, with metadata
  { permissionRequired, endpoint, method }. ActorUserId from JWT sub.

DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure).

Test updates: 4 test classes now inject ISecurityEventLogger mock:
- LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests
- PermissionAuthorizationHandlerTests (Api.Tests)

Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing.

Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC,
design, tasks#B9}

											
										
										
											2026-04-16 13:59:27 -03:00
+								        }
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
 								        if (!_hasher.Verify(command.Password, usuario.PasswordHash))
-												feat(audit): security events en Auth + authorization handlers (UDT-010 B9)

Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC:

LoginCommandHandler:
- login success → action=login result=success actorUserId=user.Id
- login failure disaggregated internally (client still sees 401 unified):
  user_not_found / user_inactive / invalid_password
  — attempts captured with attemptedUsername + FailureReason

LogoutCommandHandler:
- action=logout result=success actorUserId=cmd.UsuarioId

RefreshCommandHandler:
- refresh.issue success on successful rotation
- refresh.reuse_detected failure when revoked token is presented (chain
  revoke already happens; we add the security event with metadata.familyId)
- refresh.issue failure for: token_expired / sub_mismatch / user_not_found /
  user_inactive

PermissionAuthorizationHandler:
- permission.denied failure on require-permission rejection, with metadata
  { permissionRequired, endpoint, method }. ActorUserId from JWT sub.

DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure).

Test updates: 4 test classes now inject ISecurityEventLogger mock:
- LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests
- PermissionAuthorizationHandlerTests (Api.Tests)

Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing.

Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC,
design, tasks#B9}

											
										
										
											2026-04-16 13:59:27 -03:00
+								        {
 								            await _security.LogAsync("login", "failure",
 								                actorUserId: usuario.Id, attemptedUsername: command.Username,
 								                failureReason: "invalid_password");
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
+								            throw new InvalidCredentialsException();
-												feat(audit): security events en Auth + authorization handlers (UDT-010 B9)

Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC:

LoginCommandHandler:
- login success → action=login result=success actorUserId=user.Id
- login failure disaggregated internally (client still sees 401 unified):
  user_not_found / user_inactive / invalid_password
  — attempts captured with attemptedUsername + FailureReason

LogoutCommandHandler:
- action=logout result=success actorUserId=cmd.UsuarioId

RefreshCommandHandler:
- refresh.issue success on successful rotation
- refresh.reuse_detected failure when revoked token is presented (chain
  revoke already happens; we add the security event with metadata.familyId)
- refresh.issue failure for: token_expired / sub_mismatch / user_not_found /
  user_inactive

PermissionAuthorizationHandler:
- permission.denied failure on require-permission rejection, with metadata
  { permissionRequired, endpoint, method }. ActorUserId from JWT sub.

DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure).

Test updates: 4 test classes now inject ISecurityEventLogger mock:
- LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests
- PermissionAuthorizationHandlerTests (Api.Tests)

Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing.

Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC,
design, tasks#B9}

											
										
										
											2026-04-16 13:59:27 -03:00
+								        }
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
 								        var accessToken = _jwtService.GenerateAccessToken(usuario);
-												feat(app): update LoginCommandHandler to persist hashed refresh token on login

											
										
										
											2026-04-14 13:28:16 -03:00
 								        // Generate and persist refresh token — only the hash hits the DB
 								        var rawRefresh = _refreshGenerator.Generate();
 								        var hash = TokenHasher.Sha256Base64Url(rawRefresh);
-												feat(udt-011): T400.10 — inject TimeProvider into all Application handlers

All command handlers that call domain mutators now inject TimeProvider
via constructor and use _timeProvider.GetUtcNow().UtcDateTime as the
explicit 'now' argument. Replaces previous direct DateTime.UtcNow usage.

											
										
										
											2026-04-18 10:12:17 -03:00
+								        var now = _timeProvider.GetUtcNow().UtcDateTime;
-												feat(app): update LoginCommandHandler to persist hashed refresh token on login

											
										
										
											2026-04-14 13:28:16 -03:00
+								        var ttl = TimeSpan.FromDays(_authOptions.RefreshTokenDays);
 								        var entity = RefreshToken.IssueForNewFamily(
 								            usuario.Id, hash, now, ttl,
 								            _clientContext.Ip, _clientContext.UserAgent);
 								        await _refreshRepository.AddAsync(entity);
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
-												feat(auth): extend LoginResponse with username + mustChangePassword + ultimoLogin [UDT-008]

											
										
										
											2026-04-15 17:39:48 -03:00
+								        // UDT-008: update UltimoLogin best-effort — never block login on this
 								        try
 								        {
 								            await _repository.UpdateUltimoLoginAsync(usuario.Id, now);
 								        }
 								        catch (Exception ex)
 								        {
 								            _logger.LogWarning(ex, "Failed to update UltimoLogin for usuario {Id} — login proceeds", usuario.Id);
 								        }
-												feat(application): LoginCommandHandler usa PermisoResolver para permisos efectivos [UDT-009]

											
										
										
											2026-04-15 21:29:33 -03:00
+								        // UDT-009: permisos efectivos = (rol ∪ grant) \ deny via PermisoResolver
 								        var rolPermisoEntities = await _rolPermisoRepository.GetByRolCodigoAsync(usuario.Rol);
 								        var rolPermisos = rolPermisoEntities.Select(p => p.Codigo);
 								        var overrides = PermisosOverride.FromJson(usuario.PermisosJson);
 								        var effective = PermisoResolver.Resolve(rolPermisos, overrides);
 								        var permisos = effective.OrderBy(p => p, StringComparer.Ordinal).ToArray();
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
-												feat(audit): security events en Auth + authorization handlers (UDT-010 B9)

Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC:

LoginCommandHandler:
- login success → action=login result=success actorUserId=user.Id
- login failure disaggregated internally (client still sees 401 unified):
  user_not_found / user_inactive / invalid_password
  — attempts captured with attemptedUsername + FailureReason

LogoutCommandHandler:
- action=logout result=success actorUserId=cmd.UsuarioId

RefreshCommandHandler:
- refresh.issue success on successful rotation
- refresh.reuse_detected failure when revoked token is presented (chain
  revoke already happens; we add the security event with metadata.familyId)
- refresh.issue failure for: token_expired / sub_mismatch / user_not_found /
  user_inactive

PermissionAuthorizationHandler:
- permission.denied failure on require-permission rejection, with metadata
  { permissionRequired, endpoint, method }. ActorUserId from JWT sub.

DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure).

Test updates: 4 test classes now inject ISecurityEventLogger mock:
- LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests
- PermissionAuthorizationHandlerTests (Api.Tests)

Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing.

Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC,
design, tasks#B9}

											
										
										
											2026-04-16 13:59:27 -03:00
+								        await _security.LogAsync("login", "success", actorUserId: usuario.Id);
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
+								        return new LoginResponseDto(
 								            AccessToken: accessToken,
-												feat(app): update LoginCommandHandler to persist hashed refresh token on login

											
										
										
											2026-04-14 13:28:16 -03:00
+								            RefreshToken: rawRefresh,      // raw to client — never stored
 								            ExpiresIn: _authOptions.AccessTokenMinutes * 60,
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
+								            Usuario: new UsuarioDto(
 								                Id: usuario.Id,
-												feat(auth): extend LoginResponse with username + mustChangePassword + ultimoLogin [UDT-008]

											
										
										
											2026-04-15 17:39:48 -03:00
+								                Username: usuario.Username,
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
+								                Nombre: $"{usuario.Nombre} {usuario.Apellido}".Trim(),
 								                Rol: usuario.Rol,
-												feat(auth): extend LoginResponse with username + mustChangePassword + ultimoLogin [UDT-008]

											
										
										
											2026-04-15 17:39:48 -03:00
+								                Permisos: permisos,
 								                MustChangePassword: usuario.MustChangePassword
-												feat(udt-001): application layer with LoginCommandHandler and ports

											
										
										
											2026-04-13 21:36:01 -03:00
+								            )
 								        );
 								    }
 								}