src/api/SIGCM2.Application/Usuarios/Update/UpdateUsuarioCommandHandler.cs

using SIGCM2.Application.Abstractions;
using SIGCM2.Application.Abstractions.Persistence;
using SIGCM2.Application.Common;
using SIGCM2.Application.Usuarios.GetById;
using SIGCM2.Domain.Exceptions;

namespace SIGCM2.Application.Usuarios.Update;

public sealed class UpdateUsuarioCommandHandler : ICommandHandler<UpdateUsuarioCommand, UsuarioDetailDto>
{
    private readonly IUsuarioRepository _repository;
    private readonly IRolRepository _rolRepository;
    private readonly IRefreshTokenRepository _refreshTokenRepository;

    public UpdateUsuarioCommandHandler(
        IUsuarioRepository repository,
        IRolRepository rolRepository,
        IRefreshTokenRepository refreshTokenRepository)
    {
        _repository = repository;
        _rolRepository = rolRepository;
        _refreshTokenRepository = refreshTokenRepository;
    }

    public async Task<UsuarioDetailDto> Handle(UpdateUsuarioCommand cmd)
    {
        var target = await _repository.GetByIdAsync(cmd.Id)
            ?? throw new UsuarioNotFoundException(cmd.Id);

        // Guard: validate rol exists and is active
        var rolExists = await _rolRepository.ExistsActiveByCodigoAsync(cmd.Rol);
        if (!rolExists)
            throw new FluentValidation.ValidationException(
                [new FluentValidation.Results.ValidationFailure("Rol", $"El rol '{cmd.Rol}' no existe o está inactivo.")]);

        // Guard: anti-lockout — cannot remove last active admin
        if (target.Rol == "admin" && target.Activo)
        {
            var isChangingRol = !string.Equals(cmd.Rol, "admin", StringComparison.Ordinal);
            var isDeactivating = !cmd.Activo;

            if ((isChangingRol || isDeactivating)
                && await _repository.CountActiveAdminsAsync() <= 1)
            {
                throw new LastAdminLockoutException();
            }
        }

        var fields = new UpdateUsuarioFields(cmd.Nombre, cmd.Apellido, cmd.Email, cmd.Rol, cmd.Activo);
        var now = DateTime.UtcNow;
        await _repository.UpdateAsync(cmd.Id, fields, now);

        // Revoke refresh tokens if rol changed or user deactivated
        var rolChanged = !string.Equals(target.Rol, cmd.Rol, StringComparison.Ordinal);
        var justDeactivated = target.Activo && !cmd.Activo;
        if (rolChanged || justDeactivated)
        {
            await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.Id, now);
        }

        // TODO: audit — defer to ADM-004
        var updated = await _repository.GetDetailAsync(cmd.Id)
            ?? throw new UsuarioNotFoundException(cmd.Id);

        return new UsuarioDetailDto(
            updated.Id, updated.Username, updated.Nombre, updated.Apellido,
            updated.Email, updated.Rol, updated.Activo, updated.MustChangePassword,
            updated.UltimoLogin, updated.FechaModificacion);
    }
}
feat(api): List + GetById usuarios — handlers, repo, endpoints [UDT-008] 2026-04-15 17:46:23 -03:00			`using SIGCM2.Application.Abstractions;`
			`using SIGCM2.Application.Abstractions.Persistence;`
			`using SIGCM2.Application.Common;`
			`using SIGCM2.Application.Usuarios.GetById;`
			`using SIGCM2.Domain.Exceptions;`

			`namespace SIGCM2.Application.Usuarios.Update;`

			`public sealed class UpdateUsuarioCommandHandler : ICommandHandler<UpdateUsuarioCommand, UsuarioDetailDto>`
			`{`
			`private readonly IUsuarioRepository _repository;`
			`private readonly IRolRepository _rolRepository;`
			`private readonly IRefreshTokenRepository _refreshTokenRepository;`

			`public UpdateUsuarioCommandHandler(`
			`IUsuarioRepository repository,`
			`IRolRepository rolRepository,`
			`IRefreshTokenRepository refreshTokenRepository)`
			`{`
			`_repository = repository;`
			`_rolRepository = rolRepository;`
			`_refreshTokenRepository = refreshTokenRepository;`
			`}`

			`public async Task<UsuarioDetailDto> Handle(UpdateUsuarioCommand cmd)`
			`{`
			`var target = await _repository.GetByIdAsync(cmd.Id)`
			`?? throw new UsuarioNotFoundException(cmd.Id);`

			`// Guard: validate rol exists and is active`
			`var rolExists = await _rolRepository.ExistsActiveByCodigoAsync(cmd.Rol);`
			`if (!rolExists)`
			`throw new FluentValidation.ValidationException(`
			`[new FluentValidation.Results.ValidationFailure("Rol", $"El rol '{cmd.Rol}' no existe o está inactivo.")]);`

			`// Guard: anti-lockout — cannot remove last active admin`
			`if (target.Rol == "admin" && target.Activo)`
			`{`
			`var isChangingRol = !string.Equals(cmd.Rol, "admin", StringComparison.Ordinal);`
			`var isDeactivating = !cmd.Activo;`

			`if ((isChangingRol \|\| isDeactivating)`
			`&& await _repository.CountActiveAdminsAsync() <= 1)`
			`{`
			`throw new LastAdminLockoutException();`
			`}`
			`}`

			`var fields = new UpdateUsuarioFields(cmd.Nombre, cmd.Apellido, cmd.Email, cmd.Rol, cmd.Activo);`
			`var now = DateTime.UtcNow;`
			`await _repository.UpdateAsync(cmd.Id, fields, now);`

			`// Revoke refresh tokens if rol changed or user deactivated`
			`var rolChanged = !string.Equals(target.Rol, cmd.Rol, StringComparison.Ordinal);`
			`var justDeactivated = target.Activo && !cmd.Activo;`
			`if (rolChanged \|\| justDeactivated)`
			`{`
			`await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.Id, now);`
			`}`

			`// TODO: audit — defer to ADM-004`
			`var updated = await _repository.GetDetailAsync(cmd.Id)`
			`?? throw new UsuarioNotFoundException(cmd.Id);`

			`return new UsuarioDetailDto(`
			`updated.Id, updated.Username, updated.Nombre, updated.Apellido,`
			`updated.Email, updated.Rol, updated.Activo, updated.MustChangePassword,`
			`updated.UltimoLogin, updated.FechaModificacion);`
			`}`
			`}`