feat(api): List + GetById usuarios — handlers, repo, endpoints [UDT-008]

src/api/SIGCM2.Application/Usuarios/ResetPassword/ResetUsuarioPasswordCommandHandler.cs

@@ -0,0 +1,44 @@
+using SIGCM2.Application.Abstractions;
+using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Common;
+using SIGCM2.Domain.Exceptions;
+
+namespace SIGCM2.Application.Usuarios.ResetPassword;
+
+public sealed class ResetUsuarioPasswordCommandHandler : ICommandHandler<ResetUsuarioPasswordCommand, ResetUsuarioPasswordResponse>
+{
+    private readonly IUsuarioRepository _repository;
+    private readonly IPasswordHasher _hasher;
+    private readonly IRefreshTokenRepository _refreshTokenRepository;
+
+    public ResetUsuarioPasswordCommandHandler(
+        IUsuarioRepository repository,
+        IPasswordHasher hasher,
+        IRefreshTokenRepository refreshTokenRepository)
+    {
+        _repository = repository;
+        _hasher = hasher;
+        _refreshTokenRepository = refreshTokenRepository;
+    }
+
+    public async Task<ResetUsuarioPasswordResponse> Handle(ResetUsuarioPasswordCommand cmd)
+    {
+        // Cannot self-reset: admin must use /me/password
+        if (cmd.CallerId == cmd.TargetId)
+            throw new CannotSelfResetException();
+
+        var target = await _repository.GetByIdAsync(cmd.TargetId)
+            ?? throw new UsuarioNotFoundException(cmd.TargetId);
+
+        var temp = TempPasswordGenerator.Generate(12);
+        // SECURITY: NEVER log tempPassword
+        var hash = _hasher.Hash(temp);
+
+        await _repository.UpdatePasswordAsync(cmd.TargetId, hash, mustChangePassword: true);
+        await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.TargetId, DateTime.UtcNow);
+
+        // TODO: audit — defer to ADM-004
+        return new ResetUsuarioPasswordResponse(temp, MustChangeOnLogin: true);
+    }
+}