From 83c6a95ee2970b933f48ecad58c0353d7b2acf60 Mon Sep 17 00:00:00 2001
From: dmolinari <dmolinari@eldia.com>
Date: Tue, 14 Apr 2026 13:16:44 -0300
Subject: [PATCH] feat(domain): add InvalidRefreshTokenException and
 TokenReuseDetectedException

---
 .../InvalidRefreshTokenException.cs           | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 src/api/SIGCM2.Domain/Exceptions/InvalidRefreshTokenException.cs

diff --git a/src/api/SIGCM2.Domain/Exceptions/InvalidRefreshTokenException.cs b/src/api/SIGCM2.Domain/Exceptions/InvalidRefreshTokenException.cs
new file mode 100644
index 0000000..7c27a5f
--- /dev/null
+++ b/src/api/SIGCM2.Domain/Exceptions/InvalidRefreshTokenException.cs
@@ -0,0 +1,24 @@
+namespace SIGCM2.Domain.Exceptions;
+
+/// <summary>
+/// Thrown when a refresh token is invalid (not found, expired, malformed, or user mismatch).
+/// Maps to HTTP 401 with a generic error message — never reveal the specific reason to the client.
+/// </summary>
+public sealed class InvalidRefreshTokenException : Exception
+{
+    public InvalidRefreshTokenException(string message = "Invalid refresh token")
+        : base(message) { }
+}
+
+/// <summary>
+/// Thrown when a previously-rotated (revoked) refresh token is presented again.
+/// Triggers chain revocation of the entire token family.
+/// Maps to HTTP 401 with the SAME generic message as InvalidRefreshTokenException
+/// to avoid leaking information to attackers.
+/// The backend logs distinguish between the two cases.
+/// </summary>
+public sealed class TokenReuseDetectedException : Exception
+{
+    public TokenReuseDetectedException()
+        : base("Token reuse detected") { }
+}