feat(security): remover claim permisos del JWT post-UDT-009 [UDT-009]

2026-04-15 21:28:26 -03:00
parent 54955231bf
commit 86310de286
2 changed files with 59 additions and 19 deletions


@@ -55,6 +55,59 @@ public class JwtServiceTests : IDisposable
Assert.Contains("sigcm2.web", parsed.Audiences); // aud
Assert.Contains(parsed.Claims, c => c.Type == "name" && c.Value == "admin");
Assert.Contains(parsed.Claims, c => c.Type == "rol" && c.Value == "admin");
// J-01 (UDT-009): token must NOT contain 'permisos' claim post-UDT-009
Assert.DoesNotContain(parsed.Claims, c => c.Type == "permisos");
}
// J-01: token post-UDT-009 does NOT have 'permisos' claim
[Fact]
public void GenerateAccessToken_DoesNotContainPermisosClaim()
{
var usuario = MakeUsuario();
var token = _jwtService.GenerateAccessToken(usuario);
var handler = new JwtSecurityTokenHandler();
var parsed = handler.ReadJwtToken(token);
Assert.DoesNotContain(parsed.Claims, c => c.Type == "permisos");
}
// J-02: claims present are sub, jti, name, rol (+ iat/exp/nbf) — no extras
[Fact]
public void GenerateAccessToken_HasExactlyExpectedClaims_NoPermisos()
{
var usuario = MakeUsuario();
var token = _jwtService.GenerateAccessToken(usuario);
var handler = new JwtSecurityTokenHandler();
var parsed = handler.ReadJwtToken(token);
// Must have sub, name, rol, jti
Assert.Contains(parsed.Claims, c => c.Type == "sub");
Assert.Contains(parsed.Claims, c => c.Type == "name");
Assert.Contains(parsed.Claims, c => c.Type == "rol");
Assert.Contains(parsed.Claims, c => c.Type == "jti");
// Must NOT have permisos
Assert.DoesNotContain(parsed.Claims, c => c.Type == "permisos");
}
// J-03: MakeUsuario with '["*"]' PermisosJson → token still has no 'permisos' claim
[Fact]
public void GenerateAccessToken_WithLegacyPermisosJson_NoPermisosClaim()
{
// MakeUsuario already uses '[\"*\"]' — this explicitly tests J-03
var usuario = MakeUsuario();
Assert.Equal("[\"*\"]", usuario.PermisosJson); // verify the helper
var token = _jwtService.GenerateAccessToken(usuario);
var handler = new JwtSecurityTokenHandler();
var parsed = handler.ReadJwtToken(token);
// Post-UDT-009: JwtService ignores PermisosJson entirely — no claim emitted
Assert.DoesNotContain(parsed.Claims, c => c.Type == "permisos");
}
// Scenario: token is verifiable with the public key