From aacfd29673866cc0a8179f560fe3ab07320edb01 Mon Sep 17 00:00:00 2001
From: dmolinari
Date: Tue, 14 Apr 2026 13:16:43 -0300
Subject: [PATCH] feat(domain): add TokenHasher SHA-256 base64url helper
---
src/api/SIGCM2.Domain/Security/TokenHasher.cs | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 src/api/SIGCM2.Domain/Security/TokenHasher.cs
diff --git a/src/api/SIGCM2.Domain/Security/TokenHasher.cs b/src/api/SIGCM2.Domain/Security/TokenHasher.cs
new file mode 100644
index 0000000..a9cee84
--- /dev/null
+++ b/src/api/SIGCM2.Domain/Security/TokenHasher.cs
@@ -0,0 +1,25 @@
+using System.Security.Cryptography;
+using System.Text;
+
+namespace SIGCM2.Domain.Security;
+
+///
+/// Pure static helper for hashing opaque refresh tokens.
+/// SHA-256 is appropriate here — tokens are 256-bit random values (not passwords),
+/// so salting is unnecessary. Output is base64url without padding.
+///
+public static class TokenHasher
+{
+ public static string Sha256Base64Url(string raw)
+ {
+ var bytes = Encoding.UTF8.GetBytes(raw);
+ var hash = SHA256.HashData(bytes);
+ return Base64UrlEncode(hash);
+ }
+
+ private static string Base64UrlEncode(byte[] bytes)
+ => Convert.ToBase64String(bytes)
+ .TrimEnd('=')
+ .Replace('+', '-')
+ .Replace('/', '_');
+}
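Review bot: `Sha256Base64Url` accepts any string, so the class comment's premise (256-bit random tokens, hence no salt) is not enforced at the one place that could enforce it; an empty `raw` hashes to a fixed, publicly known digest, and a low-entropy input would get an unsalted, fast hash. A guard at the top of the method, `if (string.IsNullOrEmpty(raw)) throw new ArgumentException("Token must not be empty.", nameof(raw));`, closes the empty case; whether callers already reject missing tokens is not visible in this patch. I would also add a `<remarks>` line on the method saying it must not be used for passwords or short codes, and that the digest is computed over the UTF-8 bytes of the token string exactly as issued.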