feat(audit): security events en Auth + authorization handlers (UDT-010 B9)
Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC:
LoginCommandHandler:
- login success → action=login result=success actorUserId=user.Id
- login failure disaggregated internally (client still sees 401 unified):
user_not_found / user_inactive / invalid_password
— attempts captured with attemptedUsername + FailureReason
LogoutCommandHandler:
- action=logout result=success actorUserId=cmd.UsuarioId
RefreshCommandHandler:
- refresh.issue success on successful rotation
- refresh.reuse_detected failure when revoked token is presented (chain
revoke already happens; we add the security event with metadata.familyId)
- refresh.issue failure for: token_expired / sub_mismatch / user_not_found /
user_inactive
PermissionAuthorizationHandler:
- permission.denied failure on require-permission rejection, with metadata
{ permissionRequired, endpoint, method }. ActorUserId from JWT sub.
DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure).
Test updates: 4 test classes now inject ISecurityEventLogger mock:
- LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests
- PermissionAuthorizationHandlerTests (Api.Tests)
Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing.
Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC,
design, tasks#B9}
This commit is contained in:
@@ -2,6 +2,7 @@ using Microsoft.Extensions.Logging;
|
||||
using SIGCM2.Application.Abstractions;
|
||||
using SIGCM2.Application.Abstractions.Persistence;
|
||||
using SIGCM2.Application.Abstractions.Security;
|
||||
using SIGCM2.Application.Audit;
|
||||
using SIGCM2.Application.Common;
|
||||
using SIGCM2.Domain.Entities;
|
||||
using SIGCM2.Domain.Exceptions;
|
||||
@@ -19,6 +20,7 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
|
||||
private readonly IClientContext _clientContext;
|
||||
private readonly AuthOptions _authOptions;
|
||||
private readonly IRolPermisoRepository _rolPermisoRepository;
|
||||
private readonly ISecurityEventLogger _security;
|
||||
private readonly ILogger<LoginCommandHandler> _logger;
|
||||
|
||||
public LoginCommandHandler(
|
||||
@@ -30,6 +32,7 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
|
||||
IClientContext clientContext,
|
||||
AuthOptions authOptions,
|
||||
IRolPermisoRepository rolPermisoRepository,
|
||||
ISecurityEventLogger security,
|
||||
ILogger<LoginCommandHandler> logger)
|
||||
{
|
||||
_repository = repository;
|
||||
@@ -40,6 +43,7 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
|
||||
_clientContext = clientContext;
|
||||
_authOptions = authOptions;
|
||||
_rolPermisoRepository = rolPermisoRepository;
|
||||
_security = security;
|
||||
_logger = logger;
|
||||
}
|
||||
|
||||
@@ -47,12 +51,30 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
|
||||
{
|
||||
var usuario = await _repository.GetByUsernameAsync(command.Username);
|
||||
|
||||
// Deliberately vague — never reveal which check failed
|
||||
if (usuario is null || !usuario.Activo)
|
||||
// Deliberately vague to the client — never reveal which check failed.
|
||||
// Internally, SecurityEvent captures the precise FailureReason for ops.
|
||||
if (usuario is null)
|
||||
{
|
||||
await _security.LogAsync("login", "failure",
|
||||
actorUserId: null, attemptedUsername: command.Username,
|
||||
failureReason: "user_not_found");
|
||||
throw new InvalidCredentialsException();
|
||||
}
|
||||
if (!usuario.Activo)
|
||||
{
|
||||
await _security.LogAsync("login", "failure",
|
||||
actorUserId: usuario.Id, attemptedUsername: command.Username,
|
||||
failureReason: "user_inactive");
|
||||
throw new InvalidCredentialsException();
|
||||
}
|
||||
|
||||
if (!_hasher.Verify(command.Password, usuario.PasswordHash))
|
||||
{
|
||||
await _security.LogAsync("login", "failure",
|
||||
actorUserId: usuario.Id, attemptedUsername: command.Username,
|
||||
failureReason: "invalid_password");
|
||||
throw new InvalidCredentialsException();
|
||||
}
|
||||
|
||||
var accessToken = _jwtService.GenerateAccessToken(usuario);
|
||||
|
||||
@@ -83,6 +105,8 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
|
||||
var effective = PermisoResolver.Resolve(rolPermisos, overrides);
|
||||
var permisos = effective.OrderBy(p => p, StringComparer.Ordinal).ToArray();
|
||||
|
||||
await _security.LogAsync("login", "success", actorUserId: usuario.Id);
|
||||
|
||||
return new LoginResponseDto(
|
||||
AccessToken: accessToken,
|
||||
RefreshToken: rawRefresh, // raw to client — never stored
|
||||
|
||||
@@ -1,15 +1,18 @@
|
||||
using SIGCM2.Application.Abstractions;
|
||||
using SIGCM2.Application.Abstractions.Persistence;
|
||||
using SIGCM2.Application.Audit;
|
||||
|
||||
namespace SIGCM2.Application.Auth.Logout;
|
||||
|
||||
public sealed class LogoutCommandHandler : ICommandHandler<LogoutCommand, LogoutResponseDto>
|
||||
{
|
||||
private readonly IRefreshTokenRepository _refreshRepo;
|
||||
private readonly ISecurityEventLogger _security;
|
||||
|
||||
public LogoutCommandHandler(IRefreshTokenRepository refreshRepo)
|
||||
public LogoutCommandHandler(IRefreshTokenRepository refreshRepo, ISecurityEventLogger security)
|
||||
{
|
||||
_refreshRepo = refreshRepo;
|
||||
_security = security;
|
||||
}
|
||||
|
||||
public async Task<LogoutResponseDto> Handle(LogoutCommand command)
|
||||
@@ -17,6 +20,7 @@ public sealed class LogoutCommandHandler : ICommandHandler<LogoutCommand, Logout
|
||||
// Revoke all active tokens for the user across all families.
|
||||
// Idempotent: 0 rows affected is not an error.
|
||||
await _refreshRepo.RevokeAllActiveForUserAsync(command.UsuarioId, DateTime.UtcNow);
|
||||
await _security.LogAsync("logout", "success", actorUserId: command.UsuarioId);
|
||||
return new LogoutResponseDto(true, "Sesión cerrada correctamente");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
using SIGCM2.Application.Abstractions;
|
||||
using SIGCM2.Application.Abstractions.Persistence;
|
||||
using SIGCM2.Application.Abstractions.Security;
|
||||
using SIGCM2.Application.Audit;
|
||||
using SIGCM2.Domain.Entities;
|
||||
using SIGCM2.Domain.Exceptions;
|
||||
using SIGCM2.Domain.Security;
|
||||
@@ -15,6 +16,7 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr
|
||||
private readonly IRefreshTokenGenerator _refreshGenerator;
|
||||
private readonly IClientContext _clientCtx;
|
||||
private readonly AuthOptions _authOptions;
|
||||
private readonly ISecurityEventLogger _security;
|
||||
|
||||
public RefreshCommandHandler(
|
||||
IRefreshTokenRepository refreshRepo,
|
||||
@@ -22,7 +24,8 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr
|
||||
IJwtService jwt,
|
||||
IRefreshTokenGenerator refreshGenerator,
|
||||
IClientContext clientCtx,
|
||||
AuthOptions authOptions)
|
||||
AuthOptions authOptions,
|
||||
ISecurityEventLogger security)
|
||||
{
|
||||
_refreshRepo = refreshRepo;
|
||||
_usuarioRepo = usuarioRepo;
|
||||
@@ -30,6 +33,7 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr
|
||||
_refreshGenerator = refreshGenerator;
|
||||
_clientCtx = clientCtx;
|
||||
_authOptions = authOptions;
|
||||
_security = security;
|
||||
}
|
||||
|
||||
public async Task<RefreshResponseDto> Handle(RefreshCommand command)
|
||||
@@ -62,23 +66,44 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr
|
||||
if (stored.IsRevoked)
|
||||
{
|
||||
await _refreshRepo.RevokeFamilyAsync(stored.FamilyId, now);
|
||||
await _security.LogAsync("refresh.reuse_detected", "failure",
|
||||
actorUserId: stored.UsuarioId,
|
||||
failureReason: "token_reused",
|
||||
metadata: new { familyId = stored.FamilyId });
|
||||
throw new TokenReuseDetectedException();
|
||||
}
|
||||
|
||||
// 5. Absolute expiration check
|
||||
if (stored.IsExpired(now))
|
||||
{
|
||||
await _security.LogAsync("refresh.issue", "failure",
|
||||
actorUserId: stored.UsuarioId, failureReason: "token_expired");
|
||||
throw new InvalidRefreshTokenException();
|
||||
}
|
||||
|
||||
// 6. UsuarioId must match access token's sub claim
|
||||
if (stored.UsuarioId != accessUserId)
|
||||
{
|
||||
await _security.LogAsync("refresh.issue", "failure",
|
||||
actorUserId: stored.UsuarioId, failureReason: "sub_mismatch");
|
||||
throw new InvalidRefreshTokenException();
|
||||
}
|
||||
|
||||
// 7. Load current user (so access token has up-to-date claims)
|
||||
var usuario = await _usuarioRepo.GetByIdAsync(stored.UsuarioId)
|
||||
?? throw new InvalidRefreshTokenException();
|
||||
var usuario = await _usuarioRepo.GetByIdAsync(stored.UsuarioId);
|
||||
if (usuario is null)
|
||||
{
|
||||
await _security.LogAsync("refresh.issue", "failure",
|
||||
actorUserId: stored.UsuarioId, failureReason: "user_not_found");
|
||||
throw new InvalidRefreshTokenException();
|
||||
}
|
||||
|
||||
if (!usuario.Activo)
|
||||
{
|
||||
await _security.LogAsync("refresh.issue", "failure",
|
||||
actorUserId: usuario.Id, failureReason: "user_inactive");
|
||||
throw new InvalidRefreshTokenException();
|
||||
}
|
||||
|
||||
// 8. Rotate: create new token, persist, then revoke old
|
||||
var newRaw = _refreshGenerator.Generate();
|
||||
@@ -90,6 +115,9 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr
|
||||
|
||||
// 9. Issue new access token
|
||||
var newAccess = _jwt.GenerateAccessToken(usuario);
|
||||
|
||||
await _security.LogAsync("refresh.issue", "success", actorUserId: usuario.Id);
|
||||
|
||||
return new RefreshResponseDto(newAccess, newRaw, _authOptions.AccessTokenMinutes * 60);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user