From ba6dffb1378bebf33233fe407faaadf2025734ed Mon Sep 17 00:00:00 2001
From: dmolinari <dmolinari@eldia.com>
Date: Tue, 14 Apr 2026 13:17:11 -0300
Subject: [PATCH] feat(app): extend IJwtService with
 GetPrincipalFromExpiredToken

---
 .../Abstractions/Security/IJwtService.cs                  | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/api/SIGCM2.Application/Abstractions/Security/IJwtService.cs b/src/api/SIGCM2.Application/Abstractions/Security/IJwtService.cs
index 0a60224..bdace9e 100644
--- a/src/api/SIGCM2.Application/Abstractions/Security/IJwtService.cs
+++ b/src/api/SIGCM2.Application/Abstractions/Security/IJwtService.cs
@@ -1,3 +1,4 @@
+using System.Security.Claims;
 using SIGCM2.Domain.Entities;
 
 namespace SIGCM2.Application.Abstractions.Security;
@@ -5,4 +6,11 @@ namespace SIGCM2.Application.Abstractions.Security;
 public interface IJwtService
 {
     string GenerateAccessToken(Usuario usuario);
+
+    /// <summary>
+    /// Validates an access token's signature and claims WITHOUT checking expiry.
+    /// Used by the refresh flow to extract the UsuarioId from an expired access token.
+    /// Throws SecurityTokenException (or derived) if the signature is invalid or the algorithm is wrong.
+    /// </summary>
+    ClaimsPrincipal GetPrincipalFromExpiredToken(string accessToken);
 }