feat(infra): implement GetPrincipalFromExpiredToken in JwtService

2026-04-14 13:28:20 -03:00
parent a363e3658d
commit c910ff2fc5
1 changed files with 25 additions and 0 deletions
--- a/src/api/SIGCM2.Infrastructure/Security/JwtService.cs
+++ b/src/api/SIGCM2.Infrastructure/Security/JwtService.cs
@@ -19,6 +19,31 @@ public sealed class JwtService : IJwtService
        _options = options;
    }

+    /// <inheritdoc/>
+    public ClaimsPrincipal GetPrincipalFromExpiredToken(string accessToken)
+    {
+        var parameters = new TokenValidationParameters
+        {
+            ValidateIssuer = true,
+            ValidIssuer = _options.Issuer,
+            ValidateAudience = true,
+            ValidAudience = _options.Audience,
+            ValidateIssuerSigningKey = true,
+            IssuerSigningKey = new RsaSecurityKey(_rsa),
+            ValidateLifetime = false,  // Key: accept expired tokens in refresh flow
+            ClockSkew = TimeSpan.Zero,
+        };
+
+        var handler = new JwtSecurityTokenHandler();
+        var principal = handler.ValidateToken(accessToken, parameters, out var securityToken);
+
+        if (securityToken is not JwtSecurityToken jwt ||
+            !jwt.Header.Alg.Equals(SecurityAlgorithms.RsaSha256, StringComparison.OrdinalIgnoreCase))
+            throw new SecurityTokenException("Invalid token algorithm");
+
+        return principal;
+    }
+
    public string GenerateAccessToken(Usuario usuario)
    {
        var signingKey = new RsaSecurityKey(_rsa);