From fd2ff8a8026d5df3891e6a4b26081aa1131ff503 Mon Sep 17 00:00:00 2001
From: dmolinari
Date: Tue, 14 Apr 2026 13:28:45 -0300
Subject: [PATCH] feat(api): map InvalidRefreshTokenException and TokenReuseDetectedException to generic 401
---
 src/api/SIGCM2.Api/Filters/ExceptionFilter.cs | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/src/api/SIGCM2.Api/Filters/ExceptionFilter.cs b/src/api/SIGCM2.Api/Filters/ExceptionFilter.cs
index 549e28b..d6fc2a7 100644
--- a/src/api/SIGCM2.Api/Filters/ExceptionFilter.cs
+++ b/src/api/SIGCM2.Api/Filters/ExceptionFilter.cs
@@ -26,6 +26,25 @@ public sealed class ExceptionFilter : IExceptionFilter
 context.ExceptionHandled = true;
 break;
 
+ case TokenReuseDetectedException reuseEx:
+ // Log with detail on the backend but return generic 401 to client
+ _logger.LogWarning("Token reuse detected — possible session compromise: {Message}", reuseEx.Message);
+ context.Result = new ObjectResult(new { error = "Token inválido" })
+ {
+ StatusCode = StatusCodes.Status401Unauthorized
+ };
+ context.ExceptionHandled = true;
+ break;
+
+ case InvalidRefreshTokenException:
+ // Generic 401 — do NOT reveal if token was expired, not found, or mismatched
+ context.Result = new ObjectResult(new { error = "Token inválido" })
+ {
+ StatusCode = StatusCodes.Status401Unauthorized
+ };
+ context.ExceptionHandled = true;
+ break;
+
 case ValidationException validationEx:
 var errors = validationEx.Errors
 .GroupBy(e => e.PropertyName)
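Review bot: The new `case InvalidRefreshTokenException:` branch writes nothing to the log, so a burst of rejected refresh tokens (a replayed stolen token that does not trip reuse detection, or repeated guessing) leaves no server-side trace, while the comment above it only means the client must not learn the reason. Mirror the reuse branch with a non-sensitive record, e.g. `case InvalidRefreshTokenException invalidEx:` followed by `_logger.LogWarning("Refresh token rejected ({TraceId}): {Reason}", context.HttpContext.TraceIdentifier, invalidEx.Message);`. In the `TokenReuseDetectedException` branch, confirm that `reuseEx.Message` never carries the raw token or another secret before it is interpolated into the log; if it can, log the exception type or a token identifier instead. The identical `ObjectResult` construction in both branches could become one small local function (e.g. `static ObjectResult GenericUnauthorized()`), which also guarantees the two responses stay byte-identical so the failure cause cannot be distinguished from the body. The enclosing switch and method begin and end outside the hunk.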