feat(api): map InvalidRefreshTokenException and TokenReuseDetectedException to generic 401

2026-04-14 13:28:45 -03:00
parent 8768067fdd
commit fd2ff8a802
1 changed files with 19 additions and 0 deletions
--- a/src/api/SIGCM2.Api/Filters/ExceptionFilter.cs
+++ b/src/api/SIGCM2.Api/Filters/ExceptionFilter.cs
@@ -26,6 +26,25 @@ public sealed class ExceptionFilter : IExceptionFilter
                context.ExceptionHandled = true;
                break;

+            case TokenReuseDetectedException reuseEx:
+                // Log with detail on the backend but return generic 401 to client
+                _logger.LogWarning("Token reuse detected — possible session compromise: {Message}", reuseEx.Message);
+                context.Result = new ObjectResult(new { error = "Token inválido" })
+                {
+                    StatusCode = StatusCodes.Status401Unauthorized
+                };
+                context.ExceptionHandled = true;
+                break;
+
+            case InvalidRefreshTokenException:
+                // Generic 401 — do NOT reveal if token was expired, not found, or mismatched
+                context.Result = new ObjectResult(new { error = "Token inválido" })
+                {
+                    StatusCode = StatusCodes.Status401Unauthorized
+                };
+                context.ExceptionHandled = true;
+                break;
+
            case ValidationException validationEx:
                var errors = validationEx.Errors
                    .GroupBy(e => e.PropertyName)