src/api/SIGCM2.Api/Filters/ExceptionFilter.cs

@@ -26,6 +26,25 @@ public sealed class ExceptionFilter : IExceptionFilter
                 context.ExceptionHandled = true;
                 break;
 
+            case TokenReuseDetectedException reuseEx:
+                // Log with detail on the backend but return generic 401 to client
+                _logger.LogWarning("Token reuse detected — possible session compromise: {Message}", reuseEx.Message);
+                context.Result = new ObjectResult(new { error = "Token inválido" })
+                {
+                    StatusCode = StatusCodes.Status401Unauthorized
+                };
+                context.ExceptionHandled = true;
+                break;
+
+            case InvalidRefreshTokenException:
+                // Generic 401 — do NOT reveal if token was expired, not found, or mismatched
+                context.Result = new ObjectResult(new { error = "Token inválido" })
+                {
+                    StatusCode = StatusCodes.Status401Unauthorized
+                };
+                context.ExceptionHandled = true;
+                break;
+
             case ValidationException validationEx:
                 var errors = validationEx.Errors
                     .GroupBy(e => e.PropertyName)