using System.Security.Claims;
using SIGCM2.Domain.Entities;

namespace SIGCM2.Application.Abstractions.Security;

public interface IJwtService
{
    string GenerateAccessToken(Usuario usuario);

    /// <summary>
    /// Validates an access token's signature and claims WITHOUT checking expiry.
    /// Used by the refresh flow to extract the UsuarioId from an expired access token.
    /// Throws SecurityTokenException (or derived) if the signature is invalid or the algorithm is wrong.
    /// </summary>
    ClaimsPrincipal GetPrincipalFromExpiredToken(string accessToken);
}