dmolinari
b619c05762
Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC:
LoginCommandHandler:
- login success → action=login result=success actorUserId=user.Id
- login failure disaggregated internally (client still sees 401 unified):
user_not_found / user_inactive / invalid_password
— attempts captured with attemptedUsername + FailureReason
LogoutCommandHandler:
- action=logout result=success actorUserId=cmd.UsuarioId
RefreshCommandHandler:
- refresh.issue success on successful rotation
- refresh.reuse_detected failure when revoked token is presented (chain
revoke already happens; we add the security event with metadata.familyId)
- refresh.issue failure for: token_expired / sub_mismatch / user_not_found /
user_inactive
PermissionAuthorizationHandler:
- permission.denied failure on require-permission rejection, with metadata
{ permissionRequired, endpoint, method }. ActorUserId from JWT sub.
DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure).
Test updates: 4 test classes now inject ISecurityEventLogger mock:
- LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests
- PermissionAuthorizationHandlerTests (Api.Tests)
Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing.
Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC,
design, tasks#B9}
8.9 KiB
8.9 KiB