Format all markdown files in active directories

docs/token-validation.md

@@ -2,11 +2,14 @@
 
 ## Overview
 
-The Core project implements comprehensive JWT token validation across three token types:
+The Core project implements comprehensive JWT token validation across three
+token types:
 
 - **Access Tokens**: Short-lived (1 hour) tokens for API authentication
-- **Refresh Tokens**: Long-lived (21 days) tokens for obtaining new access tokens
-- **Confirmation Tokens**: Short-lived (30 minutes) tokens for email confirmation
+- **Refresh Tokens**: Long-lived (21 days) tokens for obtaining new access
+  tokens
+- **Confirmation Tokens**: Short-lived (30 minutes) tokens for email
+  confirmation
 
 ## Components
 
@@ -17,10 +20,13 @@ The Core project implements comprehensive JWT token validation across three toke
 Low-level JWT operations.
 
 **Methods:**
+
 - `GenerateJwt()` - Creates signed JWT tokens
 - `ValidateJwtAsync()` - Validates token signature, expiration, and format
 
-**Implementation:** [JwtInfrastructure.cs](Infrastructure.Jwt/JwtInfrastructure.cs)
+**Implementation:**
+[JwtInfrastructure.cs](Infrastructure.Jwt/JwtInfrastructure.cs)
+
 - Uses Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler
 - Algorithm: HS256 (HMAC-SHA256)
 - Validates token lifetime, signature, and well-formedness
@@ -32,16 +38,20 @@ Low-level JWT operations.
 High-level token validation with context (token type, user extraction).
 
 **Methods:**
+
 - `ValidateAccessTokenAsync(string token)` - Validates access tokens
 - `ValidateRefreshTokenAsync(string token)` - Validates refresh tokens
 - `ValidateConfirmationTokenAsync(string token)` - Validates confirmation tokens
 
 **Returns:** `ValidatedToken` record containing:
+
 - `UserId` (Guid)
 - `Username` (string)
 - `Principal` (ClaimsPrincipal) - Full JWT claims
 
-**Implementation:** [TokenValidationService.cs](Service.Auth/TokenValidationService.cs)
+**Implementation:**
+[TokenValidationService.cs](Service.Auth/TokenValidationService.cs)
+
 - Reads token secrets from environment variables
 - Extracts and validates claims (Sub, UniqueName)
 - Throws `UnauthorizedException` on validation failure
@@ -51,15 +61,18 @@ High-level token validation with context (token type, user extraction).
 Token generation (existing service extended).
 
 **Methods:**
+
 - `GenerateAccessToken(UserAccount)` - Creates 1-hour access token
 - `GenerateRefreshToken(UserAccount)` - Creates 21-day refresh token
-- `GenerateConfirmationToken(UserAccount)` - Creates 30-minute confirmation token
+- `GenerateConfirmationToken(UserAccount)` - Creates 30-minute confirmation
+  token
 
 ### Integration Points
 
 #### [ConfirmationService](Service.Auth/IConfirmationService.cs)
 
 **Flow:**
+
 1. Receives confirmation token from user
 2. Calls `TokenValidationService.ValidateConfirmationTokenAsync()`
 3. Extracts user ID from validated token
@@ -69,6 +82,7 @@ Token generation (existing service extended).
 #### [RefreshTokenService](Service.Auth/RefreshTokenService.cs)
 
 **Flow:**
+
 1. Receives refresh token from user
 2. Calls `TokenValidationService.ValidateRefreshTokenAsync()`
 3. Retrieves user account via `AuthRepository.GetUserByIdAsync()`
@@ -78,6 +92,7 @@ Token generation (existing service extended).
 #### [AuthController](API.Core/Controllers/AuthController.cs)
 
 **Endpoints:**
+
 - `POST /api/auth/register` - Register new user
 - `POST /api/auth/login` - Authenticate user
 - `POST /api/auth/confirm?token=...` - Confirm email
@@ -88,11 +103,13 @@ Token generation (existing service extended).
 ### Token Secrets
 
 Three independent secrets enable:
+
 - **Key rotation** - Rotate each secret type independently
 - **Isolation** - Compromise of one secret doesn't affect others
 - **Different expiration** - Different token types can expire at different rates
 
 **Environment Variables:**
+
 ```bash
 ACCESS_TOKEN_SECRET=...           # Signs 1-hour access tokens
 REFRESH_TOKEN_SECRET=...          # Signs 21-day refresh tokens
@@ -111,6 +128,7 @@ Each token is validated for:
 ### Error Handling
 
 Validation failures return HTTP 401 Unauthorized:
+
 - Invalid signature → "Invalid token"
 - Expired token → "Invalid token" (message doesn't reveal reason for security)
 - Missing claims → "Invalid token"
@@ -149,16 +167,19 @@ Validation failures return HTTP 401 Unauthorized:
 ### Unit Tests
 
 **TokenValidationService.test.cs**
+
 - Happy path: Valid token extraction
 - Error cases: Invalid, expired, malformed tokens
 - Missing/invalid claims scenarios
 
 **RefreshTokenService.test.cs**
+
 - Successful refresh with valid token
 - Invalid/expired refresh token rejection
 - Non-existent user handling
 
 **ConfirmationService.test.cs**
+
 - Successful confirmation with valid token
 - Token validation failures
 - User not found scenarios
@@ -166,16 +187,19 @@ Validation failures return HTTP 401 Unauthorized:
 ### BDD Tests (Reqnroll)
 
 **TokenRefresh.feature**
+
 - Successful token refresh
 - Invalid/expired token rejection
 - Missing token validation
 
 **Confirmation.feature**
+
 - Successful email confirmation
 - Expired/tampered token rejection
 - Missing token validation
 
 **AccessTokenValidation.feature**
+
 - Protected endpoint access token validation
 - Invalid/expired access token rejection
 - Token type mismatch (refresh used as access token)