package org.primeframework.mvc.security;

import com.fasterxml.jackson.databind.JsonNode;
import com.inversoft.rest.ClientResponse;
import com.inversoft.rest.FormDataBodyHandler;
import com.inversoft.rest.JSONResponseHandler;
import com.inversoft.rest.RESTClient;
import io.fusionauth.http.Cookie;
import io.fusionauth.http.server.HTTPRequest;
import io.fusionauth.http.server.HTTPResponse;
import io.fusionauth.jwt.JWTExpiredException;
import io.fusionauth.jwt.Verifier;
import io.fusionauth.jwt.domain.JWT;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.primeframework.mvc.security.oauth.OAuthConfiguration;
import org.primeframework.mvc.security.oauth.RefreshResponse;
import org.primeframework.mvc.security.oauth.TokenAuthenticationMethod;
import org.primeframework.mvc.security.oauth.Tokens;
import org.primeframework.mvc.util.ObjectTools;

/* loaded from: input_file:org/primeframework/mvc/security/BaseJWTRefreshTokenCookiesUserLoginSecurityContext.class */
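/**
 * Base {@link UserLoginSecurityContext} that keeps the login state in two cookies: one carrying a JWT and one
 * carrying a refresh token. The JWT is verified on first use in a request, and when it has expired (or
 * {@link #validateJWTClaims(JWT)} rejects it) the refresh token is exchanged at the configured OAuth token
 * endpoint for a new JWT.
 *
 * <p>The resolved {@link Tokens} and the loaded user are cached as request attributes, so the cookies are parsed
 * and verified at most once per request.
 *
 * <p>Security notes for implementers:
 * <ul>
 *   <li>Any verification failure other than expiry drops both cookies (fail closed).</li>
 *   <li>The refresh request carries the refresh token and, depending on the authentication method, the client
 *       secret; {@code OAuthConfiguration.tokenEndpoint} should therefore point at a TLS endpoint.</li>
 *   <li>NOTE(review): whether {@code CookieProxy} marks the cookies HttpOnly/Secure is not visible in this
 *       file - confirm, since both cookies are bearer credentials.</li>
 * </ul>
 */
public abstract class BaseJWTRefreshTokenCookiesUserLoginSecurityContext implements UserLoginSecurityContext {
    /** Request attribute under which the resolved {@link Tokens} are cached. */
    private static final String ContextKey = "primeLoginContext";

    /** Request attribute under which the loaded user object is cached. */
    private static final String UserKey = "primeCurrentUser";

    // Both initializers call abstract methods while this base class is still being constructed, i.e. before any
    // subclass constructor body has run. Implementations of jwtCookieName() / refreshTokenCookieName() must not
    // depend on subclass instance state.
    // 2147483647L is Integer.MAX_VALUE; presumably the cookie max-age - confirm against CookieProxy.
    protected final CookieProxy jwtCookie = new CookieProxy(jwtCookieName(), 2147483647L, Cookie.SameSite.Strict);
    protected final CookieProxy refreshTokenCookie = new CookieProxy(refreshTokenCookieName(), 2147483647L, Cookie.SameSite.Strict);
    protected final HTTPRequest request;
    protected final HTTPResponse response;
    protected final VerifierProvider verifierProvider;

    /**
     * @param hTTPRequest      the current request; also used as the per-request cache for tokens and user
     * @param hTTPResponse     the current response; cookie changes are written to it
     * @param verifierProvider supplies the JWT verifiers used to check the JWT cookie
     */
    protected BaseJWTRefreshTokenCookiesUserLoginSecurityContext(HTTPRequest hTTPRequest, HTTPResponse hTTPResponse, VerifierProvider verifierProvider) {
        this.request = hTTPRequest;
        this.response = hTTPResponse;
        this.verifierProvider = verifierProvider;
    }

    /**
     * Returns the user for the current request, loading it from the verified JWT on first call.
     *
     * @return the cached or freshly loaded user, or {@code null} when there is no usable JWT or
     *         {@link #retrieveUserForJWT(String)} finds no user
     */
    @Override // org.primeframework.mvc.security.UserLoginSecurityContext
    public Object getCurrentUser() {
        Object cachedUser = this.request.getAttribute(UserKey);
        if (cachedUser != null) {
            return cachedUser;
        }

        Tokens tokens = resolveContext();
        if (tokens.jwt == null) {
            return null;
        }

        Object user = retrieveUserForJWT(tokens.jwt);
        if (user != null) {
            // Only a found user is cached; a miss is looked up again on the next call.
            this.request.setAttribute(UserKey, user);
        }
        return user;
    }

    /**
     * Returns the {@code sid} claim of the verified JWT.
     *
     * @return the session id, or {@code null} when no decoded JWT is available
     */
    @Override // org.primeframework.mvc.security.UserLoginSecurityContext
    public String getSessionId() {
        Tokens tokens = resolveContext();
        return tokens.decodedJWT != null ? tokens.decodedJWT.getString("sid") : null;
    }

    /** @return {@code true} when {@link #getCurrentUser()} yields a user */
    @Override // org.primeframework.mvc.security.UserLoginSecurityContext
    public boolean isLoggedIn() {
        return getCurrentUser() != null;
    }

    /**
     * Writes the JWT and refresh token of the given {@link Tokens} to their cookies. A {@code null} token leaves
     * the corresponding cookie untouched.
     *
     * @param obj the login context; must be a {@link Tokens} instance
     * @throws IllegalArgumentException if {@code obj} is {@code null} or not a {@link Tokens}
     */
    @Override // org.primeframework.mvc.security.UserLoginSecurityContext
    public void login(Object obj) {
        if (!(obj instanceof Tokens)) {
            // instanceof is false for null as well; report it instead of failing with a NullPointerException
            // while building the message.
            String providedType = obj == null ? "null" : obj.getClass().getCanonicalName();
            throw new IllegalArgumentException("The login context for [BaseJWTRefreshTokenCookiesUserLoginSecurityContext] is expected to be of type [" + Tokens.class.getCanonicalName() + "] but an object of type [" + providedType + "] was provided. This is a development time error.");
        }

        Tokens tokens = (Tokens) obj;
        if (tokens.jwt != null) {
            this.jwtCookie.add(this.request, this.response, tokens.jwt);
        }
        if (tokens.refreshToken != null) {
            this.refreshTokenCookie.add(this.request, this.response, tokens.refreshToken);
        }
    }

    /**
     * Deletes both cookies. Only the browser-side state is removed here; nothing in this method revokes the
     * refresh token at the identity provider.
     */
    @Override // org.primeframework.mvc.security.UserLoginSecurityContext
    public void logout() {
        this.jwtCookie.delete(this.request, this.response);
        this.refreshTokenCookie.delete(this.request, this.response);
    }

    /**
     * Replaces the user cached for this request. Does nothing when no user has been cached yet.
     *
     * @param obj the updated user object
     */
    @Override // org.primeframework.mvc.security.UserLoginSecurityContext
    public void updateUser(Object obj) {
        if (this.request.getAttribute(UserKey) != null) {
            this.request.setAttribute(UserKey, obj);
        }
    }

    /** @return the name of the cookie that carries the JWT; called during base-class construction */
    protected abstract String jwtCookieName();

    /** @return the OAuth settings (token endpoint, client credentials, authentication method) used to refresh */
    protected abstract OAuthConfiguration oauthConfiguration();

    /** @return the name of the cookie that carries the refresh token; called during base-class construction */
    protected abstract String refreshTokenCookieName();

    /**
     * Loads the user that belongs to a JWT.
     *
     * @param str the encoded JWT
     * @return the user, or {@code null} when none is found
     */
    protected abstract Object retrieveUserForJWT(String str);

    /**
     * Hook for additional claim checks on a JWT whose signature has already been verified. The default accepts
     * every token. Returning {@code false} does not log the user out directly; it forces a refresh.
     *
     * @param jwt the decoded JWT
     * @return {@code true} to accept the token
     */
    protected boolean validateJWTClaims(JWT jwt) {
        return true;
    }

    /**
     * @return the configured verifiers, or {@code null} when the provider supplies none
     */
    private Map<String, Verifier> getVerifiersOrNull() {
        Map<String, Verifier> verifiers = this.verifierProvider.get();
        // A provider that returns null is treated like one that returns an empty map.
        return verifiers == null || verifiers.isEmpty() ? null : verifiers;
    }

    /**
     * Clears every token held in {@code tokens} and deletes both cookies. Used whenever a token cannot be
     * trusted, so that the per-request cache never keeps claims or a JWT that failed verification.
     */
    private void discardSession(Tokens tokens) {
        tokens.jwt = null;
        tokens.decodedJWT = null;
        tokens.refreshToken = null;
        this.jwtCookie.delete(this.request, this.response);
        this.refreshTokenCookie.delete(this.request, this.response);
    }

    /**
     * Exchanges the refresh token for a new JWT at the OAuth token endpoint and rewrites the cookies.
     *
     * @param tokens the per-request tokens; mutated in place
     * @return the same {@code tokens} instance, holding the new JWT on success or no JWT on failure
     */
    private Tokens refreshJWT(Tokens tokens) {
        // The current JWT is unusable from here on, whatever the outcome of the refresh.
        tokens.jwt = null;
        tokens.decodedJWT = null;
        if (tokens.refreshToken == null) {
            this.jwtCookie.delete(this.request, this.response);
            return tokens;
        }

        Map<String, List<String>> form = new HashMap<>(2);
        form.put("grant_type", List.of("refresh_token"));
        form.put("refresh_token", List.of(tokens.refreshToken));

        OAuthConfiguration config = oauthConfiguration();
        RESTClient<RefreshResponse, JsonNode> client = new RESTClient<RefreshResponse, JsonNode>(RefreshResponse.class, JsonNode.class)
                .url(config.tokenEndpoint)
                .successResponseHandler(new JSONResponseHandler<RefreshResponse>(RefreshResponse.class))
                .errorResponseHandler(new JSONResponseHandler<JsonNode>(JsonNode.class));

        // Client credentials go either in the Authorization header or in the form body; any other
        // authentication method sends the request without client credentials.
        if (config.authenticationMethod == TokenAuthenticationMethod.client_secret_basic) {
            client.basicAuthorization(config.clientId, config.clientSecret);
        } else if (config.authenticationMethod == TokenAuthenticationMethod.client_secret_post) {
            form.put("client_id", List.of(config.clientId));
            form.put("client_secret", List.of(config.clientSecret));
        }

        ClientResponse<RefreshResponse, JsonNode> result = client.bodyHandler(new FormDataBodyHandler(form)).post().go();
        if (!result.wasSuccessful()) {
            // The refresh token was rejected or the endpoint failed: end the session.
            discardSession(tokens);
            return tokens;
        }

        RefreshResponse refreshed = result.getSuccessResponse();
        // The endpoint may rotate the refresh token; keep the current one when it does not send a new one.
        String refreshToken = (String) ObjectTools.defaultIfNull(refreshed.refresh_token, tokens.refreshToken);

        JWT decoded = null;
        Map<String, Verifier> verifiers = getVerifiersOrNull();
        if (verifiers != null) {
            try {
                decoded = JWT.getDecoder().decode(refreshed.access_token, verifiers);
            } catch (Exception e) {
                // A refreshed token that does not verify must not end up in the per-request cache or in the
                // cookie. Without this, a failure on the expired-JWT path would escape with the unverified JWT
                // already stored in the cached Tokens.
                discardSession(tokens);
                return tokens;
            }
        }
        // NOTE(review): when no verifiers are available the refreshed JWT is stored without being decoded, and
        // validateJWTClaims(JWT) is never applied to a refreshed token - confirm both are intended.

        tokens.jwt = refreshed.access_token;
        tokens.refreshToken = refreshToken;
        tokens.decodedJWT = decoded;
        if (tokens.jwt != null) {
            this.jwtCookie.add(this.request, this.response, tokens.jwt);
        }
        if (tokens.refreshToken != null) {
            this.refreshTokenCookie.add(this.request, this.response, tokens.refreshToken);
        }
        return tokens;
    }

    /**
     * Reads and verifies the cookies once per request and caches the result as a request attribute.
     *
     * @return the per-request {@link Tokens}; its fields are {@code null} when nobody is logged in
     */
    private Tokens resolveContext() {
        Tokens cached = (Tokens) this.request.getAttribute(ContextKey);
        if (cached != null) {
            return cached;
        }

        // Cached before it is populated: later calls in this request see the same, mutated instance.
        Tokens tokens = new Tokens();
        this.request.setAttribute(ContextKey, tokens);

        Map<String, Verifier> verifiers = getVerifiersOrNull();
        if (verifiers == null) {
            // Without verifiers no cookie can be trusted, so the cookies are not even read.
            return tokens;
        }

        tokens.jwt = this.jwtCookie.get(this.request);
        tokens.refreshToken = this.refreshTokenCookie.get(this.request);
        if (tokens.jwt == null && tokens.refreshToken == null) {
            return tokens;
        }

        // NOTE(review): when only the refresh token cookie is present, tokens.jwt is null at the decode call
        // below; whether the decoder tolerates null is not visible here. If it throws, the generic handler
        // drops the refresh token instead of using it - confirm.
        try {
            tokens.decodedJWT = JWT.getDecoder().decode(tokens.jwt, verifiers);
            return validateJWTClaims(tokens.decodedJWT) ? tokens : refreshJWT(tokens);
        } catch (JWTExpiredException e) {
            // Must precede the generic handler: an expired JWT is the normal trigger for a refresh, and a
            // handler for the more specific type placed after catch (Exception) can never run.
            return refreshJWT(tokens);
        } catch (Exception e) {
            // Bad signature, malformed token, a failing claim check, ...: drop everything, including claims that
            // were decoded before the failure, so getSessionId() cannot report a rejected token's session id.
            discardSession(tokens);
            return tokens;
        }
    }
}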
