package dev.voidframework.web.http.filter.csrf;

import com.google.inject.Inject;
import com.google.inject.Singleton;
import com.typesafe.config.Config;
import com.typesafe.config.ConfigException;
import dev.voidframework.core.helper.Hex;
import dev.voidframework.core.lang.TypedMap;
import dev.voidframework.web.exception.HttpException;
import dev.voidframework.web.http.Context;
import dev.voidframework.web.http.Cookie;
import dev.voidframework.web.http.FormItem;
import dev.voidframework.web.http.HttpContentType;
import dev.voidframework.web.http.HttpMethod;
import dev.voidframework.web.http.Result;
import dev.voidframework.web.http.filter.Filter;
import dev.voidframework.web.http.filter.FilterChain;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;

@Singleton
/* loaded from: input_file:dev/voidframework/web/http/filter/csrf/CSRFFilter.class */
public class CSRFFilter implements Filter {
    public static final TypedMap.Key<String> CSRF_TOKEN_KEY = TypedMap.Key.of("CSRF_TOKEN", String.class);
    public static final TypedMap.Key<Boolean> BYPASS_CSRF_VERIFICATION = TypedMap.Key.of("BYPASS_CSRF_VERIFICATION", Boolean.class);
    private static final String H_MAC_ALGORITHM = "HmacSHA256";
    private final String csrfTokenName;
    private final String cookieName;
    private final boolean cookieSecure;
    private final boolean cookieHttpOnly;
    private final String signatureKey;
    private final long timeToLive;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:dev/voidframework/web/http/filter/csrf/CSRFFilter$CSRFToken.class */
    public static final class CSRFToken extends Record {
        private final String value;
        private final long nonce;
        private final String signature;

        private CSRFToken(String str, long j, String str2) {
            this.value = str;
            this.nonce = j;
            this.signature = str2;
        }

        @Override // java.lang.Record
        public String toString() {
            String str = this.value;
            long j = this.nonce;
            String str2 = this.signature;
            return str + "-" + j + "-" + str;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, CSRFToken.class), CSRFToken.class, "value;nonce;signature", "FIELD:Ldev/voidframework/web/http/filter/csrf/CSRFFilter$CSRFToken;->value:Ljava/lang/String;", "FIELD:Ldev/voidframework/web/http/filter/csrf/CSRFFilter$CSRFToken;->nonce:J", "FIELD:Ldev/voidframework/web/http/filter/csrf/CSRFFilter$CSRFToken;->signature:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, CSRFToken.class, Object.class), CSRFToken.class, "value;nonce;signature", "FIELD:Ldev/voidframework/web/http/filter/csrf/CSRFFilter$CSRFToken;->value:Ljava/lang/String;", "FIELD:Ldev/voidframework/web/http/filter/csrf/CSRFFilter$CSRFToken;->nonce:J", "FIELD:Ldev/voidframework/web/http/filter/csrf/CSRFFilter$CSRFToken;->signature:Ljava/lang/String;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public String value() {
            return this.value;
        }

        public long nonce() {
            return this.nonce;
        }

        public String signature() {
            return this.signature;
        }
    }

    @Inject
    public CSRFFilter(Config config) {
        this.csrfTokenName = config.getString("voidframework.web.csrf.tokenName");
        this.cookieName = config.getString("voidframework.web.csrf.cookieName");
        this.cookieSecure = config.getBoolean("voidframework.web.csrf.cookieSecure");
        this.cookieHttpOnly = config.getBoolean("voidframework.web.csrf.cookieHttpOnly");
        this.signatureKey = config.getString("voidframework.web.csrf.signatureKey");
        this.timeToLive = config.getDuration("voidframework.web.csrf.timeToLive", TimeUnit.MILLISECONDS);
        if (StringUtils.isBlank(this.signatureKey)) {
            throw new ConfigException.BadValue("voidframework.web.csrf.signatureKey", "Please configure the CSRF signature Key");
        }
    }

    @Override // dev.voidframework.web.http.filter.Filter
    public Result apply(Context context, FilterChain filterChain) {
        if (context.getAttributes().get(BYPASS_CSRF_VERIFICATION) == Boolean.TRUE) {
            return filterChain.applyNext(context);
        }
        if (context.getRequest().getHttpMethod() == HttpMethod.POST) {
            Pair<CSRFToken, String> extractAndRegenerateCSRFToken = extractAndRegenerateCSRFToken(context);
            checkCSRFToken((CSRFToken) extractAndRegenerateCSRFToken.getLeft(), extractProvidedCSRFToken(context));
            Result applyNext = filterChain.applyNext(context);
            return applyNext.getHttpCode() / 100 != 3 ? applyNext.withCookie(Cookie.of(this.cookieName, (String) extractAndRegenerateCSRFToken.getRight(), this.cookieHttpOnly, this.cookieSecure, null)) : applyNext.withoutCookie(this.cookieName);
        }
        if (context.getRequest().getHttpMethod() == HttpMethod.GET && context.getRequest().acceptContentType(HttpContentType.TEXT_HTML)) {
            return filterChain.applyNext(context).withCookie(Cookie.of(this.cookieName, (String) extractAndRegenerateCSRFToken(context).getRight(), this.cookieHttpOnly, this.cookieSecure, null));
        }
        return filterChain.applyNext(context);
    }

    private Pair<CSRFToken, String> extractAndRegenerateCSRFToken(Context context) {
        CSRFToken extractCurrentCSRFToken = extractCurrentCSRFToken(context);
        String createNewCSRFTokenAsString = createNewCSRFTokenAsString(extractCurrentCSRFToken);
        context.getAttributes().put(CSRF_TOKEN_KEY, createNewCSRFTokenAsString);
        return Pair.of(extractCurrentCSRFToken, createNewCSRFTokenAsString);
    }

    private CSRFToken extractCurrentCSRFToken(Context context) {
        Cookie cookie = context.getRequest().getCookie(this.cookieName);
        if (cookie == null) {
            return null;
        }
        String[] split = cookie.value().split("-");
        if (split.length != 3) {
            return null;
        }
        return new CSRFToken(split[0], Long.parseLong(split[1]), split[2]);
    }

    private CSRFToken extractProvidedCSRFToken(Context context) {
        String queryStringParameter = context.getRequest().getQueryStringParameter(this.csrfTokenName);
        if (StringUtils.isNotBlank(queryStringParameter)) {
            String[] split = queryStringParameter.split("-");
            if (split.length != 3) {
                return null;
            }
            return new CSRFToken(split[0], Long.parseLong(split[1]), split[2]);
        }
        Map<String, List<FormItem>> asFormData = context.getRequest().getBodyContent().asFormData();
        if (asFormData != null) {
            List<FormItem> orDefault = asFormData.getOrDefault(this.csrfTokenName, List.of());
            if (!orDefault.isEmpty()) {
                String value = orDefault.get(0).value();
                if (StringUtils.isNotBlank(value)) {
                    String[] split2 = value.split("-");
                    if (split2.length != 3) {
                        return null;
                    }
                    return new CSRFToken(split2[0], Long.parseLong(split2[1]), split2[2]);
                }
            }
        }
        String header = context.getRequest().getHeader("X-CSRF-TOKEN");
        if (!StringUtils.isNotBlank(header)) {
            return null;
        }
        String[] split3 = header.split("-");
        if (split3.length != 3) {
            return null;
        }
        return new CSRFToken(split3[0], Long.parseLong(split3[1]), split3[2]);
    }

    private String createNewCSRFTokenAsString(CSRFToken cSRFToken) {
        long currentTimeMillis = System.currentTimeMillis();
        String replace = cSRFToken != null ? cSRFToken.value : UUID.randomUUID().toString().replace("-", "");
        return new CSRFToken(replace, currentTimeMillis, generateSignature(replace + currentTimeMillis)).toString();
    }

    private String generateSignature(String str) {
        try {
            Mac mac = Mac.getInstance(H_MAC_ALGORITHM);
            mac.init(new SecretKeySpec(this.signatureKey.getBytes(StandardCharsets.UTF_8), H_MAC_ALGORITHM));
            return Hex.toHex(mac.doFinal(str.getBytes(StandardCharsets.UTF_8)));
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new HttpException.InternalServerError(e);
        }
    }

    private void checkCSRFToken(CSRFToken cSRFToken, CSRFToken cSRFToken2) {
        if (cSRFToken == null || cSRFToken2 == null) {
            throw new HttpException.BadRequest("CSRF token not found");
        }
        if (cSRFToken2.nonce + this.timeToLive < System.currentTimeMillis()) {
            throw new HttpException.BadRequest("CSRF token is expired");
        }
        String str = Objects.equals(cSRFToken.signature, generateSignature(cSRFToken.value + cSRFToken.nonce)) ? cSRFToken.value : null;
        String str2 = Objects.equals(cSRFToken2.signature, generateSignature(cSRFToken2.value + cSRFToken2.nonce)) ? cSRFToken2.value : null;
        if (str == null || !Objects.equals(str, str2)) {
            throw new HttpException.BadRequest("CSRF token is invalid");
        }
    }
}
