package play.plugins.security;

import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.annotation.Nullable;
import play.PlayPlugin;
import play.mvc.Http;
import play.mvc.NoAuthenticityToken;
import play.mvc.Scope;
import play.mvc.results.Forbidden;

/* loaded from: input_file:play/plugins/security/AuthenticityTokenPlugin.class */
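/**
 * Anti-CSRF check that runs before a controller action is invoked.
 *
 * <p>For POST requests whose invoked action is not annotated with
 * {@link NoAuthenticityToken}, the request must carry an {@code authenticityToken}
 * parameter that matches the token held by the session. Any failure is reported
 * by throwing {@link Forbidden}.
 */
public class AuthenticityTokenPlugin extends PlayPlugin {
    /**
     * Enforces the authenticity token on POST requests.
     *
     * <p>The annotation lookup uses {@code request.invokedMethod}; the {@code method}
     * argument is not consulted.
     *
     * <p>NOTE(review): only POST is checked here. Actions reachable through other
     * state-changing HTTP methods are not covered by this plugin; confirm that the
     * application's routes do not rely on it for those.
     *
     * @throws Forbidden if the token is missing, submitted with differing values,
     *     or does not match the session token
     */
    @Override
    public void beforeActionInvocation(Http.Request request, Http.Response response, Scope.Session session, Scope.RenderArgs renderArgs, Scope.Flash flash, Method method) {
        if (Http.Methods.POST.equalsIgnoreCase(request.method) && !request.invokedMethod.isAnnotationPresent(NoAuthenticityToken.class)) {
            String[] all = request.params.getAll("authenticityToken");
            verifyTokenIsPresent(all);
            verifyAllTokensAreEqual(all);
            // verifyTokenIsPresent guarantees at least one element at this point.
            verifyToken(session, all[0]);
        }
    }

    /**
     * Rejects the request when no {@code authenticityToken} parameter was submitted.
     *
     * @throws Forbidden if the array is {@code null} or empty
     */
    private void verifyTokenIsPresent(@Nullable String[] strArr) {
        if (strArr == null || strArr.length == 0) {
            throw new Forbidden("No authenticity token");
        }
    }

    /**
     * Rejects the request when the parameter was submitted several times with
     * values that are not all identical, so that the value validated later cannot
     * differ from another submitted value.
     *
     * @throws Forbidden if any submitted value differs from the first one
     */
    private void verifyAllTokensAreEqual(String[] strArr) {
        String first = strArr[0];
        for (int i = 1; i < strArr.length; i++) {
            // A null element is treated as a mismatch instead of raising a
            // NullPointerException, so a malformed request is still answered
            // with Forbidden.
            if (first == null || !first.equals(strArr[i])) {
                throw new Forbidden("Multiple authenticity tokens");
            }
        }
    }

    /**
     * Compares the submitted token with the session's authenticity token.
     *
     * <p>The comparison goes through {@link MessageDigest#isEqual(byte[], byte[])}
     * on the UTF-8 bytes of both values, so it does not stop at the first
     * differing character the way {@link String#equals(Object)} does. A
     * {@code null} on either side is a mismatch.
     *
     * @throws Forbidden if the submitted token does not match the session token
     */
    private void verifyToken(Scope.Session session, String str) {
        String expected = session.getAuthenticityToken();
        if (str == null || expected == null) {
            throw new Forbidden("Bad authenticity token");
        }
        byte[] submittedBytes = str.getBytes(StandardCharsets.UTF_8);
        byte[] expectedBytes = expected.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(submittedBytes, expectedBytes)) {
            throw new Forbidden("Bad authenticity token");
        }
    }
}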
