package org.javalite.activeweb.controller_filters;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Iterator;
import org.javalite.activeweb.CSRF;
import org.javalite.activeweb.FormItem;
import org.javalite.activeweb.HttpMethod;
import org.javalite.activeweb.RequestUtils;

/* loaded from: input_file:org/javalite/activeweb/controller_filters/CSRFFilter.class */
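public class CSRFFilter extends HttpSupportFilter {

    /**
     * Creates the filter and switches CSRF verification on for the application.
     */
    public CSRFFilter() {
        CSRF.enableVerification();
    }

    /**
     * Runs before the action. When verification is enabled, a POST, PUT or DELETE
     * request must carry a CSRF token that matches the one held in the session;
     * every other method passes through without a check.
     *
     * @throws SecurityException if the token is missing or does not match the session
     */
    @Override
    public void before() {
        if (!CSRF.verificationEnabled()) {
            return;
        }
        HttpMethod method = getRoute().getMethod();
        // NOTE(review): only these three methods are checked; other state-changing
        // methods (e.g. PATCH) pass unverified — confirm which values HttpMethod
        // defines in this framework version before widening the list.
        boolean stateChanging = method == HttpMethod.POST
                || method == HttpMethod.PUT
                || method == HttpMethod.DELETE;
        if (stateChanging) {
            verify();
        }
    }

    /**
     * Compares the token supplied with the request against the one stored in the session.
     * The supplied token is looked up, in this order, as a request parameter whose name
     * the session designates, as the CSRF HTTP header, and finally as a multipart form
     * field.
     *
     * @throws SecurityException if the session holds no token name or value, the request
     *     carries no token, or the two tokens differ
     */
    private void verify() {
        String tokenName = sessionString(CSRF.CSRF_TOKEN_NAME);
        String expected = sessionString(CSRF.CSRF_TOKEN_VALUE);
        if (tokenName == null || expected == null) {
            throw new SecurityException("CSRF attack detected! Session token missing!");
        }
        String supplied = param(tokenName);
        if (supplied == null) {
            supplied = header(CSRF.HTTP_HEADER_NAME);
        }
        if (supplied == null && RequestUtils.isMultipartContent()) {
            supplied = consumeMultipartToken(tokenName);
        }
        if (supplied == null) {
            throw new SecurityException("CSRF attack detected! Token not found!");
        }
        // Compare in constant time: String.equals stops at the first differing character,
        // so its duration would depend on how much of the secret matches.
        byte[] expectedBytes = expected.getBytes(StandardCharsets.UTF_8);
        byte[] suppliedBytes = supplied.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expectedBytes, suppliedBytes)) {
            throw new SecurityException("CSRF attack detected! Request token is not valid!");
        }
    }

    /**
     * Finds the multipart form field carrying the CSRF token, removes it from the
     * multipart form items, and returns its value.
     *
     * @param fieldName the form field name the session designates for the token
     * @return the token value, or {@code null} if no matching form field exists
     */
    private String consumeMultipartToken(String fieldName) {
        int index = 0;
        Iterator<FormItem> items = multipartFormItems().iterator();
        while (items.hasNext()) {
            FormItem item = items.next();
            if (item.isFormField() && fieldName.equals(item.getFieldName())) {
                // Decode with an explicit charset instead of the platform default.
                // NOTE(review): assumes the field bytes are UTF-8 — confirm against the
                // multipart parser's encoding.
                String value = new String(item.getBytes(), StandardCharsets.UTF_8);
                // NOTE(review): removal calls multipartFormItems() a second time and
                // assumes it returns the same backing list each call — confirm.
                multipartFormItems().remove(index);
                return value;
            }
            index++;
        }
        return null;
    }
}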
