package com.agapsys.agreste;

import com.agapsys.rcf.User;
import com.agapsys.rcf.exceptions.ForbiddenException;
import com.agapsys.web.toolkit.utils.StringUtils;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Objects;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/* loaded from: input_file:com/agapsys/agreste/CsrfHttpExchange.class */
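/**
 * {@link HttpExchange} that ties the current user to a per-session CSRF token.
 *
 * <p>On {@link #setCurrentUser(User)} with a non-null user a fresh random token is
 * generated, stored in the HTTP session under {@link #SESSION_ATTR_CSRF_TOKEN} and
 * echoed to the client in the {@value #CSRF_HEADER} response header. Every later
 * {@link #getCurrentUser()} call for an authenticated user is rejected with
 * {@link ForbiddenException} unless the request carries that exact token in the
 * {@value #CSRF_HEADER} request header.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The token comparison is constant-time ({@link MessageDigest#isEqual}) so the
 *       check does not leak how many leading characters of the header were correct.</li>
 *   <li>A request whose session has no stored token is rejected rather than accepted
 *       (the previous {@code Objects.equals(null, null)} comparison treated a missing
 *       token and a missing header as a match).</li>
 *   <li>NOTE(review): {@link StringUtils#getRandomString(int)} is a project helper;
 *       the token is only as strong as its RNG — confirm it is backed by
 *       {@code SecureRandom}, not {@code java.util.Random}.</li>
 *   <li>NOTE(review): the session id is not rotated on login here; if the servlet
 *       container supports it, calling {@code HttpServletRequest.changeSessionId()}
 *       in {@link #setCurrentUser(User)} would close the session-fixation window.</li>
 * </ul>
 */
public class CsrfHttpExchange extends HttpExchange {
    /** Session attribute under which the expected CSRF token is stored. */
    public static final String SESSION_ATTR_CSRF_TOKEN = CsrfHttpExchange.class.getName() + ".csrfToken";
    /** Length (in characters) of the generated CSRF token. */
    private static final int CSRF_TOKEN_LENGTH = 128;
    /** Header used both to hand the token to the client and to read it back on later requests. */
    public static final String CSRF_HEADER = "X-Csrf-Token";

    /**
     * Creates an exchange wrapping the given servlet request/response pair.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the outgoing response
     */
    public CsrfHttpExchange(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        super(httpServletRequest, httpServletResponse);
    }

    /**
     * Returns the current user only if the request proves possession of the session's
     * CSRF token.
     *
     * @return the authenticated user, or {@code null} when no user is associated with
     *         the exchange (anonymous requests are not subject to the CSRF check)
     * @throws ForbiddenException if there is no session, the session holds no token,
     *         the {@value #CSRF_HEADER} header is absent, or the header does not match
     *         the stored token
     */
    @Override
    public User getCurrentUser() {
        User currentUser = super.getCurrentUser();
        if (currentUser == null) {
            return null;
        }

        // Never create a session here: a missing session means no token was ever issued.
        HttpSession session = getRequest().getSession(false);
        if (session == null) {
            throw new ForbiddenException("Missing CSRF header", new Object[0]);
        }

        String presentedToken = getRequest().getHeader(CSRF_HEADER);
        if (presentedToken == null) {
            throw new ForbiddenException("Missing CSRF header", new Object[0]);
        }

        // Fail closed: an authenticated user with no stored token must not pass the check.
        String expectedToken = (String) session.getAttribute(SESSION_ATTR_CSRF_TOKEN);
        if (expectedToken == null || !tokensMatch(expectedToken, presentedToken)) {
            throw new ForbiddenException("Invalid CSRF header", new Object[0]);
        }
        return currentUser;
    }

    /**
     * Sets the current user and (re)issues the CSRF token.
     *
     * <p>For a non-null user a new token is generated on every call, stored in the
     * session (which is created if necessary) and sent back in the
     * {@value #CSRF_HEADER} response header. For {@code null} the stored token is
     * removed from the existing session, if any; no session is created in that case.
     *
     * @param user the user to associate with this exchange, or {@code null} to clear it
     */
    @Override
    public void setCurrentUser(User user) {
        super.setCurrentUser(user);

        if (user == null) {
            HttpSession existingSession = getRequest().getSession(false);
            if (existingSession != null) {
                existingSession.removeAttribute(SESSION_ATTR_CSRF_TOKEN);
            }
            return;
        }

        HttpSession session = getRequest().getSession(true);
        // Fresh token per login; see the class-level note about the RNG behind this helper.
        String token = StringUtils.getRandomString(CSRF_TOKEN_LENGTH);
        session.setAttribute(SESSION_ATTR_CSRF_TOKEN, token);
        getResponse().setHeader(CSRF_HEADER, token);
    }

    /**
     * Constant-time comparison of the stored token against the one presented by the client.
     *
     * <p>{@link MessageDigest#isEqual} returns early only on a length mismatch, which
     * leaks nothing useful here because every issued token has the same fixed length.
     *
     * @param expected  the token stored in the session (non-null)
     * @param presented the token read from the request header (non-null)
     * @return {@code true} iff both tokens are byte-for-byte identical
     */
    private static boolean tokensMatch(String expected, String presented) {
        byte[] expectedBytes = expected.getBytes(StandardCharsets.UTF_8);
        byte[] presentedBytes = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expectedBytes, presentedBytes);
    }
}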
