package fathom.rest.security;

import com.google.common.base.Strings;
import com.google.common.collect.Sets;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import fathom.exception.StatusCodeException;
import fathom.rest.Context;
import fathom.utils.CryptoUtil;
import fathom.utils.Util;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import ro.pippo.core.route.RouteHandler;

@Singleton
/* loaded from: input_file:fathom-rest-security-1.0.1.jar:fathom/rest/security/CSRFHandler.class */
public class CSRFHandler implements RouteHandler<Context> {
    public static final String HEADER = "Csrf-Token";
    public static final String PARAMETER = "_csrf_token";
    public static final String BINDING = "csrfToken";
    private static final Logger log = LoggerFactory.getLogger((Class<?>) CSRFHandler.class);
    private final Set<String> guardedTypes;
    private final String secretKey;
    private final String algorithm;

    @Inject
    public CSRFHandler() {
        this(CryptoUtil.generateSecretKey());
    }

    public CSRFHandler(String str) {
        this(str, "HmacSHA256");
    }

    public CSRFHandler(String str, String str2) {
        this.guardedTypes = Sets.newHashSet("application/x-www-form-urlencoded", "multipart/form-data", "text/plain");
        this.secretKey = str;
        this.algorithm = str2;
    }

    public String getSecretKey() {
        return this.secretKey;
    }

    public String getAlgorithm() {
        return this.algorithm;
    }

    protected String getSessionCsrfToken(Context context) {
        return (String) context.getSession("_csrf_token");
    }

    protected void setSessionCsrfToken(Context context, String str) {
        context.setSession("_csrf_token", str);
    }

    protected String getTokenId(Context context) {
        return context.getSession().getId().toString();
    }

    @Override // ro.pippo.core.route.RouteHandler
    public void handle(Context context) {
        String method = context.getRequest().getHttpServletRequest().getMethod();
        if ("POST".equals(method)) {
            String preSubstring = Util.getPreSubstring(context.getRequest().getHeader("Content-Type").toLowerCase(), ';');
            if (!this.guardedTypes.contains(preSubstring)) {
                log.debug("Ignoring '{}' request for {} '{}'", preSubstring, context.getRequestMethod(), context.getRequestUri());
                return;
            }
            String header = context.getRequest().getHeader(HEADER);
            if ("nocheck".equals(header)) {
                log.debug("Ignoring 'nocheck' request for {} '{}'", context.getRequestMethod(), context.getRequestUri());
                return;
            }
            if (Strings.isNullOrEmpty(header)) {
                header = context.getParameter("_csrf_token").toString();
            }
            if (Strings.isNullOrEmpty(header)) {
                throw new StatusCodeException(403, "Illegal request, no '{}'!", "_csrf_token");
            }
            String sessionCsrfToken = getSessionCsrfToken(context);
            if (!header.equals(sessionCsrfToken)) {
                throw new StatusCodeException(403, "Illegal request, invalid '{}'!", "_csrf_token");
            }
            log.debug("Validated '{}' for {} '{}'", "_csrf_token", context.getRequestMethod(), context.getRequestUri());
            context.setLocal("csrfToken", sessionCsrfToken);
        } else if ("GET".equals(method)) {
            if (getSessionCsrfToken(context) == null) {
                setSessionCsrfToken(context, CryptoUtil.hmacDigest(getTokenId(context), this.secretKey, this.algorithm));
                log.debug("Generated '{}' for {} '{}'", "_csrf_token", method, context.getRequestUri());
            }
            context.setLocal("csrfToken", getSessionCsrfToken(context));
        }
        context.next();
    }
}
