package com.gu.pandomainauth.action;

import com.gu.pandomainauth.PanDomain$;
import com.gu.pandomainauth.PanDomainAuthSettingsRefresher;
import com.gu.pandomainauth.model.Authenticated;
import com.gu.pandomainauth.model.AuthenticatedUser;
import com.gu.pandomainauth.model.AuthenticationStatus;
import com.gu.pandomainauth.model.Expired;
import com.gu.pandomainauth.model.GracePeriod;
import com.gu.pandomainauth.model.InvalidCookie;
import com.gu.pandomainauth.model.NotAuthenticated$;
import com.gu.pandomainauth.model.NotAuthorized;
import com.gu.pandomainauth.model.PanDomainAuthSettings;
import com.gu.pandomainauth.service.CookieUtils$;
import com.gu.pandomainauth.service.Google2FAGroupChecker;
import com.gu.pandomainauth.service.OAuth;
import com.gu.pandomainauth.service.OAuthException;
import com.gu.pandomainauth.service.OAuthException$;
import java.net.URLDecoder;
import java.net.URLEncoder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import play.api.libs.ws.WSClient;
import play.api.mvc.ActionBuilder;
import play.api.mvc.AnyContent;
import play.api.mvc.BodyParser;
import play.api.mvc.ControllerComponents;
import play.api.mvc.Cookie;
import play.api.mvc.Cookie$;
import play.api.mvc.Cookie$SameSite$None$;
import play.api.mvc.DiscardingCookie;
import play.api.mvc.DiscardingCookie$;
import play.api.mvc.Request;
import play.api.mvc.RequestHeader;
import play.api.mvc.Result;
import play.api.mvc.Results;
import play.api.mvc.Results$;
import scala.Function1;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Predef$;
import scala.Some;
import scala.collection.Seq;
import scala.collection.immutable.$colon;
import scala.collection.immutable.Nil$;
import scala.concurrent.ExecutionContext;
import scala.concurrent.Future;
import scala.concurrent.Future$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxesRunTime;

/* compiled from: Actions.scala */
@ScalaSignature(bytes = "\u0006\u0001\r\u0005aaB\u001e=!\u0003\r\t!\u0012\u0005\u0006\u0019\u0002!\t!\u0014\u0005\b#\u0002\u0011\r\u0011\"\u0003S\u0011\u0015Y\u0006A\"\u0001]\u0011\u0015I\u0007A\"\u0001k\u0011\u0015\t\bA\"\u0001s\u0011\u00159\b\u0001\"\u0003y\u0011\u0019\tI\u0001\u0001C\u0005q\"9\u00111\u0002\u0001\u0005\n\u00055\u0001\"CA\u000e\u0001\t\u0007I1BA\u000f\u0011\u001d\tY\u0003\u0001D\u0001\u0003[Aq!a\u0010\u0001\t\u0003\t\t\u0005C\u0004\u0002D\u0001!\t!!\u0012\t\r\u00055\u0003A\"\u0001y\u0011%\ty\u0005\u0001b\u0001\n\u0003\t\t\u0006\u0003\u0005\u0002`\u0001\u0011\r\u0011\"\u0001y\u0011%\t\t\u0007\u0001b\u0001\n\u0003\t\u0019\u0007C\u0005\u0002r\u0001\u0011\r\u0011\"\u0001\u0002t!I\u00111\u0011\u0001C\u0002\u0013\u0005\u00111\u000f\u0005\b\u0003\u000b\u0003A\u0011BAD\u0011)\t9\n\u0001EC\u0002\u0013%\u0011\u0011\u0014\u0005\b\u0003[\u0003A\u0011AAX\u0011%\t\t\u000fAI\u0001\n\u0003\t\u0019\u000fC\u0004\u0002~\u0002!\t!a@\t\u000f\t\r\u0001\u0001\"\u0001\u0003\u0006!9!q\u0002\u0001\u0005\u0002\tE\u0001b\u0002B\f\u0001\u0011\u0005!\u0011\u0004\u0005\b\u0005?\u0001A\u0011\u0001B\u0011\u0011\u001d\u0011)\u0003\u0001C\u0001\u0005OAqA!\f\u0001\t\u0003\u0011y\u0003C\u0004\u00036\u0001!\tAa\u000e\t\u000f\tm\u0002\u0001\"\u0001\u0003>!9!q\t\u0001\u0005\u0002\t%\u0003b\u0002B'\u0001\u0011\u0005!qJ\u0004\b\u00053\u0002\u0001\u0012\u0001B.\r\u001d\u0011y\u0006\u0001E\u0001\u0005CBqAa\u001e$\t\u0003\u0011I\bC\u0004\u0003|\r\"\tE! 
\t\u000f\t\u00155\u0005\"\u0015\u0002\u001e!9!qQ\u0012\u0005B\t%ua\u0002BT\u0001!\u0005!\u0011\u0016\u0004\b\u0005W\u0003\u0001\u0012\u0001BW\u0011\u001d\u00119(\u000bC\u0001\u0005\u007f4\u0011B!8\u0001!\u0003\r\tAa8\t\u000b1[C\u0011A'\t\u0013\tU6F1A\u0005\u0002\t\u0005\b\"\u0003B]W\t\u0007I\u0011\u0001Bq\u0011%\u0011Yl\u000bb\u0001\n\u0003\u0011\t\u000fC\u0005\u0003>.\u0012\r\u0011\"\u0001\u0003b\u001aI!\u0011\u0017\u0001\u0011\u0002\u0007\u0005!1\u0017\u0005\u0006\u0019F\"\t!\u0014\u0005\b\u0005w\nD\u0011\tB?\u0011\u001d\u0011))\rC)\u0003;A\u0011B!.2\u0005\u00045\tAa.\t\u0013\te\u0016G1A\u0007\u0002\t]\u0006\"\u0003B^c\t\u0007i\u0011\u0001B\\\u0011%\u0011i,\rb\u0001\u000e\u0003\u00119\fC\u0004\u0003\bF\"\tEa0\t\u000f\tE\u0017\u0007\"\u0001\u0003T\nY\u0011)\u001e;i\u0003\u000e$\u0018n\u001c8t\u0015\tid(\u0001\u0004bGRLwN\u001c\u0006\u0003\u007f\u0001\u000bQ\u0002]1oI>l\u0017-\u001b8bkRD'BA!C\u0003\t9WOC\u0001D\u0003\r\u0019w.\\\u0002\u0001'\t\u0001a\t\u0005\u0002H\u00156\t\u0001JC\u0001J\u0003\u0015\u00198-\u00197b\u0013\tY\u0005J\u0001\u0004B]f\u0014VMZ\u0001\u0007I%t\u0017\u000e\u001e\u0013\u0015\u00039\u0003\"aR(\n\u0005AC%\u0001B+oSR\fa\u0001\\8hO\u0016\u0014X#A*\u0011\u0005QKV\"A+\u000b\u0005Y;\u0016!B:mMRR'\"\u0001-\u0002\u0007=\u0014x-\u0003\u0002[+\n1Aj\\4hKJ\f\u0001b^:DY&,g\u000e^\u000b\u0002;B\u0011alZ\u0007\u0002?*\u0011\u0001-Y\u0001\u0003oNT!AY2\u0002\t1L'm\u001d\u0006\u0003I\u0016\f1!\u00199j\u0015\u00051\u0017\u0001\u00029mCfL!\u0001[0\u0003\u0011]\u001b6\t\\5f]R\fAcY8oiJ|G\u000e\\3s\u0007>l\u0007o\u001c8f]R\u001cX#A6\u0011\u00051|W\"A7\u000b\u00059\u001c\u0017aA7wG&\u0011\u0001/\u001c\u0002\u0015\u0007>tGO]8mY\u0016\u00148i\\7q_:,g\u000e^:\u0002#A\fg\u000eR8nC&t7+\u001a;uS:<7/F\u0001t!\t!X/D\u0001?\u0013\t1hH\u0001\u0010QC:$u.\\1j]\u0006+H\u000f[*fiRLgnZ:SK\u001a\u0014Xm\u001d5fe\u000611/_:uK6,\u0012!\u001f\t\u0004u\u0006\raBA>��!\ta\b*D\u0001~\u0015\tqH)\u0001\u0004=e>|GOP\u0005\u0004\u0003\u0003A\u0015A\u0002)sK\u0012,g-\u0003\u0003\u0002\u0006\u0
005\u001d!AB*ue&twMC\u0002\u0002\u0002!\u000ba\u0001Z8nC&t\u0017\u0001C:fiRLgnZ:\u0016\u0005\u0005=\u0001\u0003BA\t\u0003/i!!a\u0005\u000b\u0007\u0005Ua(A\u0003n_\u0012,G.\u0003\u0003\u0002\u001a\u0005M!!\u0006)b]\u0012{W.Y5o\u0003V$\bnU3ui&twm]\u0001\u0003K\u000e,\"!a\b\u0011\t\u0005\u0005\u0012qE\u0007\u0003\u0003GQ1!!\nI\u0003)\u0019wN\\2veJ,g\u000e^\u0005\u0005\u0003S\t\u0019C\u0001\tFq\u0016\u001cW\u000f^5p]\u000e{g\u000e^3yi\u0006aa/\u00197jI\u0006$X-V:feR!\u0011qFA\u001b!\r9\u0015\u0011G\u0005\u0004\u0003gA%a\u0002\"p_2,\u0017M\u001c\u0005\b\u0003oQ\u0001\u0019AA\u001d\u0003)\tW\u000f\u001e5fIV\u001bXM\u001d\t\u0005\u0003#\tY$\u0003\u0003\u0002>\u0005M!!E!vi\",g\u000e^5dCR,G-V:fe\u0006y1-Y2iKZ\u000bG.\u001b3bi&|g.\u0006\u0002\u00020\u0005q\u0011\r]5He\u0006\u001cW\rU3sS>$WCAA$!\r9\u0015\u0011J\u0005\u0004\u0003\u0017B%\u0001\u0002'p]\u001e\fq\"Y;uQ\u000e\u000bG\u000e\u001c2bG.,&\u000f\\\u0001\u0006\u001f\u0006+H\u000f[\u000b\u0003\u0003'\u0002B!!\u0016\u0002\\5\u0011\u0011q\u000b\u0006\u0004\u00033r\u0014aB:feZL7-Z\u0005\u0005\u0003;\n9FA\u0003P\u0003V$\b.A\bbaBd\u0017nY1uS>tg*Y7f\u0003IiW\u000f\u001c;jM\u0006\u001cGo\u001c:DQ\u0016\u001c7.\u001a:\u0016\u0005\u0005\u0015\u0004#B$\u0002h\u0005-\u0014bAA5\u0011\n1q\n\u001d;j_:\u0004B!!\u0016\u0002n%!\u0011qNA,\u0005U9un\\4mKJ2\u0015i\u0012:pkB\u001c\u0005.Z2lKJ\f\u0001\u0003T(H\u0013:{vJU%H\u0013:{6*R-\u0016\u0005\u0005U\u0004\u0003BA<\u0003\u0003k!!!\u001f\u000b\t\u0005m\u0014QP\u0001\u0005Y\u0006twM\u0003\u0002\u0002��\u0005!!.\u0019<b\u0013\u0011\t)!!\u001f\u0002!\u0005sE+S0G\u001fJ;UIU-`\u0017\u0016K\u0016AB2p_.LW\r\u0006\u0004\u0002\n\u0006=\u00151\u0013\t\u0004Y\u0006-\u0015bAAG[\n11i\\8lS\u0016Da!!%\u0014\u0001\u0004I\u0018\u0001\u00028b[\u0016Da!!&\u0014\u0001\u0004I\u0018!\u0002<bYV,\u0017A\u00043jg\u000e\f'\u000fZ\"p_.LWm]\u000b\u0003\u00037\u0003b!!(\u0002$\u0006\u001dVBAAP\u0015\r\t\t\u000bS\u0001\u000bG>dG.Z2uS>t\u0017\u0002BAS\u0003?\u00131aU3r!\ra\u0017\u0011V\u0005\u0004\u0003Wk'\u0001\u0005#jg\
u000e\f'\u000fZ5oO\u000e{wn[5f\u0003-\u0019XM\u001c3G_J\fU\u000f\u001e5\u0016\t\u0005E\u0016q\u001a\u000b\u0007\u0003g\u000by,!3\u0011\r\u0005\u0005\u0012QWA]\u0013\u0011\t9,a\t\u0003\r\u0019+H/\u001e:f!\ra\u00171X\u0005\u0004\u0003{k'A\u0002*fgVdG\u000fC\u0004\u0002BV\u0001\u001d!a1\u0002\u000fI,\u0017/^3tiB\u0019A.!2\n\u0007\u0005\u001dWNA\u0007SKF,Xm\u001d;IK\u0006$WM\u001d\u0005\n\u0003\u0017,\u0002\u0013!a\u0002\u0003\u001b\fQ!Z7bS2\u0004BaRA4s\u00129\u0011\u0011[\u000bC\u0002\u0005M'!A!\u0012\t\u0005U\u00171\u001c\t\u0004\u000f\u0006]\u0017bAAm\u0011\n9aj\u001c;iS:<\u0007cA$\u0002^&\u0019\u0011q\u001c%\u0003\u0007\u0005s\u00170A\u000btK:$gi\u001c:BkRDG\u0005Z3gCVdG\u000f\n\u001a\u0016\t\u0005\u0015\u00181`\u000b\u0003\u0003OTC!!4\u0002j.\u0012\u00111\u001e\t\u0005\u0003[\f90\u0004\u0002\u0002p*!\u0011\u0011_Az\u0003%)hn\u00195fG.,GMC\u0002\u0002v\"\u000b!\"\u00198o_R\fG/[8o\u0013\u0011\tI0a<\u0003#Ut7\r[3dW\u0016$g+\u0019:jC:\u001cW\rB\u0004\u0002RZ\u0011\r!a5\u0002!\rDWmY6Nk2$\u0018NZ1di>\u0014H\u0003BA\u0018\u0005\u0003Aq!a\u000e\u0018\u0001\u0004\tI$A\ntQ><XK\\1vi\",G-T3tg\u0006<W\r\u0006\u0003\u0003\b\t-A\u0003BA]\u0005\u0013Aq!!1\u0019\u0001\b\t\u0019\r\u0003\u0004\u0003\u000ea\u0001\r!_\u0001\b[\u0016\u001c8/Y4f\u0003IIgN^1mS\u0012,6/\u001a:NKN\u001c\u0018mZ3\u0015\u0007e\u0014\u0019\u0002C\u0004\u0003\u0016e\u0001\r!!\u000f\u0002\u0017\rd\u0017-[7fI\u0006+H\u000f[\u0001\u0015aJ|7-Z:t\u001f\u0006+H\u000f[\"bY2\u0014\u0017mY6\u0015\u0005\tmA\u0003BAZ\u0005;Aq!!1\u001b\u0001\b\t\u0019-A\u0007qe>\u001cWm]:M_\u001e|W\u000f\u001e\u000b\u0005\u0003s\u0013\u0019\u0003C\u0004\u0002Bn\u0001\u001d!a1\u0002+I,\u0017\rZ!vi\",g\u000e^5dCR,G-V:feR!!\u0011\u0006B\u0016!\u00159\u0015qMA\u001d\u0011\u001d\t\t\r\ba\u0001\u0003\u0007\f!B]3bI\u000e{wn[5f)\u0011\u0011\tDa\r\u0011\u000b\u001d\u000b9'!#\t\u000f\u0005\u0005W\u00041\u0001\u0002D\u0006qq-\u001a8fe\u0006$XmQ8pW&,G\u0003BAE\u0005sAq!a\u000e\u001f\u0001\u0004\tI$A\u000bj]\u000edW\u000fZ3TsN$X-\\%o\u0007>|7.[3\u0015\
t\t}\"Q\t\u000b\u0005\u0003s\u0013\t\u0005C\u0004\u0003D}\u0001\r!!/\u0002\rI,7/\u001e7u\u0011\u001d\t9d\ba\u0001\u0003s\t1B\u001a7vg\"\u001cun\\6jKR!\u0011\u0011\u0018B&\u0011\u001d\u0011\u0019\u0005\ta\u0001\u0003s\u000b1\"\u001a=ue\u0006\u001cG/Q;uQR!!\u0011\u000bB,!\u0011\t\tBa\u0015\n\t\tU\u00131\u0003\u0002\u0015\u0003V$\b.\u001a8uS\u000e\fG/[8o'R\fG/^:\t\u000f\u0005\u0005\u0017\u00051\u0001\u0002D\u0006Q\u0011)\u001e;i\u0003\u000e$\u0018n\u001c8\u0011\u0007\tu3%D\u0001\u0001\u0005)\tU\u000f\u001e5BGRLwN\\\n\u0005G\u0019\u0013\u0019\u0007E\u0004m\u0005K\u0012IG!\u001d\n\u0007\t\u001dTNA\u0007BGRLwN\u001c\"vS2$WM\u001d\t\u0005\u0005W\u0012i'D\u0001=\u0013\r\u0011y\u0007\u0010\u0002\f+N,'OU3rk\u0016\u001cH\u000fE\u0002m\u0005gJ1A!\u001en\u0005)\te._\"p]R,g\u000e^\u0001\u0007y%t\u0017\u000e\u001e \u0015\u0005\tm\u0013A\u00029beN,'/\u0006\u0002\u0003��A)AN!!\u0003r%\u0019!1Q7\u0003\u0015\t{G-\u001f)beN,'/\u0001\tfq\u0016\u001cW\u000f^5p]\u000e{g\u000e^3yi\u0006Y\u0011N\u001c<pW\u0016\u0014En\\2l+\u0011\u0011YI!'\u0015\r\u0005M&Q\u0012BN\u0011\u001d\t\tm\na\u0001\u0005\u001f\u0003R\u0001\u001cBI\u0005+K1Aa%n\u0005\u001d\u0011V-];fgR\u0004BAa&\u0003\u001a2\u0001AaBAiO\t\u0007\u00111\u001b\u0005\b\u0005;;\u0003\u0019\u0001BP\u0003\u0015\u0011Gn\\2l!\u001d9%\u0011\u0015BS\u0003gK1Aa)I\u0005%1UO\\2uS>t\u0017\u0007\u0005\u0004\u0003l\t5$QS\u0001\u000e\u0003BK\u0015)\u001e;i\u0003\u000e$\u0018n\u001c8\u0011\u0007\tu\u0013FA\u0007B!&\u000bU\u000f\u001e5BGRLwN\\\n\u0007S\u0019\u0013yKa7\u0011\u0007\tu\u0013GA\u000bBEN$(/Y2u\u0003BL\u0017)\u001e;i\u0003\u000e$\u0018n\u001c8\u0014\tE2%1M\u0001\u0017]>$\u0018)\u001e;iK:$\u0018nY1uK\u0012\u0014Vm];miV\u0011\u0011\u0011X\u0001\u0014S:4\u0018\r\\5e\u0007>|7.[3SKN,H\u000e^\u0001\u000eKb\u0004\u0018N]3e%\u0016\u001cX\u000f\u001c;\u0002'9|G/Q;uQ>\u0014\u0018N_3e%\u0016\u001cX\u000f\u001c;\u0016\t\t\u0005'\u0011\u001a\u000b\u0007\u0003g\u0013\u0019Ma3\t\u000f\u0005\u0005\u0017\b1\u0001\u0003FB)AN!%\u0003HB!!q\u0013Be\t\u001d\t\t.\u0
00fb\u0001\u0003'DqA!(:\u0001\u0004\u0011i\rE\u0004H\u0005C\u0013y-a-\u0011\r\t-$Q\u000eBd\u0003a\u0011Xm\u001d9p]N,w+\u001b;i'f\u001cH/Z7D_>\\\u0017.\u001a\u000b\u0007\u0003g\u0013)N!7\t\u000f\t]'\b1\u0001\u00024\u0006A!/Z:q_:\u001cX\rC\u0004\u00028i\u0002\r!!\u000f\u0011\u0007\tu3FA\nQY\u0006Lg.\u0012:s_J\u0014Vm\u001d9p]N,7o\u0005\u0002,\rV\u0011!1\u001d\t\u0005\u0005K\u00149P\u0004\u0003\u0003h\nMh\u0002\u0002Bu\u0005ctAAa;\u0003p:\u0019AP!<\n\u0003\u0019L!\u0001Z3\n\u00059\u001c\u0017b\u0001B{[\u00069!+Z:vYR\u001c\u0018\u0002\u0002B}\u0005w\u0014aa\u0015;biV\u001c\u0018b\u0001B\u007f[\n9!+Z:vYR\u001cHC\u0001BU\u0001")
/* loaded from: input_file:com/gu/pandomainauth/action/AuthActions.class */
/**
 * Play action helpers for pan-domain authentication, decompiled from the Scala trait in
 * Actions.scala. Synthetic names such as {@code com$gu$...$$outer()} and {@code mo4...} are
 * compiler/decompiler artefacts, and this listing is not guaranteed to compile as Java.
 *
 * <p>Implementors supply the HTTP client, controller components, settings refresher, OAuth
 * callback URL and the {@link #validateUser} policy. The trait reads and writes the shared auth
 * cookie, drives the OAuth redirect and callback, and exposes action builders that gate requests
 * on the cookie's {@link AuthenticationStatus}.
 */
public interface AuthActions {

    /* compiled from: Actions.scala */
    /* loaded from: input_file:com/gu/pandomainauth/action/AuthActions$AbstractApiAuthAction.class */
    /**
     * Action builder for API endpoints: it never redirects to the OAuth provider. A request that
     * is not authenticated gets one of the four abstract error results; an authenticated request
     * reaches the wrapped block as a {@code UserRequest}.
     */
    public interface AbstractApiAuthAction extends ActionBuilder<UserRequest, AnyContent> {
        /** Returns the default body parser from the enclosing trait's controller components. */
        default BodyParser<AnyContent> parser() {
            return com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().controllerComponents().parsers().default();
        }

        /** Returns the execution context from the enclosing trait's controller components. */
        default ExecutionContext executionContext() {
            return com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().controllerComponents().executionContext();
        }

        /* renamed from: notAuthenticatedResult */
        /** Result returned when the request carries no auth cookie. */
        Result mo4notAuthenticatedResult();

        /* renamed from: invalidCookieResult */
        /** Result returned when the auth cookie could not be checked; the cookie is also discarded. */
        Result mo3invalidCookieResult();

        /* renamed from: expiredResult */
        /** Result returned when the login has expired and no grace period applies. */
        Result mo2expiredResult();

        /* renamed from: notAuthorizedResult */
        /** Result returned when the cookie is readable but the user is not authorized. */
        Result mo1notAuthorizedResult();

        /**
         * Classifies the request with {@code extractAuth} and either runs {@code function1} or
         * returns the matching error result.
         *
         * <p>The block runs only for {@code Authenticated} and {@code GracePeriod}. Every other
         * status returns an error result without calling the block, so this method fails closed.
         * The status codes named in the log messages (401, 419, 403) describe intent only: the
         * real responses come from the abstract result methods, so an implementor can return
         * something else.
         *
         * @param request   the incoming request
         * @param function1 the wrapped action body, called with the authenticated user attached
         * @return the block's result, or the error result for the detected status
         * @throws MatchError if {@code extractAuth} returns a status not handled below
         */
        default <A> Future<Result> invokeBlock(Request<A> request, Function1<UserRequest<A>, Future<Result>> function1) {
            Future<Result> responseWithSystemCookie;
            // Decompiler artefact: the local is typed InvalidCookie, but extractAuth is declared
            // to return AuthenticationStatus and the branches below test for every subtype.
            InvalidCookie extractAuth = com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().extractAuth(request);
            if (NotAuthenticated$.MODULE$.equals(extractAuth)) {
                // No auth cookie on the request.
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(new StringBuilder(36).append("user not authed against ").append(com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$domain()).append(", return 401").toString());
                responseWithSystemCookie = Future$.MODULE$.apply(() -> {
                    return this.mo4notAuthenticatedResult();
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
            } else if (extractAuth instanceof InvalidCookie) {
                // Cookie present but could not be checked: log the cause at WARN and discard the
                // cookie so the client stops replaying it.
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().warn("error checking user's auth, clear cookie and return 401", extractAuth.exception());
                responseWithSystemCookie = Future$.MODULE$.apply(() -> {
                    return this.mo3invalidCookieResult();
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec()).map(result -> {
                    return this.com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().flushCookie(result);
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
            } else if (extractAuth instanceof Expired) {
                // The user's e-mail address is written to the debug log here and in the
                // grace-period branch below.
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(new StringBuilder(31).append("user ").append(((Expired) extractAuth).authedUser().user().email()).append(" login expired, return 419").toString());
                responseWithSystemCookie = Future$.MODULE$.apply(() -> {
                    return this.mo2expiredResult();
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
            } else if (extractAuth instanceof GracePeriod) {
                // Expired login that is still inside the grace period: the block runs exactly as
                // for a fully authenticated user. The window comes from apiGracePeriod(), which
                // defaults to 0.
                AuthenticatedUser authedUser = ((GracePeriod) extractAuth).authedUser();
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(new StringBuilder(43).append("user ").append(authedUser.user().email()).append(" login expired but is in grace period.").toString());
                responseWithSystemCookie = responseWithSystemCookie((Future) function1.apply(new UserRequest(authedUser.user(), request)), authedUser);
            } else if (extractAuth instanceof NotAuthorized) {
                AuthenticatedUser authedUser2 = ((NotAuthorized) extractAuth).authedUser();
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug("user not authorized, return 403");
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().invalidUserMessage(authedUser2));
                responseWithSystemCookie = Future$.MODULE$.apply(() -> {
                    return this.mo1notAuthorizedResult();
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
            } else {
                // Exhaustiveness guard from the Scala pattern match: an unhandled status throws
                // instead of falling through to the block.
                if (!(extractAuth instanceof Authenticated)) {
                    throw new MatchError(extractAuth);
                }
                AuthenticatedUser authedUser3 = ((Authenticated) extractAuth).authedUser();
                responseWithSystemCookie = responseWithSystemCookie((Future) function1.apply(new UserRequest(authedUser3.user(), request)), authedUser3);
            }
            return responseWithSystemCookie;
        }

        /**
         * Re-issues the auth cookie with this system added when the user's cookie does not list
         * it yet; otherwise returns {@code future} unchanged.
         *
         * @param future            the pending result of the wrapped block
         * @param authenticatedUser the user read from the cookie
         * @return the same result, with an updated cookie attached when this system was missing
         */
        default Future<Result> responseWithSystemCookie(Future<Result> future, AuthenticatedUser authenticatedUser) {
            // authenticatedIn() is the set of systems the cookie already covers.
            if (authenticatedUser.authenticatedIn().apply(com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$system())) {
                return future;
            }
            com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(new StringBuilder(51).append("user ").append(authenticatedUser.user().email()).append(" from other system valid: adding validity in ").append(com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$system()).append(".").toString());
            return future.map(result -> {
                return this.com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().includeSystemInCookie(authenticatedUser, result);
            }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
        }

        /* synthetic */ AuthActions com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer();

        /** Scala trait initializer; it has nothing to set up for this trait. */
        static void $init$(AbstractApiAuthAction abstractApiAuthAction) {
        }
    }

    /* compiled from: Actions.scala */
    /* loaded from: input_file:com/gu/pandomainauth/action/AuthActions$PlainErrorResponses.class */
    /**
     * Default body-less error results: 401 for a missing or invalid cookie, 419 for an expired
     * login and 403 for an unauthorized user (values assigned in {@code $init$}).
     */
    public interface PlainErrorResponses {
        void com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$notAuthenticatedResult_$eq(Results.Status status);

        void com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$invalidCookieResult_$eq(Results.Status status);

        void com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$expiredResult_$eq(Results.Status status);

        void com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$notAuthorizedResult_$eq(Results.Status status);

        Results.Status notAuthenticatedResult();

        Results.Status invalidCookieResult();

        Results.Status expiredResult();

        Results.Status notAuthorizedResult();

        /* synthetic */ AuthActions com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$$$outer();

        /** Scala trait initializer: assigns the four default status results. */
        static void $init$(PlainErrorResponses plainErrorResponses) {
            plainErrorResponses.com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$notAuthenticatedResult_$eq(Results$.MODULE$.Unauthorized());
            plainErrorResponses.com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$invalidCookieResult_$eq(Results$.MODULE$.Unauthorized());
            // Play has no named helper for 419, so the status is built from the raw code.
            plainErrorResponses.com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$expiredResult_$eq(new Results.Status(Results$.MODULE$, 419));
            plainErrorResponses.com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$notAuthorizedResult_$eq(Results$.MODULE$.Forbidden());
        }
    }

    AuthActions$AuthAction$ AuthAction();

    AuthActions$APIAuthAction$ APIAuthAction();

    // Synthetic setters the Scala compiler generates for the trait's vals; $init$ calls them.
    void com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$logger_$eq(Logger logger);

    void com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$ec_$eq(ExecutionContext executionContext);

    void com$gu$pandomainauth$action$AuthActions$_setter_$OAuth_$eq(OAuth oAuth);

    void com$gu$pandomainauth$action$AuthActions$_setter_$applicationName_$eq(String str);

    void com$gu$pandomainauth$action$AuthActions$_setter_$multifactorChecker_$eq(Option<Google2FAGroupChecker> option);

    void com$gu$pandomainauth$action$AuthActions$_setter_$LOGIN_ORIGIN_KEY_$eq(String str);

    void com$gu$pandomainauth$action$AuthActions$_setter_$ANTI_FORGERY_KEY_$eq(String str);

    Logger com$gu$pandomainauth$action$AuthActions$$logger();

    /** HTTP client passed to the OAuth helper for calls to the provider. */
    WSClient wsClient();

    /** Play controller components; source of the body parsers and the execution context. */
    ControllerComponents controllerComponents();

    /** Settings source: system name, domain, keys, cookie settings, bucket name and S3 client. */
    PanDomainAuthSettingsRefresher panDomainSettings();

    /** Name of this system, as recorded in the cookie's set of authenticated systems. */
    default String com$gu$pandomainauth$action$AuthActions$$system() {
        return panDomainSettings().system();
    }

    /** Cookie domain used when issuing and discarding the auth cookie. */
    default String com$gu$pandomainauth$action$AuthActions$$domain() {
        return panDomainSettings().domain();
    }

    /** Current settings from the refresher, read on every call rather than cached here. */
    private default PanDomainAuthSettings settings() {
        return panDomainSettings().settings();
    }

    ExecutionContext com$gu$pandomainauth$action$AuthActions$$ec();

    /**
     * Application-specific authorization policy. It is checked in the OAuth callback and passed
     * to {@code PanDomain.authStatus} on every {@code extractAuth} call.
     *
     * @param authenticatedUser the user to authorize
     * @return true if the user may use this system
     */
    boolean validateUser(AuthenticatedUser authenticatedUser);

    /** Flag passed to {@code PanDomain.authStatus}; defaults to false. */
    default boolean cacheValidation() {
        return false;
    }

    /**
     * Grace period passed to {@code PanDomain.authStatus}; defaults to 0. While a request is in
     * the grace period, API actions still run the block for an expired login.
     */
    default long apiGracePeriod() {
        return 0L;
    }

    /** Callback URL given to the {@code OAuth} helper when it is constructed. */
    String authCallbackUrl();

    OAuth OAuth();

    String applicationName();

    /** Optional 2FA group checker; when empty, {@code checkMultifactor} returns false. */
    Option<Google2FAGroupChecker> multifactorChecker();

    /** Name of the cookie that holds the URI to return to after login. */
    String LOGIN_ORIGIN_KEY();

    /** Name of the cookie that holds the OAuth anti-forgery token. */
    String ANTI_FORGERY_KEY();

    /**
     * Builds a transient cookie for the OAuth round trip, with the value URL-encoded as UTF-8.
     * By Play's {@code Cookie} parameter order the flags are secure=true, httpOnly=true and
     * SameSite=None; maxAge, path and domain keep the library defaults. The value is neither
     * signed nor encrypted here.
     */
    private default Cookie cookie(String str, String str2) {
        return new Cookie(str, URLEncoder.encode(str2, "UTF-8"), Cookie$.MODULE$.apply$default$3(), Cookie$.MODULE$.apply$default$4(), Cookie$.MODULE$.apply$default$5(), true, true, new Some(Cookie$SameSite$None$.MODULE$));
    }

    /** Discarding cookies (secure flag set) for the two transient OAuth cookies. */
    default Seq<DiscardingCookie> com$gu$pandomainauth$action$AuthActions$$discardCookies() {
        return new $colon.colon<>(new DiscardingCookie(LOGIN_ORIGIN_KEY(), DiscardingCookie$.MODULE$.apply$default$2(), DiscardingCookie$.MODULE$.apply$default$3(), true), new $colon.colon(new DiscardingCookie(ANTI_FORGERY_KEY(), DiscardingCookie$.MODULE$.apply$default$2(), DiscardingCookie$.MODULE$.apply$default$3(), true), Nil$.MODULE$));
    }

    /**
     * Starts the OAuth flow: generates an anti-forgery token, asks the {@code OAuth} helper for
     * the redirect to the provider, and attaches two cookies to that redirect: the token and
     * the URI of the current request, which the callback later redirects back to.
     *
     * @param requestHeader the request that triggered authentication
     * @param option        optional value forwarded to {@code redirectToOAuthProvider}
     *                      (the Scala signature names it {@code email}; TODO confirm its use)
     * @return the redirect result with both transient cookies set
     */
    default <A> Future<Result> sendForAuth(RequestHeader requestHeader, Option<String> option) {
        String generateAntiForgeryToken = OAuth().generateAntiForgeryToken();
        return OAuth().redirectToOAuthProvider(generateAntiForgeryToken, option, com$gu$pandomainauth$action$AuthActions$$ec(), requestHeader, wsClient()).map(result -> {
            return result.withCookies(Predef$.MODULE$.wrapRefArray(new Cookie[]{this.cookie(this.ANTI_FORGERY_KEY(), generateAntiForgeryToken), this.cookie(this.LOGIN_ORIGIN_KEY(), requestHeader.uri())}));
        }, com$gu$pandomainauth$action$AuthActions$$ec());
    }

    /** Default for the second parameter of {@code sendForAuth}: no value. */
    default <A> Option<String> sendForAuth$default$2() {
        return None$.MODULE$;
    }

    /**
     * Asks the configured 2FA group checker about the user.
     *
     * @return the checker's answer, or false when no checker is configured
     */
    default boolean checkMultifactor(AuthenticatedUser authenticatedUser) {
        return multifactorChecker().exists(google2FAGroupChecker -> {
            return BoxesRunTime.boxToBoolean($anonfun$checkMultifactor$1(authenticatedUser, google2FAGroupChecker));
        });
    }

    /**
     * Logs {@code str} at INFO and returns an empty 403. The message goes to the log only, not
     * to the client; {@code requestHeader} is unused in this default implementation.
     */
    default Result showUnauthedMessage(String str, RequestHeader requestHeader) {
        com$gu$pandomainauth$action$AuthActions$$logger().info(str);
        return Results$.MODULE$.Forbidden();
    }

    /** Builds the log message for a user who failed validation; it contains the user's e-mail. */
    default String invalidUserMessage(AuthenticatedUser authenticatedUser) {
        return new StringBuilder(20).append("user ").append(authenticatedUser.user().email()).append(" not valid for ").append(com$gu$pandomainauth$action$AuthActions$$system()).toString();
    }

    /**
     * Handles the OAuth provider's callback. It reads the anti-forgery token and the original URI
     * from their cookies, has the {@code OAuth} helper validate the identity, merges in any
     * existing auth cookie, applies {@link #validateUser}, and on success redirects to the
     * original URI with a fresh auth cookie while discarding the two transient cookies.
     *
     * <p>NOTE(review): the redirect target comes from the LOGIN_ORIGIN_KEY cookie. The browser
     * holds that cookie, and {@code cookie(...)} neither signs nor encrypts it. This method does
     * not check that the value is still a same-site path before passing it to {@code Redirect}.
     * Confirm that a check exists elsewhere, or restrict the target before redirecting.
     *
     * <p>NOTE(review): on re-auth, the systems listed in the existing cookie are merged into the
     * newly authenticated user, and this method does not compare the two identities. Whether
     * {@code parseCookieData} rejects a bad signature or an expired cookie is not visible here.
     * Confirm that the merge is intended when the old cookie belongs to a different account.
     *
     * @param requestHeader the callback request
     * @return a redirect to the original URI, or a 403 when {@code validateUser} rejects the user
     * @throws OAuthException if the anti-forgery cookie or the original-URI cookie is missing
     */
    default Future<Result> processOAuthCallback(RequestHeader requestHeader) {
        // Anti-forgery token as stored by sendForAuth; it is handed to validatedUserIdentity below.
        String str = (String) requestHeader.cookies().get(ANTI_FORGERY_KEY()).map(cookie -> {
            return URLDecoder.decode(cookie.value(), "UTF-8");
        }).getOrElse(() -> {
            throw new OAuthException("missing anti forgery token", OAuthException$.MODULE$.$lessinit$greater$default$2());
        });
        // Post-login redirect target, read back from a client-held cookie (see NOTE above).
        String str2 = (String) requestHeader.cookies().get(LOGIN_ORIGIN_KEY()).map(cookie2 -> {
            return URLDecoder.decode(cookie2.value(), "UTF-8");
        }).getOrElse(() -> {
            throw new OAuthException("missing original url", OAuthException$.MODULE$.$lessinit$greater$default$2());
        });
        Option<Cookie> readCookie = readCookie(requestHeader);
        return OAuth().validatedUserIdentity(str, requestHeader, com$gu$pandomainauth$action$AuthActions$$ec(), wsClient()).map(authenticatedUser -> {
            AuthenticatedUser copy;
            if (readCookie instanceof Some) {
                // Re-auth: keep the systems from the existing cookie and add this one. The second
                // copy argument (presumably the authenticating system, TODO confirm) is set to
                // this system, and the multifactor flag is recomputed.
                AuthenticatedUser parseCookieData = CookieUtils$.MODULE$.parseCookieData(((Cookie) ((Some) readCookie).value()).value(), this.settings().publicKey());
                this.com$gu$pandomainauth$action$AuthActions$$logger().debug("user re-authed, merging auth data");
                copy = authenticatedUser.copy(authenticatedUser.copy$default$1(), this.com$gu$pandomainauth$action$AuthActions$$system(), parseCookieData.authenticatedIn().$plus$plus(Predef$.MODULE$.Set().apply(Predef$.MODULE$.wrapRefArray(new String[]{this.com$gu$pandomainauth$action$AuthActions$$system()}))), authenticatedUser.copy$default$4(), this.checkMultifactor(authenticatedUser));
            } else {
                if (!None$.MODULE$.equals(readCookie)) {
                    throw new MatchError(readCookie);
                }
                // Fresh login: only the multifactor flag is recomputed.
                this.com$gu$pandomainauth$action$AuthActions$$logger().debug("fresh user login");
                copy = authenticatedUser.copy(authenticatedUser.copy$default$1(), authenticatedUser.copy$default$2(), authenticatedUser.copy$default$3(), authenticatedUser.copy$default$4(), this.checkMultifactor(authenticatedUser));
            }
            // Decompiler artefact: this local redeclares the lambda parameter's name, which is
            // not legal Java; in the Scala source it is a separate binding.
            AuthenticatedUser authenticatedUser = copy;
            // Authorization gate: no auth cookie is issued unless validateUser accepts the user.
            if (!this.validateUser(authenticatedUser)) {
                return this.showUnauthedMessage(this.invalidUserMessage(authenticatedUser), requestHeader);
            }
            return Results$.MODULE$.Redirect(str2, Results$.MODULE$.Redirect$default$2(), Results$.MODULE$.Redirect$default$3()).withCookies(Predef$.MODULE$.wrapRefArray(new Cookie[]{this.generateCookie(authenticatedUser)})).discardingCookies(this.com$gu$pandomainauth$action$AuthActions$$discardCookies());
        }, com$gu$pandomainauth$action$AuthActions$$ec());
    }

    /**
     * Logs the user out of this domain by discarding the auth cookie. The response is the 403
     * from {@code showUnauthedMessage}, and "logged out" is written to the log at INFO.
     */
    default Result processLogout(RequestHeader requestHeader) {
        return flushCookie(showUnauthedMessage("logged out", requestHeader));
    }

    /**
     * Parses the auth cookie, if present, with the configured public key.
     *
     * <p>NOTE(review): this method does not call {@link #validateUser} and makes no expiry
     * check of its own; whether {@code parseCookieData} checks expiry is not visible here. Use
     * {@link #extractAuth} for access decisions.
     */
    default Option<AuthenticatedUser> readAuthenticatedUser(RequestHeader requestHeader) {
        return readCookie(requestHeader).map(cookie -> {
            return CookieUtils$.MODULE$.parseCookieData(cookie.value(), this.settings().publicKey());
        });
    }

    /** Returns the raw auth cookie, looked up by the cookie name from the current settings. */
    default Option<Cookie> readCookie(RequestHeader requestHeader) {
        return requestHeader.cookies().get(settings().cookieSettings().cookieName());
    }

    /**
     * Builds the auth cookie for a user. The value comes from
     * {@code CookieUtils.generateCookieData} with the private key, and the cookie is scoped to
     * the configured domain. By Play's {@code Cookie} parameter order the flags are secure=true
     * and httpOnly=true; maxAge, path and SameSite keep the library defaults.
     */
    default Cookie generateCookie(AuthenticatedUser authenticatedUser) {
        return new Cookie(settings().cookieSettings().cookieName(), CookieUtils$.MODULE$.generateCookieData(authenticatedUser, settings().privateKey()), Cookie$.MODULE$.apply$default$3(), Cookie$.MODULE$.apply$default$4(), new Some(com$gu$pandomainauth$action$AuthActions$$domain()), true, true, Cookie$.MODULE$.apply$default$8());
    }

    /**
     * Attaches to {@code result} a re-issued auth cookie whose set of authenticated systems
     * includes this system; all other user fields are copied unchanged.
     */
    default Result includeSystemInCookie(AuthenticatedUser authenticatedUser, Result result) {
        return result.withCookies(Predef$.MODULE$.wrapRefArray(new Cookie[]{generateCookie(authenticatedUser.copy(authenticatedUser.copy$default$1(), authenticatedUser.copy$default$2(), authenticatedUser.authenticatedIn().$plus(com$gu$pandomainauth$action$AuthActions$$system()), authenticatedUser.copy$default$4(), authenticatedUser.copy$default$5()))}));
    }

    /**
     * Adds a discard instruction for the auth cookie to {@code result}. It uses the same cookie
     * name and domain as {@code generateCookie}, with the secure flag set.
     */
    default Result flushCookie(Result result) {
        return result.discardingCookies(Predef$.MODULE$.wrapRefArray(new DiscardingCookie[]{new DiscardingCookie(settings().cookieSettings().cookieName(), DiscardingCookie$.MODULE$.apply$default$2(), new Some(com$gu$pandomainauth$action$AuthActions$$domain()), true)}));
    }

    /**
     * Classifies the request's authentication state. With no auth cookie the result is
     * {@code NotAuthenticated}. Otherwise the decision is delegated to
     * {@code PanDomain.authStatus}, which receives the cookie value, the public key,
     * {@link #validateUser}, the API grace period, this system's name and the cache-validation
     * flag.
     */
    default AuthenticationStatus extractAuth(RequestHeader requestHeader) {
        return (AuthenticationStatus) readCookie(requestHeader).map(cookie -> {
            return PanDomain$.MODULE$.authStatus(cookie.value(), this.settings().publicKey(), authenticatedUser -> {
                return BoxesRunTime.boxToBoolean(this.validateUser(authenticatedUser));
            }, this.apiGracePeriod(), this.com$gu$pandomainauth$action$AuthActions$$system(), this.cacheValidation());
        }).getOrElse(() -> {
            return NotAuthenticated$.MODULE$;
        });
    }

    /** Synthetic lambda body for {@code checkMultifactor}. */
    static /* synthetic */ boolean $anonfun$checkMultifactor$1(AuthenticatedUser authenticatedUser, Google2FAGroupChecker google2FAGroupChecker) {
        return google2FAGroupChecker.checkMultifactor(authenticatedUser);
    }

    /**
     * Scala trait initializer. It sets the logger, the execution context, the {@code OAuth}
     * helper (built from the OAuth settings, system name and callback URL), the application name
     * {@code "pan-domain-authentication-" + system}, the optional 2FA group checker and the two
     * transient cookie names.
     */
    static void $init$(AuthActions authActions) {
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$logger_$eq(LoggerFactory.getLogger(authActions.getClass()));
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$ec_$eq(authActions.controllerComponents().executionContext());
        // The OAuth helper is built once, from the settings as they are at initialization.
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$OAuth_$eq(new OAuth(authActions.settings().oAuthSettings(), authActions.com$gu$pandomainauth$action$AuthActions$$system(), authActions.authCallbackUrl()));
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$applicationName_$eq(new StringBuilder(26).append("pan-domain-authentication-").append(authActions.com$gu$pandomainauth$action$AuthActions$$system()).toString());
        // The checker exists only when 2FA group settings are configured.
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$multifactorChecker_$eq(authActions.settings().google2FAGroupSettings().map(google2FAGroupSettings -> {
            return new Google2FAGroupChecker(google2FAGroupSettings, authActions.panDomainSettings().bucketName(), authActions.panDomainSettings().s3Client(), authActions.applicationName());
        }));
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$LOGIN_ORIGIN_KEY_$eq("panda-loginOriginUrl");
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$ANTI_FORGERY_KEY_$eq("panda-antiForgeryToken");
    }
}
