package org.spincast.plugins.formsprotection.csrf;

import com.google.inject.Inject;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.spincast.core.config.SpincastConfig;
import org.spincast.core.dictionary.Dictionary;
import org.spincast.core.exceptions.PublicExceptionDefault;
import org.spincast.core.exchange.RequestContext;
import org.spincast.core.json.JsonObject;
import org.spincast.core.routing.HttpMethod;
import org.spincast.core.utils.SpincastStatics;
import org.spincast.plugins.crypto.SpincastCryptoUtils;
import org.spincast.plugins.formsprotection.config.SpincastFormsProtectionConfig;
import org.spincast.plugins.formsprotection.dictionary.SpincastFormsProtectionPluginDictionaryEntries;
import org.spincast.plugins.formsprotection.exceptions.FormInvalidCsrfTokenException;
import org.spincast.plugins.formsprotection.exceptions.FormInvalidOriginException;
import org.spincast.plugins.session.SpincastSession;
import org.spincast.plugins.session.SpincastSessionFilter;
import org.spincast.plugins.session.SpincastSessionManager;

/* loaded from: input_file:org/spincast/plugins/formsprotection/csrf/SpincastFormsCsrfProtectionFilterDefault.class */
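/**
 * Default CSRF protection filter for form submissions.
 *
 * <p>The filter is a no-op for resource routes and for the "safe" HTTP methods
 * ({@code GET}, {@code HEAD}, {@code OPTIONS}, {@code CONNECT}). For every other
 * method it requires:
 * <ol>
 *   <li>a CSRF token already stored in the current session
 *       ({@link SpincastFormsProtectionConfig#SESSION_VARIABLE_NAME_CSRF_TOKEN}),</li>
 *   <li>the same token submitted by the client, either as a form field or as a
 *       query-string parameter named by
 *       {@link SpincastFormsProtectionConfig#getFormCsrfProtectionIdFieldName()},</li>
 *   <li>an {@code Origin} header (or, when absent, a {@code Referer} header) whose host
 *       matches {@link SpincastConfig#getPublicServerHost()} (case-insensitive).</li>
 * </ol>
 * Any failed check is routed through {@link #csrfDoesntMatchAction(RequestContext, String)},
 * which by default responds with HTTP 400.
 *
 * <p>A {@link SpincastSessionFilter} must run before this filter: a request without a
 * current session is a configuration error, not a CSRF failure.
 *
 * <p>Only the host of the {@code Origin}/{@code Referer} URI is compared; scheme and
 * port are not part of the check.
 */
public class SpincastFormsCsrfProtectionFilterDefault implements SpincastFormsCsrfProtectionFilter {

    protected final Logger logger = LoggerFactory.getLogger(SpincastFormsCsrfProtectionFilterDefault.class);
    private final SpincastFormsProtectionConfig spincastFormsProtectionConfig;
    private final SpincastCryptoUtils spincastCryptoUtils;
    private final SpincastSessionManager spincastSessionManager;
    private final SpincastConfig spincastConfig;
    private final Dictionary dictionary;

    /**
     * Creates the filter with its collaborators (injected by Guice).
     *
     * @param spincastFormsProtectionConfig plugin configuration (field name of the token)
     * @param spincastCryptoUtils crypto helpers (kept for subclasses; unused by the default checks)
     * @param spincastSessionManager access to the current session holding the token
     * @param spincastConfig core configuration (public server host used for origin checks)
     * @param dictionary localized error messages
     */
    @Inject
    public SpincastFormsCsrfProtectionFilterDefault(SpincastFormsProtectionConfig spincastFormsProtectionConfig,
                                                    SpincastCryptoUtils spincastCryptoUtils,
                                                    SpincastSessionManager spincastSessionManager,
                                                    SpincastConfig spincastConfig,
                                                    Dictionary dictionary) {
        this.spincastFormsProtectionConfig = spincastFormsProtectionConfig;
        this.spincastCryptoUtils = spincastCryptoUtils;
        this.spincastSessionManager = spincastSessionManager;
        this.spincastConfig = spincastConfig;
        this.dictionary = dictionary;
    }

    protected SpincastFormsProtectionConfig getSpincastFormsProtectionConfig() {
        return this.spincastFormsProtectionConfig;
    }

    protected SpincastCryptoUtils getSpincastCryptoUtils() {
        return this.spincastCryptoUtils;
    }

    protected SpincastSessionManager getSpincastSessionManager() {
        return this.spincastSessionManager;
    }

    protected SpincastConfig getSpincastConfig() {
        return this.spincastConfig;
    }

    protected Dictionary getDictionary() {
        return this.dictionary;
    }

    /**
     * Runs the CSRF checks for the current request.
     *
     * <p>Checked exceptions raised by the underlying request/session APIs and the
     * {@link PublicExceptionDefault} thrown by the default mismatch action both go
     * through {@link SpincastStatics#runtimize(Exception)} (as in the original design).
     *
     * @param requestContext the current request
     * @throws FormInvalidOriginException declared for implementations that prefer a typed failure
     * @throws FormInvalidCsrfTokenException declared for implementations that prefer a typed failure
     * @throws RuntimeException when no session is available (filter ordering error) or
     *         when a check fails and the mismatch action throws
     */
    @Override // org.spincast.plugins.formsprotection.csrf.SpincastFormsCsrfProtectionFilter
    public void handle(RequestContext<?> requestContext) throws FormInvalidOriginException, FormInvalidCsrfTokenException {

        // Static resources are never state-changing: nothing to protect.
        if (requestContext.routing().getRoutingResult().getMainRouteHandlerMatch().getSourceRoute().isResourceRoute()) {
            return;
        }

        try {
            if (getSpincastSessionManager().getCurrentSession() == null) {
                throw new RuntimeException("No Session available. Makes sur the " + SpincastSessionFilter.class.getSimpleName() +
                                           " filter is run *before* this " + SpincastFormsCsrfProtectionFilter.class.getSimpleName() +
                                           " filter!");
            }

            // Read-only lookup: this filter never creates a token. Tokens are minted when a
            // form is rendered (see getCurrentCsrfToken()), so a missing one means the
            // submitting page was never served to this session.
            SpincastCsrfToken currentCsrfToken = getCurrentCsrfToken(false);

            HttpMethod httpMethod = requestContext.request().getHttpMethod();
            if (isSafeMethod(httpMethod)) {
                return;
            }

            if (currentCsrfToken == null) {
                this.logger.debug("No CSRF token found in the user's session...");
                csrfDoesntMatchAction(requestContext,
                                      getDictionary().get(SpincastFormsProtectionPluginDictionaryEntries.MESSAGE_KEY_FORM_CSRF_TOKEN_NOT_FOUND_IN_SESSION));
                // Explicit return so a subclass whose mismatch action does not throw can never
                // reach the token comparison below with a null session token.
                return;
            }

            String formCsrfProtectionIdFieldName = getSpincastFormsProtectionConfig().getFormCsrfProtectionIdFieldName();
            String submittedToken = findSubmittedCsrfToken(requestContext, formCsrfProtectionIdFieldName);
            if (submittedToken == null) {
                this.logger.warn(httpMethod + " without a CSRF \"" + formCsrfProtectionIdFieldName + "\" token : " +
                                 requestContext.request().getFullUrl());
                csrfDoesntMatchAction(requestContext,
                                      getDictionary().get(SpincastFormsProtectionPluginDictionaryEntries.MESSAGE_KEY_FORM_NO_CSRF_TOKEN_PROVIDED));
                return;
            }

            if (!constantTimeEquals(submittedToken, currentCsrfToken.getId())) {
                // The session token itself is deliberately not logged: it is a secret for
                // as long as the session lives.
                this.logger.warn("Request with an invalid CSRF token : " + requestContext.request().getFullUrl());
                csrfDoesntMatchAction(requestContext,
                                      getDictionary().get(SpincastFormsProtectionPluginDictionaryEntries.MESSAGE_KEY_FORM_INVALID_CSRF_TOKEN));
                return;
            }

            validateOrigin(requestContext);

        } catch (Exception e) {
            throw SpincastStatics.runtimize(e);
        }
    }

    /**
     * Methods that are exempt from the CSRF checks: {@code GET}, {@code HEAD},
     * {@code OPTIONS} and {@code CONNECT}. Every other method is checked.
     *
     * @param httpMethod the request method
     * @return {@code true} when the request must not be checked
     */
    protected boolean isSafeMethod(HttpMethod httpMethod) {
        return httpMethod == HttpMethod.GET ||
               httpMethod == HttpMethod.HEAD ||
               httpMethod == HttpMethod.OPTIONS ||
               httpMethod == HttpMethod.CONNECT;
    }

    /**
     * Returns the token submitted by the client: the form field named
     * {@code fieldName} first, then the first query-string parameter of that name.
     *
     * @param requestContext the current request
     * @param fieldName the configured token field name
     * @return the submitted token, or {@code null} when neither location carries one
     */
    protected String findSubmittedCsrfToken(RequestContext<?> requestContext, String fieldName) {
        String fromBody = requestContext.request().getFormBodyAsJsonObject().getString(fieldName);
        if (fromBody != null) {
            return fromBody;
        }
        return requestContext.request().getQueryStringParamFirst(fieldName);
    }

    /**
     * Compares the submitted token with the session token without short-circuiting on
     * the first differing byte, so the comparison time does not depend on how much of
     * the token an attacker guessed right.
     *
     * @param submitted the client-supplied value (may be {@code null})
     * @param expected the session value (may be {@code null})
     * @return {@code true} only when both are non-null and byte-for-byte equal
     */
    protected static boolean constantTimeEquals(String submitted, String expected) {
        if (submitted == null || expected == null) {
            return false;
        }
        return MessageDigest.isEqual(submitted.getBytes(StandardCharsets.UTF_8),
                                     expected.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Verifies that the request comes from this server's public host.
     *
     * <p>{@code Origin} is authoritative when present; {@code Referer} is only consulted
     * when {@code Origin} is absent. A request carrying neither header is rejected.
     * A header whose value is not a parseable URI, or has no host part (e.g. the literal
     * {@code "null"} origin), is rejected as an invalid origin rather than surfacing as
     * a server error.
     *
     * @param requestContext the current request
     * @throws Exception whatever {@link #csrfDoesntMatchAction(RequestContext, String)} throws
     */
    protected void validateOrigin(RequestContext<?> requestContext) throws Exception {
        String origin = requestContext.request().getHeaderFirst("Origin");
        String referer = requestContext.request().getHeaderFirst("Referer");

        if (origin == null && referer == null) {
            this.logger.warn("Request without origin or referer header : " + requestContext.request().getFullUrl());
            csrfDoesntMatchAction(requestContext,
                                  getDictionary().get(SpincastFormsProtectionPluginDictionaryEntries.MESSAGE_KEY_FORM_INVALID_ORGIN));
            return;
        }

        String headerName = origin != null ? "origin" : "referer";
        String headerValue = origin != null ? origin : referer;
        String expectedHost = getSpincastConfig().getPublicServerHost();

        String actualHost = extractHost(headerValue);
        if (actualHost != null && expectedHost.equalsIgnoreCase(actualHost)) {
            return;
        }

        this.logger.warn("Request with " + headerName + " header '" + actualHost +
                         "' that doesn't contain the right host : " + expectedHost);
        csrfDoesntMatchAction(requestContext,
                              getDictionary().get(SpincastFormsProtectionPluginDictionaryEntries.MESSAGE_KEY_FORM_INVALID_ORGIN));
    }

    /**
     * Extracts the host part of an {@code Origin}/{@code Referer} header value.
     *
     * @param headerValue the raw header value
     * @return the host, or {@code null} when the value is not a valid URI or has no host
     */
    protected String extractHost(String headerValue) {
        try {
            return new URI(headerValue).getHost();
        } catch (URISyntaxException e) {
            // Untrusted, malformed header: treat as "no host" so the caller rejects it with 400.
            this.logger.debug("Unparseable origin/referer header value, rejecting : " + headerValue);
            return null;
        }
    }

    @Override // org.spincast.plugins.formsprotection.csrf.SpincastFormsCsrfProtectionFilter
    public SpincastCsrfToken getCurrentCsrfToken() {
        return getCurrentCsrfToken(true);
    }

    /**
     * Returns the CSRF token stored in the current session, optionally creating one.
     *
     * <p>The token is read from the session attribute
     * {@link SpincastFormsProtectionConfig#SESSION_VARIABLE_NAME_CSRF_TOKEN} as a
     * {@link JsonObject} with {@code "id"} and {@code "creationDate"} members.
     *
     * @param createIfNotFound when {@code true} and no token exists, a fresh one is
     *        created and stored in the session
     * @return the token, or {@code null} when none exists and {@code createIfNotFound}
     *         is {@code false} (also when there is no current session)
     * @throws IllegalStateException when {@code createIfNotFound} is {@code true} but
     *         there is no current session to store the token in
     */
    public SpincastCsrfToken getCurrentCsrfToken(boolean createIfNotFound) {
        SpincastSession currentSession = getSpincastSessionManager().getCurrentSession();

        SpincastCsrfToken token = null;
        if (currentSession != null) {
            JsonObject stored = currentSession.getAttributes().getJsonObject(SpincastFormsProtectionConfig.SESSION_VARIABLE_NAME_CSRF_TOKEN);
            if (stored != null) {
                token = new SpincastCsrfToken(stored.getString("id"), stored.getInstant("creationDate"));
            }
        }

        if (token == null && createIfNotFound) {
            if (currentSession == null) {
                throw new IllegalStateException("No Session available to store the CSRF token. Make sure the " +
                                                SpincastSessionFilter.class.getSimpleName() + " filter has run.");
            }
            token = createCsrfToken();
            currentSession.getAttributes().set(SpincastFormsProtectionConfig.SESSION_VARIABLE_NAME_CSRF_TOKEN, token);
        }
        return token;
    }

    /**
     * Creates a new token: a random UUID (JDK {@link UUID#randomUUID()} uses a
     * cryptographically strong PRNG), URL-safe Base64 encoded, stamped with the
     * current instant.
     *
     * @return the new token
     */
    protected SpincastCsrfToken createCsrfToken() {
        byte[] raw = UUID.randomUUID().toString().getBytes(StandardCharsets.UTF_8);
        String id = Base64.getUrlEncoder().encodeToString(raw);
        return new SpincastCsrfToken(id, Instant.now());
    }

    /**
     * Action taken when a CSRF or origin check fails. The default responds with HTTP 400
     * carrying the given (public) message. Subclasses overriding this without throwing
     * should note that {@link #handle(RequestContext)} returns right after calling it.
     *
     * @param requestContext the current request
     * @param message the localized, user-visible reason
     * @throws Exception by default a {@link PublicExceptionDefault} with status 400
     */
    protected void csrfDoesntMatchAction(RequestContext<?> requestContext, String message) throws Exception {
        throw new PublicExceptionDefault(message, 400);
    }
}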
