package ro.pippo.core.route;

import ch.qos.logback.core.CoreConstants;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import ro.pippo.core.HttpConstants;
import ro.pippo.core.ParameterValue;
import ro.pippo.core.StatusCodeException;
import ro.pippo.core.util.CryptoUtils;
import ro.pippo.core.util.StringUtils;

/* loaded from: input_file:lib/pippo-core-0.9.1.jar:ro/pippo/core/route/CSRFHandler.class */
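/**
 * Route handler that issues and validates a per-session anti-CSRF token.
 *
 * <p>On GET requests a token is derived (HMAC of the session id under {@code secretKey}) and
 * stored in the session if none exists yet; it is then exposed to templates under
 * {@link #BINDING}. On POST requests whose content type is one a browser form can produce,
 * the token submitted via the {@code Csrf-Token} header or the {@link #TOKEN} form parameter
 * must equal the session token, otherwise a 403 is raised. Requests with any other HTTP
 * method are passed through without validation or token issuance.
 *
 * <p>Instances are immutable after construction and safe to share between requests; the
 * token itself lives in the session.
 */
public class CSRFHandler implements RouteHandler<RouteContext> {
    /** Session attribute and form-parameter name under which the token is stored / submitted. */
    public static final String TOKEN = "_csrf_token";
    /** Name of the request-local binding that exposes the session token to templates. */
    public static final String BINDING = "csrfToken";
    private static final Logger log = LoggerFactory.getLogger(CSRFHandler.class);

    /** Request header that may carry the token instead of the {@link #TOKEN} form parameter. */
    private static final String CSRF_HEADER = "Csrf-Token";
    /**
     * Header value that skips validation for the request entirely. Browsers cannot attach
     * custom headers to a cross-site form post, so this is only reachable by scripted clients
     * (or cross-origin JavaScript under a permissive CORS policy) — confirm the bypass is intended
     * before deploying behind a CORS configuration that allows this header.
     */
    private static final String NOCHECK = "nocheck";

    /** Content types a POST must carry a valid token for — the ones a browser form can submit. */
    private final List<String> guardedTypes;
    private final String secretKey;
    private final String algorithm;

    /** Creates a handler with a freshly generated secret key and HMAC-SHA256. */
    public CSRFHandler() {
        this(CryptoUtils.generateSecretKey());
    }

    /**
     * Creates a handler using HMAC-SHA256 with the given secret key.
     *
     * @param str secret key used to derive session tokens
     */
    public CSRFHandler(String str) {
        this(str, CryptoUtils.HMAC_SHA256);
    }

    /**
     * Creates a handler with an explicit secret key and HMAC algorithm.
     *
     * @param str secret key used to derive session tokens
     * @param str2 HMAC algorithm name passed to {@link CryptoUtils#hmacDigest}
     */
    public CSRFHandler(String str, String str2) {
        this.guardedTypes = Arrays.asList(
            HttpConstants.ContentType.APPLICATION_FORM_URLENCODED,
            HttpConstants.ContentType.MULTIPART_FORM_DATA,
            HttpConstants.ContentType.TEXT_PLAIN);
        this.secretKey = str;
        this.algorithm = str2;
    }

    /**
     * Returns the secret key this handler derives tokens from. Treat the value as a secret:
     * do not log it or expose it in responses.
     *
     * @return the HMAC secret key
     */
    public String getSecretKey() {
        return this.secretKey;
    }

    /** @return the HMAC algorithm name used to derive tokens */
    public String getAlgorithm() {
        return this.algorithm;
    }

    /**
     * Reads the token stored in the session, or {@code null} if none has been issued yet.
     *
     * @param routeContext current request context
     * @return the session token or {@code null}
     */
    protected String getSessionCsrfToken(RouteContext routeContext) {
        return (String) routeContext.getSession(TOKEN);
    }

    /**
     * Stores the token in the session under {@link #TOKEN}.
     *
     * @param routeContext current request context
     * @param str token to store
     */
    protected void setSessionCsrfToken(RouteContext routeContext, String str) {
        routeContext.setSession(TOKEN, str);
    }

    /**
     * Returns the value the token is derived from: the session id.
     *
     * @param routeContext current request context
     * @return the session id as a string
     */
    protected String getTokenId(RouteContext routeContext) {
        return routeContext.getSession().getId().toString();
    }

    /**
     * Validates POST requests and issues tokens on GET requests, then continues the chain.
     *
     * @param routeContext current request context
     * @throws StatusCodeException with status 403 when a guarded POST carries no token or a
     *         token that does not match the session token
     */
    @Override // ro.pippo.core.route.RouteHandler
    public void handle(RouteContext routeContext) {
        String method = routeContext.getRequest().getHttpServletRequest().getMethod();
        if (HttpConstants.Method.POST.equals(method)) {
            validatePost(routeContext);
        } else if (HttpConstants.Method.GET.equals(method)) {
            issueToken(routeContext);
        }
        // Any other method (PUT, PATCH, DELETE, ...) reaches the next handler unvalidated.
        routeContext.next();
    }

    /** Enforces the token on a POST; returns normally when the request is exempt or valid. */
    private void validatePost(RouteContext routeContext) {
        // Only the media type matters, so drop any ";charset=..." suffix. Locale.ROOT keeps the
        // comparison stable regardless of the JVM default locale.
        String contentType = StringUtils.getPrefix(
            new ParameterValue(routeContext.getHeader("Content-Type")).toString("").toLowerCase(Locale.ROOT), ';').trim();
        if (!this.guardedTypes.contains(contentType)) {
            log.debug("Ignoring '{}' request for {} '{}'", contentType, routeContext.getRequestMethod(), routeContext.getRequestUri());
            return;
        }
        String submitted = routeContext.getHeader(CSRF_HEADER);
        if (NOCHECK.equals(submitted)) {
            log.debug("Ignoring 'nocheck' request for {} '{}'", routeContext.getRequestMethod(), routeContext.getRequestUri());
            return;
        }
        if (StringUtils.isNullOrEmpty(submitted)) {
            // Fall back to the form parameter when the header is absent.
            submitted = routeContext.getParameter(TOKEN).toString();
        }
        if (StringUtils.isNullOrEmpty(submitted)) {
            throw new StatusCodeException(403, "Illegal request, no '{}'!", TOKEN);
        }
        String expected = getSessionCsrfToken(routeContext);
        if (!tokensMatch(submitted, expected)) {
            throw new StatusCodeException(403, "Illegal request, invalid '{}'!", TOKEN);
        }
        log.debug("Validated '{}' for {} '{}'", TOKEN, routeContext.getRequestMethod(), routeContext.getRequestUri());
        routeContext.setLocal(BINDING, expected);
    }

    /** Issues a session token if none exists and binds it for templates. */
    private void issueToken(RouteContext routeContext) {
        if (getSessionCsrfToken(routeContext) == null) {
            setSessionCsrfToken(routeContext, CryptoUtils.hmacDigest(getTokenId(routeContext), this.secretKey, this.algorithm));
            log.debug("Generated '{}' for {} '{}'", TOKEN, routeContext.getRequestMethod(), routeContext.getRequestUri());
        }
        routeContext.setLocal(BINDING, getSessionCsrfToken(routeContext));
    }

    /**
     * Compares a submitted token with the session token without leaking how many leading
     * bytes matched through timing. A missing session token never matches.
     *
     * @param submitted non-null token taken from the request
     * @param expected session token, possibly {@code null}
     * @return {@code true} only when both are present and byte-for-byte equal
     */
    private static boolean tokensMatch(String submitted, String expected) {
        if (expected == null) {
            return false;
        }
        return MessageDigest.isEqual(
            submitted.getBytes(StandardCharsets.UTF_8),
            expected.getBytes(StandardCharsets.UTF_8));
    }
}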
