package com.payneteasy.superfly.security.csrf;

import com.payneteasy.superfly.security.exception.CsrfLoginTokenException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/payneteasy/superfly/security/csrf/CsrfValidatorImpl.class */
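/**
 * Login-form CSRF protection: issues a random token into the HTTP session and
 * checks that the token submitted with the login request matches it.
 *
 * <p>Validation is only enforced once {@link #setEnable(boolean)} has been called
 * with {@code true}; the field defaults to {@code false}, in which case
 * {@link #validateToken(HttpServletRequest)} logs a warning and accepts the request.
 */
public class CsrfValidatorImpl implements CsrfValidator {
    private static final Logger logger = LoggerFactory.getLogger(CsrfValidatorImpl.class);
    /** Session attribute under which the expected token is stored. */
    private static final String ATTRIBUTE_NAME = CsrfValidatorImpl.class.getName().concat(".CSRF_TOKEN");
    /** Request parameter carrying the token submitted by the login form. */
    private static final String PARAMETER_NAME = "_csrf";
    /** Whether the check is enforced; {@code false} (the default) disables it. */
    private boolean enable;

    /**
     * Switches token validation on or off.
     *
     * @param z {@code true} to enforce the check, {@code false} to skip it (a warning is logged on every call)
     */
    public void setEnable(boolean z) {
        this.enable = z;
    }

    /**
     * Generates a fresh token, stores it in the given session and returns it so it
     * can be embedded in the login form.
     *
     * @param httpSession session that will hold the expected token
     * @return the token that was stored
     */
    @Override
    public String persistTokenIntoSession(HttpSession httpSession) {
        // UUID.randomUUID() is backed by a cryptographically strong PRNG.
        String token = UUID.randomUUID().toString();
        httpSession.setAttribute(ATTRIBUTE_NAME, token);
        return token;
    }

    /**
     * Verifies that the {@code _csrf} request parameter equals the token stored in
     * the existing session. Does nothing when validation is disabled.
     *
     * @param httpServletRequest the login request
     * @throws IllegalStateException if the request is {@code null}
     * @throws CsrfLoginTokenException if there is no session, no stored token, no
     *         submitted token, or the two do not match
     */
    @Override
    public void validateToken(HttpServletRequest httpServletRequest) {
        if (!this.enable) {
            logger.warn("CSRF login token check is disabled");
            return;
        }
        if (httpServletRequest == null) {
            throw new IllegalStateException("Cannot get request attribute - request is null!");
        }
        // getSession(false): never create a session here, a missing one is an error.
        HttpSession session = httpServletRequest.getSession(false);
        if (session == null) {
            logger.warn("No session");
            throw new CsrfLoginTokenException("No session.", "Something was wrong with your session. Please try again.");
        }
        Object stored = session.getAttribute(ATTRIBUTE_NAME);
        // A missing attribute and a value of an unexpected type are treated alike,
        // so a foreign object under our key cannot surface as a ClassCastException.
        if (!(stored instanceof String)) {
            logger.error("No {} value in session", ATTRIBUTE_NAME);
            throw new CsrfLoginTokenException("No any CSRF token in the session. Please check server config.", "Missing login token. This can be caused by ad- or script-blocking plugins, but also by the browser itself if it's not allowed to set cookies.\n");
        }
        String expected = (String) stored;
        String parameter = httpServletRequest.getParameter(PARAMETER_NAME);
        if (parameter == null || parameter.isEmpty()) {
            logger.error("Field _csrf is empty in request");
            throw new CsrfLoginTokenException("Missing CSRF token. This can be caused by ad- or script-blocking plugins, but also by the browser itself if it's not allowed to set cookies.", "Missing login token. This can be caused by ad- or script-blocking plugins, but also by the browser itself if it's not allowed to set cookies.\n");
        }
        if (tokensMatch(expected, parameter)) {
            return;
        }
        // The expected token is a secret for the lifetime of the session, so neither
        // value is written to the log on mismatch.
        logger.error("CSRF is invalid. Submitted token does not match the session token");
        throw new CsrfLoginTokenException("Invalid CSRF token.", "Invalid login token. This can be caused if you trying to login with multiple browser tabs.");
    }

    /**
     * Compares the two tokens in constant time with respect to their content, so
     * that response timing does not reveal how many leading characters matched.
     */
    private static boolean tokensMatch(String expected, String actual) {
        byte[] expectedBytes = expected.getBytes(StandardCharsets.UTF_8);
        byte[] actualBytes = actual.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expectedBytes, actualBytes);
    }
}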
