package com.gu.pandomainauth.action;

import com.gu.pandomainauth.PanDomain$;
import com.gu.pandomainauth.PanDomainAuthSettingsRefresher;
import com.gu.pandomainauth.model.Authenticated;
import com.gu.pandomainauth.model.AuthenticatedUser;
import com.gu.pandomainauth.model.AuthenticationStatus;
import com.gu.pandomainauth.model.Expired;
import com.gu.pandomainauth.model.GracePeriod;
import com.gu.pandomainauth.model.InvalidCookie;
import com.gu.pandomainauth.model.NotAuthenticated$;
import com.gu.pandomainauth.model.NotAuthorized;
import com.gu.pandomainauth.model.PanDomainAuthSettings;
import com.gu.pandomainauth.service.CookieUtils$;
import com.gu.pandomainauth.service.Google2FAGroupChecker;
import com.gu.pandomainauth.service.OAuth;
import java.net.URLDecoder;
import java.net.URLEncoder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import play.api.http.Writeable$;
import play.api.libs.ws.WSClient;
import play.api.mvc.ActionBuilder;
import play.api.mvc.AnyContent;
import play.api.mvc.BodyParser;
import play.api.mvc.Codec$;
import play.api.mvc.ControllerComponents;
import play.api.mvc.Cookie;
import play.api.mvc.Cookie$;
import play.api.mvc.Cookie$SameSite$None$;
import play.api.mvc.DiscardingCookie;
import play.api.mvc.DiscardingCookie$;
import play.api.mvc.Request;
import play.api.mvc.RequestHeader;
import play.api.mvc.Result;
import play.api.mvc.Results;
import play.api.mvc.Results$;
import scala.Function1;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Predef$;
import scala.Some;
import scala.collection.immutable.Seq;
import scala.collection.immutable.Set;
import scala.concurrent.ExecutionContext;
import scala.concurrent.Future;
import scala.concurrent.Future$;
import scala.package$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxesRunTime;
import scala.runtime.ScalaRunTime$;

/* compiled from: Actions.scala */
@ScalaSignature(bytes = "\u0006\u0005\ruaaB\u001f?!\u0003\r\ta\u0012\u0005\u0006\u001d\u0002!\ta\u0014\u0005\b'\u0002\u0011\r\u0011\"\u0003U\u0011\u0015i\u0006A\"\u0001_\u0011\u0015Y\u0007A\"\u0001m\u0011\u0015\u0019\bA\"\u0001u\u0011\u0015I\b\u0001\"\u0003{\u0011\u0019\ti\u0001\u0001C\u0005u\"9\u0011q\u0002\u0001\u0005\n\u0005E\u0001\"CA\u0010\u0001\t\u0007I1BA\u0011\u0011\u001d\ty\u0003\u0001D\u0001\u0003cAq!a\u0011\u0001\t\u0003\t)\u0005C\u0004\u0002H\u0001!\t!!\u0013\t\r\u0005E\u0003A\"\u0001{\u0011%\t\u0019\u0006\u0001b\u0001\n\u0003\t)\u0006\u0003\u0005\u0002d\u0001\u0011\r\u0011\"\u0001{\u0011%\t)\u0007\u0001b\u0001\n\u0003\t9\u0007C\u0005\u0002v\u0001\u0011\r\u0011\"\u0001\u0002x!I\u0011q\u0011\u0001C\u0002\u0013\u0005\u0011q\u000f\u0005\n\u0003\u0013\u0003!\u0019!C\u0005\u0003oBq!a#\u0001\t\u0013\ti\t\u0003\u0006\u0002\u001e\u0002A)\u0019!C\u0005\u0003?Cq!a.\u0001\t\u0003\tI\fC\u0005\u0002l\u0002\t\n\u0011\"\u0001\u0002n\"9!q\u0001\u0001\u0005\u0002\t%\u0001b\u0002B\u0007\u0001\u0011\u0005!q\u0002\u0005\b\u00053\u0001A\u0011\u0001B\u000e\u0011\u001d\u0011\t\u0003\u0001C\u0005\u0005GAqA!\f\u0001\t\u0003\u0011y\u0003C\u0004\u00036\u0001!\tAa\u000e\t\u000f\tm\u0002\u0001\"\u0001\u0003>!9!1\t\u0001\u0005\u0002\t\u0015\u0003b\u0002B*\u0001\u0011\u0005!Q\u000b\u0005\b\u00053\u0002A\u0011\u0001B.\u0011\u001d\u0011)\u0007\u0001C\u0001\u0005OBqAa\u001b\u0001\t\u0003\u0011igB\u0004\u0003x\u0001A\tA!\u001f\u0007\u000f\tu\u0004\u0001#\u0001\u0003��!9!1S\u0013\u0005\u0002\tU\u0005b\u0002BLK\u0011\u0005#\u0011\u0014\u0005\b\u0005C+C\u0011KA\u0011\u0011\u001d\u0011\u0019+\nC!\u0005K;qAa1\u0001\u0011\u0003\u0011)MB\u0004\u0003H\u0002A\tA!3\t\u000f\tM5\u0006\"\u0001\u0004\u001c\u0019I!\u0011 \u0001\u0011\u0002\u0007\u0005!1 \u0005\u0006\u001d6\"\ta\u0014\u0005\n\u0005#l#\u0019!C\u0001\u0005{D\u0011B!6.\u0005\u0004%\tA!@\t\u0013\t]WF1A\u0005\u0002\tu\b\"\u0003Bm[\t\u0007I\u0011\u0001B\u007f\r%\u0011i\r\u0001I\u0001\u0004\u0003\u0011y\rC\u0003Og\u0011\u0005q\nC\u0004\u0003\u0018N\"\tE!'\t\u000f\t\u00056\u0007\"\u0015\u0002\"!I!\u0011[\u001aC\u0002\u001b\u0005!1\u001b\u0005\n\u0005+\u001c$\u0019!D\u0001\u0005'D\u0011Ba64\u0005\u00045\tAa5\t\u0013\te7G1A\u0007\u0002\tM\u0007b\u0002BRg\u0011\u0005#1\u001c\u0005\b\u0005[\u001cD\u0011\u0001Bx\u0005-\tU\u000f\u001e5BGRLwN\\:\u000b\u0005}\u0002\u0015AB1di&|gN\u0003\u0002B\u0005\u0006i\u0001/\u00198e_6\f\u0017N\\1vi\"T!a\u0011#\u0002\u0005\u001d,(\"A#\u0002\u0007\r|Wn\u0001\u0001\u0014\u0005\u0001A\u0005CA%M\u001b\u0005Q%\"A&\u0002\u000bM\u001c\u0017\r\\1\n\u00055S%AB!osJ+g-\u0001\u0004%S:LG\u000f\n\u000b\u0002!B\u0011\u0011*U\u0005\u0003%*\u0013A!\u00168ji\u00061An\\4hKJ,\u0012!\u0016\t\u0003-nk\u0011a\u0016\u0006\u00031f\u000bQa\u001d7gi)T\u0011AW\u0001\u0004_J<\u0017B\u0001/X\u0005\u0019aunZ4fe\u0006Aqo]\"mS\u0016tG/F\u0001`!\t\u0001\u0017.D\u0001b\u0015\t\u00117-\u0001\u0002xg*\u0011A-Z\u0001\u0005Y&\u00147O\u0003\u0002gO\u0006\u0019\u0011\r]5\u000b\u0003!\fA\u0001\u001d7bs&\u0011!.\u0019\u0002\t/N\u001bE.[3oi\u0006!2m\u001c8ue>dG.\u001a:D_6\u0004xN\\3oiN,\u0012!\u001c\t\u0003]Fl\u0011a\u001c\u0006\u0003a\u0016\f1!\u001c<d\u0013\t\u0011xN\u0001\u000bD_:$(o\u001c7mKJ\u001cu.\u001c9p]\u0016tGo]\u0001\u0012a\u0006tGi\\7bS:\u001cV\r\u001e;j]\u001e\u001cX#A;\u0011\u0005Y<X\"\u0001!\n\u0005a\u0004%A\b)b]\u0012{W.Y5o\u0003V$\bnU3ui&twm\u001d*fMJ,7\u000f[3s\u0003\u0019\u0019\u0018p\u001d;f[V\t1\u0010E\u0002}\u0003\u000fq1!`A\u0002!\tq(*D\u0001��\u0015\r\t\tAR\u0001\u0007yI|w\u000e\u001e \n\u0007\u0005\u0015!*\u0001\u0004Qe\u0016$WMZ\u0005\u0005\u0003\u0013\tYA\u0001\u0004TiJLgn\u001a\u0006\u0004\u0003\u000bQ\u0015A\u00023p[\u0006Lg.\u0001\u0005tKR$\u0018N\\4t+\t\t\u0019\u0002\u0005\u0003\u0002\u0016\u0005mQBAA\f\u0015\r\tI\u0002Q\u0001\u0006[>$W\r\\\u0005\u0005\u0003;\t9BA\u000bQC:$u.\\1j]\u0006+H\u000f[*fiRLgnZ:\u0002\u0005\u0015\u001cWCAA\u0012!\u0011\t)#a\u000b\u000e\u0005\u0005\u001d\"bAA\u0015\u0015\u0006Q1m\u001c8dkJ\u0014XM\u001c;\n\t\u00055\u0012q\u0005\u0002\u0011\u000bb,7-\u001e;j_:\u001cuN\u001c;fqR\fAB^1mS\u0012\fG/Z+tKJ$B!a\r\u0002:A\u0019\u0011*!\u000e\n\u0007\u0005]\"JA\u0004C_>dW-\u00198\t\u000f\u0005m\"\u00021\u0001\u0002>\u0005Q\u0011-\u001e;iK\u0012,6/\u001a:\u0011\t\u0005U\u0011qH\u0005\u0005\u0003\u0003\n9BA\tBkRDWM\u001c;jG\u0006$X\rZ+tKJ\fqbY1dQ\u00164\u0016\r\\5eCRLwN\\\u000b\u0003\u0003g\ta\"\u00199j\u000fJ\f7-\u001a)fe&|G-\u0006\u0002\u0002LA\u0019\u0011*!\u0014\n\u0007\u0005=#J\u0001\u0003M_:<\u0017aD1vi\"\u001c\u0015\r\u001c7cC\u000e\\WK\u001d7\u0002\u000b=\u000bU\u000f\u001e5\u0016\u0005\u0005]\u0003\u0003BA-\u0003?j!!a\u0017\u000b\u0007\u0005u\u0003)A\u0004tKJ4\u0018nY3\n\t\u0005\u0005\u00141\f\u0002\u0006\u001f\u0006+H\u000f[\u0001\u0010CB\u0004H.[2bi&|gNT1nK\u0006\u0011R.\u001e7uS\u001a\f7\r^8s\u0007\",7m[3s+\t\tI\u0007E\u0003J\u0003W\ny'C\u0002\u0002n)\u0013aa\u00149uS>t\u0007\u0003BA-\u0003cJA!a\u001d\u0002\\\t)ri\\8hY\u0016\u0014d)Q$s_V\u00048\t[3dW\u0016\u0014\u0018\u0001\u0005'P\u000f&sul\u0014*J\u000f&sulS#Z+\t\tI\b\u0005\u0003\u0002|\u0005\u0015UBAA?\u0015\u0011\ty(!!\u0002\t1\fgn\u001a\u0006\u0003\u0003\u0007\u000bAA[1wC&!\u0011\u0011BA?\u0003A\te\nV%`\r>\u0013v)\u0012*Z?.+\u0015,\u0001\tG\u001fJ\u001bUiX#Y!&\u0013\u0016lX&F3\u000611m\\8lS\u0016$b!a$\u0002\u0016\u0006e\u0005c\u00018\u0002\u0012&\u0019\u00111S8\u0003\r\r{wn[5f\u0011\u0019\t9\n\u0006a\u0001w\u0006!a.Y7f\u0011\u0019\tY\n\u0006a\u0001w\u0006)a/\u00197vK\u0006qA-[:dCJ$7i\\8lS\u0016\u001cXCAAQ!\u0019\t\u0019+!,\u000226\u0011\u0011Q\u0015\u0006\u0005\u0003O\u000bI+A\u0005j[6,H/\u00192mK*\u0019\u00111\u0016&\u0002\u0015\r|G\u000e\\3di&|g.\u0003\u0003\u00020\u0006\u0015&aA*fcB\u0019a.a-\n\u0007\u0005UvN\u0001\tESN\u001c\u0017M\u001d3j]\u001e\u001cun\\6jK\u0006Y1/\u001a8e\r>\u0014\u0018)\u001e;i+\u0011\tY,!7\u0015\r\u0005u\u0016\u0011ZAj!\u0019\t)#a0\u0002D&!\u0011\u0011YA\u0014\u0005\u00191U\u000f^;sKB\u0019a.!2\n\u0007\u0005\u001dwN\u0001\u0004SKN,H\u000e\u001e\u0005\b\u0003\u00174\u00029AAg\u0003\u001d\u0011X-];fgR\u00042A\\Ah\u0013\r\t\tn\u001c\u0002\u000e%\u0016\fX/Z:u\u0011\u0016\fG-\u001a:\t\u0013\u0005Ug\u0003%AA\u0004\u0005]\u0017!B3nC&d\u0007\u0003B%\u0002lm$q!a7\u0017\u0005\u0004\tiNA\u0001B#\u0011\ty.!:\u0011\u0007%\u000b\t/C\u0002\u0002d*\u0013qAT8uQ&tw\rE\u0002J\u0003OL1!!;K\u0005\r\te._\u0001\u0016g\u0016tGMR8s\u0003V$\b\u000e\n3fM\u0006,H\u000e\u001e\u00133+\u0011\tyO!\u0002\u0016\u0005\u0005E(\u0006BAl\u0003g\\#!!>\u0011\t\u0005](\u0011A\u0007\u0003\u0003sTA!a?\u0002~\u0006IQO\\2iK\u000e\\W\r\u001a\u0006\u0004\u0003\u007fT\u0015AC1o]>$\u0018\r^5p]&!!1AA}\u0005E)hn\u00195fG.,GMV1sS\u0006t7-\u001a\u0003\b\u00037<\"\u0019AAo\u0003A\u0019\u0007.Z2l\u001bVdG/\u001b4bGR|'\u000f\u0006\u0003\u00024\t-\u0001bBA\u001e1\u0001\u0007\u0011QH\u0001\u0014g\"|w/\u00168bkRDW\rZ'fgN\fw-\u001a\u000b\u0005\u0005#\u0011)\u0002\u0006\u0003\u0002D\nM\u0001bBAf3\u0001\u000f\u0011Q\u001a\u0005\u0007\u0005/I\u0002\u0019A>\u0002\u000f5,7o]1hK\u0006\u0011\u0012N\u001c<bY&$Wk]3s\u001b\u0016\u001c8/Y4f)\rY(Q\u0004\u0005\b\u0005?Q\u0002\u0019AA\u001f\u0003-\u0019G.Y5nK\u0012\fU\u000f\u001e5\u0002\u0019\u0011,7m\u001c3f\u0007>|7.[3\u0015\t\t\u0015\"1\u0006\u000b\u0005\u0005O\u0011I\u0003E\u0003J\u0003W\nI\bC\u0004\u0002Ln\u0001\u001d!!4\t\r\u0005]5\u00041\u0001|\u0003Q\u0001(o\\2fgN|\u0015)\u001e;i\u0007\u0006dGNY1dWR\u0011!\u0011\u0007\u000b\u0005\u0003{\u0013\u0019\u0004C\u0004\u0002Lr\u0001\u001d!!4\u0002\u001bA\u0014xnY3tg2{wm\\;u)\u0011\t\u0019M!\u000f\t\u000f\u0005-W\u0004q\u0001\u0002N\u0006)\"/Z1e\u0003V$\b.\u001a8uS\u000e\fG/\u001a3Vg\u0016\u0014H\u0003\u0002B \u0005\u0003\u0002R!SA6\u0003{Aq!a3\u001f\u0001\u0004\ti-\u0001\u0006sK\u0006$7i\\8lS\u0016$BAa\u0012\u0003RA)\u0011*a\u001b\u0003JA!!1\nB'\u001b\u0005q\u0014b\u0001B(}\ty\u0001+\u00198e_6\f\u0017N\\\"p_.LW\rC\u0004\u0002L~\u0001\r!!4\u0002\u001d\u001d,g.\u001a:bi\u0016\u001cun\\6jKR!\u0011q\u0012B,\u0011\u001d\tY\u0004\ta\u0001\u0003{\tQ#\u001b8dYV$WmU=ti\u0016l\u0017J\\\"p_.LW\r\u0006\u0003\u0003^\t\rD\u0003BAb\u0005?BqA!\u0019\"\u0001\u0004\t\u0019-\u0001\u0004sKN,H\u000e\u001e\u0005\b\u0003w\t\u0003\u0019AA\u001f\u0003-1G.^:i\u0007>|7.[3\u0015\t\u0005\r'\u0011\u000e\u0005\b\u0005C\u0012\u0003\u0019AAb\u0003-)\u0007\u0010\u001e:bGR\fU\u000f\u001e5\u0015\t\t=$Q\u000f\t\u0005\u0003+\u0011\t(\u0003\u0003\u0003t\u0005]!\u0001F!vi\",g\u000e^5dCRLwN\\*uCR,8\u000fC\u0004\u0002L\u000e\u0002\r!!4\u0002\u0015\u0005+H\u000f[!di&|g\u000eE\u0002\u0003|\u0015j\u0011\u0001\u0001\u0002\u000b\u0003V$\b.Q2uS>t7\u0003B\u0013I\u0005\u0003\u0003rA\u001cBB\u0005\u000f\u0013i)C\u0002\u0003\u0006>\u0014Q\"Q2uS>t')^5mI\u0016\u0014\b\u0003\u0002B&\u0005\u0013K1Aa#?\u0005-)6/\u001a:SKF,Xm\u001d;\u0011\u00079\u0014y)C\u0002\u0003\u0012>\u0014!\"\u00118z\u0007>tG/\u001a8u\u0003\u0019a\u0014N\\5u}Q\u0011!\u0011P\u0001\u0007a\u0006\u00148/\u001a:\u0016\u0005\tm\u0005#\u00028\u0003\u001e\n5\u0015b\u0001BP_\nQ!i\u001c3z!\u0006\u00148/\u001a:\u0002!\u0015DXmY;uS>t7i\u001c8uKb$\u0018aC5om>\\WM\u00117pG.,BAa*\u00036R1\u0011Q\u0018BU\u0005oCq!a3*\u0001\u0004\u0011Y\u000bE\u0003o\u0005[\u0013\t,C\u0002\u00030>\u0014qAU3rk\u0016\u001cH\u000f\u0005\u0003\u00034\nUF\u0002\u0001\u0003\b\u00037L#\u0019AAo\u0011\u001d\u0011I,\u000ba\u0001\u0005w\u000bQA\u00197pG.\u0004r!\u0013B_\u0005\u0003\fi,C\u0002\u0003@*\u0013\u0011BR;oGRLwN\\\u0019\u0011\r\t-#\u0011\u0012BY\u00035\t\u0005+S!vi\"\f5\r^5p]B\u0019!1P\u0016\u0003\u001b\u0005\u0003\u0016*Q;uQ\u0006\u001bG/[8o'\u0019Y\u0003Ja3\u0003xB\u0019!1P\u001a\u0003+\u0005\u00137\u000f\u001e:bGR\f\u0005/[!vi\"\f5\r^5p]N!1\u0007\u0013BA\u0003Yqw\u000e^!vi\",g\u000e^5dCR,GMU3tk2$XCAAb\u0003MIgN^1mS\u0012\u001cun\\6jKJ+7/\u001e7u\u00035)\u0007\u0010]5sK\u0012\u0014Vm];mi\u0006\u0019bn\u001c;BkRDwN]5{K\u0012\u0014Vm];miV!!Q\u001cBs)\u0019\tiLa8\u0003h\"9\u00111Z\u001eA\u0002\t\u0005\b#\u00028\u0003.\n\r\b\u0003\u0002BZ\u0005K$q!a7<\u0005\u0004\ti\u000eC\u0004\u0003:n\u0002\rA!;\u0011\u000f%\u0013iLa;\u0002>B1!1\nBE\u0005G\f\u0001D]3ta>t7/Z,ji\"\u001c\u0016p\u001d;f[\u000e{wn[5f)\u0019\tiL!=\u0003v\"9!1\u001f\u001fA\u0002\u0005u\u0016\u0001\u0003:fgB|gn]3\t\u000f\u0005mB\b1\u0001\u0002>A\u0019!1P\u0017\u0003'Ac\u0017-\u001b8FeJ|'OU3ta>t7/Z:\u0014\u00055BUC\u0001B��!\u0011\u0019\taa\u0005\u000f\t\r\r1q\u0002\b\u0005\u0007\u000b\u0019iA\u0004\u0003\u0004\b\r-ab\u0001@\u0004\n%\t\u0001.\u0003\u0002gO&\u0011\u0001/Z\u0005\u0004\u0007#y\u0017a\u0002*fgVdGo]\u0005\u0005\u0007+\u00199B\u0001\u0004Ti\u0006$Xo]\u0005\u0004\u00073y'a\u0002*fgVdGo\u001d\u000b\u0003\u0005\u000b\u0004")
/* loaded from: input_file:com/gu/pandomainauth/action/AuthActions.class */
public interface AuthActions {

    /* compiled from: Actions.scala */
    /* loaded from: input_file:com/gu/pandomainauth/action/AuthActions$AbstractApiAuthAction.class */
    public interface AbstractApiAuthAction extends ActionBuilder<UserRequest, AnyContent> {
        default BodyParser<AnyContent> parser() {
            return com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().controllerComponents().parsers().default();
        }

        default ExecutionContext executionContext() {
            return com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().controllerComponents().executionContext();
        }

        /* renamed from: notAuthenticatedResult */
        Result mo4notAuthenticatedResult();

        /* renamed from: invalidCookieResult */
        Result mo3invalidCookieResult();

        /* renamed from: expiredResult */
        Result mo2expiredResult();

        /* renamed from: notAuthorizedResult */
        Result mo1notAuthorizedResult();

        default <A> Future<Result> invokeBlock(Request<A> request, Function1<UserRequest<A>, Future<Result>> function1) {
            Future<Result> responseWithSystemCookie;
            InvalidCookie extractAuth = com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().extractAuth(request);
            if (NotAuthenticated$.MODULE$.equals(extractAuth)) {
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(new StringBuilder(36).append("user not authed against ").append(com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$domain()).append(", return 401").toString());
                responseWithSystemCookie = Future$.MODULE$.apply(() -> {
                    return this.mo4notAuthenticatedResult();
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
            } else if (extractAuth instanceof InvalidCookie) {
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().warn("error checking user's auth, clear cookie and return 401", extractAuth.exception());
                responseWithSystemCookie = Future$.MODULE$.apply(() -> {
                    return this.mo3invalidCookieResult();
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec()).map(result -> {
                    return this.com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().flushCookie(result);
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
            } else if (extractAuth instanceof Expired) {
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(new StringBuilder(31).append("user ").append(((Expired) extractAuth).authedUser().user().email()).append(" login expired, return 419").toString());
                responseWithSystemCookie = Future$.MODULE$.apply(() -> {
                    return this.mo2expiredResult();
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
            } else if (extractAuth instanceof GracePeriod) {
                AuthenticatedUser authedUser = ((GracePeriod) extractAuth).authedUser();
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(new StringBuilder(43).append("user ").append(authedUser.user().email()).append(" login expired but is in grace period.").toString());
                responseWithSystemCookie = responseWithSystemCookie((Future) function1.apply(new UserRequest(authedUser.user(), request)), authedUser);
            } else if (extractAuth instanceof NotAuthorized) {
                AuthenticatedUser authedUser2 = ((NotAuthorized) extractAuth).authedUser();
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug("user not authorized, return 403");
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().invalidUserMessage(authedUser2));
                responseWithSystemCookie = Future$.MODULE$.apply(() -> {
                    return this.mo1notAuthorizedResult();
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
            } else {
                if (!(extractAuth instanceof Authenticated)) {
                    throw new MatchError(extractAuth);
                }
                AuthenticatedUser authedUser3 = ((Authenticated) extractAuth).authedUser();
                responseWithSystemCookie = responseWithSystemCookie((Future) function1.apply(new UserRequest(authedUser3.user(), request)), authedUser3);
            }
            return responseWithSystemCookie;
        }

        default Future<Result> responseWithSystemCookie(Future<Result> future, AuthenticatedUser authenticatedUser) {
            if (authenticatedUser.authenticatedIn().apply(com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$system())) {
                return future;
            }
            com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(new StringBuilder(51).append("user ").append(authenticatedUser.user().email()).append(" from other system valid: adding validity in ").append(com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$system()).append(".").toString());
            return future.map(result -> {
                return this.com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().includeSystemInCookie(authenticatedUser, result);
            }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
        }

        /* synthetic */ AuthActions com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer();

        static void $init$(AbstractApiAuthAction abstractApiAuthAction) {
        }
    }

    /* compiled from: Actions.scala */
    /* loaded from: input_file:com/gu/pandomainauth/action/AuthActions$PlainErrorResponses.class */
    public interface PlainErrorResponses {
        void com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$notAuthenticatedResult_$eq(Results.Status status);

        void com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$invalidCookieResult_$eq(Results.Status status);

        void com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$expiredResult_$eq(Results.Status status);

        void com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$notAuthorizedResult_$eq(Results.Status status);

        Results.Status notAuthenticatedResult();

        Results.Status invalidCookieResult();

        Results.Status expiredResult();

        Results.Status notAuthorizedResult();

        /* synthetic */ AuthActions com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$$$outer();

        static void $init$(PlainErrorResponses plainErrorResponses) {
            plainErrorResponses.com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$notAuthenticatedResult_$eq(Results$.MODULE$.Unauthorized());
            plainErrorResponses.com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$invalidCookieResult_$eq(Results$.MODULE$.Unauthorized());
            plainErrorResponses.com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$expiredResult_$eq(new Results.Status(Results$.MODULE$, 419));
            plainErrorResponses.com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$notAuthorizedResult_$eq(Results$.MODULE$.Forbidden());
        }
    }

    AuthActions$AuthAction$ AuthAction();

    AuthActions$APIAuthAction$ APIAuthAction();

    void com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$logger_$eq(Logger logger);

    void com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$ec_$eq(ExecutionContext executionContext);

    void com$gu$pandomainauth$action$AuthActions$_setter_$OAuth_$eq(OAuth oAuth);

    void com$gu$pandomainauth$action$AuthActions$_setter_$applicationName_$eq(String str);

    void com$gu$pandomainauth$action$AuthActions$_setter_$multifactorChecker_$eq(Option<Google2FAGroupChecker> option);

    void com$gu$pandomainauth$action$AuthActions$_setter_$LOGIN_ORIGIN_KEY_$eq(String str);

    void com$gu$pandomainauth$action$AuthActions$_setter_$ANTI_FORGERY_KEY_$eq(String str);

    void com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$FORCE_EXPIRY_KEY_$eq(String str);

    Logger com$gu$pandomainauth$action$AuthActions$$logger();

    WSClient wsClient();

    ControllerComponents controllerComponents();

    PanDomainAuthSettingsRefresher panDomainSettings();

    default String com$gu$pandomainauth$action$AuthActions$$system() {
        return panDomainSettings().system();
    }

    default String com$gu$pandomainauth$action$AuthActions$$domain() {
        return panDomainSettings().domain();
    }

    private default PanDomainAuthSettings settings() {
        return panDomainSettings().settings();
    }

    ExecutionContext com$gu$pandomainauth$action$AuthActions$$ec();

    boolean validateUser(AuthenticatedUser authenticatedUser);

    default boolean cacheValidation() {
        return false;
    }

    default long apiGracePeriod() {
        return 0L;
    }

    String authCallbackUrl();

    OAuth OAuth();

    String applicationName();

    Option<Google2FAGroupChecker> multifactorChecker();

    String LOGIN_ORIGIN_KEY();

    String ANTI_FORGERY_KEY();

    String com$gu$pandomainauth$action$AuthActions$$FORCE_EXPIRY_KEY();

    private default Cookie cookie(String str, String str2) {
        return new Cookie(str, URLEncoder.encode(str2, "UTF-8"), Cookie$.MODULE$.apply$default$3(), Cookie$.MODULE$.apply$default$4(), Cookie$.MODULE$.apply$default$5(), true, true, new Some(Cookie$SameSite$None$.MODULE$));
    }

    default Seq<DiscardingCookie> com$gu$pandomainauth$action$AuthActions$$discardCookies() {
        return package$.MODULE$.Seq().apply(ScalaRunTime$.MODULE$.wrapRefArray(new DiscardingCookie[]{new DiscardingCookie(LOGIN_ORIGIN_KEY(), DiscardingCookie$.MODULE$.apply$default$2(), DiscardingCookie$.MODULE$.apply$default$3(), true, DiscardingCookie$.MODULE$.apply$default$5()), new DiscardingCookie(ANTI_FORGERY_KEY(), DiscardingCookie$.MODULE$.apply$default$2(), DiscardingCookie$.MODULE$.apply$default$3(), true, DiscardingCookie$.MODULE$.apply$default$5()), new DiscardingCookie(com$gu$pandomainauth$action$AuthActions$$FORCE_EXPIRY_KEY(), DiscardingCookie$.MODULE$.apply$default$2(), DiscardingCookie$.MODULE$.apply$default$3(), true, DiscardingCookie$.MODULE$.apply$default$5())}));
    }

    default <A> Future<Result> sendForAuth(RequestHeader requestHeader, Option<String> option) {
        String generateAntiForgeryToken = OAuth().generateAntiForgeryToken();
        return OAuth().redirectToOAuthProvider(generateAntiForgeryToken, option, com$gu$pandomainauth$action$AuthActions$$ec(), requestHeader, wsClient()).map(result -> {
            return result.withCookies(ScalaRunTime$.MODULE$.wrapRefArray(new Cookie[]{this.cookie(this.ANTI_FORGERY_KEY(), generateAntiForgeryToken), this.cookie(this.LOGIN_ORIGIN_KEY(), requestHeader.uri())}));
        }, com$gu$pandomainauth$action$AuthActions$$ec());
    }

    default <A> Option<String> sendForAuth$default$2() {
        return None$.MODULE$;
    }

    default boolean checkMultifactor(AuthenticatedUser authenticatedUser) {
        return multifactorChecker().exists(google2FAGroupChecker -> {
            return BoxesRunTime.boxToBoolean($anonfun$checkMultifactor$1(authenticatedUser, google2FAGroupChecker));
        });
    }

    default Result showUnauthedMessage(String str, RequestHeader requestHeader) {
        com$gu$pandomainauth$action$AuthActions$$logger().info(str);
        return Results$.MODULE$.Forbidden();
    }

    default String invalidUserMessage(AuthenticatedUser authenticatedUser) {
        return new StringBuilder(20).append("user ").append(authenticatedUser.user().email()).append(" not valid for ").append(com$gu$pandomainauth$action$AuthActions$$system()).toString();
    }

    private default Option<String> decodeCookie(String str, RequestHeader requestHeader) {
        return requestHeader.cookies().get(str).map(cookie -> {
            return URLDecoder.decode(cookie.value(), "UTF-8");
        });
    }

    default Future<Result> processOAuthCallback(RequestHeader requestHeader) {
        return (Future) decodeCookie(ANTI_FORGERY_KEY(), requestHeader).flatMap(str -> {
            return this.decodeCookie(this.LOGIN_ORIGIN_KEY(), requestHeader).map(str -> {
                return this.OAuth().validatedUserIdentity(str, requestHeader, this.com$gu$pandomainauth$action$AuthActions$$ec(), this.wsClient()).map(authenticatedUser -> {
                    AuthenticatedUser copy = authenticatedUser.copy(authenticatedUser.copy$default$1(), this.com$gu$pandomainauth$action$AuthActions$$system(), (Set) this.readAuthenticatedUser(requestHeader).map(authenticatedUser -> {
                        return authenticatedUser.authenticatedIn();
                    }).fold(() -> {
                        return (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{this.com$gu$pandomainauth$action$AuthActions$$system()}));
                    }, set -> {
                        return set.$plus(this.com$gu$pandomainauth$action$AuthActions$$system());
                    }), authenticatedUser.copy$default$4(), this.checkMultifactor(authenticatedUser));
                    if (!this.validateUser(copy)) {
                        return this.showUnauthedMessage(this.invalidUserMessage(authenticatedUser), requestHeader);
                    }
                    return Results$.MODULE$.Redirect(str, Results$.MODULE$.Redirect$default$2(), Results$.MODULE$.Redirect$default$3()).withCookies(ScalaRunTime$.MODULE$.wrapRefArray(new Cookie[]{this.generateCookie(copy)})).discardingCookies(this.com$gu$pandomainauth$action$AuthActions$$discardCookies());
                }, this.com$gu$pandomainauth$action$AuthActions$$ec());
            });
        }).getOrElse(() -> {
            return Future$.MODULE$.successful(Results$.MODULE$.BadRequest().apply("Missing cookies", Writeable$.MODULE$.wString(Codec$.MODULE$.utf_8())));
        });
    }

    default Result processLogout(RequestHeader requestHeader) {
        return flushCookie(showUnauthedMessage("logged out", requestHeader));
    }

    default Option<AuthenticatedUser> readAuthenticatedUser(RequestHeader requestHeader) {
        return readCookie(requestHeader).map(pandomainCookie -> {
            return CookieUtils$.MODULE$.parseCookieData(pandomainCookie.cookie().value(), this.settings().publicKey());
        });
    }

    default Option<PandomainCookie> readCookie(RequestHeader requestHeader) {
        return requestHeader.cookies().get(settings().cookieSettings().cookieName()).map(cookie -> {
            return new PandomainCookie(cookie, requestHeader.cookies().get(this.com$gu$pandomainauth$action$AuthActions$$FORCE_EXPIRY_KEY()).exists(cookie -> {
                return BoxesRunTime.boxToBoolean($anonfun$readCookie$2(cookie));
            }));
        });
    }

    default Cookie generateCookie(AuthenticatedUser authenticatedUser) {
        return new Cookie(settings().cookieSettings().cookieName(), CookieUtils$.MODULE$.generateCookieData(authenticatedUser, settings().privateKey()), Cookie$.MODULE$.apply$default$3(), Cookie$.MODULE$.apply$default$4(), new Some(com$gu$pandomainauth$action$AuthActions$$domain()), true, true, Cookie$.MODULE$.apply$default$8());
    }

    default Result includeSystemInCookie(AuthenticatedUser authenticatedUser, Result result) {
        return result.withCookies(ScalaRunTime$.MODULE$.wrapRefArray(new Cookie[]{generateCookie(authenticatedUser.copy(authenticatedUser.copy$default$1(), authenticatedUser.copy$default$2(), authenticatedUser.authenticatedIn().$plus(com$gu$pandomainauth$action$AuthActions$$system()), authenticatedUser.copy$default$4(), authenticatedUser.copy$default$5()))}));
    }

    default Result flushCookie(Result result) {
        return result.discardingCookies(ScalaRunTime$.MODULE$.wrapRefArray(new DiscardingCookie[]{new DiscardingCookie(settings().cookieSettings().cookieName(), DiscardingCookie$.MODULE$.apply$default$2(), new Some(com$gu$pandomainauth$action$AuthActions$$domain()), true, DiscardingCookie$.MODULE$.apply$default$5())}));
    }

    default AuthenticationStatus extractAuth(RequestHeader requestHeader) {
        return (AuthenticationStatus) readCookie(requestHeader).map(pandomainCookie -> {
            return PanDomain$.MODULE$.authStatus(pandomainCookie.cookie().value(), this.settings().publicKey(), authenticatedUser -> {
                return BoxesRunTime.boxToBoolean(this.validateUser(authenticatedUser));
            }, this.apiGracePeriod(), this.com$gu$pandomainauth$action$AuthActions$$system(), this.cacheValidation(), pandomainCookie.forceExpiry());
        }).getOrElse(() -> {
            return NotAuthenticated$.MODULE$;
        });
    }

    static /* synthetic */ boolean $anonfun$checkMultifactor$1(AuthenticatedUser authenticatedUser, Google2FAGroupChecker google2FAGroupChecker) {
        return google2FAGroupChecker.checkMultifactor(authenticatedUser);
    }

    static /* synthetic */ boolean $anonfun$readCookie$2(Cookie cookie) {
        String value = cookie.value();
        return value != null ? !value.equals("0") : "0" != 0;
    }

    static void $init$(AuthActions authActions) {
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$logger_$eq(LoggerFactory.getLogger(authActions.getClass()));
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$ec_$eq(authActions.controllerComponents().executionContext());
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$OAuth_$eq(new OAuth(authActions.settings().oAuthSettings(), authActions.com$gu$pandomainauth$action$AuthActions$$system(), authActions.authCallbackUrl()));
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$applicationName_$eq(new StringBuilder(26).append("pan-domain-authentication-").append(authActions.com$gu$pandomainauth$action$AuthActions$$system()).toString());
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$multifactorChecker_$eq(authActions.settings().google2FAGroupSettings().map(google2FAGroupSettings -> {
            return new Google2FAGroupChecker(google2FAGroupSettings, authActions.panDomainSettings().bucketName(), authActions.panDomainSettings().s3Client(), authActions.applicationName());
        }));
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$LOGIN_ORIGIN_KEY_$eq("panda-loginOriginUrl");
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$ANTI_FORGERY_KEY_$eq("panda-antiForgeryToken");
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$FORCE_EXPIRY_KEY_$eq("panda-forceExpiry");
    }
}
