package de.frachtwerk.essencium.backend.service;

import de.frachtwerk.essencium.backend.configuration.properties.JwtConfigProperties;
import de.frachtwerk.essencium.backend.model.AbstractBaseUser;
import de.frachtwerk.essencium.backend.model.SessionToken;
import de.frachtwerk.essencium.backend.model.SessionTokenType;
import de.frachtwerk.essencium.backend.model.dto.UserDto;
import de.frachtwerk.essencium.backend.model.representation.TokenRepresentation;
import de.frachtwerk.essencium.backend.repository.SessionTokenRepository;
import de.frachtwerk.essencium.backend.security.SessionTokenKeyLocator;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Clock;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import jakarta.annotation.Nullable;
import java.io.Serializable;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import javax.crypto.SecretKey;
import lombok.Generated;
import org.springframework.scheduling.annotation.Scheduled;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
/* loaded from: input_file:de/frachtwerk/essencium/backend/service/JwtTokenService.class */
public class JwtTokenService implements Clock {
    private final SessionTokenRepository sessionTokenRepository;
    private final SessionTokenKeyLocator sessionTokenKeyLocator;
    public static final String CLAIM_UID = "uid";
    public static final String CLAIM_NONCE = "nonce";
    public static final String CLAIM_FIRST_NAME = "given_name";
    public static final String CLAIM_LAST_NAME = "family_name";
    private final JwtConfigProperties jwtConfigProperties;
    private AbstractUserService<? extends AbstractBaseUser<?>, ? extends Serializable, ? extends UserDto<?>> userService;
    private final UserMailService userMailService;

    public JwtTokenService(SessionTokenRepository sessionTokenRepository, SessionTokenKeyLocator sessionTokenKeyLocator, JwtConfigProperties jwtConfigProperties, UserMailService userMailService) {
        this.sessionTokenRepository = sessionTokenRepository;
        this.sessionTokenKeyLocator = sessionTokenKeyLocator;
        this.jwtConfigProperties = jwtConfigProperties;
        this.userMailService = userMailService;
    }

    public String login(AbstractBaseUser<? extends Serializable> abstractBaseUser, @Nullable String str) {
        return createToken(abstractBaseUser, SessionTokenType.REFRESH, str, null);
    }

    public String createToken(AbstractBaseUser<? extends Serializable> abstractBaseUser, SessionTokenType sessionTokenType, @Nullable String str, @Nullable String str2) {
        SessionToken createToken;
        SessionToken sessionToken = null;
        if (Objects.nonNull(str2)) {
            sessionToken = getRequestingToken(str2);
        }
        switch (sessionTokenType) {
            case ACCESS:
                createToken = createToken(abstractBaseUser, SessionTokenType.ACCESS, this.jwtConfigProperties.getAccessTokenExpiration(), str, sessionToken);
                break;
            case REFRESH:
                createToken = createToken(abstractBaseUser, SessionTokenType.REFRESH, this.jwtConfigProperties.getRefreshTokenExpiration(), str, null);
                break;
            default:
                throw new IncompatibleClassChangeError();
        }
        SessionToken sessionToken2 = createToken;
        if (sessionTokenType == SessionTokenType.REFRESH) {
            this.userMailService.sendLoginMail(abstractBaseUser.getEmail(), TokenRepresentation.builder().id(sessionToken2.getId()).type(sessionToken2.getType()).issuedAt(sessionToken2.getIssuedAt()).expiration(sessionToken2.getExpiration()).userAgent(sessionToken2.getUserAgent()).build(), abstractBaseUser.getLocale());
        }
        return ((JwtBuilder) Jwts.builder().header().keyId(sessionToken2.getId().toString()).type(sessionTokenType.name()).and()).subject(abstractBaseUser.getUsername()).issuedAt(sessionToken2.getIssuedAt()).expiration(sessionToken2.getExpiration()).issuer(this.jwtConfigProperties.getIssuer()).claim("nonce", abstractBaseUser.getNonce()).claim("given_name", abstractBaseUser.getFirstName()).claim("family_name", abstractBaseUser.getLastName()).claim(CLAIM_UID, abstractBaseUser.getId()).signWith(sessionToken2.getKey()).compact();
    }

    private SessionToken getRequestingToken(String str) {
        return (SessionToken) this.sessionTokenRepository.getReferenceById(UUID.fromString((String) Jwts.parser().keyLocator(this.sessionTokenKeyLocator).requireIssuer(this.jwtConfigProperties.getIssuer()).clock(this).build().parse(str).getHeader().get("kid")));
    }

    private SessionToken createToken(AbstractBaseUser<? extends Serializable> abstractBaseUser, SessionTokenType sessionTokenType, long j, String str, @Nullable SessionToken sessionToken) {
        if (sessionTokenType == SessionTokenType.ACCESS && sessionToken != null) {
            this.sessionTokenRepository.deleteAll(this.sessionTokenRepository.findAllByParentToken(sessionToken));
        }
        Date now = now();
        return (SessionToken) this.sessionTokenRepository.save(SessionToken.builder().key((SecretKey) Jwts.SIG.HS512.key().build()).username(abstractBaseUser.getUsername()).type(sessionTokenType).issuedAt(now).expiration(Date.from(now.toInstant().plusSeconds(j))).userAgent(str).parentToken(sessionToken).build());
    }

    public Claims verifyToken(String str) {
        return (Claims) Jwts.parser().keyLocator(this.sessionTokenKeyLocator).requireIssuer(this.jwtConfigProperties.getIssuer()).clock(this).build().parseSignedClaims(str).getPayload();
    }

    public String renew(String str, String str2) {
        SessionToken requestingToken = getRequestingToken(str);
        AbstractBaseUser<? extends Serializable> m28loadUserByUsername = this.userService.m28loadUserByUsername(requestingToken.getUsername());
        if (Objects.equals(requestingToken.getType(), SessionTokenType.REFRESH)) {
            return createToken(m28loadUserByUsername, SessionTokenType.ACCESS, str2, str);
        }
        throw new IllegalArgumentException("Session token is not a refresh token");
    }

    public List<SessionToken> getTokens(String str) {
        return this.sessionTokenRepository.findAllByUsernameAndType(str, SessionTokenType.REFRESH);
    }

    public void deleteToken(String str, UUID uuid) {
        SessionToken sessionToken = (SessionToken) this.sessionTokenRepository.getReferenceById(uuid);
        if (!Objects.equals(sessionToken.getUsername(), str)) {
            throw new IllegalArgumentException("Session token does not belong to user");
        }
        this.sessionTokenRepository.deleteAll(this.sessionTokenRepository.findAllByParentToken(sessionToken));
        this.sessionTokenRepository.delete(sessionToken);
    }

    @Transactional
    @Scheduled(fixedRateString = "${app.auth.jwt.cleanup-interval}", timeUnit = TimeUnit.SECONDS)
    public void cleanup() {
        this.sessionTokenRepository.deleteAllByExpirationBefore(now());
    }

    public Date now() {
        return new Date();
    }

    @Generated
    public void setUserService(AbstractUserService<? extends AbstractBaseUser<?>, ? extends Serializable, ? extends UserDto<?>> abstractUserService) {
        this.userService = abstractUserService;
    }
}
