package io.unsecurity.auth.auth0.oidc;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;
import io.circe.Error;
import io.circe.parser.package$;
import io.unsecurity.auth.auth0.oidc.Jwt;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.ZoneId;
import java.time.ZoneOffset;
import org.apache.commons.codec.binary.Base64;
import scala.MatchError;
import scala.runtime.Nothing$;
import scala.util.Either;
import scala.util.Left;
import scala.util.Right;

/* compiled from: TokenVerifier.scala */
/* loaded from: input_file:io/unsecurity/auth/auth0/oidc/TokenVerifier$.class */
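/**
 * Decompiled Scala singleton ({@code object TokenVerifier}) that verifies an OIDC ID token
 * and turns its claims into an {@code OidcAuthenticatedUser}.
 *
 * <p>All failures are reported as a {@code Left} carrying a human-readable message rather than
 * as exceptions. Those messages are built from decoder errors and exception text, so callers
 * should treat them as diagnostic output and not echo them to an unauthenticated client.
 */
public final class TokenVerifier$ {
    /** The single instance; assigned by the private constructor when the static initialiser runs. */
    public static TokenVerifier$ MODULE$;

    static {
        new TokenVerifier$();
    }

    /**
     * Decodes a Base64 string and interprets the resulting bytes as UTF-8 text.
     *
     * @param str Base64 text (used below for the payload segment of a JWT)
     * @return the decoded bytes as a UTF-8 string
     */
    public String decodeBase64(String str) {
        // Charset constant instead of the "UTF-8" name: same decoding, but no charset lookup by
        // name and no checked UnsupportedEncodingException.
        return new String(Base64.decodeBase64(str), java.nio.charset.StandardCharsets.UTF_8);
    }

    /**
     * Wraps a single RSA public key in a verification-only {@code RSAKeyProvider}.
     *
     * <p>Both private-key accessors throw {@code UnsupportedOperationException}, so an
     * {@code Algorithm} built on this provider cannot sign tokens.
     *
     * @param rSAPublicKey the public key that signatures are checked against
     * @return a provider that returns {@code rSAPublicKey} for every key lookup
     */
    public RSAKeyProvider createPublicKeyProvider(final RSAPublicKey rSAPublicKey) {
        return new RSAKeyProvider(rSAPublicKey) { // from class: io.unsecurity.auth.auth0.oidc.TokenVerifier$$anon$1
            private final RSAPublicKey publicKey$1;

            public Nothing$ getPrivateKeyId() {
                throw new UnsupportedOperationException("The private key is stored at the IdP and should never hit our app. Use this KeyProvider only for verification, not signing!");
            }

            /* renamed from: getPublicKeyById, reason: merged with bridge method [inline-methods] */
            // The key id argument is ignored: every lookup returns the one key captured at
            // construction, so a rotated signing key needs a new provider from the caller.
            public RSAPublicKey m21getPublicKeyById(String str) {
                return this.publicKey$1;
            }

            /* renamed from: getPrivateKey, reason: merged with bridge method [inline-methods] */
            public RSAPrivateKey m20getPrivateKey() {
                throw new UnsupportedOperationException("The private key is stored at the IdP and should never hit our app. Use this KeyProvider only for verification, not signing!");
            }

            /* renamed from: getPrivateKeyId, reason: collision with other method in class */
            public /* bridge */ /* synthetic */ String m22getPrivateKeyId() {
                throw getPrivateKeyId();
            }

            {
                this.publicKey$1 = rSAPublicKey;
            }
        };
    }

    /**
     * Verifies an ID token and decodes the authenticated user from its payload.
     *
     * <p>Order of checks: the token is verified with {@code algorithm} against the expected
     * issuer and audience; the payload is decoded as a {@code Jwt.JwtPayload}; its {@code exp}
     * claim is compared with the current UTC time; finally the same payload is decoded as an
     * {@code OidcAuthenticatedUser}.
     *
     * @param algorithm verification algorithm handed to {@code JWT.require}
     * @param str issuer host; the expected issuer is {@code "https://" + str + "/"}
     * @param str2 the audience the token must carry
     * @param str3 the encoded token to verify
     * @return {@code Right} with the decoded user, or {@code Left} with a message describing
     *     which step failed
     */
    public Either<String, OidcAuthenticatedUser> validateIdToken(Algorithm algorithm, String str, String str2, String str3) {
        Left apply;
        Left left;
        Left left2;
        try {
            // Signature, issuer and audience are checked here; nothing below runs on a token
            // that fails verification, because verify() throws and the catch block reports it.
            DecodedJWT verify = JWT.require(algorithm).withIssuer(new StringBuilder(9).append("https://").append(str).append("/").toString()).withAudience(new String[]{str2}).build().verify(str3);
            Left decode = package$.MODULE$.decode(decodeBase64(verify.getPayload()), Jwt$JwtPayload$.MODULE$.jwtPayloadDecoder());
            if (decode instanceof Left) {
                left2 = scala.package$.MODULE$.Left().apply(new StringBuilder(30).append("Unable to decode JWT payload: ").append((Error) decode.value()).toString());
            } else {
                if (!(decode instanceof Right)) {
                    throw new MatchError(decode);
                }
                // exp is read as seconds since the epoch and compared in UTC with no leeway.
                // NOTE(review): the JWT library's verify() presumably rejects expired tokens
                // already; this explicit comparison then acts as a second check - confirm.
                OffsetDateTime from = OffsetDateTime.from(Instant.ofEpochSecond(((Jwt.JwtPayload) ((Right) decode).value()).exp()).atOffset(ZoneOffset.UTC));
                OffsetDateTime now = OffsetDateTime.now(ZoneId.from(ZoneOffset.UTC));
                if (now.isAfter(from)) {
                    left = scala.package$.MODULE$.Left().apply(new StringBuilder(44).append("Token is expired! ").append(now).append(" is after expirationTime: ").append(from).toString());
                } else {
                    Left decode2 = package$.MODULE$.decode(decodeBase64(verify.getPayload()), OidcAuthenticatedUser$.MODULE$.authenticatedUserDecoder());
                    if (decode2 instanceof Left) {
                        // The token payload is deliberately left out of this message: it holds
                        // the user's claims, and the returned string may end up in logs or in a
                        // response. The decoder error alone identifies what failed to parse.
                        apply = scala.package$.MODULE$.Left().apply(new StringBuilder(50).append("Could not parse userprofile from auth0 ").append((Error) decode2.value()).toString());
                    } else {
                        if (!(decode2 instanceof Right)) {
                            throw new MatchError(decode2);
                        }
                        apply = scala.package$.MODULE$.Right().apply((OidcAuthenticatedUser) ((Right) decode2).value());
                    }
                    left = apply;
                }
                left2 = left;
            }
            return left2;
        } catch (Exception e) {
            // Verification failures and any other exception from the steps above are folded
            // into a Left so that callers only deal with the Either.
            return scala.package$.MODULE$.Left().apply(new StringBuilder(25).append("Exception decoding token ").append(e.getMessage()).toString());
        }
    }

    /** Publishes this instance as {@code MODULE$}; invoked once from the static initialiser. */
    private TokenVerifier$() {
        MODULE$ = this;
    }
}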
