package dev.sanda.authentifi.security.jwt;

import dev.sanda.authentifi.config.AuthenticationServerConfiguration;
import dev.sanda.authentifi.security.AES;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.stream.Collectors;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.transaction.annotation.Transactional;

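/**
 * Issues and validates the JWT-based session cookies used by the authentication server.
 *
 * <p>Tokens are signed with HS256 using the configured signing secret, encrypted with the
 * injected {@link AES} helper and delivered as HttpOnly cookies named {@code access_token}
 * and, when remember-me is enabled, {@code refresh_token}.
 */
@Component
/* loaded from: input_file:dev/sanda/authentifi/security/jwt/JwtTokenProvider.class */
public class JwtTokenProvider {

    private static final String ACCESS_TOKEN_COOKIE = "access_token";
    private static final String REFRESH_TOKEN_COOKIE = "refresh_token";

    @Autowired
    private AuthenticationServerConfiguration config;

    @Autowired
    private AES aes;

    /**
     * Builds the access-token cookie for a user.
     *
     * @param str the username, stored as the JWT subject
     * @param collection the user's authorities, stored as strings under the {@code roles} claim
     * @param httpServletRequest the current request, used to derive the cookie attributes
     * @return a cookie holding the encrypted, signed token; its max-age is the configured TTL
     * @throws ArithmeticException if the configured TTL in seconds does not fit in an int
     */
    public Cookie createAccessTokenCookie(String str, Collection<? extends GrantedAuthority> collection, HttpServletRequest httpServletRequest) {
        List<String> roles = collection.stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList());
        Claims claims = Jwts.claims().setSubject(str);
        claims.put("roles", roles);

        long ttlMs = this.config.jwtTtlInMs().longValue();
        Date now = new Date();
        // Not-before is one millisecond in the past so the token is usable immediately.
        Date notBefore = new Date(now.getTime() - 1);
        Date expiration = new Date(now.getTime() + ttlMs);

        Cookie cookie = new Cookie(ACCESS_TOKEN_COOKIE, generateEncryptedToken(claims, expiration, notBefore));
        // Convert to seconds before narrowing: narrowing the millisecond value first threw
        // ArithmeticException for any TTL above Integer.MAX_VALUE ms (about 24.8 days).
        cookie.setMaxAge(Math.toIntExact(ttlMs / 1000));
        setCommonCookieProperties(httpServletRequest, cookie);
        return cookie;
    }

    /**
     * Signs the claims as a compact HS256 JWT and encrypts the result.
     *
     * @param claims the claims to embed
     * @param date the expiration instant
     * @param date2 the not-before instant
     * @return the encrypted token, ready to be used as a cookie value
     */
    private String generateEncryptedToken(Claims claims, Date date, Date date2) {
        String signedJwt = Jwts.builder()
                .setClaims(claims)
                .setNotBefore(date2)
                .setIssuedAt(new Date())
                .setExpiration(date)
                .signWith(SignatureAlgorithm.HS256, this.config.jwtSigningSecret())
                .compact();
        return this.aes.encrypt(signedJwt);
    }

    /**
     * Loads the user named by the token subject and wraps it in an authentication object.
     *
     * @param str a decrypted, signed JWT
     * @return an authentication carrying the user details and authorities, with empty credentials
     */
    @Transactional
    public Authentication getAuthentication(String str) {
        UserDetails user = this.config.userDetailsService().loadUserByUsername(getUsername(str));
        return new UsernamePasswordAuthenticationToken(user, "", user.getAuthorities());
    }

    /**
     * Verifies the token signature and returns its subject.
     *
     * @param str a decrypted, signed JWT
     * @return the subject claim
     */
    public String getUsername(String str) {
        return Jwts.parser()
                .setSigningKey(this.config.jwtSigningSecret())
                .parseClaimsJws(str)
                .getBody()
                .getSubject();
    }

    /**
     * Returns a valid access token for the request, minting a new one from the refresh token
     * when no valid access token is present.
     *
     * <p>NOTE(review): {@link #isValidToken(String)} throws rather than returning false when the
     * parser rejects a token, so an access-token cookie that is present but rejected aborts this
     * method before the refresh token is consulted. Confirm that this is the intended behaviour.
     *
     * @param httpServletRequest the request whose cookies are inspected
     * @param httpServletResponse the response that receives re-issued cookies
     * @return the decrypted access token, or {@code null} if neither cookie is present
     * @throws BadCredentialsException if the refresh token names a user that cannot be loaded
     */
    public String resolveAndValidateToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String accessToken = resolveDecryptedTokenCookie(httpServletRequest, ACCESS_TOKEN_COOKIE);
        if (accessToken != null && isValidToken(accessToken)) {
            return accessToken;
        }

        String refreshToken = resolveDecryptedTokenCookie(httpServletRequest, REFRESH_TOKEN_COOKIE);
        if (refreshToken == null || !isValidToken(refreshToken)) {
            return null;
        }

        // Reload the user so the new access token carries the user's current authorities.
        UserDetails user = this.config.userDetailsService().loadUserByUsername(getUsername(refreshToken));
        if (user == null) {
            throw new BadCredentialsException("Invalid refresh token - please login again");
        }

        Cookie renewedAccessCookie = createAccessTokenCookie(user.getUsername(), user.getAuthorities(), httpServletRequest);
        httpServletResponse.addCookie(renewedAccessCookie);
        // A fresh refresh token is issued on every refresh.
        addRefreshTokenCookieIfEnabled(user.getUsername(), true, httpServletRequest, httpServletResponse);
        return this.aes.decrypt(renewedAccessCookie.getValue());
    }

    /**
     * Finds the named cookie on the request and decrypts its value.
     *
     * @param httpServletRequest the request to search
     * @param str the cookie name
     * @return the decrypted value of the first matching cookie, or {@code null} if there is none
     */
    private String resolveDecryptedTokenCookie(HttpServletRequest httpServletRequest, String str) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie candidate : cookies) {
            if (candidate.getName().equals(str)) {
                return this.aes.decrypt(candidate.getValue());
            }
        }
        return null;
    }

    /**
     * Checks the signature and expiry of a decrypted token.
     *
     * <p>The jjwt parser itself rejects expired and not-yet-valid tokens with a
     * {@link JwtException}, so in practice this method returns {@code true} or throws.
     *
     * @param str a decrypted, signed JWT
     * @return {@code true} if the token parses and its expiration is not in the past
     * @throws InvalidJwtAuthenticationException if the parser rejects the token
     */
    public boolean isValidToken(String str) {
        try {
            Date expiration = Jwts.parser()
                    .setSigningKey(this.config.jwtSigningSecret())
                    .parseClaimsJws(str)
                    .getBody()
                    .getExpiration();
            return !expiration.before(new Date());
        } catch (JwtException | IllegalArgumentException e) {
            throw new InvalidJwtAuthenticationException("Expired or invalid JWT token");
        }
    }

    /**
     * Adds a refresh-token cookie to the response when remember-me is enabled and requested.
     *
     * <p>The refresh token becomes valid only once the access-token TTL has elapsed and expires
     * {@code rememberMeExpInSeconds} after that.
     *
     * @param str the username, stored as the JWT subject
     * @param z whether remember-me was requested for this login
     * @param httpServletRequest the current request, used to derive the cookie attributes
     * @param httpServletResponse the response that receives the cookie
     */
    public void addRefreshTokenCookieIfEnabled(String str, boolean z, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!this.config.rememberMeEnabled().booleanValue() || !z) {
            return;
        }
        Claims claims = Jwts.claims().setSubject(str);
        Date notBefore = new Date(new Date().getTime() + this.config.jwtTtlInMs().longValue());
        // Multiply as long: the int product overflowed for lifetimes above about 24.8 days
        // and produced an expiry earlier than the not-before instant.
        long lifetimeMs = this.config.rememberMeExpInSeconds().intValue() * 1000L;
        Date expiration = new Date(notBefore.getTime() + lifetimeMs);

        // generateEncryptedToken already encrypts. The value was previously encrypted a second
        // time here while the read path decrypts once, so the refresh cookie never parsed as a JWT.
        Cookie cookie = new Cookie(REFRESH_TOKEN_COOKIE, generateEncryptedToken(claims, expiration, notBefore));
        cookie.setMaxAge(this.config.rememberMeExpInSeconds().intValue());
        setCommonCookieProperties(httpServletRequest, cookie);
        httpServletResponse.addCookie(cookie);
    }

    /**
     * Applies the attributes shared by both token cookies: domain, path, HttpOnly and Secure.
     *
     * <p>The domain is taken from the request's {@code Origin} header with scheme and port
     * stripped, and {@code localhost} is mapped to {@code 127.0.0.1}. The header is supplied by
     * the client; browsers ignore a cookie whose Domain does not match the responding host.
     *
     * @param httpServletRequest the current request
     * @param cookie the cookie to configure
     */
    private void setCommonCookieProperties(HttpServletRequest httpServletRequest, Cookie cookie) {
        String origin = httpServletRequest.getHeader("origin");
        // Origin is absent on many requests (same-origin GETs, non-browser clients). Leave the
        // cookie host-only in that case instead of failing with a NullPointerException.
        if (origin != null) {
            String host = origin.replaceFirst("http[s]?://", "").replaceFirst(":.+", "");
            if (!host.isEmpty()) {
                cookie.setDomain(host.equals("localhost") ? "127.0.0.1" : host);
            }
        }
        cookie.setPath("/");
        cookie.setHttpOnly(true);
        // Keep the tokens off plaintext connections whenever the request arrived over TLS.
        // Behind a TLS-terminating proxy this depends on the container honouring forwarded headers.
        cookie.setSecure(httpServletRequest.isSecure());
        // NOTE(review): no SameSite attribute is set here; confirm CSRF protection is applied elsewhere.
    }
}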
