package com.blade.mvc.middlewares;

import com.blade.kit.StringKit;
import com.blade.kit.UUID;
import com.blade.mvc.WebContext;
import com.blade.mvc.hook.Invoker;
import com.blade.mvc.hook.WebHook;
import com.blade.mvc.http.Request;
import com.blade.mvc.http.Response;
import com.blade.mvc.route.RouteHandler;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/blade/mvc/middlewares/XssMiddleware.class */
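public class XssMiddleware implements WebHook {
    /** Request attribute under which a freshly generated token is published on GET requests. */
    public static final String CSRF_TOKEN = "_csrf.token";
    /** Request attribute naming the query parameter a client sends the token back in. */
    public static final String CSRF_PARAM_NAME = "_csrf.param";
    /** Request attribute naming the header a client may send the token back in instead. */
    public static final String CSRF_HEADER_NAME = "_csrf.header";
    private static final Logger log = LoggerFactory.getLogger(XssMiddleware.class);
    /**
     * Tokens that have been issued but not yet consumed.
     *
     * <p>Every request thread reads and writes this set, so it must be a concurrent set; the
     * previous raw {@code HashSet} is not safe for concurrent add/remove.
     *
     * <p>NOTE(review): the set is process-global and keyed by the token string alone. A token is
     * not bound to the session or client that received it, and entries are removed only by a
     * successful {@link #validation()}, so the set grows with every GET that is never followed
     * by a validated request.
     */
    private static final Set<String> tokens = ConcurrentHashMap.newKeySet();
    /**
     * Name of the query parameter / header that carries the token. Static and mutable: the
     * {@link #XssMiddleware(String)} constructor replaces it for every instance in the process.
     */
    private static String TOKEN_KEY = "csrf_token";

    /**
     * Marks a route handler method whose non-GET requests must carry a valid token.
     * Only the presence of the annotation is checked by this middleware; {@link #value()} is
     * not read here.
     */
    @Target({ElementType.METHOD})
    @Retention(RetentionPolicy.RUNTIME)
    /* loaded from: input_file:com/blade/mvc/middlewares/XssMiddleware$ValidToken.class */
    public @interface ValidToken {
        Class<? extends RouteHandler> value() default RouteHandler.class;
    }

    /** Creates the hook using the default token key {@code "csrf_token"}. */
    public XssMiddleware() {
    }

    /**
     * Creates the hook and replaces the process-wide token key.
     *
     * @param str the query-parameter / header name clients must use to send the token
     */
    public XssMiddleware(String str) {
        TOKEN_KEY = str;
    }

    /**
     * Issues a token on GET requests and validates one on other methods for annotated handlers.
     *
     * <p>For a GET request the key names and a new token are exposed as request attributes and
     * the token is remembered for later validation. For any other method the request passes
     * unless its handler is annotated with {@link ValidToken}, in which case
     * {@link #validation()} decides.
     *
     * @param invoker the current invocation, providing the request and route
     * @return {@code true} to continue the chain, {@code false} if token validation failed
     */
    @Override // com.blade.mvc.hook.WebHook
    public boolean before(Invoker invoker) {
        Request request = invoker.request();
        if (!"GET".equals(request.method())) {
            // Only handlers explicitly annotated with @ValidToken are checked; all others pass.
            // NOTE(review): every non-GET method (HEAD, OPTIONS, ...) takes this branch.
            boolean protectedRoute =
                    request.route().getAction().getAnnotation(ValidToken.class) != null;
            return !protectedRoute || validation();
        }
        request.attribute(CSRF_PARAM_NAME, TOKEN_KEY);
        request.attribute(CSRF_HEADER_NAME, TOKEN_KEY);
        String token = UUID.UU64();
        request.attribute(CSRF_TOKEN, token);
        // NOTE(review): the full token value is written to the log at DEBUG level.
        log.debug("gen token [{}]", token);
        tokens.add(token);
        return true;
    }

    /**
     * Validates the token carried by the current request and consumes it on success.
     *
     * <p>The query parameter named {@code TOKEN_KEY} is used when present (even if blank);
     * otherwise the header of the same name is read. A blank or unknown token produces a
     * 400 "Bad Request." response. Check-and-remove is a single atomic operation, so the same
     * token cannot be accepted by two concurrent requests.
     *
     * @return {@code true} if the token was known and has now been consumed, else {@code false}
     */
    public static boolean validation() {
        Request request = WebContext.request();
        Response response = WebContext.response();
        String token = request.query(TOKEN_KEY).orElseGet(() -> request.header(TOKEN_KEY));
        // remove() returns false for an unknown token; a blank one is rejected before the lookup.
        if (StringKit.isBlank(token) || !tokens.remove(token)) {
            response.badRequest().text("Bad Request.");
            return false;
        }
        return true;
    }
}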
