package com.blade.security.web.csrf;

import com.blade.kit.EncryptKit;
import com.blade.kit.StringKit;
import com.blade.kit.UUID;
import com.blade.mvc.hook.Signature;
import com.blade.mvc.hook.WebHook;
import com.blade.mvc.http.Request;
import com.blade.mvc.http.Response;
import com.blade.mvc.http.Session;
import com.blade.server.netty.HttpConst;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import java.util.function.Consumer;
import java.util.function.Function;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/blade/security/web/csrf/CsrfMiddleware.class */
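/**
 * Synchronizer-token CSRF protection hook.
 *
 * <p>On every request the configured secret is published to the session and a token is derived
 * from it and a per-session random salt (see {@link #tokenize(String, String)}). Requests whose
 * method is not in the ignore list must carry that token (query parameter or header, see
 * {@link #DEFAULT_TOKEN_GETTER}); otherwise the configured error handler is invoked and the
 * request is rejected.
 *
 * <p>Fixes relative to the previous revision: the token used for verification and the token
 * handed to views are now derived from the same secret (the hook stores the secret in the
 * session, so {@link #getToken(Request)} reads it from there instead of only from a request
 * attribute that nothing sets); {@code getToken} no longer returns the raw secret when the
 * {@code csrfSecret} request attribute happens to be set; the submitted token is compared in
 * constant time and a {@code null} result from a custom token getter is treated as a mismatch
 * instead of throwing.
 */
public class CsrfMiddleware implements WebHook {
    private static final Logger log = LoggerFactory.getLogger(CsrfMiddleware.class);

    /** Methods that are never verified; the defaults are the read-only methods. */
    static final List<String> DEFAULT_IGNORE_METHODS = Arrays.asList(HttpConst.METHOD_GET, "HEAD", "OPTIONS");

    /** Default rejection: HTTP 400 with a short plain-text body. */
    static final Consumer<Response> DEFAULT_ERROR_HANDLER = response -> {
        response.badRequest().text("CSRF token mismatch.");
    };

    /**
     * Default lookup of the submitted token: the {@code _token} query parameter, then the
     * {@code X-CSRF-TOKEN} header, then the {@code X-XSRF-TOKEN} header. Never returns {@code null};
     * an absent token yields {@code ""}.
     */
    static final Function<Request, String> DEFAULT_TOKEN_GETTER = request -> {
        return request.query("_token").orElseGet(() -> {
            String csrfHeader = request.header("X-CSRF-TOKEN");
            if (StringKit.isNotBlank(csrfHeader)) {
                return csrfHeader;
            }
            String xsrfHeader = request.header("X-XSRF-TOKEN");
            return StringKit.isNotBlank(xsrfHeader) ? xsrfHeader : "";
        });
    };

    /** Session (and optional request) attribute holding the configured secret. */
    private static final String CSRF_SECRET = "csrfSecret";
    /** Session attribute holding the per-session random salt. */
    private static final String CSRF_SALT = "csrfSalt";
    /** Request attribute holding the token derived for the current request. */
    private static final String CSRF_TOKEN = "_csrf_token";
    /** Request attribute holding a ready-made hidden form field carrying the token. */
    private static final String CSRF_TOKEN_INPUT = "_csrf_token_input";

    private final CsrfOption csrfOption;

    /** Creates the hook with the default {@link CsrfOption}. */
    public CsrfMiddleware() {
        this(CsrfOption.builder().build());
    }

    /**
     * Creates the hook with explicit options.
     *
     * @param csrfOption the options; must not be {@code null}
     * @throws NullPointerException if {@code csrfOption} is {@code null}
     */
    public CsrfMiddleware(CsrfOption csrfOption) {
        // Fail fast here rather than with an NPE on the first request.
        this.csrfOption = Objects.requireNonNull(csrfOption, "csrfOption");
    }

    /**
     * Publishes the secret to the session, derives the token for this request and, for
     * non-ignored methods, verifies the submitted token.
     *
     * @param signature the current request/response pair
     * @return {@code true} to continue the chain, {@code false} after the error handler has
     *         written the rejection
     */
    @Override
    public boolean before(Signature signature) {
        Request request = signature.request();
        Session session = request.session();
        String secret = csrfOption.getSecret();
        // The secret is stored in the session so that getToken() derives tokens from the
        // same value that is verified below.
        session.attribute(CSRF_SECRET, secret);
        getToken(request);
        if (csrfOption.isIgnoreMethod(request.method())) {
            return true;
        }
        String salt = (String) session.attribute(CSRF_SALT);
        if (StringKit.isEmpty(salt)) {
            // No salt means no token was ever issued to this session; nothing can match.
            return reject(signature);
        }
        String submitted = csrfOption.getTokenGetter().apply(request);
        // A custom token getter may return null; treat that as a mismatch, not as an error.
        if (submitted != null && constantTimeEquals(submitted, tokenize(secret, salt))) {
            return true;
        }
        return reject(signature);
    }

    /**
     * Returns the token for this request, generating the session salt on first use, and exposes
     * it as the {@code _csrf_token} and {@code _csrf_token_input} request attributes.
     *
     * @param request the current request
     * @return the Base64 token expected by {@link #before(Signature)}
     */
    public String getToken(Request request) {
        String cached = (String) request.attribute(CSRF_TOKEN);
        if (StringKit.isNotBlank(cached)) {
            // Already derived earlier in this request (normally by before()).
            return cached;
        }
        String secret = resolveSecret(request);
        Session session = request.session();
        String salt = (String) session.attribute(CSRF_SALT);
        if (StringKit.isEmpty(salt)) {
            salt = UUID.UU64();
            session.attribute(CSRF_SALT, salt);
        }
        String token = tokenize(secret, salt);
        request.attribute(CSRF_TOKEN, token);
        // The token is Base64 (A-Z, a-z, 0-9, '+', '/', '='), so it contains no characters
        // that need escaping inside a single-quoted HTML attribute.
        request.attribute(CSRF_TOKEN_INPUT, "<input type='hidden' name='_token' value='" + token + "'/>");
        return token;
    }

    /** Invokes the configured error handler and signals that the chain must stop. */
    private boolean reject(Signature signature) {
        csrfOption.getErrorHandler().accept(signature.response());
        return false;
    }

    /**
     * Resolves the secret to derive tokens from: an explicit request attribute wins, then the
     * value {@link #before(Signature)} stored in the session, then the configured option.
     */
    private String resolveSecret(Request request) {
        String secret = (String) request.attribute(CSRF_SECRET);
        if (StringKit.isNotBlank(secret)) {
            return secret;
        }
        secret = (String) request.session().attribute(CSRF_SECRET);
        return StringKit.isNotBlank(secret) ? secret : csrfOption.getSecret();
    }

    /**
     * Derives a token as {@code Base64(UTF-8 bytes of EncryptKit.SHA1(salt + "-" + secret))}.
     * This scheme is kept unchanged so tokens already issued by earlier versions stay valid;
     * note that it is a plain digest over the concatenation, not an HMAC.
     */
    private String tokenize(String secret, String salt) {
        String digest = EncryptKit.SHA1(salt + "-" + secret);
        return Base64.getEncoder().encodeToString(digest.getBytes(StandardCharsets.UTF_8));
    }

    /** Compares two tokens without short-circuiting on the first differing byte. */
    private static boolean constantTimeEquals(String submitted, String expected) {
        return MessageDigest.isEqual(
                submitted.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }
}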
