package leap.web.security.csrf;

import leap.core.annotation.Inject;
import leap.core.validation.Validation;
import leap.lang.Strings;
import leap.lang.http.HTTP;
import leap.lang.intercepting.State;
import leap.web.Request;
import leap.web.action.ActionContext;
import leap.web.action.ActionInterceptor;
import leap.web.route.Route;
import leap.web.security.SecurityConfig;

/* loaded from: input_file:leap/web/security/csrf/CsrfActionInterceptor.class */
/**
 * Action interceptor that enforces CSRF token verification before an action runs.
 *
 * <p>Enforcement is decided per route: an explicit route-level enable/disable wins,
 * otherwise the global {@link SecurityConfig#isCsrfEnabled()} setting applies. When
 * enforcement is on, every request whose method is not {@code GET} and that
 * {@link CSRF#isIgnored} does not exempt must carry a token that
 * {@link CsrfManager#verifyToken} accepts; otherwise the action is aborted by throwing
 * a {@link MissingCsrfTokenException} or an {@link InvalidCsrfTokenException}.
 */
public class CsrfActionInterceptor implements ActionInterceptor {

    // Global security settings: default CSRF switch plus the header/parameter names
    // under which a token is expected.
    @Inject
    protected SecurityConfig securityConfig;

    // Verifies the submitted token string against the token generated for the request.
    @Inject
    protected CsrfManager csrfManager;

    /**
     * Runs the CSRF check for the request about to be dispatched.
     *
     * @param actionContext the action being executed, providing the route and request
     * @param validation    validation state (unused here)
     * @return always {@link State#CONTINUE}; a failed check is signalled by exception
     * @throws Throwable {@link MissingCsrfTokenException} when no usable token was
     *                   submitted, {@link InvalidCsrfTokenException} when the submitted
     *                   token does not verify
     */
    @Override
    public State preExecuteAction(ActionContext actionContext, Validation validation) throws Throwable {
        if (isEnabled(actionContext)) {
            Request request = actionContext.getRequest();
            // GET is the only method exempted here; any other method is checked
            // unless the request has been explicitly marked as ignored.
            boolean readOnlyMethod = request.isMethod(HTTP.Method.GET);
            if (!readOnlyMethod && !CSRF.isIgnored(request.getServletRequest())) {
                checkCsrfToken(request, CSRF.getGeneratedToken(request));
            }
        }
        return State.CONTINUE;
    }

    /**
     * Resolves whether CSRF enforcement applies to the route of this action.
     *
     * <p>Route-level configuration takes precedence in the order "enabled", then
     * "disabled"; only when the route says nothing does the global setting decide.
     *
     * @param actionContext the action being executed
     * @return {@code true} when the token must be checked for this route
     */
    protected boolean isEnabled(ActionContext actionContext) {
        Route route = actionContext.getRoute();
        if (route.isCsrfEnabled()) {
            return true;
        }
        // An explicit route-level "disabled" short-circuits the global setting.
        return !route.isCsrfDisabled() && this.securityConfig.isCsrfEnabled();
    }

    /**
     * Compares the token submitted with the request against the expected token and
     * aborts the request when they do not match.
     *
     * <p>The comparison itself is delegated to {@link CsrfManager#verifyToken}. Which
     * exception is thrown depends on whether the expected token was freshly generated
     * ({@link CsrfToken#isNew()}): a fresh token means no prior token existed for this
     * client, which is reported as "missing" rather than "invalid".
     *
     * @param request   the current request
     * @param csrfToken the token the server expects for this request
     * @throws Throwable {@link MissingCsrfTokenException} or {@link InvalidCsrfTokenException}
     */
    protected void checkCsrfToken(Request request, CsrfToken csrfToken) throws Throwable {
        String submitted = getCsrfTokenString(request);
        if (this.csrfManager.verifyToken(request, submitted, csrfToken)) {
            return;
        }
        if (csrfToken.isNew()) {
            throw new MissingCsrfTokenException("Expected CSRF token not found. Has your session expired?");
        }
        // The message echoes the client-supplied value; it is the rejected input,
        // not the expected token.
        throw new InvalidCsrfTokenException("Invalid CSRF Token '" + submitted + "' was found on the request parameter '" + this.securityConfig.getCsrfParameterName() + "' or header '" + this.securityConfig.getCsrfHeaderName() + "'.");
    }

    /**
     * Extracts the client-submitted token string from the request.
     *
     * <p>Lookup order: the configured CSRF header, then the configured request
     * parameter, then whatever {@link CSRF#getRequestToken} yields. The first
     * non-empty value wins; if the header and parameter are both empty the result of
     * {@code CSRF.getRequestToken} is returned as-is, possibly {@code null}.
     *
     * @param request the current request
     * @return the submitted token string, or the fallback value from {@code CSRF.getRequestToken}
     */
    protected String getCsrfTokenString(Request request) {
        String token = request.getHeader(this.securityConfig.getCsrfHeaderName());
        if (!Strings.isEmpty(token)) {
            return token;
        }
        token = request.getParameter(this.securityConfig.getCsrfParameterName());
        return Strings.isEmpty(token) ? CSRF.getRequestToken(request) : token;
    }
}
