package com.v5analytics.webster.handlers;

import com.v5analytics.webster.HandlerChain;
import com.v5analytics.webster.RequestResponseHandler;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/* loaded from: input_file:WEB-INF/lib/webster-2.2.1.jar:com/v5analytics/webster/handlers/CSRFHandler.class */
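/**
 * Synchronizer-token CSRF guard for the webster handler chain.
 *
 * <p>A random token is stored in the user's {@link HttpSession} under
 * {@link #CSRF_TOKEN_ATTR}. Every non-GET request must present that exact token,
 * either as a request parameter or (optionally) as a request header; a GET
 * request must NOT carry the token at all, and if it does the stored token is
 * rotated, on the assumption that a token in a GET has been exposed in a URL.
 *
 * <p>Only the request side is enforced here: something earlier in the chain or
 * in the page template must call {@link #getSavedToken(HttpServletRequest, boolean)}
 * with {@code true} so that a token exists for forms/XHR to echo back.
 */
public class CSRFHandler implements RequestResponseHandler {
    /** Session attribute under which the per-session CSRF token is kept. */
    public static final String CSRF_TOKEN_ATTR = "webster.csrf.token";

    /** Entropy of a freshly generated token, in bits (rendered as base-32 text). */
    private static final int TOKEN_BITS = 120;

    /**
     * One shared CSPRNG. {@code SecureRandom} is safe for concurrent use and
     * comparatively expensive to construct, so it is built once instead of on
     * every token reset as the original did.
     */
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Name of the request parameter that carries the token; may be null. */
    private final String tokenRequestParameterName;
    /** Name of the request header that carries the token; may be null. */
    private final String tokenRequestHeaderName;

    /**
     * Raised when a request fails the CSRF check. Left as a non-static inner class
     * to keep the constructor's binary signature identical to the shipped jar.
     */
    public class TokenException extends Exception {
        public TokenException(String str) {
            super(str);
        }
    }

    /**
     * Returns the token stored in the current session without creating a session.
     *
     * @return the stored token, or null if there is no session or no token yet
     */
    public static String getSavedToken(HttpServletRequest httpServletRequest) {
        return getSavedToken(httpServletRequest, false);
    }

    /**
     * Returns the session's CSRF token.
     *
     * @param z when true, a session (and a token) is created if missing; when
     *          false, the method is purely a lookup and never creates either
     * @return the token, or null when {@code z} is false and no session/token exists
     */
    public static String getSavedToken(HttpServletRequest httpServletRequest, boolean z) {
        HttpSession session = httpServletRequest.getSession(z);
        if (session == null) {
            return null;
        }
        String token = (String) session.getAttribute(CSRF_TOKEN_ATTR);
        if (token == null && z) {
            token = resetSavedToken(httpServletRequest);
        }
        return token;
    }

    /**
     * Generates a fresh random token and stores it in the session, creating the
     * session if necessary. The base-32 rendering of a 120-bit value is up to 24
     * characters; it may be shorter when the high bits happen to be zero.
     */
    private static String resetSavedToken(HttpServletRequest httpServletRequest) {
        String token = new BigInteger(TOKEN_BITS, RANDOM).toString(32);
        httpServletRequest.getSession().setAttribute(CSRF_TOKEN_ATTR, token);
        return token;
    }

    /**
     * Removes the stored token from an existing session; does nothing when there
     * is no session. Not referenced within this class in the shipped jar; kept
     * for parity with it.
     */
    private static void clearSavedToken(HttpServletRequest httpServletRequest) {
        if (httpServletRequest.getSession(false) != null) {
            httpServletRequest.getSession().removeAttribute(CSRF_TOKEN_ATTR);
        }
    }

    /**
     * Creates a handler that reads the token only from a request parameter.
     *
     * @param str name of the request parameter carrying the token
     */
    public CSRFHandler(String str) {
        this(str, null);
    }

    /**
     * Creates a handler that reads the token from a request parameter, falling
     * back to a request header when the parameter is absent.
     *
     * @param str  name of the request parameter carrying the token (may be null)
     * @param str2 name of the request header carrying the token (may be null)
     */
    public CSRFHandler(String str, String str2) {
        this.tokenRequestParameterName = str;
        this.tokenRequestHeaderName = str2;
    }

    /**
     * Enforces the CSRF policy and then continues the chain. A GET must not carry
     * a token; every other method must carry the session's token. On failure a
     * {@link TokenException} propagates and the chain is not continued.
     *
     * <p>Note the comparison is against exactly {@code "GET"}: HEAD and OPTIONS
     * are treated like state-changing methods and must also present a token.
     */
    @Override // com.v5analytics.webster.RequestResponseHandler
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HandlerChain handlerChain) throws Exception {
        if ("GET".equals(httpServletRequest.getMethod())) {
            verifyTokenAbsence(httpServletRequest);
        } else {
            verifyToken(httpServletRequest, httpServletResponse);
        }
        handlerChain.next(httpServletRequest, httpServletResponse);
    }

    /**
     * Requires the request to carry exactly the token stored in the session.
     * The session lookup never creates a session, so a request without one fails.
     *
     * @throws TokenException if the request has no token, the session has none,
     *                        or the two differ
     */
    private void verifyToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws TokenException {
        String presented = getTokenFromRequest(httpServletRequest);
        String expected = getSavedToken(httpServletRequest);
        if (presented == null) {
            throw new TokenException("CSRF token not found in request parameter " + this.tokenRequestParameterName);
        }
        if (expected == null) {
            throw new TokenException("CSRF token has not been set in the user's session");
        }
        if (!tokensMatch(presented, expected)) {
            throw new TokenException("CSRF token from request parameter " + this.tokenRequestParameterName + " does not match the one stored in the user's session");
        }
    }

    /**
     * Constant-time comparison of the presented token against the stored one.
     * {@code String.equals} short-circuits on the first differing character,
     * which leaks how much of the secret matched; {@code MessageDigest.isEqual}
     * does not.
     */
    private static boolean tokensMatch(String presented, String expected) {
        byte[] a = presented.getBytes(StandardCharsets.UTF_8);
        byte[] b = expected.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    /**
     * Rejects a GET that carries a token. A token in a GET has likely landed in a
     * URL (logs, Referer, history), so the stored token is rotated before the
     * request is refused. Rotation calls {@code getSession()} and therefore
     * creates a session if the request had none.
     *
     * @throws TokenException if the request carries a token
     */
    private void verifyTokenAbsence(HttpServletRequest httpServletRequest) throws TokenException {
        if (getTokenFromRequest(httpServletRequest) == null) {
            return;
        }
        resetSavedToken(httpServletRequest);
        throw new TokenException("CSRF token found in a " + httpServletRequest.getMethod() + " request. Token has been reset");
    }

    /**
     * Extracts the token from the request: the configured parameter first (which
     * for the servlet API covers both query string and form body), then the
     * configured header. Either name may be null, in which case that source is
     * skipped.
     *
     * @return the token as sent, or null if neither source supplies one
     */
    private String getTokenFromRequest(HttpServletRequest httpServletRequest) {
        String token = null;
        if (this.tokenRequestParameterName != null) {
            token = httpServletRequest.getParameter(this.tokenRequestParameterName);
        }
        if (token == null && this.tokenRequestHeaderName != null) {
            token = httpServletRequest.getHeader(this.tokenRequestHeaderName);
        }
        return token;
    }
}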
