package dev.dsf.common.auth;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.auth0.jwt.interfaces.DecodedJWT;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Objects;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.UserIdentity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dev/dsf/common/auth/BearerTokenAuthenticator.class */
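/**
 * Jetty authenticator that accepts an OpenID Connect access token sent as
 * {@code Authorization: Bearer <jwt>}.
 *
 * <p>The token signature is verified with RS256 against the keys returned by
 * {@link DsfOpenIdConfiguration#getRsaKeyProvider()}, and the {@code iss} claim must equal
 * {@link DsfOpenIdConfiguration#getIssuer()}. The raw token is then handed to the configured
 * login service as the credential.
 *
 * <p>NOTE(review): no audience ({@code aud}) restriction is configured on the verifier in this
 * class. If the issuer also mints tokens for other clients, confirm that the login service or
 * the deployment restricts which tokens are accepted.
 */
public class BearerTokenAuthenticator extends LoginAuthenticator {
    private static final Logger logger = LoggerFactory.getLogger(BearerTokenAuthenticator.class);

    /** Authorization scheme followed by the single separating space. */
    private static final String BEARER_PREFIX = "Bearer ";

    private final DsfOpenIdConfiguration openIdConfiguration;

    /**
     * @param dsfOpenIdConfiguration source of the issuer name and the RSA verification keys
     * @throws NullPointerException if {@code dsfOpenIdConfiguration} is {@code null}
     */
    public BearerTokenAuthenticator(DsfOpenIdConfiguration dsfOpenIdConfiguration) {
        this.openIdConfiguration = Objects.requireNonNull(dsfOpenIdConfiguration, "openIdConfiguration");
    }

    /** @return the fixed authentication method name {@code "BEARER_TOKEN"} */
    public String getAuthMethod() {
        return "BEARER_TOKEN";
    }

    /**
     * Authenticates a request from its bearer token.
     *
     * <p>Outcomes, all of which except success return {@link Authentication#SEND_FAILURE}:
     * <ul>
     *   <li>no {@code Authorization} header or a scheme other than Bearer: 401 with a
     *       {@code WWW-Authenticate: Bearer} challenge</li>
     *   <li>expired token: 401 with an {@code invalid_token} challenge</li>
     *   <li>any other verification failure, or a token with neither {@code sub} nor
     *       {@code sid}: 400</li>
     *   <li>verified token rejected by the login service: 403</li>
     * </ul>
     *
     * @param servletRequest the incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse the response; must be an {@link HttpServletResponse}
     * @param mandatory not consulted: every request is authenticated, no deferred authentication
     * @return a {@link UserAuthentication} on success, otherwise {@link Authentication#SEND_FAILURE}
     * @throws ServerAuthException if writing the error response fails
     */
    public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean mandatory) throws ServerAuthException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        try {
            String authorization = ((HttpServletRequest) servletRequest).getHeader(HttpHeader.AUTHORIZATION.asString());

            // HTTP authentication scheme names are case-insensitive, so "bearer " and "BEARER "
            // are accepted as well; the original exact-case match rejected such clients with 401.
            if (authorization == null
                    || !authorization.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
                response.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "Bearer");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return Authentication.SEND_FAILURE;
            }

            // The algorithm is pinned to RS256 here rather than taken from the token header, so a
            // token that declares a different algorithm fails verification. One second of clock
            // skew is tolerated for the time-based claims.
            JWTVerifier verifier = JWT.require(Algorithm.RSA256(this.openIdConfiguration.getRsaKeyProvider()))
                    .withIssuer(this.openIdConfiguration.getIssuer())
                    .acceptLeeway(1L)
                    .build();
            String token = authorization.substring(BEARER_PREFIX.length());

            try {
                DecodedJWT jwt = verifier.verify(token);

                // A token that identifies neither a subject nor a session cannot be mapped to a user.
                if (!jwt.getClaims().containsKey("sub") && !jwt.getClaims().containsKey("sid")) {
                    logger.warn("Access token has no sub and no sid claim");
                    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return Authentication.SEND_FAILURE;
                }

                // Claims can carry personal data (subject, e-mail, roles); this is emitted at debug
                // level only and debug logging should stay off where logs are widely readable.
                logger.debug("Access token claims: {}", jwt.getClaims());

                // No username is supplied; the verified raw token is the credential the login
                // service receives.
                UserIdentity identity = login(null, token, servletRequest);
                if (identity != null) {
                    return new UserAuthentication(getAuthMethod(), identity);
                }
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return Authentication.SEND_FAILURE;
            } catch (TokenExpiredException e) {
                // Must be caught before JWTVerificationException, of which it is a subclass.
                logger.debug("Access token expired");
                response.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "Bearer error=\"invalid_token\", error_description=\"The access token expired\"");
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return Authentication.SEND_FAILURE;
            } catch (JWTVerificationException e) {
                // Previously swallowed silently. Rejected tokens are worth a log line for detection
                // (bad signature, wrong issuer, malformed token). Only the exception type is logged:
                // the message can echo decoded, sender-controlled token content into the log.
                logger.warn("Access token verification failed: {}", e.getClass().getSimpleName());
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return Authentication.SEND_FAILURE;
            }
        } catch (IOException e) {
            throw new ServerAuthException(e);
        }
    }

    /**
     * No response post-processing is needed for bearer tokens.
     *
     * @return always {@code true}
     */
    public boolean secureResponse(ServletRequest servletRequest, ServletResponse servletResponse, boolean mandatory, Authentication.User user) throws ServerAuthException {
        return true;
    }
}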
