package org.springframework.security.oauth2.server.resource.web.server;

import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.BearerTokenError;
import org.springframework.security.oauth2.server.resource.BearerTokenErrors;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.util.StringUtils;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-resource-server-5.5.2.jar:org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.class */
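/**
 * Reactive {@link ServerAuthenticationConverter} that pulls an OAuth 2.0 bearer token out of a
 * request and wraps it in a {@link BearerTokenAuthenticationToken}.
 *
 * <p>The token is read from the configured header (default {@code Authorization}) or, when
 * {@link #setAllowUriQueryParameter(boolean)} is enabled and the request method is GET, from the
 * {@code access_token} query parameter. A request that carries the token more than once is
 * rejected with an {@code invalid_request} error; a header that starts with {@code bearer} but
 * does not match the expected token syntax is rejected with an {@code invalid_token} error.
 *
 * <p>This class only extracts the token string. It does not validate the token.
 */
public class ServerBearerTokenAuthenticationConverter implements ServerAuthenticationConverter {
    // "Bearer <token>", scheme matched case-insensitively. The token is restricted to letters,
    // digits and "-._~+/" followed by optional '=' padding, so anything else fails the match.
    private static final Pattern authorizationPattern =
            Pattern.compile("^Bearer (?<token>[a-zA-Z0-9-._~+/]+=*)$", Pattern.CASE_INSENSITIVE);

    // Query-parameter tokens are off unless explicitly enabled.
    private boolean allowUriQueryParameter = false;

    private String bearerTokenHeaderName = HttpHeaders.AUTHORIZATION;

    /**
     * Resolves the bearer token of the current request.
     *
     * @param serverWebExchange the exchange whose request is inspected
     * @return a {@code Mono} emitting the unauthenticated bearer token, or an empty {@code Mono}
     *     when the request carries no usable bearer token; the {@code Mono} fails with
     *     {@link OAuth2AuthenticationException} when the token is malformed, empty, or supplied
     *     more than once
     */
    @Override // org.springframework.security.web.server.authentication.ServerAuthenticationConverter
    public Mono<Authentication> convert(ServerWebExchange serverWebExchange) {
        // fromCallable defers extraction until subscription; a null result becomes an empty Mono.
        return Mono.fromCallable(() -> token(serverWebExchange.getRequest()))
                .map(bearerToken -> {
                    // Only reachable for a query-parameter token: the header pattern needs 1+ chars.
                    if (bearerToken.isEmpty()) {
                        throw new OAuth2AuthenticationException(invalidTokenError());
                    }
                    return new BearerTokenAuthenticationToken(bearerToken);
                });
    }

    /**
     * Picks the single bearer token carried by the request.
     *
     * @return the token, or {@code null} when none is present or the query parameter is not
     *     accepted for this request
     * @throws OAuth2AuthenticationException if the token appears in both the header and the
     *     query string, appears several times in the query string, or the header is malformed
     */
    private String token(ServerHttpRequest serverHttpRequest) {
        String headerToken = resolveFromAuthorizationHeader(serverHttpRequest.getHeaders());
        String parameterToken = resolveFromQueryParameter(serverHttpRequest);
        if (headerToken != null) {
            // The conflict is reported even when query-parameter tokens are disabled.
            if (parameterToken != null) {
                throw new OAuth2AuthenticationException(multipleTokensError());
            }
            return headerToken;
        }
        if (parameterToken != null && isParameterTokenSupportedForRequest(serverHttpRequest)) {
            return parameterToken;
        }
        return null;
    }

    /**
     * Reads the {@code access_token} query parameter, refusing requests that repeat it.
     *
     * <p>Taking only the first value would silently ignore further {@code access_token}
     * parameters, so a component in front of this one that reads a different occurrence could
     * see a different token than the one authenticated here.
     *
     * @return the single parameter value, or {@code null} when the parameter is absent
     * @throws OAuth2AuthenticationException if the parameter occurs more than once
     */
    private static String resolveFromQueryParameter(ServerHttpRequest serverHttpRequest) {
        java.util.List<String> values =
                serverHttpRequest.getQueryParams().get(OAuth2ParameterNames.ACCESS_TOKEN);
        if (values == null || values.isEmpty()) {
            return null;
        }
        if (values.size() > 1) {
            throw new OAuth2AuthenticationException(multipleTokensError());
        }
        return values.get(0);
    }

    /**
     * Enables or disables reading the token from the {@code access_token} query parameter
     * (GET requests only). Disabled by default.
     *
     * <p>Tokens placed in a URI tend to end up in access logs, browser history and
     * {@code Referer} headers, so enable this only where the header cannot be used.
     *
     * @param z {@code true} to accept query-parameter tokens
     */
    public void setAllowUriQueryParameter(boolean z) {
        this.allowUriQueryParameter = z;
    }

    /**
     * Sets the name of the header the bearer token is read from.
     *
     * @param str the header name; the default is {@code Authorization}
     */
    public void setBearerTokenHeaderName(String str) {
        this.bearerTokenHeaderName = str;
    }

    /**
     * Extracts the token from the configured header.
     *
     * @return the token, or {@code null} when the header is absent or does not start with
     *     {@code bearer} (another scheme is not an error here)
     * @throws OAuth2AuthenticationException if the header starts with {@code bearer} but does not
     *     match the expected token syntax
     */
    private String resolveFromAuthorizationHeader(HttpHeaders httpHeaders) {
        String headerValue = httpHeaders.getFirst(this.bearerTokenHeaderName);
        if (!StringUtils.startsWithIgnoreCase(headerValue, "bearer")) {
            return null;
        }
        Matcher matcher = authorizationPattern.matcher(headerValue);
        if (!matcher.matches()) {
            throw new OAuth2AuthenticationException(invalidTokenError());
        }
        // Named group declared in authorizationPattern.
        return matcher.group("token");
    }

    /** Builds the error used for a syntactically invalid or empty bearer token. */
    private static BearerTokenError invalidTokenError() {
        return BearerTokenErrors.invalidToken("Bearer token is malformed");
    }

    /** Builds the error used when a request supplies the bearer token more than once. */
    private static BearerTokenError multipleTokensError() {
        return BearerTokenErrors.invalidRequest("Found multiple bearer tokens in the request");
    }

    /** Query-parameter tokens are honoured only when enabled and only for GET requests. */
    private boolean isParameterTokenSupportedForRequest(ServerHttpRequest serverHttpRequest) {
        return this.allowUriQueryParameter && HttpMethod.GET.equals(serverHttpRequest.getMethod());
    }
}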
