package org.tbk.spring.lnurl.security.wallet;

import fr.acinq.bitcoin.Crypto;
import fr.acinq.bitcoin.PublicKey;
import lombok.NonNull;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.tbk.lnurl.auth.K1;
import org.tbk.lnurl.auth.K1Manager;
import org.tbk.lnurl.auth.LinkingKey;
import org.tbk.lnurl.auth.Signature;
import org.tbk.lnurl.auth.SignedLnurlAuth;
import org.tbk.spring.lnurl.security.AbstractTokenAuthenticationProvider;
import org.tbk.spring.lnurl.security.LnurlAuthenticationException;
import org.tbk.spring.lnurl.security.userdetails.LnurlAuthUserPairingService;

/* loaded from: input_file:org/tbk/spring/lnurl/security/wallet/LnurlAuthWalletAuthenticationProvider.class */
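/**
 * Authentication provider for {@link LnurlAuthWalletToken}s, i.e. the wallet side of an
 * lnurl-auth login.
 *
 * <p>For an unauthenticated token it checks the {@code k1} challenge with the
 * {@link K1Manager}, verifies the signature over {@code k1} against the supplied linking key,
 * pairs the user through the {@link LnurlAuthUserPairingService} and then invalidates
 * {@code k1}.
 *
 * <p>Everything carried by the token ({@code k1}, signature, linking key) is request input and
 * is treated as untrusted until both checks have passed.
 */
public class LnurlAuthWalletAuthenticationProvider extends AbstractTokenAuthenticationProvider {

    @NonNull
    private final K1Manager k1Manager;

    @NonNull
    private final LnurlAuthUserPairingService lnurlAuthUserPairingService;

    /**
     * Creates the provider.
     *
     * @param k1Manager used to validate and invalidate {@code k1} challenges
     * @param lnurlAuthUserPairingService used to pair a verified login with a user
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public LnurlAuthWalletAuthenticationProvider(@NonNull K1Manager k1Manager, @NonNull LnurlAuthUserPairingService lnurlAuthUserPairingService) {
        if (k1Manager == null) {
            throw new IllegalArgumentException("k1Manager is marked non-null but is null");
        }
        if (lnurlAuthUserPairingService == null) {
            throw new IllegalArgumentException("lnurlAuthUserPairingService is marked non-null but is null");
        }
        this.k1Manager = k1Manager;
        this.lnurlAuthUserPairingService = lnurlAuthUserPairingService;
    }

    /**
     * Reports whether this provider handles the given authentication class.
     *
     * @param cls the authentication class to test
     * @return {@code true} if {@code cls} is {@link LnurlAuthWalletToken} or a subclass of it
     */
    public boolean supports(Class<?> cls) {
        return LnurlAuthWalletToken.class.isAssignableFrom(cls);
    }

    /**
     * Validates the signed lnurl-auth request held by the token and returns the paired user.
     *
     * @param authentication the token to check; cast to {@link LnurlAuthWalletToken} without a
     *     type test, so callers are expected to have consulted {@link #supports(Class)} first
     * @return the user details returned by the pairing service
     * @throws LnurlAuthenticationException if the token is already authenticated
     * @throws BadCredentialsException if {@code k1} is rejected by the {@link K1Manager}, or the
     *     signature does not verify or cannot be parsed
     * @throws AuthenticationServiceException if pairing the user or invalidating {@code k1}
     *     throws
     */
    @Override
    protected UserDetails retrieveUser(Authentication authentication) throws AuthenticationException {
        LnurlAuthWalletToken walletToken = (LnurlAuthWalletToken) authentication;
        if (walletToken.isAuthenticated()) {
            throw new LnurlAuthenticationException("Already authenticated.");
        }

        SignedLnurlAuth auth = walletToken.getAuth();
        K1 k1 = auth.getK1();
        if (!this.k1Manager.isValid(k1)) {
            throw new BadCredentialsException("k1 value has either expired or was not generated by this service.");
        }

        // The signature and linking key come straight from the request. A parsing failure on
        // malformed input must fail closed as a credential error; left uncaught it would leave
        // the provider as a non-authentication runtime exception instead of a rejected login.
        boolean signatureVerified;
        try {
            signatureVerified = verifyLogin(auth);
        } catch (RuntimeException e) {
            throw new BadCredentialsException("k1 and signature could not be verified.", e);
        }
        if (!signatureVerified) {
            throw new BadCredentialsException("k1 and signature could not be verified.");
        }

        // NOTE(review): isValid(k1) above and invalidate(k1) below are separate calls. Whether
        // K1Manager guarantees single use of a challenge when two requests carrying the same k1
        // arrive concurrently cannot be determined from this class - confirm against the
        // K1Manager implementation in use.
        try {
            UserDetails pairedUser = this.lnurlAuthUserPairingService.pairUserWithK1(auth);
            // k1 is only invalidated after pairing succeeded; a pairing failure leaves it valid.
            this.k1Manager.invalidate(k1);
            return pairedUser;
        } catch (Exception e) {
            // Catches failures of invalidate(k1) as well, which are reported with the same message.
            throw new AuthenticationServiceException("Could not pair k1 with user", e);
        }
    }

    /**
     * Builds the authenticated token from the original request and the resolved user.
     *
     * @param authentication the token that was authenticated; cast to {@link LnurlAuthWalletToken}
     * @param userDetails the user returned by {@link #retrieveUser(Authentication)}
     * @return a new {@link LnurlAuthWalletToken} carrying the signed request, the user and the
     *     user's authorities
     */
    @Override
    protected Authentication createSuccessAuthentication(Authentication authentication, UserDetails userDetails) {
        LnurlAuthWalletToken walletToken = (LnurlAuthWalletToken) authentication;
        return new LnurlAuthWalletToken(walletToken.getAuth(), userDetails, userDetails.getAuthorities());
    }

    /** Verifies the signature of a signed lnurl-auth request against its own k1 and linking key. */
    private boolean verifyLogin(SignedLnurlAuth signedLnurlAuth) {
        return verifyLogin(signedLnurlAuth.getK1(), signedLnurlAuth.getSignature(), signedLnurlAuth.getLinkingKey());
    }

    /**
     * Verifies {@code signature} over the raw bytes of {@code k1} with {@code linkingKey}.
     *
     * <p>The signature bytes are passed through {@code Crypto.der2compact} and the key is built
     * from its hex form before {@code Crypto.verifySignature} is called. Presumably either
     * conversion throws on malformed input (TODO confirm against the library); the caller
     * treats any runtime failure here as a failed verification.
     *
     * @return the result of {@code Crypto.verifySignature}
     */
    private boolean verifyLogin(K1 k1, Signature signature, LinkingKey linkingKey) {
        return Crypto.verifySignature(k1.toArray(), Crypto.der2compact(signature.toArray()), PublicKey.fromHex(linkingKey.toHex()));
    }
}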
