package io.leopard.web4j.nobug.csrf;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:io/leopard/web4j/nobug/csrf/TokenVerifier.class */
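/**
 * Verifies the CSRF token carried in a request parameter.
 *
 * <p>A token is expected to have three {@code '-'}-separated fields. The second field is
 * compared against the start of {@code csrfDao.encrypt(time + " " + account + " " + publicKey)},
 * where {@code time} is the third field and {@code account} comes from
 * {@link CsrfDao#getAccount}. The first field is not inspected by this class.
 *
 * <p>In log-only mode (the default) a bad token is logged and the request proceeds; call
 * {@link #setOnlyLog(boolean) setOnlyLog(false)} to make verification reject requests.
 */
public class TokenVerifier {
    protected Log logger = LogFactory.getLog(getClass());

    // Defaults to true: verification failures are only logged and never block a request.
    // NOTE(review): with this default the verifier gives no CSRF protection until a caller
    // switches it off; confirm that deployments do so.
    private boolean onlyLog = true;
    private final CsrfDao csrfDao;

    /**
     * Switches between log-only mode and enforcing mode.
     *
     * @param onlyLog {@code true} to log failures without rejecting, {@code false} to let
     *     {@link CsrfTokenInvalidException} propagate to the caller
     */
    public void setOnlyLog(boolean onlyLog) {
        this.onlyLog = onlyLog;
    }

    /**
     * @param csrfDao source of the current account and of the digest used to check tokens
     */
    public TokenVerifier(CsrfDao csrfDao) {
        this.csrfDao = csrfDao;
    }

    /**
     * Checks the CSRF token parameter of the request.
     *
     * <p>In enforcing mode a missing, empty or literal {@code "null"} token is rejected just
     * like a wrong one; otherwise leaving the parameter out would skip the check entirely.
     * In log-only mode nothing is thrown for an invalid token.
     *
     * @param httpServletRequest request carrying the token parameter
     * @param httpServletResponse passed through to {@link #checkToken}
     * @throws CsrfTokenInvalidException in enforcing mode, when the token is absent or invalid
     */
    public void verify(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String token = httpServletRequest.getParameter(CsrfServiceImpl.PARAMETER_NAME_CSRF_TOKEN);
        if (token == null || token.length() == 0 || "null".equals(token)) {
            this.logger.debug("checkToken ip:" + CsrfRequestUtil.getProxyIp(httpServletRequest) + " token为什么会为空?");
            if (!this.onlyLog) {
                // Fail closed: an absent token must not pass verification.
                throw new CsrfTokenInvalidException("missing CSRF token.");
            }
            return;
        }
        if (!this.onlyLog) {
            checkToken(httpServletRequest, httpServletResponse, token);
            return;
        }
        try {
            checkToken(httpServletRequest, httpServletResponse, token);
        } catch (CsrfTokenInvalidException e) {
            this.logger.error(e.getMessage(), e);
        }
    }

    /**
     * Validates one token against the digest computed for the current account.
     *
     * @param httpServletRequest request used to look up the account
     * @param httpServletResponse unused here; kept for subclasses
     * @param token raw token value taken from the request
     * @throws CsrfTokenInvalidException when the token is malformed or does not match
     */
    protected void checkToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String token) {
        String account = this.csrfDao.getAccount(httpServletRequest);
        // The token is request data: strip control characters before it reaches logs or messages.
        String safeToken = sanitizeForLog(token);
        String[] parts = token.split("-");
        if (parts.length != 3) {
            throw new CsrfTokenInvalidException("非法token[" + safeToken + "].");
        }
        String prefix = parts[1];
        // An empty prefix would match any digest, so "x--0" must be rejected.
        // NOTE(review): the issuing side's prefix length is not visible here; enforce that
        // exact length too, since a very short prefix is guessable.
        if (prefix.isEmpty()) {
            throw new CsrfTokenInvalidException("非法token[" + safeToken + "].");
        }
        long time;
        try {
            time = Long.parseLong(parts[2]);
        } catch (NumberFormatException e) {
            // Report a malformed timestamp as an invalid token so that log-only mode
            // handles it instead of failing the request with an unexpected exception.
            throw new CsrfTokenInvalidException("非法token[" + safeToken + "].");
        }
        // NOTE(review): the timestamp only feeds the digest; no expiry check is made here,
        // so a token stays valid for as long as the account and key are unchanged.
        String expected = this.csrfDao.encrypt(time + " " + account + " " + CsrfServiceImpl.publicKey);
        if (constantTimeStartsWith(expected, prefix)) {
            return;
        }
        // The expected digest is deliberately not logged: together with the timestamp it
        // would let a log reader assemble a valid token for this account.
        this.logger.error("prefix:" + sanitizeForLog(prefix) + " account:" + account + " time:" + time + " token:" + safeToken);
        throw new CsrfTokenInvalidException("token[" + safeToken + "]不正确.");
    }

    /**
     * Reports whether {@code expected} starts with {@code prefix}, examining every character
     * of the prefix so that timing does not reveal the position of the first mismatch.
     */
    private static boolean constantTimeStartsWith(String expected, String prefix) {
        if (expected == null || prefix.length() > expected.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < prefix.length(); i++) {
            diff |= expected.charAt(i) ^ prefix.charAt(i);
        }
        return diff == 0;
    }

    /** Replaces control characters (CR, LF and the like) so a value cannot forge log lines. */
    private static String sanitizeForLog(String value) {
        StringBuilder cleaned = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            cleaned.append(Character.isISOControl(c) ? '_' : c);
        }
        return cleaned.toString();
    }
}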
