package io.micronaut.security.token.jwt.endpoints;

import io.micronaut.context.annotation.Requirements;
import io.micronaut.context.annotation.Requires;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.core.async.annotation.SingleResult;
import io.micronaut.core.util.StringUtils;
import io.micronaut.http.HttpRequest;
import io.micronaut.http.HttpResponse;
import io.micronaut.http.HttpStatus;
import io.micronaut.http.MutableHttpResponse;
import io.micronaut.http.annotation.Body;
import io.micronaut.http.annotation.Consumes;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.CookieValue;
import io.micronaut.http.annotation.Get;
import io.micronaut.http.annotation.Post;
import io.micronaut.security.annotation.Secured;
import io.micronaut.security.errors.IssuingAnAccessTokenErrorCode;
import io.micronaut.security.errors.OauthErrorResponseException;
import io.micronaut.security.handlers.LoginHandler;
import io.micronaut.security.token.refresh.RefreshTokenPersistence;
import io.micronaut.security.token.validator.RefreshTokenValidator;
import io.micronaut.validation.Validated;
import java.util.Optional;
import org.reactivestreams.Publisher;
import reactor.core.publisher.Mono;

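/**
 * Controller for the endpoint that exchanges a refresh token for a new access token.
 *
 * <p>The route is taken from {@code micronaut.security.endpoints.oauth.path} and defaults to
 * {@code /oauth/access_token}. The controller is only registered when
 * {@code micronaut.security.endpoints.oauth.enabled} is not {@code "false"} and both a
 * {@link RefreshTokenPersistence} and a {@link RefreshTokenValidator} bean are present.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The endpoint is secured with {@code isAnonymous()}, i.e. it is reachable without an
 *       authenticated session. The refresh token is therefore the only credential checked on
 *       this path, and the {@link RefreshTokenValidator} is the gate.</li>
 *   <li>The token may arrive in the request body (POST) or in the {@code JWT_REFRESH_TOKEN}
 *       cookie (POST and, if enabled, GET). When a body is bound it takes precedence and the
 *       cookie is ignored.</li>
 *   <li>NOTE(review): the GET variant reads the token only from a cookie, which browsers attach
 *       automatically, and a successful call issues new tokens. Before enabling GET, confirm the
 *       cookie's {@code SameSite} setting and any cross-site request protections.</li>
 *   <li>NOTE(review): whether a used refresh token is rotated or revoked is decided by the
 *       {@link RefreshTokenPersistence} / {@link LoginHandler} implementations and is not
 *       visible in this class.</li>
 * </ul>
 */
@Requirements({@Requires(property = "micronaut.security.endpoints.oauth.enabled", notEquals = "false"), @Requires(beans = {RefreshTokenPersistence.class}), @Requires(beans = {RefreshTokenValidator.class})})
@Secured({"isAnonymous()"})
@Controller("${micronaut.security.endpoints.oauth.path:/oauth/access_token}")
@Validated
public class OauthController {
    private final RefreshTokenPersistence refreshTokenPersistence;
    private final RefreshTokenValidator refreshTokenValidator;
    private final OauthControllerConfigurationProperties oauthControllerConfigurationProperties;
    private final LoginHandler loginHandler;

    /**
     * Creates the controller with its collaborators.
     *
     * @param refreshTokenPersistence resolves the authentication bound to a validated refresh token
     * @param refreshTokenValidator validates the presented refresh token
     * @param oauthControllerConfigurationProperties endpoint configuration (read for the GET switch)
     * @param loginHandler builds the HTTP response for a successful refresh
     */
    public OauthController(RefreshTokenPersistence refreshTokenPersistence, RefreshTokenValidator refreshTokenValidator, OauthControllerConfigurationProperties oauthControllerConfigurationProperties, LoginHandler loginHandler) {
        this.refreshTokenPersistence = refreshTokenPersistence;
        this.refreshTokenValidator = refreshTokenValidator;
        this.oauthControllerConfigurationProperties = oauthControllerConfigurationProperties;
        this.loginHandler = loginHandler;
    }

    /**
     * Handles a POST refresh request.
     *
     * @param httpRequest the current request, forwarded to the login handler
     * @param tokenRefreshRequest the bound form/JSON body, or {@code null} when no body was bound
     * @param str the value of the {@code JWT_REFRESH_TOKEN} cookie, or {@code null} when absent;
     *            only consulted when {@code tokenRefreshRequest} is {@code null}
     * @return a publisher emitting the response produced by the login handler
     * @throws OauthErrorResponseException if the request is malformed or the token is rejected
     */
    @SingleResult
    @Consumes({"application/x-www-form-urlencoded", "application/json"})
    @Post
    public Publisher<MutableHttpResponse<?>> index(HttpRequest<?> httpRequest, @Nullable @Body TokenRefreshRequest tokenRefreshRequest, @CookieValue("JWT_REFRESH_TOKEN") @Nullable String str) {
        String refreshToken = resolveRefreshToken(tokenRefreshRequest, str);
        return createResponse(httpRequest, refreshToken);
    }

    /**
     * Handles a GET refresh request, which carries the token only in the cookie.
     *
     * <p>Answers {@code 405 Method Not Allowed} unless the configuration allows GET; the check
     * runs before the cookie is inspected.
     *
     * @param httpRequest the current request, forwarded to the login handler
     * @param str the value of the {@code JWT_REFRESH_TOKEN} cookie, or {@code null} when absent
     * @return a publisher emitting either the 405 response or the login handler's response
     * @throws OauthErrorResponseException if the cookie is missing/empty or the token is rejected
     */
    @SingleResult
    @Get
    public Publisher<MutableHttpResponse<?>> index(HttpRequest<?> httpRequest, @CookieValue("JWT_REFRESH_TOKEN") @Nullable String str) {
        if (!this.oauthControllerConfigurationProperties.isGetAllowed()) {
            return Mono.just(HttpResponse.status(HttpStatus.METHOD_NOT_ALLOWED));
        }
        return createResponse(httpRequest, resolveRefreshToken(null, str));
    }

    /**
     * Validates the refresh token and, on success, delegates to the login handler.
     *
     * <p>The value returned by the validator (not the raw input) is used for the persistence
     * lookup, while the token as presented by the client is what is handed to
     * {@link LoginHandler#loginRefresh}.
     *
     * @param httpRequest the current request
     * @param refreshToken the non-empty token taken from the body or the cookie
     * @return a publisher emitting the refresh response
     * @throws OauthErrorResponseException with {@code INVALID_GRANT} when validation fails; note
     *         that it is thrown synchronously rather than signalled through the publisher
     */
    @SingleResult
    private Publisher<MutableHttpResponse<?>> createResponse(HttpRequest<?> httpRequest, String refreshToken) {
        // Typed Optional instead of the raw type: removes the unchecked cast on the lookup key.
        Optional<String> validated = this.refreshTokenValidator.validate(refreshToken);
        if (!validated.isPresent()) {
            // Single generic message: the response does not reveal why the token was rejected.
            throw new OauthErrorResponseException(IssuingAnAccessTokenErrorCode.INVALID_GRANT, "Refresh token is invalid", (String) null);
        }
        return Mono.from(this.refreshTokenPersistence.getAuthentication(validated.get()))
                .map(authentication -> this.loginHandler.loginRefresh(authentication, refreshToken, httpRequest));
    }

    /**
     * Picks the refresh token from the request body or, failing that, from the cookie.
     *
     * <p>A bound body always wins: if it is present but incomplete the request is rejected even
     * when a cookie was also sent.
     *
     * @param tokenRefreshRequest the bound body, or {@code null}
     * @param cookieRefreshToken the cookie value, or {@code null}
     * @return the non-empty refresh token
     * @throws OauthErrorResponseException with {@code INVALID_REQUEST} when a required field or
     *         the token itself is missing, or {@code UNSUPPORTED_GRANT_TYPE} when the body's
     *         grant type is not {@code refresh_token}
     */
    @NonNull
    private String resolveRefreshToken(TokenRefreshRequest tokenRefreshRequest, String cookieRefreshToken) {
        String refreshToken;
        if (tokenRefreshRequest != null) {
            if (StringUtils.isEmpty(tokenRefreshRequest.getGrantType()) || StringUtils.isEmpty(tokenRefreshRequest.getRefreshToken())) {
                throw new OauthErrorResponseException(IssuingAnAccessTokenErrorCode.INVALID_REQUEST, "refresh_token and grant_type are required", (String) null);
            }
            // Only the refresh_token grant is served by this endpoint.
            if (!tokenRefreshRequest.getGrantType().equals(TokenRefreshRequest.GRANT_TYPE_REFRESH_TOKEN)) {
                throw new OauthErrorResponseException(IssuingAnAccessTokenErrorCode.UNSUPPORTED_GRANT_TYPE, "grant_type must be refresh_token", (String) null);
            }
            refreshToken = tokenRefreshRequest.getRefreshToken();
        } else {
            // No body bound: fall back to the cookie, which may itself be null.
            refreshToken = cookieRefreshToken;
        }
        if (StringUtils.isEmpty(refreshToken)) {
            throw new OauthErrorResponseException(IssuingAnAccessTokenErrorCode.INVALID_REQUEST, "refresh_token is required", (String) null);
        }
        return refreshToken;
    }
}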
