package com.vaadin.fusion.auth;

import com.vaadin.flow.server.VaadinService;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/vaadin/fusion/auth/CsrfChecker.class */
/**
 * Validates the CSRF token of an endpoint request against the token stored in the HTTP session.
 *
 * <p>The check is a synchronizer-token comparison: the value of the {@code X-CSRF-Token} request
 * header must equal the session attribute named by
 * {@link VaadinService#getCsrfTokenAttributeName()}.
 *
 * <p>Security-relevant behavior to keep in mind when reviewing callers:
 * <ul>
 *   <li>Protection is on by default and can be switched off with
 *       {@link #setCsrfProtection(boolean)}; when off, every request is accepted.</li>
 *   <li>A request that has no existing session is accepted without any token check, because
 *       there is no session-bound token to compare with. NOTE(review): this is only safe if
 *       session-less requests cannot carry other ambient credentials - confirm at the call
 *       site.</li>
 *   <li>Rejections are logged at INFO under the {@code FusionAccessChecker} logger category,
 *       not under this class; log filters and alerting have to target that name.</li>
 *   <li>Token values are never written to the log; only fixed messages are emitted.</li>
 * </ul>
 *
 * <p>The enabled flag is a plain, non-volatile field. NOTE(review): presumably it is only set
 * during initialization - confirm before toggling it from another thread at runtime.
 */
public class CsrfChecker {
    /** Name of the request header that has to carry the CSRF token. */
    private static final String CSRF_HEADER_NAME = "X-CSRF-Token";

    // Secure default: verification stays on unless explicitly disabled.
    private boolean csrfProtectionEnabled = true;

    /**
     * Checks whether the request carries the CSRF token that is bound to its session.
     *
     * @param httpServletRequest the incoming endpoint request
     * @return {@code true} when protection is disabled, when the request has no session, or when
     *     the header token matches the session token; {@code false} when the session holds no
     *     token or the header is missing or different
     */
    public boolean validateCsrfTokenInRequest(HttpServletRequest httpServletRequest) {
        if (!isCsrfProtectionEnabled()) {
            return true;
        }

        // getSession(false) never creates a session; a missing session means nothing to verify.
        final HttpSession currentSession = httpServletRequest.getSession(false);
        if (currentSession == null) {
            return true;
        }

        final String expectedToken =
                (String) currentSession.getAttribute(VaadinService.getCsrfTokenAttributeName());
        if (expectedToken == null) {
            // Fail closed: a session without a stored token cannot authorize the request.
            logInfo("Unable to verify CSRF token for endpoint request, got null token in session");
            return false;
        }

        final String presentedToken = httpServletRequest.getHeader(CSRF_HEADER_NAME);
        // MessageDigest.isEqual is used instead of String.equals so that the comparison does not
        // stop at the first differing byte, which would expose a timing signal.
        final boolean tokensMatch = presentedToken != null
                && MessageDigest.isEqual(
                        expectedToken.getBytes(StandardCharsets.UTF_8),
                        presentedToken.getBytes(StandardCharsets.UTF_8));
        if (!tokensMatch) {
            logInfo("Invalid CSRF token in endpoint request");
        }
        return tokensMatch;
    }

    /**
     * Turns CSRF token verification on or off.
     *
     * @param z {@code true} to verify tokens, {@code false} to accept every request unchecked
     */
    public void setCsrfProtection(boolean z) {
        csrfProtectionEnabled = z;
    }

    /**
     * Reports whether CSRF token verification is active.
     *
     * @return {@code true} if requests are verified
     */
    public boolean isCsrfProtectionEnabled() {
        return csrfProtectionEnabled;
    }

    /** Writes a fixed message at INFO level if that level is enabled. */
    private static void logInfo(String message) {
        final Logger logger = getLogger();
        if (logger.isInfoEnabled()) {
            logger.info(message);
        }
    }

    // The logger category is FusionAccessChecker, so CSRF rejections appear under that name.
    private static Logger getLogger() {
        return LoggerFactory.getLogger(FusionAccessChecker.class);
    }
}
