package org.keycloak.authentication.actiontoken.verifyemail;

import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriInfo;
import java.util.Objects;
import java.util.stream.Stream;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.authentication.actiontoken.AbstractActionTokenHandler;
import org.keycloak.authentication.actiontoken.ActionTokenContext;
import org.keycloak.authentication.actiontoken.TokenUtils;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.sessions.AuthenticationSessionCompoundId;
import org.keycloak.sessions.AuthenticationSessionModel;

/* loaded from: input_file:org/keycloak/authentication/actiontoken/verifyemail/VerifyEmailActionTokenHandler.class */
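/**
 * Action-token handler for the "verify e-mail" link.
 *
 * <p>The handler registers one extra token predicate (the e-mail carried in the token must equal
 * the e-mail of the user bound to the authentication session) and, once the token is accepted,
 * marks the user's e-mail as verified and clears the {@code VERIFY_EMAIL} required action.
 *
 * <p>This listing is decompiler output. Local names and the explicit bridge method at the bottom
 * are artifacts of that process, not of the original source.
 */
public class VerifyEmailActionTokenHandler extends AbstractActionTokenHandler<VerifyEmailActionToken> {
    /**
     * Registers the handler for {@link VerifyEmailActionToken}, with the stale-link message as the
     * default error message, {@code VERIFY_EMAIL} as the event type and {@code "invalid_token"} as
     * the default event error.
     */
    public VerifyEmailActionTokenHandler() {
        super(VerifyEmailActionToken.TOKEN_TYPE, VerifyEmailActionToken.class, Messages.STALE_VERIFY_EMAIL_LINK, EventType.VERIFY_EMAIL, "invalid_token");
    }

    /**
     * Returns the handler-specific token checks.
     *
     * <p>The single predicate binds the token to the address it was issued for: the token's e-mail
     * claim must equal the current e-mail of the authenticated user, otherwise verification fails
     * with the {@code "invalid_email"} error. A link issued for one address therefore cannot
     * confirm a different address the account holds by the time the link is used.
     *
     * @param actionTokenContext context giving access to the authentication session and its user
     * @return the predicates to evaluate against the token
     */
    @Override // org.keycloak.authentication.actiontoken.ActionTokenHandler
    public TokenVerifier.Predicate<? super VerifyEmailActionToken>[] getVerifiers(ActionTokenContext<VerifyEmailActionToken> actionTokenContext) {
        // NOTE(review): Objects.equals treats two nulls as equal, so a token without an e-mail claim
        // would match a user without an e-mail. Confirm that combination cannot reach this check.
        // NOTE(review): the user is dereferenced without a null check; this assumes the authenticated
        // user is already set on the authentication session when the predicate runs. Confirm in the caller.
        return TokenUtils.predicates(TokenUtils.checkThat(
                token -> Objects.equals(
                        token.getEmail(),
                        actionTokenContext.getAuthenticationSession().getAuthenticatedUser().getEmail()),
                "invalid_email",
                getDefaultErrorMessage()));
    }

    /**
     * Applies an accepted verify-e-mail token.
     *
     * <p>Outcomes, in order:
     * <ol>
     *   <li>E-mail already verified and no {@code VERIFY_EMAIL} action pending: report
     *       {@code "email_already_verified"} and show an info page; nothing is modified.</li>
     *   <li>Authentication session is fresh: show a confirmation page whose {@code actionUri} is a
     *       re-serialized token bound to the current session; the user is not modified yet.</li>
     *   <li>Otherwise: mark the e-mail verified, clear the required action on both the user and
     *       the session, and either show the "verified" page or continue with the remaining
     *       required actions.</li>
     * </ol>
     *
     * @param verifyEmailActionToken the verified token
     * @param actionTokenContext request context (session, realm, event, authentication session)
     * @return the page or redirect to send to the browser
     */
    @Override
    public Response handleToken(VerifyEmailActionToken verifyEmailActionToken, ActionTokenContext<VerifyEmailActionToken> actionTokenContext) {
        AuthenticationSessionModel authenticationSession = actionTokenContext.getAuthenticationSession();
        UserModel authenticatedUser = authenticationSession.getAuthenticatedUser();
        KeycloakSession session = actionTokenContext.getSession();
        EventBuilder event = actionTokenContext.getEvent();
        event.event(EventType.VERIFY_EMAIL).detail("email", authenticatedUser.getEmail());

        // A replayed link for an already-verified address is reported as an error event and
        // answered with an informational page, without touching the user.
        if (authenticatedUser.isEmailVerified() && !isVerifyEmailActionSet(authenticatedUser, authenticationSession)) {
            event.user(authenticatedUser).error("email_already_verified");
            return session.getProvider(LoginFormsProvider.class)
                    .setAuthenticationSession(authenticationSession)
                    .setInfo(Messages.EMAIL_VERIFIED_ALREADY, new Object[]{authenticatedUser.getEmail()})
                    .createInfoPage();
        }

        UriInfo uriInfo = actionTokenContext.getUriInfo();
        RealmModel realm = actionTokenContext.getRealm();

        // Fresh session: do not verify on the first click. The token is rebound to the current
        // authentication session (keeping the original session id alongside) and the user is shown
        // a page that asks for explicit confirmation via the new action URI.
        // NOTE(review): "fresh" presumably means the link was opened outside the flow that
        // requested it; confirm against ActionTokenContext.
        if (actionTokenContext.isAuthenticationSessionFresh()) {
            verifyEmailActionToken.setCompoundOriginalAuthenticationSessionId(verifyEmailActionToken.getCompoundAuthenticationSessionId());
            verifyEmailActionToken.setCompoundAuthenticationSessionId(AuthenticationSessionCompoundId.fromAuthSession(authenticationSession).getEncodedId());
            String actionUri = Urls.actionTokenBuilder(
                            uriInfo.getBaseUri(),
                            verifyEmailActionToken.serialize(session, realm, uriInfo),
                            authenticationSession.getClient().getClientId(),
                            authenticationSession.getTabId(),
                            AuthenticationProcessor.getClientData(session, authenticationSession))
                    .build(new Object[]{realm.getName()})
                    .toString();
            return session.getProvider(LoginFormsProvider.class)
                    .setAuthenticationSession(authenticationSession)
                    .setSuccess(Messages.CONFIRM_EMAIL_ADDRESS_VERIFICATION, new Object[]{authenticatedUser.getEmail()})
                    .setAttribute("actionUri", actionUri)
                    .createInfoPage();
        }

        // State change: the address is now trusted and the pending action is cleared everywhere.
        authenticatedUser.setEmailVerified(true);
        authenticatedUser.removeRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
        authenticationSession.removeRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);

        // The redirect URI carried in the token is checked against the client before it is used;
        // it is applied only when the check yields a non-null value.
        // NOTE(review): presumably null means "not allowed for this client"; confirm in RedirectUtils.
        String verifyRedirectUri = RedirectUtils.verifyRedirectUri(session, verifyEmailActionToken.getRedirectUri(), authenticationSession.getClient());
        if (verifyRedirectUri != null) {
            authenticationSession.setAuthNote(AuthenticationManager.SET_REDIRECT_URI_AFTER_REQUIRED_ACTIONS, "true");
            authenticationSession.setRedirectUri(verifyRedirectUri);
            authenticationSession.setClientNote("redirect_uri", verifyRedirectUri);
        }
        event.success();

        // The token went through the confirmation page above: drop the authentication session and
        // finish with a "verified" page instead of continuing a login.
        if (verifyEmailActionToken.getCompoundOriginalAuthenticationSessionId() != null) {
            new AuthenticationSessionManager(session).removeAuthenticationSession(realm, authenticationSession, true);
            return session.getProvider(LoginFormsProvider.class)
                    .setAuthenticationSession(authenticationSession)
                    .setSuccess(Messages.EMAIL_VERIFIED, new Object[0])
                    .createInfoPage();
        }

        // Continue the original flow as a LOGIN event; the e-mail detail is removed from the
        // cloned event before it is reused.
        actionTokenContext.setEvent(event.clone().removeDetail("email").event(EventType.LOGIN));
        return AuthenticationManager.redirectToRequiredActions(session, realm, authenticationSession, uriInfo, AuthenticationManager.nextRequiredAction(session, authenticationSession, actionTokenContext.getRequest(), event));
    }

    /**
     * Tells whether {@code VERIFY_EMAIL} is still pending on the user or on the authentication
     * session.
     *
     * @param userModel user whose required actions are inspected
     * @param authenticationSessionModel session whose required actions are inspected
     * @return {@code true} if either source lists the {@code VERIFY_EMAIL} action
     */
    private boolean isVerifyEmailActionSet(UserModel userModel, AuthenticationSessionModel authenticationSessionModel) {
        // The decompiled listing compared against an undefined name ("r1"); the value being
        // matched is the enum constant's name.
        String verifyEmail = UserModel.RequiredAction.VERIFY_EMAIL.name();
        return Stream.concat(
                        userModel.getRequiredActionsStream(),
                        authenticationSessionModel.getRequiredActions().stream())
                .anyMatch(verifyEmail::equals);
    }

    // Compiler-generated bridge reproduced by the decompiler: it only casts and delegates to the
    // typed overload above. NOTE(review): javac emits this method itself, so it would likely have
    // to be dropped before recompiling this listing.
    @Override // org.keycloak.authentication.actiontoken.ActionTokenHandler
    public /* bridge */ /* synthetic */ Response handleToken(JsonWebToken jsonWebToken, ActionTokenContext actionTokenContext) {
        return handleToken((VerifyEmailActionToken) jsonWebToken, (ActionTokenContext<VerifyEmailActionToken>) actionTokenContext);
    }
}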
