package org.apache.james.jmap.http;

import com.github.fge.lambdas.Throwing;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableMap;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import org.apache.james.core.Username;
import org.apache.james.jmap.exceptions.UnauthorizedException;
import org.apache.james.jwt.JwtTokenVerifier;
import org.apache.james.mailbox.MailboxManager;
import org.apache.james.mailbox.MailboxSession;
import org.apache.james.user.api.UsersRepository;
import org.apache.james.user.api.UsersRepositoryException;
import org.apache.james.util.ReactorUtils;
import reactor.core.publisher.Mono;
import reactor.netty.http.server.HttpServerRequest;

/* loaded from: input_file:org/apache/james/jmap/http/JWTAuthenticationStrategy.class */
public class JWTAuthenticationStrategy implements AuthenticationStrategy {

    @VisibleForTesting
    public static final String AUTHORIZATION_HEADER_PREFIX = "Bearer ";
    private final JwtTokenVerifier tokenManager;
    private final MailboxManager mailboxManager;
    private final UsersRepository usersRepository;

    @Inject
    @VisibleForTesting
    public JWTAuthenticationStrategy(@Named("jmap") JwtTokenVerifier jwtTokenVerifier, MailboxManager mailboxManager, UsersRepository usersRepository) {
        this.tokenManager = jwtTokenVerifier;
        this.mailboxManager = mailboxManager;
        this.usersRepository = usersRepository;
    }

    @Override // org.apache.james.jmap.http.AuthenticationStrategy
    public Mono<MailboxSession> createMailboxSession(HttpServerRequest httpServerRequest) {
        return Mono.fromCallable(() -> {
            return authHeaders(httpServerRequest);
        }).filter(str -> {
            return str.startsWith(AUTHORIZATION_HEADER_PREFIX);
        }).map(str2 -> {
            return str2.substring(AUTHORIZATION_HEADER_PREFIX.length());
        }).flatMap(str3 -> {
            return Mono.fromCallable(() -> {
                Username username = (Username) this.tokenManager.verifyAndExtractLogin(str3).map(Username::of).orElseThrow(() -> {
                    return new UnauthorizedException("Failed Jwt verification");
                });
                try {
                    this.usersRepository.assertValid(username);
                    return username;
                } catch (UsersRepositoryException e) {
                    throw new UnauthorizedException("Invalid username", e);
                }
            }).subscribeOn(ReactorUtils.BLOCKING_CALL_WRAPPER);
        }).map(Throwing.function(username -> {
            return this.mailboxManager.authenticate(username).withoutDelegation();
        }));
    }

    @Override // org.apache.james.jmap.http.AuthenticationStrategy
    public AuthenticationChallenge correspondingChallenge() {
        return AuthenticationChallenge.of(AuthenticationScheme.of("Bearer"), ImmutableMap.of("realm", "JWT"));
    }
}
