package org.thingsboard.server.controller;

import io.swagger.v3.oas.annotations.Parameter;
import jakarta.servlet.http.HttpServletRequest;
import java.beans.ConstructorProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.thingsboard.rule.engine.api.MailService;
import org.thingsboard.server.cache.limits.RateLimitService;
import org.thingsboard.server.common.data.User;
import org.thingsboard.server.common.data.audit.ActionType;
import org.thingsboard.server.common.data.exception.ThingsboardErrorCode;
import org.thingsboard.server.common.data.exception.ThingsboardException;
import org.thingsboard.server.common.data.id.TenantId;
import org.thingsboard.server.common.data.limit.LimitedApi;
import org.thingsboard.server.common.data.security.UserCredentials;
import org.thingsboard.server.common.data.security.event.UserCredentialsInvalidationEvent;
import org.thingsboard.server.common.data.security.event.UserSessionInvalidationEvent;
import org.thingsboard.server.common.data.security.model.JwtPair;
import org.thingsboard.server.common.data.security.model.SecuritySettings;
import org.thingsboard.server.common.data.security.model.UserPasswordPolicy;
import org.thingsboard.server.config.annotations.ApiOperation;
import org.thingsboard.server.dao.settings.SecuritySettingsService;
import org.thingsboard.server.queue.util.TbCoreComponent;
import org.thingsboard.server.service.security.auth.rest.RestAuthenticationDetails;
import org.thingsboard.server.service.security.model.ActivateUserRequest;
import org.thingsboard.server.service.security.model.ChangePasswordRequest;
import org.thingsboard.server.service.security.model.ResetPasswordEmailRequest;
import org.thingsboard.server.service.security.model.ResetPasswordRequest;
import org.thingsboard.server.service.security.model.SecurityUser;
import org.thingsboard.server.service.security.model.UserPrincipal;
import org.thingsboard.server.service.security.model.token.JwtTokenFactory;
import org.thingsboard.server.service.security.system.SystemSecurityService;

@RequestMapping({"/api"})
@TbCoreComponent
@RestController
/* loaded from: input_file:org/thingsboard/server/controller/AuthController.class */
public class AuthController extends BaseController {
    private static final Logger log = LoggerFactory.getLogger(AuthController.class);

    @Value("${server.rest.rate_limits.reset_password_per_user:5:3600}")
    private String defaultLimitsConfiguration;
    private final BCryptPasswordEncoder passwordEncoder;
    private final JwtTokenFactory tokenFactory;
    private final MailService mailService;
    private final SystemSecurityService systemSecurityService;
    private final SecuritySettingsService securitySettingsService;
    private final RateLimitService rateLimitService;
    private final ApplicationEventPublisher eventPublisher;

    @GetMapping({"/auth/user"})
    @ApiOperation(value = "Get current User (getUser)", notes = "Get the information about the User which credentials are used to perform this REST API call.")
    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')")
    public User getUser() throws ThingsboardException {
        SecurityUser currentUser = getCurrentUser();
        User findUserById = this.userService.findUserById(currentUser.getTenantId(), currentUser.getId());
        checkDashboardInfo(findUserById.getAdditionalInfo());
        return findUserById;
    }

    @PostMapping({"/auth/logout"})
    @ApiOperation(value = "Logout (logout)", notes = "Special API call to record the 'logout' of the user to the Audit Logs. Since platform uses [JWT](https://jwt.io/), the actual logout is the procedure of clearing the [JWT](https://jwt.io/) token on the client side. ")
    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')")
    public void logout(HttpServletRequest httpServletRequest) throws ThingsboardException {
        logLogoutAction(httpServletRequest);
    }

    @PostMapping({"/auth/changePassword"})
    @ApiOperation(value = "Change password for current User (changePassword)", notes = "Change the password for the User which credentials are used to perform this REST API call. Be aware that previously generated [JWT](https://jwt.io/) tokens will be still valid until they expire.")
    @PreAuthorize("hasAnyAuthority('SYS_ADMIN', 'TENANT_ADMIN', 'CUSTOMER_USER')")
    public JwtPair changePassword(@Parameter(description = "Change Password Request") @RequestBody ChangePasswordRequest changePasswordRequest) throws ThingsboardException {
        String currentPassword = changePasswordRequest.getCurrentPassword();
        String newPassword = changePasswordRequest.getNewPassword();
        SecurityUser currentUser = getCurrentUser();
        UserCredentials findUserCredentialsByUserId = this.userService.findUserCredentialsByUserId(TenantId.SYS_TENANT_ID, currentUser.getId());
        if (!this.passwordEncoder.matches(currentPassword, findUserCredentialsByUserId.getPassword())) {
            throw new ThingsboardException("Current password doesn't match!", ThingsboardErrorCode.BAD_REQUEST_PARAMS);
        }
        this.systemSecurityService.validatePassword(newPassword, findUserCredentialsByUserId);
        if (this.passwordEncoder.matches(newPassword, findUserCredentialsByUserId.getPassword())) {
            throw new ThingsboardException("New password should be different from existing!", ThingsboardErrorCode.BAD_REQUEST_PARAMS);
        }
        findUserCredentialsByUserId.setPassword(this.passwordEncoder.encode(newPassword));
        this.userService.replaceUserCredentials(currentUser.getTenantId(), findUserCredentialsByUserId);
        this.eventPublisher.publishEvent(new UserCredentialsInvalidationEvent(currentUser.getId()));
        return this.tokenFactory.createTokenPair(currentUser);
    }

    @GetMapping({"/noauth/userPasswordPolicy"})
    @ApiOperation(value = "Get the current User password policy (getUserPasswordPolicy)", notes = "API call to get the password policy for the password validation form(s).")
    public UserPasswordPolicy getUserPasswordPolicy() throws ThingsboardException {
        return ((SecuritySettings) checkNotNull((AuthController) this.securitySettingsService.getSecuritySettings())).getPasswordPolicy();
    }

    @GetMapping(value = {"/noauth/activate"}, params = {"activateToken"})
    @ApiOperation(value = "Check Activate User Token (checkActivateToken)", notes = "Checks the activation token and forwards user to 'Create Password' page. If token is valid, returns '303 See Other' (redirect) response code with the correct address of 'Create Password' page and same 'activateToken' specified in the URL parameters. If token is not valid, returns '409 Conflict'. If token is expired, redirects to error page.")
    public ResponseEntity<?> checkActivateToken(@RequestParam("activateToken") @Parameter(description = "The activate token string.") String str) {
        UserCredentials findUserCredentialsByActivateToken = this.userService.findUserCredentialsByActivateToken(TenantId.SYS_TENANT_ID, str);
        return findUserCredentialsByActivateToken == null ? response(HttpStatus.CONFLICT) : findUserCredentialsByActivateToken.isActivationTokenExpired() ? redirectTo("/activationLinkExpired") : redirectTo("/login/createPassword?activateToken=" + str);
    }

    @PostMapping({"/noauth/resetPasswordByEmail"})
    @ApiOperation(value = "Request reset password email (requestResetPasswordByEmail)", notes = "Request to send the reset password email if the user with specified email address is present in the database. Always return '200 OK' status for security purposes.")
    public void requestResetPasswordByEmail(@Parameter(description = "The JSON object representing the reset password email request.") @RequestBody ResetPasswordEmailRequest resetPasswordEmailRequest, HttpServletRequest httpServletRequest) throws ThingsboardException {
        try {
            String email = resetPasswordEmailRequest.getEmail();
            UserCredentials requestPasswordReset = this.userService.requestPasswordReset(TenantId.SYS_TENANT_ID, email);
            User findUserById = this.userService.findUserById(TenantId.SYS_TENANT_ID, requestPasswordReset.getUserId());
            this.mailService.sendResetPasswordEmailAsync(String.format("%s/api/noauth/resetPassword?resetToken=%s", this.systemSecurityService.getBaseUrl(findUserById.getTenantId(), findUserById.getCustomerId(), httpServletRequest), requestPasswordReset.getResetToken()), requestPasswordReset.getResetTokenTtl(), email);
        } catch (Exception e) {
            log.warn("Error occurred: {}", e.getMessage());
        }
    }

    @GetMapping(value = {"/noauth/resetPassword"}, params = {"resetToken"})
    @ApiOperation(value = "Check password reset token (checkResetToken)", notes = "Checks the password reset token and forwards user to 'Reset Password' page. If token is valid, returns '303 See Other' (redirect) response code with the correct address of 'Reset Password' page and same 'resetToken' specified in the URL parameters. If token is not valid, returns '409 Conflict'. If token is expired, redirects to error page.")
    public ResponseEntity<?> checkResetToken(@RequestParam("resetToken") @Parameter(description = "The reset token string.") String str) {
        UserCredentials findUserCredentialsByResetToken = this.userService.findUserCredentialsByResetToken(TenantId.SYS_TENANT_ID, str);
        return findUserCredentialsByResetToken == null ? response(HttpStatus.CONFLICT) : findUserCredentialsByResetToken.isResetTokenExpired() ? redirectTo("/passwordResetLinkExpired") : !this.rateLimitService.checkRateLimit(LimitedApi.PASSWORD_RESET, findUserCredentialsByResetToken.getUserId(), this.defaultLimitsConfiguration) ? response(HttpStatus.TOO_MANY_REQUESTS) : redirectTo("/login/resetPassword?resetToken=" + str);
    }

    @PostMapping({"/noauth/activate"})
    @ApiOperation(value = "Activate User", notes = "Checks the activation token and updates corresponding user password in the database. Now the user may start using his password to login. The response already contains the [JWT](https://jwt.io) activation and refresh tokens, to simplify the user activation flow and avoid asking user to input password again after activation. If token is valid, returns the object that contains [JWT](https://jwt.io/) access and refresh tokens. If token is not valid, returns '400 Bad Request'.")
    public JwtPair activateUser(@Parameter(description = "Activate user request.") @RequestBody ActivateUserRequest activateUserRequest, @RequestParam(required = false, defaultValue = "true") boolean z, HttpServletRequest httpServletRequest) {
        String activateToken = activateUserRequest.getActivateToken();
        String password = activateUserRequest.getPassword();
        this.systemSecurityService.validatePassword(password, null);
        UserCredentials activateUserCredentials = this.userService.activateUserCredentials(TenantId.SYS_TENANT_ID, activateToken, this.passwordEncoder.encode(password));
        User findUserById = this.userService.findUserById(TenantId.SYS_TENANT_ID, activateUserCredentials.getUserId());
        SecurityUser securityUser = new SecurityUser(findUserById, activateUserCredentials.isEnabled(), new UserPrincipal(UserPrincipal.Type.USER_NAME, findUserById.getEmail()));
        this.userService.setUserCredentialsEnabled(findUserById.getTenantId(), findUserById.getId(), true);
        String format = String.format("%s/login", this.systemSecurityService.getBaseUrl(findUserById.getTenantId(), findUserById.getCustomerId(), httpServletRequest));
        String email = findUserById.getEmail();
        if (z) {
            try {
                this.mailService.sendAccountActivatedEmail(format, email);
            } catch (Exception e) {
                log.warn("Unable to send account activation email [{}]", e.getMessage());
            }
        }
        JwtPair createTokenPair = this.tokenFactory.createTokenPair(securityUser);
        this.systemSecurityService.logLoginAction(findUserById, new RestAuthenticationDetails(httpServletRequest), ActionType.LOGIN, null);
        return createTokenPair;
    }

    @PostMapping({"/noauth/resetPassword"})
    @ApiOperation(value = "Reset password (resetPassword)", notes = "Checks the password reset token and updates the password. If token is not valid, returns '400 Bad Request'.")
    public void resetPassword(@Parameter(description = "Reset password request.") @RequestBody ResetPasswordRequest resetPasswordRequest, HttpServletRequest httpServletRequest) throws ThingsboardException {
        String resetToken = resetPasswordRequest.getResetToken();
        String password = resetPasswordRequest.getPassword();
        UserCredentials findUserCredentialsByResetToken = this.userService.findUserCredentialsByResetToken(TenantId.SYS_TENANT_ID, resetToken);
        if (findUserCredentialsByResetToken == null) {
            throw new ThingsboardException("Invalid reset token!", ThingsboardErrorCode.BAD_REQUEST_PARAMS);
        }
        if (findUserCredentialsByResetToken.isResetTokenExpired()) {
            throw new ThingsboardException("Password reset token expired", ThingsboardErrorCode.BAD_REQUEST_PARAMS);
        }
        this.systemSecurityService.validatePassword(password, findUserCredentialsByResetToken);
        if (this.passwordEncoder.matches(password, findUserCredentialsByResetToken.getPassword())) {
            throw new ThingsboardException("New password should be different from existing!", ThingsboardErrorCode.BAD_REQUEST_PARAMS);
        }
        findUserCredentialsByResetToken.setPassword(this.passwordEncoder.encode(password));
        findUserCredentialsByResetToken.setResetToken((String) null);
        findUserCredentialsByResetToken.setResetTokenExpTime((Long) null);
        UserCredentials replaceUserCredentials = this.userService.replaceUserCredentials(TenantId.SYS_TENANT_ID, findUserCredentialsByResetToken);
        User findUserById = this.userService.findUserById(TenantId.SYS_TENANT_ID, replaceUserCredentials.getUserId());
        SecurityUser securityUser = new SecurityUser(findUserById, replaceUserCredentials.isEnabled(), new UserPrincipal(UserPrincipal.Type.USER_NAME, findUserById.getEmail()));
        try {
            this.mailService.sendPasswordWasResetEmail(String.format("%s/login", this.systemSecurityService.getBaseUrl(findUserById.getTenantId(), findUserById.getCustomerId(), httpServletRequest)), findUserById.getEmail());
        } catch (Exception e) {
            log.warn("Couldn't send password was reset email: {}", e.getMessage());
        }
        this.eventPublisher.publishEvent(new UserCredentialsInvalidationEvent(securityUser.getId()));
    }

    private void logLogoutAction(HttpServletRequest httpServletRequest) throws ThingsboardException {
        SecurityUser currentUser = getCurrentUser();
        this.systemSecurityService.logLoginAction(currentUser, new RestAuthenticationDetails(httpServletRequest), ActionType.LOGOUT, null);
        this.eventPublisher.publishEvent(new UserSessionInvalidationEvent(currentUser.getSessionId()));
    }

    @ConstructorProperties({"passwordEncoder", "tokenFactory", "mailService", "systemSecurityService", "securitySettingsService", "rateLimitService", "eventPublisher"})
    public AuthController(BCryptPasswordEncoder bCryptPasswordEncoder, JwtTokenFactory jwtTokenFactory, MailService mailService, SystemSecurityService systemSecurityService, SecuritySettingsService securitySettingsService, RateLimitService rateLimitService, ApplicationEventPublisher applicationEventPublisher) {
        this.passwordEncoder = bCryptPasswordEncoder;
        this.tokenFactory = jwtTokenFactory;
        this.mailService = mailService;
        this.systemSecurityService = systemSecurityService;
        this.securitySettingsService = securitySettingsService;
        this.rateLimitService = rateLimitService;
        this.eventPublisher = applicationEventPublisher;
    }
}
