package org.thingsboard.server.service.security.model.token;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.UnsupportedJwtException;
import io.jsonwebtoken.security.Keys;
import java.util.Base64;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
import org.thingsboard.server.common.data.StringUtils;

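/**
 * Validates the short-lived signed JWT ("application token") that a client application presents
 * and extracts the callback URL scheme carried in it.
 *
 * <p>Every failure translated by this class surfaces as an {@link IllegalArgumentException}.
 */
@Component
/* loaded from: input_file:org/thingsboard/server/service/security/model/token/OAuth2AppTokenFactory.class */
public class OAuth2AppTokenFactory {
    private static final String CALLBACK_URL_SCHEME = "callbackUrlScheme";
    private static final Logger log = LoggerFactory.getLogger(OAuth2AppTokenFactory.class);
    // Upper bound on how far in the future a token may expire; keeps the replay window of a captured token short.
    private static final long MAX_EXPIRATION_TIME_DIFF_MS = TimeUnit.MINUTES.toMillis(5);

    /**
     * Verifies the token's HMAC signature and claims, then returns its {@code callbackUrlScheme} claim.
     *
     * <p>Checks, in order: signature and expiry (done by the JWT parser), presence of an expiration
     * date, expiration no more than 5 minutes ahead, issuer equal to {@code str}, and a non-empty
     * {@code callbackUrlScheme} claim.
     *
     * @param str  expected issuer of the token (the "application package", per the error message)
     * @param str2 compact serialized signed JWT to validate
     * @param str3 Base64-encoded HMAC secret used to verify the signature
     * @return the non-empty {@code callbackUrlScheme} claim
     * @throws IllegalArgumentException if the token is expired, malformed, unsupported, badly signed,
     *     or fails any of the claim checks; the secret not being valid Base64 is reported the same way
     */
    public String validateTokenAndGetCallbackUrlScheme(String str, String str2, String str3) {
        try {
            byte[] secretBytes = Base64.getDecoder().decode(str3);
            Claims claims = Jwts.parser()
                    .verifyWith(Keys.hmacShaKeyFor(secretBytes))
                    .build()
                    .parseSignedClaims(str2)
                    .getPayload();

            // Tokens that never expire are refused outright.
            Date expiration = claims.getExpiration();
            if (expiration == null) {
                throw new IllegalArgumentException("Application token must have expiration date");
            }
            // Already-expired tokens are rejected by the parser; this rejects lifetimes that are too long.
            if (expiration.getTime() - System.currentTimeMillis() > MAX_EXPIRATION_TIME_DIFF_MS) {
                throw new IllegalArgumentException("Application token expiration time can't be longer than 5 minutes");
            }
            // A token without an "iss" claim is rejected as a mismatch instead of failing with a
            // NullPointerException, which the catch clauses below would not translate.
            String issuer = claims.getIssuer();
            if (issuer == null || !issuer.equals(str)) {
                throw new IllegalArgumentException("Application token issuer doesn't match application package");
            }
            String callbackUrlScheme = claims.get(CALLBACK_URL_SCHEME, String.class);
            if (StringUtils.isEmpty(callbackUrlScheme)) {
                throw new IllegalArgumentException("Application token doesn't have callbackUrlScheme");
            }
            return callbackUrlScheme;
        } catch (ExpiredJwtException expired) {
            throw new IllegalArgumentException("Application token expired", expired);
        } catch (UnsupportedJwtException | MalformedJwtException | IllegalArgumentException | SignatureException invalid) {
            // The claim checks above throw IllegalArgumentException inside this try, so they are
            // re-wrapped here too; their specific message is preserved on the cause.
            // NOTE(review): JJWT exceptions outside this list (e.g. a not-yet-valid token, a
            // non-string callbackUrlScheme claim, or a too-short HMAC key) are not translated
            // and propagate as-is - confirm the caller handles them.
            throw new IllegalArgumentException("Invalid Application token: ", invalid);
        }
    }
}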
