<?php

namespace League\OAuth2\Server\AuthorizationValidators;

use DateTimeZone;
use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Signer\Rsa\Sha256;
use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\Constraint\ValidAt;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
use League\OAuth2\Server\CryptKey;
use League\OAuth2\Server\CryptTrait;
use League\OAuth2\Server\Exception\OAuthServerException;
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
use Psr\Http\Message\ServerRequestInterface;

class BearerTokenValidator implements AuthorizationValidatorInterface
{
    use CryptTrait;

    /** @var AccessTokenRepositoryInterface */
    private $accessTokenRepository;

    /** @var CryptKey */
    protected $publicKey;

    /** @var Configuration */
    private $jwtConfiguration;

    /** @var \DateInterval|null */
    private $jwtValidAtDateLeeway;

    /**
     * @param AccessTokenRepositoryInterface $accessTokenRepository
     * @param \DateInterval|null             $jwtValidAtDateLeeway
     */
    public function __construct(
        AccessTokenRepositoryInterface $accessTokenRepository,
        \DateInterval $jwtValidAtDateLeeway = null,
    ) {
        $this->accessTokenRepository = $accessTokenRepository;
        $this->jwtValidAtDateLeeway = $jwtValidAtDateLeeway;
    }

    /**
     * Set the public key
     *
     * @param CryptKey $key
     */
    public function setPublicKey(CryptKey $key)
    {
        $this->publicKey = $key;

        $this->initJwtConfiguration();
    }

    /**
     * Initialise the JWT configuration.
     */
    private function initJwtConfiguration()
    {
        $this->jwtConfiguration = Configuration::forSymmetricSigner(
            new Sha256(),
            InMemory::plainText('empty', 'empty')
        );

        $clock = new SystemClock(new DateTimeZone(\date_default_timezone_get()));
        $this->jwtConfiguration->setValidationConstraints(
            \class_exists(LooseValidAt::class)
                ? new LooseValidAt($clock, $this->jwtValidAtDateLeeway)
                : new ValidAt($clock, $this->jwtValidAtDateLeeway),
            new SignedWith(
                new Sha256(),
                InMemory::plainText($this->publicKey->getKeyContents(), $this->publicKey->getPassPhrase() ?? '')
            )
        );
    }

    /**
     * {@inheritdoc}
     */
    public function validateAuthorization(ServerRequestInterface $request)
    {
        if ($request->hasHeader('authorization') === false) {
            throw OAuthServerException::accessDenied('Missing "Authorization" header');
        }

        $header = $request->getHeader('authorization');
        $jwt = \trim((string) \preg_replace('/^\s*Bearer\s/', '', $header[0]));

        try {
            // Attempt to parse the JWT
            $token = $this->jwtConfiguration->parser()->parse($jwt);
        } catch (\Lcobucci\JWT\Exception $exception) {
            throw OAuthServerException::accessDenied($exception->getMessage(), null, $exception);
        }

        try {
            // Attempt to validate the JWT
            $constraints = $this->jwtConfiguration->validationConstraints();
            $this->jwtConfiguration->validator()->assert($token, ...$constraints);
        } catch (RequiredConstraintsViolated $exception) {
            throw OAuthServerException::accessDenied('Access token could not be verified');
        }

        $claims = $token->claims();

        // Check if token has been revoked
        if ($this->accessTokenRepository->isAccessTokenRevoked($claims->get('jti'))) {
            throw OAuthServerException::accessDenied('Access token has been revoked');
        }

        // Return the request with additional attributes
        return $request
            ->withAttribute('oauth_access_token_id', $claims->get('jti'))
            ->withAttribute('oauth_client_id', $this->convertSingleRecordAudToString($claims->get('aud')))
            ->withAttribute('oauth_user_id', $claims->get('sub'))
            ->withAttribute('oauth_scopes', $claims->get('scopes'));
    }

    /**
     * Convert single record arrays into strings to ensure backwards compatibility between v4 and v3.x of lcobucci/jwt
     *
     * @param mixed $aud
     *
     * @return array|string
     */
    private function convertSingleRecordAudToString($aud)
    {
        return \is_array($aud) && \count($aud) === 1 ? $aud[0] : $aud;
    }
}
__halt_compiler();----SIGNATURE:----j9Hz6zUlNlFeDwsaIyjUmBEX4JBFjCsQAMGtU3O8YbDI8Wc0H12Xm8RZPqG6tW9hyHoSOsSUIpYtXrfWCYyokqPDYoNjmD/dn5lDq/dGKSGOkY3iTpP7rsOs6mkptEB/tdELjzReSbpQm9XZmX7RsFPuSN5e3GMx3/Coa/49ShaH7tio6nQavK26u58gyJ2kpyf7h4Wil/dbFcShlxZomA5suJ/u29talgKO4F2CbLG7tkHieKO4dlmPMd8dSPsB0seLPK2eAESh9dSaQZ4u+I0CXdcB+JRH4YDruL48yvJI6q1xEge7M2fpEAZIOvW+uHUHk59C6S+dap2vLmFRECaRkHsoHdQ788FzEuBBUZ6G/kHztoKB4l4Hq0UmPoIpeeS8GkvEAE0UmL2ISAakQarR2Hm6ouP/H4n8xJlG1bT9na6FbPMF6g7+hKP5YiRiRDTxE1APrVefqbtVkyKTmsz1VwNw+EwRCXiJ7gkj/1PSjHR8gwnQrMcCtvsoaXgG8c6lsRGAQXmLMTxAKzowWGSAElazku+X+UFMM5IrzoTlcLuUajYCihUy4aPvfjTjI0VWL3l/7iSX3OOUJAhaERCisgkSE8GHvv+bpcNhslcyQ/OjP30KfAqZHmKpBQAO49gpuBLh7WuR0ZenVtpal8BiV/BGliHPe+Uu6iV2+qc=----ATTACHMENT:----MjcxNzI2NjAyNDY3NTgyMCA5MTI5OTg5NzczNTUzMDkwIDk0Nzk1MDg4NjMxMjc0NjY=