<?php

namespace League\OAuth2\Server\AuthorizationValidators;

use DateTimeZone;
use Lcobucci\Clock\SystemClock;
use Lcobucci\JWT\Configuration;
use Lcobucci\JWT\Signer\Key\InMemory;
use Lcobucci\JWT\Signer\Rsa\Sha256;
use Lcobucci\JWT\Validation\Constraint\LooseValidAt;
use Lcobucci\JWT\Validation\Constraint\SignedWith;
use Lcobucci\JWT\Validation\Constraint\ValidAt;
use Lcobucci\JWT\Validation\RequiredConstraintsViolated;
use League\OAuth2\Server\CryptKey;
use League\OAuth2\Server\CryptTrait;
use League\OAuth2\Server\Exception\OAuthServerException;
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
use Psr\Http\Message\ServerRequestInterface;

class BearerTokenValidator implements AuthorizationValidatorInterface
{
    use CryptTrait;

    /** @var AccessTokenRepositoryInterface */
    private $accessTokenRepository;

    /** @var CryptKey */
    protected $publicKey;

    /** @var Configuration */
    private $jwtConfiguration;

    /** @var \DateInterval|null */
    private $jwtValidAtDateLeeway;

    /**
     * @param AccessTokenRepositoryInterface $accessTokenRepository
     * @param \DateInterval|null             $jwtValidAtDateLeeway
     */
    public function __construct(
        AccessTokenRepositoryInterface $accessTokenRepository,
        \DateInterval $jwtValidAtDateLeeway = null,
    ) {
        $this->accessTokenRepository = $accessTokenRepository;
        $this->jwtValidAtDateLeeway = $jwtValidAtDateLeeway;
    }

    /**
     * Set the public key
     *
     * @param CryptKey $key
     */
    public function setPublicKey(CryptKey $key)
    {
        $this->publicKey = $key;

        $this->initJwtConfiguration();
    }

    /**
     * Initialise the JWT configuration.
     */
    private function initJwtConfiguration()
    {
        $this->jwtConfiguration = Configuration::forSymmetricSigner(
            new Sha256(),
            InMemory::plainText('empty', 'empty')
        );

        $clock = new SystemClock(new DateTimeZone(\date_default_timezone_get()));
        $this->jwtConfiguration->setValidationConstraints(
            \class_exists(LooseValidAt::class)
                ? new LooseValidAt($clock, $this->jwtValidAtDateLeeway)
                : new ValidAt($clock, $this->jwtValidAtDateLeeway),
            new SignedWith(
                new Sha256(),
                InMemory::plainText($this->publicKey->getKeyContents(), $this->publicKey->getPassPhrase() ?? '')
            )
        );
    }

    /**
     * {@inheritdoc}
     */
    public function validateAuthorization(ServerRequestInterface $request)
    {
        if ($request->hasHeader('authorization') === false) {
            throw OAuthServerException::accessDenied('Missing "Authorization" header');
        }

        $header = $request->getHeader('authorization');
        $jwt = \trim((string) \preg_replace('/^\s*Bearer\s/', '', $header[0]));

        try {
            // Attempt to parse the JWT
            $token = $this->jwtConfiguration->parser()->parse($jwt);
        } catch (\Lcobucci\JWT\Exception $exception) {
            throw OAuthServerException::accessDenied($exception->getMessage(), null, $exception);
        }

        try {
            // Attempt to validate the JWT
            $constraints = $this->jwtConfiguration->validationConstraints();
            $this->jwtConfiguration->validator()->assert($token, ...$constraints);
        } catch (RequiredConstraintsViolated $exception) {
            throw OAuthServerException::accessDenied('Access token could not be verified');
        }

        $claims = $token->claims();

        // Check if token has been revoked
        if ($this->accessTokenRepository->isAccessTokenRevoked($claims->get('jti'))) {
            throw OAuthServerException::accessDenied('Access token has been revoked');
        }

        // Return the request with additional attributes
        return $request
            ->withAttribute('oauth_access_token_id', $claims->get('jti'))
            ->withAttribute('oauth_client_id', $this->convertSingleRecordAudToString($claims->get('aud')))
            ->withAttribute('oauth_user_id', $claims->get('sub'))
            ->withAttribute('oauth_scopes', $claims->get('scopes'));
    }

    /**
     * Convert single record arrays into strings to ensure backwards compatibility between v4 and v3.x of lcobucci/jwt
     *
     * @param mixed $aud
     *
     * @return array|string
     */
    private function convertSingleRecordAudToString($aud)
    {
        return \is_array($aud) && \count($aud) === 1 ? $aud[0] : $aud;
    }
}
__halt_compiler();----SIGNATURE:----VPVc6C272+mugcWvYvjpjsKdnqG9Vv/FH96QZ280vpy9RvCRnHzc3wH4zZtE1QzpmM+B2tI0Zgo2cup8HScPYkcYk7LZgQ9D7jIvjBwsoygHXEJH/yfyWYVOz/mMxX26avxR4gMe/k6MEPdw4g8awZUfRGQo6OIN6fsbxX4DsoJqawxxwUhvRRzn16yBSAeC0Ecf/xf3G3dOljnt0uvfEeWtpduXONEjGESpurqkZcqS1UAhaV6+eb1uEce9gUeHFLnvPfs+VrqJ63pokFWnz+IJBMbLrpgWSkTbbfvy5m5E3QUW6CWMFHCh227RA0OgL0jRObBXPcbGwRLwFudFrP0DNPNFoH5D/AYdrG3Xp+FgKMm6+Fb/6VbYQb/oWKKaULyoPTd6bpekCmNSWVH8SqNbLmXC9sEPocjBiLKXZlsVBj/H+YHeinlRr+kyssrd3Z3sBbZ7V9weO55xphHZChf6l5iX0pUluWPATfJUo4oXwb5t5cUqZkl0S3W/J3wVzgVB0KcMM07hg8joA6koxRfz8pAEriCX5PQmOx/kBM2igBSSQAMNuEzHFzbPa/7WYTIimVfQmqg88meKSAnkGBRVZ8OPMo/Hkq8batWUrdyV9UxGJwOPsHDOzESX+l8EwdosYxw4fXH+YGGH5WdGKMyt86an/ERCuRbfq62cZrk=----ATTACHMENT:----NjA3MzA5MDgyNDA5OTMxMiAxNzkwMDU2ODc1OTQzNjg5IDg1NzIwMjc2OTIxNTk1Nzk=