package org.keycloak.authentication.actiontoken.updateemail;

import jakarta.ws.rs.core.Response;
import java.util.Objects;
import org.keycloak.TokenVerifier;
import org.keycloak.authentication.AuthenticatorUtil;
import org.keycloak.authentication.actiontoken.AbstractActionTokenHandler;
import org.keycloak.authentication.actiontoken.ActionTokenContext;
import org.keycloak.authentication.actiontoken.DefaultActionToken;
import org.keycloak.authentication.actiontoken.TokenUtils;
import org.keycloak.authentication.requiredactions.UpdateEmail;
import org.keycloak.events.EventType;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserModel;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.validation.Validation;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.userprofile.ValidationException;

/* loaded from: input_file:org/keycloak/authentication/actiontoken/updateemail/UpdateEmailActionTokenHandler.class */
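/**
 * Action-token handler that completes an e-mail address change once the user follows the link
 * carrying an {@link UpdateEmailActionToken}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The token is accepted only while its recorded old e-mail still equals the current e-mail
 *       of the authenticated user (see {@link #getVerifiers}).</li>
 *   <li>The token is declared single-use (see {@link #canUseTokenRepeatedly}).</li>
 *   <li>On success the new address is marked as verified and the {@code UPDATE_EMAIL} and
 *       {@code VERIFY_EMAIL} required actions are cleared (see {@link #handleToken}).</li>
 * </ul>
 *
 * <p>Signature, expiry and issuer checks are not performed here; they are assumed to be done by
 * the caller before this handler runs. TODO confirm against the action-token entry point.
 *
 * <p>The decompiled source also spelled out the synthetic bridge overloads taking
 * {@code JsonWebToken} and a raw {@code ActionTokenContext}. They are omitted here because the
 * compiler generates them from the typed overrides below; declaring them by hand only adds raw
 * types and unchecked casts.
 */
public class UpdateEmailActionTokenHandler extends AbstractActionTokenHandler<UpdateEmailActionToken> {

    /**
     * Registers the handler for {@link UpdateEmailActionToken#TOKEN_TYPE}.
     *
     * <p>The remaining arguments are presumably the default error message
     * ({@link Messages#STALE_VERIFY_EMAIL_LINK}), the default event type
     * ({@link EventType#EXECUTE_ACTIONS}) and the default event error ({@code "invalid_token"});
     * confirm the parameter order against {@link AbstractActionTokenHandler}.
     */
    public UpdateEmailActionTokenHandler() {
        super(UpdateEmailActionToken.TOKEN_TYPE, UpdateEmailActionToken.class, Messages.STALE_VERIFY_EMAIL_LINK, EventType.EXECUTE_ACTIONS, "invalid_token");
    }

    /**
     * Returns the handler-specific token checks.
     *
     * <p>The single check requires the token's old e-mail to equal the current e-mail of the user
     * attached to the authentication session. A token issued for an address the account no longer
     * has is therefore rejected with the {@code "invalid_email"} error and the default error
     * message. {@link Objects#equals} makes the comparison null-safe and exact (case-sensitive).
     *
     * @param actionTokenContext context giving access to the authentication session
     * @return the predicates to run in addition to the caller's own checks
     */
    @Override
    public TokenVerifier.Predicate<? super UpdateEmailActionToken>[] getVerifiers(ActionTokenContext<UpdateEmailActionToken> actionTokenContext) {
        // NOTE(review): getAuthenticatedUser() is dereferenced without a null check, so this relies on
        // the caller having bound a user to the authentication session before verifiers run - confirm.
        return TokenUtils.predicates(TokenUtils.checkThat(
                token -> Objects.equals(token.getOldEmail(), actionTokenContext.getAuthenticationSession().getAuthenticatedUser().getEmail()),
                "invalid_email", getDefaultErrorMessage()));
    }

    /**
     * Applies the e-mail change carried by the token and renders the result page.
     *
     * <p>The new address is re-validated with {@code UpdateEmail.validateEmailUpdate} before it is
     * applied, so a token does not bypass the validation rules in force at redemption time. When the
     * token's {@code logoutSessions} flag is {@code TRUE}, the user's other sessions are logged out.
     *
     * @param updateEmailActionToken the token being redeemed; supplies the new e-mail and the
     *     logout flag
     * @param actionTokenContext context giving access to the session, event and authentication
     *     session
     * @return an info page on success, or a {@code 400 Bad Request} error page listing the
     *     validation errors
     */
    @Override
    public Response handleToken(UpdateEmailActionToken updateEmailActionToken, ActionTokenContext<UpdateEmailActionToken> actionTokenContext) {
        AuthenticationSessionModel authSession = actionTokenContext.getAuthenticationSession();
        UserModel user = authSession.getAuthenticatedUser();
        KeycloakSession session = actionTokenContext.getSession();
        LoginFormsProvider forms = session.getProvider(LoginFormsProvider.class).setAuthenticationSession(authSession).setUser(user);
        // The target address comes from the token, so its trustworthiness rests on the token
        // verification done before this method is called.
        String newEmail = updateEmailActionToken.getNewEmail();
        try {
            // NOTE(review): the try covers the whole update sequence, so a ValidationException raised
            // after the address has already been changed would also be reported as a 400. Confirm that
            // only validateEmailUpdate is expected to throw it.
            UpdateEmail.updateEmailNow(actionTokenContext.getEvent(), user, UpdateEmail.validateEmailUpdate(session, user, newEmail));
            if (Boolean.TRUE.equals(updateEmailActionToken.getLogoutSessions())) {
                AuthenticatorUtil.logoutOtherSessions((ActionTokenContext<? extends DefaultActionToken>) actionTokenContext);
            }
            actionTokenContext.getEvent().success();
            // The address is marked verified without a separate verification step; presumably this is
            // justified by the token having been delivered to the new address - confirm with the issuer.
            user.setEmailVerified(true);
            // Clear both required actions on the user and on the in-flight authentication session so
            // the current login flow does not prompt for them again.
            user.removeRequiredAction(UserModel.RequiredAction.UPDATE_EMAIL);
            actionTokenContext.getAuthenticationSession().removeRequiredAction(UserModel.RequiredAction.UPDATE_EMAIL);
            user.removeRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
            actionTokenContext.getAuthenticationSession().removeRequiredAction(UserModel.RequiredAction.VERIFY_EMAIL);
            return forms.setAttribute("messageHeader", forms.getMessage("emailUpdatedTitle")).setSuccess("emailUpdated", new Object[]{newEmail}).createInfoPage();
        } catch (ValidationException e) {
            return forms.setErrors(Validation.getFormErrorsFromValidation(e.getErrors())).createErrorPage(Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Declares the token single-use.
     *
     * <p>This method only states the policy; the replay check that consults it is outside this
     * class.
     *
     * @param updateEmailActionToken the token being redeemed (unused)
     * @param actionTokenContext the redemption context (unused)
     * @return always {@code false}
     */
    @Override
    public boolean canUseTokenRepeatedly(UpdateEmailActionToken updateEmailActionToken, ActionTokenContext<UpdateEmailActionToken> actionTokenContext) {
        return false;
    }
}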
