package com.gu.pandomainauth.action;

import com.gu.pandomainauth.PanDomain$;
import com.gu.pandomainauth.PanDomainAuthSettingsRefresher;
import com.gu.pandomainauth.model.Authenticated;
import com.gu.pandomainauth.model.AuthenticatedUser;
import com.gu.pandomainauth.model.AuthenticationStatus;
import com.gu.pandomainauth.model.Expired;
import com.gu.pandomainauth.model.GracePeriod;
import com.gu.pandomainauth.model.InvalidCookie;
import com.gu.pandomainauth.model.NotAuthenticated$;
import com.gu.pandomainauth.model.NotAuthorized;
import com.gu.pandomainauth.model.PanDomainAuthSettings;
import com.gu.pandomainauth.model.User;
import com.gu.pandomainauth.service.CookieUtils$;
import com.gu.pandomainauth.service.Google2FAGroupChecker;
import com.gu.pandomainauth.service.OAuth;
import java.net.URLDecoder;
import java.net.URLEncoder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import play.api.http.Writeable$;
import play.api.libs.ws.WSClient;
import play.api.mvc.ActionBuilder;
import play.api.mvc.AnyContent;
import play.api.mvc.BodyParser;
import play.api.mvc.Codec$;
import play.api.mvc.ControllerComponents;
import play.api.mvc.Cookie;
import play.api.mvc.Cookie$;
import play.api.mvc.Cookie$SameSite$None$;
import play.api.mvc.DiscardingCookie;
import play.api.mvc.DiscardingCookie$;
import play.api.mvc.Request;
import play.api.mvc.RequestHeader;
import play.api.mvc.Result;
import play.api.mvc.Results;
import play.api.mvc.Results$;
import scala.Function1;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Predef$;
import scala.Some;
import scala.collection.immutable.$colon;
import scala.collection.immutable.Nil$;
import scala.collection.immutable.Seq;
import scala.collection.immutable.Set;
import scala.concurrent.ExecutionContext;
import scala.concurrent.Future;
import scala.concurrent.Future$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxesRunTime;
import scala.runtime.ScalaRunTime$;

/* compiled from: Actions.scala */
@ScalaSignature(bytes = "\u0006\u0005\rUbaB!C!\u0003\r\ta\u0013\u0005\u0006%\u0002!\ta\u0015\u0005\b/\u0002\u0011\r\u0011\"\u0003Y\r\u001d\t\u0007\u0001%A\u0002\u0002\tDQAU\u0002\u0005\u0002MCQ\u0001^\u0002\u0007\u0002UDq!!\t\u0004\t\u0003\n\u0019\u0003C\u0004\u0002N\u00011\t!a\u0014\t\u000f\u0005\u0005\u0004A\"\u0001\u0002d!9\u00111\u000e\u0001\u0007\u0002\u00055\u0004bBA<\u0001\u0011%\u0011\u0011\u0010\u0005\b\u0003#\u0003A\u0011BA=\u0011\u001d\t\u0019\n\u0001C\u0005\u0003+C\u0011\"!(\u0001\u0005\u0004%Y!a(\t\u000f\u0005\u001d\u0006A\"\u0001\u0002*\"9\u00111\u0018\u0001\u0005\u0002\u0005u\u0006bBA`\u0001\u0011\u0005\u0011\u0011\u0019\u0005\b\u0003\u0013\u0004a\u0011AA=\u0011%\tY\r\u0001b\u0001\n\u0003\ti\rC\u0005\u0002\\\u0002\u0011\r\u0011\"\u0001\u0002z!I\u0011Q\u001c\u0001C\u0002\u0013\u0005\u0011q\u001c\u0005\n\u0003[\u0004!\u0019!C\u0001\u0003_D\u0011\"a@\u0001\u0005\u0004%\t!a<\t\u0013\t\u0005\u0001A1A\u0005\n\u0005=\bb\u0002B\u0002\u0001\u0011%!Q\u0001\u0005\u000b\u0005+\u0001\u0001R1A\u0005\n\t]\u0001b\u0002B\u0018\u0001\u0011\u0005!\u0011\u0007\u0005\n\u0005w\u0001\u0011\u0013!C\u0001\u0005{AqAa\u0015\u0001\t\u0003\u0011)\u0006C\u0004\u0003Z\u0001!\tAa\u0017\t\u000f\t\u0015\u0004\u0001\"\u0001\u0003h!9!Q\u000e\u0001\u0005\n\t=\u0004b\u0002B=\u0001\u0011\u0005!1\u0010\u0005\b\u0005\u0003\u0003A\u0011\u0001BB\u0011\u001d\u00119\t\u0001C\u0001\u0005\u0013CqAa$\u0001\t\u0003\u0011\t\nC\u0004\u0003\u001e\u0002!\tAa(\t\u000f\t\r\u0006\u0001\"\u0001\u0003&\"9!q\u0016\u0001\u0005\u0002\tE\u0006b\u0002B[\u0001\u0011\u0005!qW\u0004\b\u0005\u0003\u0004\u0001\u0012\u0001Bb\r\u001d\u00119\r\u0001E\u0001\u0005\u0013DqA!4*\t\u0003\u0011y\rC\u0004\u0003R&\"\tEa5\t\u000f\tm\u0017\u0006\"\u0015\u0002 \"1A/\u000bC\u0001\u0005;<qA!:\u0001\u0011\u0003\u00119OB\u0004\u0003j\u0002A\tAa;\t\u000f\t5w\u0006\"\u0001\u00044\u0019I1\u0011\u0003\u0001\u0011\u0002\u0007\u000511\u0003\u0005\u0006%F\"\ta\u0015\u0005\n\u0005g\f$\u0019!C\u0001\u0007+A\u0011Ba>2\u0005\u0004%\ta!\u0006\t\u0013\te\u0018G1A\u0005\u0002\rU\u0001\"\u0003B~c\t\u0007I\u0011AB\u000b\r%\u0011y\u000f\u0001I\u0001\u0004\u0003\u0011\t\u0010C\u0003So\u0011\u00051\u000bC\u0004\u0003R^\"\tEa5\t\u000f\tmw\u0007\"\u0015\u0002 \"I!1_\u001cC\u0002\u001b\u0005!Q\u001f\u0005\n\u0005o<$\u0019!D\u0001\u0005kD\u0011B!?8\u0005\u00045\tA!>\t\u0013\tmxG1A\u0007\u0002\tU\bB\u0002;8\t\u0003\u0011i\u0010C\u0004\u0004\u0006]\"\taa\u0002\u0003\u0017\u0005+H\u000f[!di&|gn\u001d\u0006\u0003\u0007\u0012\u000ba!Y2uS>t'BA#G\u00035\u0001\u0018M\u001c3p[\u0006Lg.Y;uQ*\u0011q\tS\u0001\u0003OVT\u0011!S\u0001\u0004G>l7\u0001A\n\u0003\u00011\u0003\"!\u0014)\u000e\u00039S\u0011aT\u0001\u0006g\u000e\fG.Y\u0005\u0003#:\u0013a!\u00118z%\u00164\u0017A\u0002\u0013j]&$H\u0005F\u0001U!\tiU+\u0003\u0002W\u001d\n!QK\\5u\u0003\u0019awnZ4feV\t\u0011\f\u0005\u0002[?6\t1L\u0003\u0002];\u0006)1\u000f\u001c45U*\ta,A\u0002pe\u001eL!\u0001Y.\u0003\r1{wmZ3s\u0005Q\tU\u000f\u001e5f]RL7-\u0019;j_:\f5\r^5p]N\u00191\u0001T2\u0011\t\u0011\\W.]\u0007\u0002K*\u0011amZ\u0001\u0004[Z\u001c'B\u00015j\u0003\r\t\u0007/\u001b\u0006\u0002U\u0006!\u0001\u000f\\1z\u0013\taWMA\u0007BGRLwN\u001c\"vS2$WM\u001d\t\u0003]>l\u0011AQ\u0005\u0003a\n\u00131\"V:feJ+\u0017/^3tiB\u0011AM]\u0005\u0003g\u0016\u0014!\"\u00118z\u0007>tG/\u001a8u\u0003M\tW\u000f\u001e5f]RL7-\u0019;f%\u0016\fX/Z:u)\r1\u0018q\u0003\u000b\u0004o\u0006\u0005\u0001c\u0001=|{6\t\u0011P\u0003\u0002{\u001d\u0006Q1m\u001c8dkJ\u0014XM\u001c;\n\u0005qL(A\u0002$viV\u0014X\r\u0005\u0002e}&\u0011q0\u001a\u0002\u0007%\u0016\u001cX\u000f\u001c;\t\u000f\u0005\rQ\u00011\u0001\u0002\u0006\u0005a\u0002O]8ek\u000e,'+Z:vYR<\u0015N^3o\u0003V$\b.\u001a3Vg\u0016\u0014\bCB'\u0002\b\u0005-q/C\u0002\u0002\n9\u0013\u0011BR;oGRLwN\\\u0019\u0011\t\u00055\u00111C\u0007\u0003\u0003\u001fQ1!!\u0005E\u0003\u0015iw\u000eZ3m\u0013\u0011\t)\"a\u0004\u0003\tU\u001bXM\u001d\u0005\b\u00033)\u0001\u0019AA\u000e\u0003\u001d\u0011X-];fgR\u00042\u0001ZA\u000f\u0013\r\ty\"\u001a\u0002\u000e%\u0016\fX/Z:u\u0011\u0016\fG-\u001a:\u0002\u0017%tgo\\6f\u00052|7m[\u000b\u0005\u0003K\t\u0019\u0004F\u0003x\u0003O\t)\u0005C\u0004\u0002\u001a\u0019\u0001\r!!\u000b\u0011\u000b\u0011\fY#a\f\n\u0007\u00055RMA\u0004SKF,Xm\u001d;\u0011\t\u0005E\u00121\u0007\u0007\u0001\t\u001d\t)D\u0002b\u0001\u0003o\u0011\u0011!Q\t\u0005\u0003s\ty\u0004E\u0002N\u0003wI1!!\u0010O\u0005\u001dqu\u000e\u001e5j]\u001e\u00042!TA!\u0013\r\t\u0019E\u0014\u0002\u0004\u0003:L\bbBA$\r\u0001\u0007\u0011\u0011J\u0001\u0006E2|7m\u001b\t\u0007\u001b\u0006\u001d\u00111J<\u0011\t9|\u0017qF\u0001\toN\u001cE.[3oiV\u0011\u0011\u0011\u000b\t\u0005\u0003'\ni&\u0004\u0002\u0002V)!\u0011qKA-\u0003\t98OC\u0002\u0002\\\u001d\fA\u0001\\5cg&!\u0011qLA+\u0005!96k\u00117jK:$\u0018\u0001F2p]R\u0014x\u000e\u001c7fe\u000e{W\u000e]8oK:$8/\u0006\u0002\u0002fA\u0019A-a\u001a\n\u0007\u0005%TM\u0001\u000bD_:$(o\u001c7mKJ\u001cu.\u001c9p]\u0016tGo]\u0001\u0012a\u0006tGi\\7bS:\u001cV\r\u001e;j]\u001e\u001cXCAA8!\u0011\t\t(a\u001d\u000e\u0003\u0011K1!!\u001eE\u0005y\u0001\u0016M\u001c#p[\u0006Lg.Q;uQN+G\u000f^5oON\u0014VM\u001a:fg\",'/\u0001\u0004tsN$X-\\\u000b\u0003\u0003w\u0002B!! \u0002\f:!\u0011qPAD!\r\t\tIT\u0007\u0003\u0003\u0007S1!!\"K\u0003\u0019a$o\\8u}%\u0019\u0011\u0011\u0012(\u0002\rA\u0013X\rZ3g\u0013\u0011\ti)a$\u0003\rM#(/\u001b8h\u0015\r\tIIT\u0001\u0007I>l\u0017-\u001b8\u0002\u0011M,G\u000f^5oON,\"!a&\u0011\t\u00055\u0011\u0011T\u0005\u0005\u00037\u000byAA\u000bQC:$u.\\1j]\u0006+H\u000f[*fiRLgnZ:\u0002\u0005\u0015\u001cWCAAQ!\rA\u00181U\u0005\u0004\u0003KK(\u0001E#yK\u000e,H/[8o\u0007>tG/\u001a=u\u000311\u0018\r\\5eCR,Wk]3s)\u0011\tY+!-\u0011\u00075\u000bi+C\u0002\u00020:\u0013qAQ8pY\u0016\fg\u000eC\u0004\u00024:\u0001\r!!.\u0002\u0015\u0005,H\u000f[3e+N,'\u000f\u0005\u0003\u0002\u000e\u0005]\u0016\u0002BA]\u0003\u001f\u0011\u0011#Q;uQ\u0016tG/[2bi\u0016$Wk]3s\u0003=\u0019\u0017m\u00195f-\u0006d\u0017\u000eZ1uS>tWCAAV\u00039\t\u0007/[$sC\u000e,\u0007+\u001a:j_\u0012,\"!a1\u0011\u00075\u000b)-C\u0002\u0002H:\u0013A\u0001T8oO\u0006y\u0011-\u001e;i\u0007\u0006dGNY1dWV\u0013H.A\u0003P\u0003V$\b.\u0006\u0002\u0002PB!\u0011\u0011[Al\u001b\t\t\u0019NC\u0002\u0002V\u0012\u000bqa]3sm&\u001cW-\u0003\u0003\u0002Z\u0006M'!B(BkRD\u0017aD1qa2L7-\u0019;j_:t\u0015-\\3\u0002%5,H\u000e^5gC\u000e$xN]\"iK\u000e\\WM]\u000b\u0003\u0003C\u0004R!TAr\u0003OL1!!:O\u0005\u0019y\u0005\u000f^5p]B!\u0011\u0011[Au\u0013\u0011\tY/a5\u0003+\u001d{wn\u001a7fe\u0019\u000buI]8va\u000eCWmY6fe\u0006\u0001BjT$J\u001d~{%+S$J\u001d~[U)W\u000b\u0003\u0003c\u0004B!a=\u0002~6\u0011\u0011Q\u001f\u0006\u0005\u0003o\fI0\u0001\u0003mC:<'BAA~\u0003\u0011Q\u0017M^1\n\t\u00055\u0015Q_\u0001\u0011\u0003:#\u0016j\u0018$P%\u001e+%+W0L\u000bf\u000b\u0001CR(S\u0007\u0016{V\t\u0017)J%f{6*R-\u0002\r\r|wn[5f)\u0019\u00119A!\u0004\u0003\u0012A\u0019AM!\u0003\n\u0007\t-QM\u0001\u0004D_>\\\u0017.\u001a\u0005\b\u0005\u001fA\u0002\u0019AA>\u0003\u0011q\u0017-\\3\t\u000f\tM\u0001\u00041\u0001\u0002|\u0005)a/\u00197vK\u0006qA-[:dCJ$7i\\8lS\u0016\u001cXC\u0001B\r!\u0019\u0011YB!\n\u0003*5\u0011!Q\u0004\u0006\u0005\u0005?\u0011\t#A\u0005j[6,H/\u00192mK*\u0019!1\u0005(\u0002\u0015\r|G\u000e\\3di&|g.\u0003\u0003\u0003(\tu!aA*fcB\u0019AMa\u000b\n\u0007\t5RM\u0001\tESN\u001c\u0017M\u001d3j]\u001e\u001cun\\6jK\u0006Y1/\u001a8e\r>\u0014\u0018)\u001e;i)\u00159(1\u0007B\u001b\u0011\u001d\tIB\u0007a\u0002\u00037A\u0011Ba\u000e\u001b!\u0003\u0005\u001dA!\u000f\u0002\u000b\u0015l\u0017-\u001b7\u0011\u000b5\u000b\u0019/a\u001f\u0002+M,g\u000e\u001a$pe\u0006+H\u000f\u001b\u0013eK\u001a\fW\u000f\u001c;%eU\u0011!q\b\u0016\u0005\u0005s\u0011\te\u000b\u0002\u0003DA!!Q\tB(\u001b\t\u00119E\u0003\u0003\u0003J\t-\u0013!C;oG\",7m[3e\u0015\r\u0011iET\u0001\u000bC:tw\u000e^1uS>t\u0017\u0002\u0002B)\u0005\u000f\u0012\u0011#\u001e8dQ\u0016\u001c7.\u001a3WCJL\u0017M\\2f\u0003A\u0019\u0007.Z2l\u001bVdG/\u001b4bGR|'\u000f\u0006\u0003\u0002,\n]\u0003bBAZ9\u0001\u0007\u0011QW\u0001\u0014g\"|w/\u00168bkRDW\rZ'fgN\fw-\u001a\u000b\u0005\u0005;\u0012\t\u0007F\u0002~\u0005?Bq!!\u0007\u001e\u0001\b\tY\u0002C\u0004\u0003du\u0001\r!a\u001f\u0002\u000f5,7o]1hK\u0006\u0011\u0012N\u001c<bY&$Wk]3s\u001b\u0016\u001c8/Y4f)\u0011\t\tP!\u001b\t\u000f\t-d\u00041\u0001\u00026\u0006Y1\r\\1j[\u0016$\u0017)\u001e;i\u00031!WmY8eK\u000e{wn[5f)\u0011\u0011\tHa\u001e\u0015\t\tM$Q\u000f\t\u0006\u001b\u0006\r\u0018\u0011\u001f\u0005\b\u00033y\u00029AA\u000e\u0011\u001d\u0011ya\ba\u0001\u0003w\nA\u0003\u001d:pG\u0016\u001c8oT!vi\"\u001c\u0015\r\u001c7cC\u000e\\GC\u0001B?)\r9(q\u0010\u0005\b\u00033\u0001\u00039AA\u000e\u00035\u0001(o\\2fgNdunZ8viR\u0019QP!\"\t\u000f\u0005e\u0011\u0005q\u0001\u0002\u001c\u0005)\"/Z1e\u0003V$\b.\u001a8uS\u000e\fG/\u001a3Vg\u0016\u0014H\u0003\u0002BF\u0005\u001b\u0003R!TAr\u0003kCq!!\u0007#\u0001\u0004\tY\"\u0001\u0006sK\u0006$7i\\8lS\u0016$BAa%\u0003\u001cB)Q*a9\u0003\u0016B\u0019aNa&\n\u0007\te%IA\bQC:$w.\\1j]\u000e{wn[5f\u0011\u001d\tIb\ta\u0001\u00037\tabZ3oKJ\fG/Z\"p_.LW\r\u0006\u0003\u0003\b\t\u0005\u0006bBAZI\u0001\u0007\u0011QW\u0001\u0016S:\u001cG.\u001e3f'f\u001cH/Z7J]\u000e{wn[5f)\u0011\u00119K!,\u0015\u0007u\u0014I\u000b\u0003\u0004\u0003,\u0016\u0002\r!`\u0001\u0007e\u0016\u001cX\u000f\u001c;\t\u000f\u0005MV\u00051\u0001\u00026\u0006Ya\r\\;tQ\u000e{wn[5f)\ri(1\u0017\u0005\u0007\u0005W3\u0003\u0019A?\u0002\u0017\u0015DHO]1di\u0006+H\u000f\u001b\u000b\u0005\u0005s\u0013y\f\u0005\u0003\u0002\u000e\tm\u0016\u0002\u0002B_\u0003\u001f\u0011A#Q;uQ\u0016tG/[2bi&|gn\u0015;biV\u001c\bbBA\rO\u0001\u0007\u00111D\u0001\u000b\u0003V$\b.Q2uS>t\u0007c\u0001BcS5\t\u0001A\u0001\u0006BkRD\u0017i\u0019;j_:\u001cB!\u000b'\u0003LB\u0019!QY\u0002\u0002\rqJg.\u001b;?)\t\u0011\u0019-\u0001\u0004qCJ\u001cXM]\u000b\u0003\u0005+\u0004B\u0001\u001aBlc&\u0019!\u0011\\3\u0003\u0015\t{G-\u001f)beN,'/\u0001\tfq\u0016\u001cW\u000f^5p]\u000e{g\u000e^3yiR!!q\u001cBr)\r9(\u0011\u001d\u0005\b\u0003\u0007i\u0003\u0019AA\u0003\u0011\u001d\tI\"\fa\u0001\u00037\tQ\"\u0011)J\u0003V$\b.Q2uS>t\u0007c\u0001Bc_\ti\u0011\tU%BkRD\u0017i\u0019;j_:\u001cba\f'\u0003n\u000e=\u0001c\u0001Bco\t)\u0012IY:ue\u0006\u001cG/\u00119j\u0003V$\b.Q2uS>t7\u0003B\u001cM\u0005\u0017\faC\\8u\u0003V$\b.\u001a8uS\u000e\fG/\u001a3SKN,H\u000e^\u000b\u0002{\u0006\u0019\u0012N\u001c<bY&$7i\\8lS\u0016\u0014Vm];mi\u0006iQ\r\u001f9je\u0016$'+Z:vYR\f1C\\8u\u0003V$\bn\u001c:ju\u0016$'+Z:vYR$BAa@\u0004\u0004Q\u0019qo!\u0001\t\u000f\u0005\rq\b1\u0001\u0002\u0006!9\u0011\u0011D A\u0002\u0005m\u0011\u0001\u0007:fgB|gn]3XSRD7+_:uK6\u001cun\\6jKR)qo!\u0003\u0004\u000e!111\u0002!A\u0002]\f\u0001B]3ta>t7/\u001a\u0005\b\u0003g\u0003\u0005\u0019AA[!\r\u0011)-\r\u0002\u0014!2\f\u0017N\\#se>\u0014(+Z:q_:\u001cXm]\n\u0003c1+\"aa\u0006\u0011\t\re11\u0006\b\u0005\u00077\u00199C\u0004\u0003\u0004\u001e\r\u0015b\u0002BB\u0010\u0007GqA!!!\u0004\"%\t!.\u0003\u0002iS&\u0011amZ\u0005\u0004\u0007S)\u0017a\u0002*fgVdGo]\u0005\u0005\u0007[\u0019yC\u0001\u0004Ti\u0006$Xo]\u0005\u0004\u0007c)'a\u0002*fgVdGo\u001d\u000b\u0003\u0005O\u0004")
/* loaded from: input_file:com/gu/pandomainauth/action/AuthActions.class */
public interface AuthActions {

    /* compiled from: Actions.scala */
    /* loaded from: input_file:com/gu/pandomainauth/action/AuthActions$AbstractApiAuthAction.class */
    public interface AbstractApiAuthAction extends AuthenticationAction {
        default BodyParser<AnyContent> parser() {
            return com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().controllerComponents().parsers().default();
        }

        default ExecutionContext executionContext() {
            return com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().controllerComponents().executionContext();
        }

        /* renamed from: notAuthenticatedResult */
        Result mo4notAuthenticatedResult();

        /* renamed from: invalidCookieResult */
        Result mo3invalidCookieResult();

        /* renamed from: expiredResult */
        Result mo2expiredResult();

        /* renamed from: notAuthorizedResult */
        Result mo1notAuthorizedResult();

        @Override // com.gu.pandomainauth.action.AuthActions.AuthenticationAction
        default Future<Result> authenticateRequest(RequestHeader requestHeader, Function1<User, Future<Result>> function1) {
            InvalidCookie extractAuth = com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().extractAuth(requestHeader);
            if (NotAuthenticated$.MODULE$.equals(extractAuth)) {
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(new StringBuilder(36).append("user not authed against ").append(com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$domain()).append(", return 401").toString());
                return Future$.MODULE$.apply(() -> {
                    return this.mo4notAuthenticatedResult();
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
            }
            if (extractAuth instanceof InvalidCookie) {
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().warn("error checking user's auth, clear cookie and return 401", extractAuth.exception());
                return Future$.MODULE$.apply(() -> {
                    return this.mo3invalidCookieResult();
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec()).map(result -> {
                    return this.com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().flushCookie(result);
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
            }
            if (extractAuth instanceof Expired) {
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(new StringBuilder(31).append("user ").append(((Expired) extractAuth).authedUser().user().email()).append(" login expired, return 419").toString());
                return Future$.MODULE$.apply(() -> {
                    return this.mo2expiredResult();
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
            }
            if (extractAuth instanceof GracePeriod) {
                AuthenticatedUser authedUser = ((GracePeriod) extractAuth).authedUser();
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(new StringBuilder(43).append("user ").append(authedUser.user().email()).append(" login expired but is in grace period.").toString());
                return responseWithSystemCookie((Future) function1.apply(authedUser.user()), authedUser);
            }
            if (extractAuth instanceof NotAuthorized) {
                AuthenticatedUser authedUser2 = ((NotAuthorized) extractAuth).authedUser();
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug("user not authorized, return 403");
                com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().invalidUserMessage(authedUser2));
                return Future$.MODULE$.apply(() -> {
                    return this.mo1notAuthorizedResult();
                }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
            }
            if (!(extractAuth instanceof Authenticated)) {
                throw new MatchError(extractAuth);
            }
            AuthenticatedUser authedUser3 = ((Authenticated) extractAuth).authedUser();
            return responseWithSystemCookie((Future) function1.apply(authedUser3.user()), authedUser3);
        }

        default Future<Result> responseWithSystemCookie(Future<Result> future, AuthenticatedUser authenticatedUser) {
            if (authenticatedUser.authenticatedIn().apply(com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$system())) {
                return future;
            }
            com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$logger().debug(new StringBuilder(51).append("user ").append(authenticatedUser.user().email()).append(" from other system valid: adding validity in ").append(com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$system()).append(".").toString());
            return future.map(result -> {
                return this.com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().includeSystemInCookie(authenticatedUser, result);
            }, com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer().com$gu$pandomainauth$action$AuthActions$$ec());
        }

        /* synthetic */ AuthActions com$gu$pandomainauth$action$AuthActions$AbstractApiAuthAction$$$outer();

        static void $init$(AbstractApiAuthAction abstractApiAuthAction) {
        }
    }

    /* compiled from: Actions.scala */
    /* loaded from: input_file:com/gu/pandomainauth/action/AuthActions$AuthenticationAction.class */
    public interface AuthenticationAction extends ActionBuilder<UserRequest, AnyContent> {
        Future<Result> authenticateRequest(RequestHeader requestHeader, Function1<User, Future<Result>> function1);

        default <A> Future<Result> invokeBlock(Request<A> request, Function1<UserRequest<A>, Future<Result>> function1) {
            return authenticateRequest(request, user -> {
                return (Future) function1.apply(new UserRequest(user, request));
            });
        }

        /* synthetic */ AuthActions com$gu$pandomainauth$action$AuthActions$AuthenticationAction$$$outer();

        static void $init$(AuthenticationAction authenticationAction) {
        }
    }

    /* compiled from: Actions.scala */
    /* loaded from: input_file:com/gu/pandomainauth/action/AuthActions$PlainErrorResponses.class */
    public interface PlainErrorResponses {
        void com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$notAuthenticatedResult_$eq(Results.Status status);

        void com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$invalidCookieResult_$eq(Results.Status status);

        void com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$expiredResult_$eq(Results.Status status);

        void com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$notAuthorizedResult_$eq(Results.Status status);

        Results.Status notAuthenticatedResult();

        Results.Status invalidCookieResult();

        Results.Status expiredResult();

        Results.Status notAuthorizedResult();

        /* synthetic */ AuthActions com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$$$outer();

        static void $init$(PlainErrorResponses plainErrorResponses) {
            plainErrorResponses.com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$notAuthenticatedResult_$eq(Results$.MODULE$.Unauthorized());
            plainErrorResponses.com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$invalidCookieResult_$eq(Results$.MODULE$.Unauthorized());
            plainErrorResponses.com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$expiredResult_$eq(new Results.Status(Results$.MODULE$, 419));
            plainErrorResponses.com$gu$pandomainauth$action$AuthActions$PlainErrorResponses$_setter_$notAuthorizedResult_$eq(Results$.MODULE$.Forbidden());
        }
    }

    AuthActions$AuthAction$ AuthAction();

    AuthActions$APIAuthAction$ APIAuthAction();

    void com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$logger_$eq(Logger logger);

    void com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$ec_$eq(ExecutionContext executionContext);

    void com$gu$pandomainauth$action$AuthActions$_setter_$OAuth_$eq(OAuth oAuth);

    void com$gu$pandomainauth$action$AuthActions$_setter_$applicationName_$eq(String str);

    void com$gu$pandomainauth$action$AuthActions$_setter_$multifactorChecker_$eq(Option<Google2FAGroupChecker> option);

    void com$gu$pandomainauth$action$AuthActions$_setter_$LOGIN_ORIGIN_KEY_$eq(String str);

    void com$gu$pandomainauth$action$AuthActions$_setter_$ANTI_FORGERY_KEY_$eq(String str);

    void com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$FORCE_EXPIRY_KEY_$eq(String str);

    Logger com$gu$pandomainauth$action$AuthActions$$logger();

    WSClient wsClient();

    ControllerComponents controllerComponents();

    PanDomainAuthSettingsRefresher panDomainSettings();

    default String com$gu$pandomainauth$action$AuthActions$$system() {
        return panDomainSettings().system();
    }

    default String com$gu$pandomainauth$action$AuthActions$$domain() {
        return panDomainSettings().domain();
    }

    private default PanDomainAuthSettings settings() {
        return panDomainSettings().settings();
    }

    ExecutionContext com$gu$pandomainauth$action$AuthActions$$ec();

    boolean validateUser(AuthenticatedUser authenticatedUser);

    default boolean cacheValidation() {
        return false;
    }

    default long apiGracePeriod() {
        return 0L;
    }

    String authCallbackUrl();

    OAuth OAuth();

    String applicationName();

    Option<Google2FAGroupChecker> multifactorChecker();

    String LOGIN_ORIGIN_KEY();

    String ANTI_FORGERY_KEY();

    String com$gu$pandomainauth$action$AuthActions$$FORCE_EXPIRY_KEY();

    private default Cookie cookie(String str, String str2) {
        return new Cookie(str, URLEncoder.encode(str2, "UTF-8"), Cookie$.MODULE$.apply$default$3(), Cookie$.MODULE$.apply$default$4(), Cookie$.MODULE$.apply$default$5(), true, true, new Some(Cookie$SameSite$None$.MODULE$));
    }

    default Seq<DiscardingCookie> com$gu$pandomainauth$action$AuthActions$$discardCookies() {
        return new $colon.colon(new DiscardingCookie(LOGIN_ORIGIN_KEY(), DiscardingCookie$.MODULE$.apply$default$2(), DiscardingCookie$.MODULE$.apply$default$3(), true), new $colon.colon(new DiscardingCookie(ANTI_FORGERY_KEY(), DiscardingCookie$.MODULE$.apply$default$2(), DiscardingCookie$.MODULE$.apply$default$3(), true), new $colon.colon(new DiscardingCookie(com$gu$pandomainauth$action$AuthActions$$FORCE_EXPIRY_KEY(), DiscardingCookie$.MODULE$.apply$default$2(), DiscardingCookie$.MODULE$.apply$default$3(), true), Nil$.MODULE$)));
    }

    default Future<Result> sendForAuth(RequestHeader requestHeader, Option<String> option) {
        String generateAntiForgeryToken = OAuth().generateAntiForgeryToken();
        return OAuth().redirectToOAuthProvider(generateAntiForgeryToken, option, com$gu$pandomainauth$action$AuthActions$$ec()).map(result -> {
            return result.withCookies(ScalaRunTime$.MODULE$.wrapRefArray(new Cookie[]{this.cookie(this.ANTI_FORGERY_KEY(), generateAntiForgeryToken), this.cookie(this.LOGIN_ORIGIN_KEY(), requestHeader.uri())}));
        }, com$gu$pandomainauth$action$AuthActions$$ec());
    }

    default Option<String> sendForAuth$default$2() {
        return None$.MODULE$;
    }

    default boolean checkMultifactor(AuthenticatedUser authenticatedUser) {
        return multifactorChecker().exists(google2FAGroupChecker -> {
            return BoxesRunTime.boxToBoolean($anonfun$checkMultifactor$1(authenticatedUser, google2FAGroupChecker));
        });
    }

    default Result showUnauthedMessage(String str, RequestHeader requestHeader) {
        com$gu$pandomainauth$action$AuthActions$$logger().info(str);
        return Results$.MODULE$.Forbidden();
    }

    default String invalidUserMessage(AuthenticatedUser authenticatedUser) {
        return new StringBuilder(20).append("user ").append(authenticatedUser.user().email()).append(" not valid for ").append(com$gu$pandomainauth$action$AuthActions$$system()).toString();
    }

    private default Option<String> decodeCookie(String str, RequestHeader requestHeader) {
        return requestHeader.cookies().get(str).map(cookie -> {
            return URLDecoder.decode(cookie.value(), "UTF-8");
        });
    }

    default Future<Result> processOAuthCallback(RequestHeader requestHeader) {
        return (Future) decodeCookie(ANTI_FORGERY_KEY(), requestHeader).flatMap(str -> {
            return this.decodeCookie(this.LOGIN_ORIGIN_KEY(), requestHeader).map(str -> {
                return this.OAuth().validatedUserIdentity(str, requestHeader, this.com$gu$pandomainauth$action$AuthActions$$ec(), this.wsClient()).map(authenticatedUser -> {
                    AuthenticatedUser copy = authenticatedUser.copy(authenticatedUser.copy$default$1(), this.com$gu$pandomainauth$action$AuthActions$$system(), (Set) this.readAuthenticatedUser(requestHeader).map(authenticatedUser -> {
                        return authenticatedUser.authenticatedIn();
                    }).fold(() -> {
                        return (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{this.com$gu$pandomainauth$action$AuthActions$$system()}));
                    }, set -> {
                        return set.$plus(this.com$gu$pandomainauth$action$AuthActions$$system());
                    }), authenticatedUser.copy$default$4(), this.checkMultifactor(authenticatedUser));
                    if (!this.validateUser(copy)) {
                        return this.showUnauthedMessage(this.invalidUserMessage(authenticatedUser), requestHeader);
                    }
                    return Results$.MODULE$.Redirect(str, Results$.MODULE$.Redirect$default$2(), Results$.MODULE$.Redirect$default$3()).withCookies(ScalaRunTime$.MODULE$.wrapRefArray(new Cookie[]{this.generateCookie(copy)})).discardingCookies(this.com$gu$pandomainauth$action$AuthActions$$discardCookies());
                }, this.com$gu$pandomainauth$action$AuthActions$$ec());
            });
        }).getOrElse(() -> {
            return Future$.MODULE$.successful(Results$.MODULE$.BadRequest().apply("Missing cookies", Writeable$.MODULE$.wString(Codec$.MODULE$.utf_8())));
        });
    }

    default Result processLogout(RequestHeader requestHeader) {
        return flushCookie(showUnauthedMessage("logged out", requestHeader));
    }

    default Option<AuthenticatedUser> readAuthenticatedUser(RequestHeader requestHeader) {
        return readCookie(requestHeader).map(pandomainCookie -> {
            return CookieUtils$.MODULE$.parseCookieData(pandomainCookie.cookie().value(), this.settings().publicKey());
        });
    }

    default Option<PandomainCookie> readCookie(RequestHeader requestHeader) {
        return requestHeader.cookies().get(settings().cookieSettings().cookieName()).map(cookie -> {
            return new PandomainCookie(cookie, requestHeader.cookies().get(this.com$gu$pandomainauth$action$AuthActions$$FORCE_EXPIRY_KEY()).exists(cookie -> {
                return BoxesRunTime.boxToBoolean($anonfun$readCookie$2(cookie));
            }));
        });
    }

    default Cookie generateCookie(AuthenticatedUser authenticatedUser) {
        return new Cookie(settings().cookieSettings().cookieName(), CookieUtils$.MODULE$.generateCookieData(authenticatedUser, settings().privateKey()), Cookie$.MODULE$.apply$default$3(), Cookie$.MODULE$.apply$default$4(), new Some(com$gu$pandomainauth$action$AuthActions$$domain()), true, true, Cookie$.MODULE$.apply$default$8());
    }

    default Result includeSystemInCookie(AuthenticatedUser authenticatedUser, Result result) {
        return result.withCookies(ScalaRunTime$.MODULE$.wrapRefArray(new Cookie[]{generateCookie(authenticatedUser.copy(authenticatedUser.copy$default$1(), authenticatedUser.copy$default$2(), authenticatedUser.authenticatedIn().$plus(com$gu$pandomainauth$action$AuthActions$$system()), authenticatedUser.copy$default$4(), authenticatedUser.copy$default$5()))}));
    }

    default Result flushCookie(Result result) {
        return result.discardingCookies(ScalaRunTime$.MODULE$.wrapRefArray(new DiscardingCookie[]{new DiscardingCookie(settings().cookieSettings().cookieName(), DiscardingCookie$.MODULE$.apply$default$2(), new Some(com$gu$pandomainauth$action$AuthActions$$domain()), true)}));
    }

    default AuthenticationStatus extractAuth(RequestHeader requestHeader) {
        return (AuthenticationStatus) readCookie(requestHeader).map(pandomainCookie -> {
            return PanDomain$.MODULE$.authStatus(pandomainCookie.cookie().value(), this.settings().publicKey(), authenticatedUser -> {
                return BoxesRunTime.boxToBoolean(this.validateUser(authenticatedUser));
            }, this.apiGracePeriod(), this.com$gu$pandomainauth$action$AuthActions$$system(), this.cacheValidation(), pandomainCookie.forceExpiry());
        }).getOrElse(() -> {
            return NotAuthenticated$.MODULE$;
        });
    }

    static /* synthetic */ boolean $anonfun$checkMultifactor$1(AuthenticatedUser authenticatedUser, Google2FAGroupChecker google2FAGroupChecker) {
        return google2FAGroupChecker.checkMultifactor(authenticatedUser);
    }

    static /* synthetic */ boolean $anonfun$readCookie$2(Cookie cookie) {
        String value = cookie.value();
        return value != null ? !value.equals("0") : "0" != 0;
    }

    static void $init$(AuthActions authActions) {
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$logger_$eq(LoggerFactory.getLogger(authActions.getClass()));
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$ec_$eq(authActions.controllerComponents().executionContext());
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$OAuth_$eq(new OAuth(authActions.settings().oAuthSettings(), authActions.com$gu$pandomainauth$action$AuthActions$$system(), authActions.authCallbackUrl(), authActions.com$gu$pandomainauth$action$AuthActions$$ec(), authActions.wsClient()));
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$applicationName_$eq(new StringBuilder(26).append("pan-domain-authentication-").append(authActions.com$gu$pandomainauth$action$AuthActions$$system()).toString());
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$multifactorChecker_$eq(authActions.settings().google2FAGroupSettings().map(google2FAGroupSettings -> {
            return new Google2FAGroupChecker(google2FAGroupSettings, authActions.panDomainSettings().bucketName(), authActions.panDomainSettings().s3Client(), authActions.applicationName());
        }));
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$LOGIN_ORIGIN_KEY_$eq("panda-loginOriginUrl");
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$ANTI_FORGERY_KEY_$eq("panda-antiForgeryToken");
        authActions.com$gu$pandomainauth$action$AuthActions$_setter_$com$gu$pandomainauth$action$AuthActions$$FORCE_EXPIRY_KEY_$eq("panda-forceExpiry");
    }
}
