override fun isSafe()

in azure-active-directory-server/src/main/kotlin/org/jetbrains/teamcity/aad/AADCSRFCheck.kt [18:45]


    /**
     * CSRF verdict for requests hitting the AAD login callback.
     *
     * Only requests whose method is in [ACTION_METHODS] and whose URL path ends with
     * [callbackPathProvider].path (case-insensitive) are judged here; anything else yields
     * [CsrfCheck.UNKNOWN] so that other checks decide.
     *
     * The nonce is taken from the [NONCE_PARAMETER] request parameter or, when that is absent,
     * from the [AADConstants.NONCE_CLAIM] claim of the [ID_TOKEN] parameter parsed via [JWT.parse].
     * NOTE(review): whether [JWT.parse] verifies the token signature is not visible here — the
     * verdict therefore rests on [accessTokenValidator] rejecting any nonce it did not issue.
     *
     * @return [safe] when the nonce passes [accessTokenValidator], [unsafe] when it does not,
     *   and [CsrfCheck.UNKNOWN] when no nonce can be obtained from the request.
     */
    override fun isSafe(request: HttpServletRequest): CsrfCheck.CheckResult {
        if (!ACTION_METHODS.contains(request.method)) return CsrfCheck.UNKNOWN

        // Compare only the path component; query string and host are irrelevant here.
        val requestPath = URL(request.requestURL.toString()).path
        val onCallbackPath = requestPath?.endsWith(callbackPathProvider.path, ignoreCase = true) == true
        if (!onCallbackPath) return CsrfCheck.UNKNOWN

        // Explicit nonce parameter wins; the id_token is only parsed when it is missing.
        val nonce = request.getParameter(NONCE_PARAMETER)
            ?: request.getParameter(ID_TOKEN)
                ?.let { JWT.parse(it) }
                ?.getClaim(AADConstants.NONCE_CLAIM)
            ?: return CsrfCheck.UNKNOWN

        return when {
            accessTokenValidator.validate(nonce) -> safe()
            else -> unsafe("NONCE parameter is incorrect")
        }
    }