import { KeyObject } from 'node:crypto';
import express from 'express';
import { DidString } from '@atproto/lex';
import { VerifySignatureWithKeyFn } from '@atproto/xrpc-server';
import { DataPlaneClient } from './data-plane/index.js';
type ReqCtx = {
    req: express.Request;
};
type StandardAuthOpts = {
    skipAudCheck?: boolean;
    lxmCheck?: (method?: string) => boolean;
};
export declare enum RoleStatus {
    Valid = 0,
    Invalid = 1,
    Missing = 2
}
type NullOutput = {
    credentials: {
        type: 'none';
        iss: null;
    };
};
type StandardOutput = {
    credentials: {
        type: 'standard';
        aud: string;
        iss: DidString | `${DidString}#${string}`;
    };
};
type RoleOutput = {
    credentials: {
        type: 'role';
        admin: boolean;
    };
};
type ModServiceOutput = {
    credentials: {
        type: 'mod_service';
        aud: string;
        iss: string;
    };
};
export type AuthVerifierOpts = {
    ownDid: string;
    alternateAudienceDids: string[];
    modServiceDid: string;
    adminPasses: string[];
    entrywayJwtPublicKey?: KeyObject;
};
export declare class AuthVerifier {
    dataplane: DataPlaneClient;
    ownDid: string;
    standardAudienceDids: Set<string>;
    modServiceDid: string;
    private adminPasses;
    private entrywayJwtPublicKey?;
    constructor(dataplane: DataPlaneClient, opts: AuthVerifierOpts);
    standardOptionalParameterized: (opts: StandardAuthOpts) => (ctx: ReqCtx) => Promise<StandardOutput | NullOutput>;
    standardOptional: (ctx: ReqCtx) => Promise<StandardOutput | NullOutput>;
    standard: (ctx: ReqCtx) => Promise<StandardOutput>;
    role: (ctx: ReqCtx) => RoleOutput;
    standardOrRole: (ctx: ReqCtx) => Promise<StandardOutput | RoleOutput>;
    optionalStandardOrRole: (ctx: ReqCtx) => Promise<StandardOutput | RoleOutput | NullOutput>;
    entrywaySession: (reqCtx: ReqCtx) => Promise<StandardOutput>;
    modService: (reqCtx: ReqCtx) => Promise<ModServiceOutput>;
    roleOrModService: (reqCtx: ReqCtx) => Promise<RoleOutput | ModServiceOutput>;
    parseRoleCreds(req: express.Request): {
        status: RoleStatus;
        admin: boolean;
        moderator: boolean;
        triage: boolean;
    } | {
        status: RoleStatus;
        admin: boolean;
        moderator?: undefined;
        triage?: undefined;
    };
    verifyServiceJwt(reqCtx: ReqCtx, opts: {
        iss: string[] | null;
        aud: string | null;
        lxmCheck?: (method?: string) => boolean;
    }): Promise<{
        iss: DidString | `${DidString}#${string}`;
        aud: string;
    }>;
    isModService(iss: string): boolean;
    nullCreds(): NullOutput;
    parseCreds(creds: StandardOutput | RoleOutput | ModServiceOutput | NullOutput): {
        viewer: `did:${string}:${string}` | null;
        includeTakedowns: boolean;
        include3pBlocks: boolean;
        canPerformTakedown: boolean;
        isModService: boolean;
        skipViewerBlocks: boolean;
    };
}
export declare const parseBasicAuth: (token: string) => {
    username: string;
    password: string;
} | null;
export declare const buildBasicAuth: (username: string, password: string) => string;
export declare const createPublicKeyObject: (publicKeyHex: string) => KeyObject;
export declare const verifySignatureWithKey: VerifySignatureWithKeyFn;
export {};
//# sourceMappingURL=auth-verifier.d.ts.map