/** * Utilities for normalizing and validating domains and issuers in MCD mode. * * Note on validation strictness: This validator is stricter than other Auth0 SDKs * (spa-js, react, express-openid-connect do no hostname validation). The strictness * is intentional for MCD resolver mode where the domain originates from a user-supplied * function and SSRF prevention is critical. In static mode the same validation applies * for consistency, but IP addresses and .local domains are never valid Auth0 custom * domains regardless. * * @internal */ /** * Normalizes an issuer URL by ensuring it has a trailing slash. * * @param issuer - The issuer URL to normalize * @returns The normalized issuer URL with a trailing slash * @internal */ export declare function normalizeIssuer(issuer: string): string; /** * Options for domain validation. */ interface ValidateDomainHostnameOptions { /** * Allow insecure (HTTP) requests for testing purposes. * Default: false */ allowInsecureRequests?: boolean; } /** * Validates a domain hostname to ensure it's a valid Auth0 custom domain. * * Auth0 custom domains must be DNS hostnames — IP addresses, localhost, and mDNS * (.local) domains are never valid Auth0 custom domains and are rejected * unconditionally (or conditionally for localhost when allowInsecureRequests is set). * * This is stricter than other Auth0 SDKs (spa-js, react, express-openid-connect * perform no hostname validation). The strictness is intentional for MCD resolver * mode where SSRF prevention is critical, and applies uniformly in static mode * for consistency. * * Rejects: * - IPv4 addresses (never valid Auth0 custom domains) * - IPv6 addresses (implicitly rejected via port/colon check) * - localhost (unless allowInsecureRequests for dev scenarios) * - .local domains (mDNS, unconditionally rejected) * - Hostnames with paths * - Hostnames with ports (unless already parsed) * * @param domain - The domain hostname to validate * @param options - Validation options * @throws {DomainValidationError} If the domain fails validation * @internal */ export declare function validateDomainHostname(domain: string, options?: ValidateDomainHostnameOptions): void; /** * Options for domain normalization. */ interface NormalizeDomainOptions { /** * An issuer hint to use if the domain cannot be parsed as a URL. * Useful for converting bare hostnames to issuer URLs. */ issuerHint?: string; /** * Allow insecure (HTTP) requests for testing purposes. * Default: false */ allowInsecureRequests?: boolean; } /** * Normalizes a domain value (URL or hostname) and returns both the normalized domain and issuer. * * Accepts: * - Full issuer URLs: "https://example.auth0.com/" * - URLs without trailing slash: "https://example.auth0.com" * - Bare hostnames: "example.auth0.com" * * @param value - The domain value to normalize (URL or hostname) * @param options - Normalization options * @returns An object with normalized domain and issuer * @throws {DomainValidationError} If the domain fails validation * @throws {IssuerValidationError} If the issuer cannot be constructed * @internal */ export declare function normalizeDomain(value: string, options?: NormalizeDomainOptions): { domain: string; issuer: string; }; /** * Normalizes an array of domain strings, filtering out invalid entries. * * Each domain is passed through normalizeDomain(). Invalid domains are skipped * and logged via console.warn. * * @param domains - Array of domain strings to normalize * @returns Array of normalized domain hostnames * @internal */ export declare function normalizeDomainArray(domains: string[]): string[]; /** * Safely normalizes a domain, returning null instead of throwing on invalid input. * * @param domain - The domain to normalize * @returns Normalized domain hostname, or null if invalid * @internal */ export declare function tryNormalizeDomain(domain: string): string | null; export {};