import type { Request, Response } from 'express';
import jsonwebtoken from 'jsonwebtoken';
import { sbvrUtils } from '@balena/pinejs';
import type { SignOptions } from './jwt-passport.js';
import type { User } from '../../balena-model.js';
export declare const checkSudoValidity: (user: TokenUserPayload) => boolean;
export declare const generateNewJwtSecret: () => Promise<string>;
export declare const tokenFields: ("id" | "jwt_secret")[];
export interface TokenUserPayload extends Pick<User['Read'], (typeof tokenFields)[number]> {
    twoFactorRequired?: boolean;
    authTime?: number;
}
export interface ExtraParams {
    existingToken?: Partial<TokenUserPayload>;
    jwtOptions?: SignOptions;
    tx: Tx;
}
export type GetUserTokenDataFn = (userId: number, existingToken: Partial<TokenUserPayload> | undefined, tx: Tx) => PromiseLike<AnyObject>;
export declare function setUserTokenDataCallback(fn: GetUserTokenDataFn): void;
export declare const createSessionToken: (userId: number, { existingToken, jwtOptions, tx }: ExtraParams) => Promise<string>;
export declare const loginUserXHR: (res: Response, userId: number, extraParams: ExtraParams & {
    statusCode?: number;
}) => Promise<void>;
export declare const updateUserXHR: (res: Response, req: Request, { tx }: {
    tx: Tx;
}) => Promise<void>;
export interface ScopedAccessToken {
    access: ScopedToken;
}
export interface ScopedAccessTokenOptions {
    actor: number;
    permissions: string[];
    expiresIn: number;
}
export interface ScopedToken extends sbvrUtils.Actor {
    actor: number;
    permissions: string[];
}
export declare function createScopedAccessToken(options: ScopedAccessTokenOptions): string;
export declare const createJwt: (payload: AnyObject, jwtOptions?: jsonwebtoken.SignOptions) => string;