/**
 * @fileoverview Base AuthService for BrightDB-backed applications.
 *
 * Handles core user authentication: register, login, JWT signing/verification,
 * password change, and mnemonic recovery. Uses MemberStore + EnergyAccountStore
 * from brightchain-lib, bcrypt for password hashing, and jsonwebtoken for JWTs.
 *
 * Domain-specific extensions (e.g. BrightHub profile creation, additional
 * controllers) are added by subclasses in consuming libraries.
 *
 * @module services/auth
 */
import { EnergyAccountStore, IRecoveryResponse, MemberStore } from '@brightchain/brightchain-lib';
import { MemberType, SecureString } from '@digitaldefiance/ecies-lib';
import { Member, PlatformID } from '@digitaldefiance/node-ecies-lib';
import type { IAuthCredentials } from '../interfaces/auth-credentials';
import type { IAuthToken } from '../interfaces/auth-token';
import type { IBrightDbApplication } from '../interfaces/bright-db-application';
import type { ITokenPayload } from '../interfaces/token-payload';
import type { BrightDbAuthenticationProvider } from './bright-db-authentication-provider';
/**
 * Base authentication service for BrightDB-backed applications.
 *
 * Provides register, login, JWT sign/verify, password change, and
 * mnemonic recovery. Subclasses can override methods to add domain-specific
 * behavior (e.g. creating social profiles on registration).
 */
export declare class BrightDbAuthService<TID extends PlatformID = Buffer> {
    protected memberStore: MemberStore;
    protected energyStore: EnergyAccountStore;
    protected jwtSecret: string;
    protected authProvider?: BrightDbAuthenticationProvider<TID>;
    protected readonly application: IBrightDbApplication<TID>;
    constructor(application: IBrightDbApplication<TID>, memberStore: MemberStore, energyStore: EnergyAccountStore, jwtSecret: string, authProvider?: BrightDbAuthenticationProvider<TID>);
    register(username: string, email: string, password: SecureString, mnemonic?: SecureString, displayName?: string): Promise<IAuthToken>;
    login(credentials: IAuthCredentials): Promise<IAuthToken>;
    signToken(memberId: string, username: string, type: MemberType, roles?: string[]): string;
    /**
     * Sign a short-lived pending TOTP token.
     * Contains only `userId` and `pendingTotp: true` — no roles or privilege claims.
     * Expires in 600 seconds (10 minutes).
     */
    signPendingTotpToken(userId: string): string;
    verifyToken(token: string): Promise<ITokenPayload>;
    storePasswordHash(memberId: TID, hash: string): Promise<void>;
    getPasswordHash(memberId: TID): Promise<string>;
    changePassword(memberId: TID, currentPassword: string, newPassword: string): Promise<void>;
    recoverWithMnemonic(email: string, mnemonic: SecureString, newPassword?: string): Promise<IRecoveryResponse<string>>;
    /**
     * Verify a direct-login challenge: validate the server signature, look up
     * the user by username/email, verify the user's signature, and return the
     * member + JWT-ready data.
     *
     * This is the base implementation that works with MemberStore alone.
     * Subclasses in brightchain-api-lib add replay prevention and richer
     * user DTO building.
     */
    verifyDirectLoginChallenge(serverSignedRequest: string, signature: string, username?: string, email?: string): Promise<{
        member: Member<TID>;
        memberId: string;
        userDTO: import('@digitaldefiance/suite-core-lib').IRequestUserDTO | null;
    }>;
    /**
     * Generate a cryptographically random email verification token, store it
     * in the email_tokens collection, and return the token string.
     */
    generateEmailVerificationToken(memberId: string, email: string): Promise<string>;
    /**
     * Resend the verification email for a user who hasn't verified yet.
     * Generates a new token and calls sendWelcomeEmail.
     */
    resendVerificationEmail(memberId: string, email: string, username: string): Promise<void>;
    /**
     * Verify an email verification token: validate it exists, is not expired,
     * then flip emailVerified → true and accountStatus → Active.
     *
     * @returns The user ID associated with the verified token.
     * @throws Error('Invalid or expired verification token') on bad/expired tokens.
     */
    verifyEmailToken(token: string): Promise<string>;
    /**
     * Override in subclasses to send a welcome/verification email via your
     * preferred service. Default implementation logs to console.
     *
     * @param email    - Recipient email address
     * @param username - Display name / username
     * @param memberId - The new user's member ID (used to generate verification token)
     */
    protected sendWelcomeEmail(email: string, username: string, _memberId?: string): Promise<void>;
}
//# sourceMappingURL=auth.d.ts.map