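import { type AuthRole, type AuthRoleSet } from './auth.role';
import { type ArrayOrValue } from '../array/array';
import { type SetIncludesMode } from '../set';
import { type Maybe } from '../value/maybe.type';

// NOTE(review): the generic parameter lists (`<T ...>`, `<V ...>`) were missing from this listing even though
// `T` and `V` are referenced throughout. They are restored below from how each type is used; every parameter on a
// type alias or interface has a default so the bare (argument-less) references keep compiling. Confirm the exact
// constraints and defaults against the published typings.

/**
 * Key of a single claim within a claims object.
 */
export type AuthClaimKey = string;

/**
 * Value used in an {@link AuthClaimsUpdate} to mark a claim for removal.
 */
export type ClearAuthClaimValue = null;

/**
 * Primitive claim value.
 */
export type SimpleAuthClaimValue = string | number | boolean;

/**
 * Any claim value: a primitive or an object.
 *
 * `object` also admits arrays, functions and class instances, so this type alone does not guarantee
 * that a value survives JSON serialization into a token.
 */
export type AuthClaimValue = SimpleAuthClaimValue | object;

/**
 * The template claims object. Only string keys are allowed, as JSON objects may only be keyed by string.
 */
export type AuthClaimsObject = {
  [key: string]: AuthClaimValue;
  [key: number | symbol]: never;
};

/**
 * An object that contains "claims" in the context of a JSON Web Token (JWT).
 *
 * It is keyed by the claims key.
 *
 * This is a compile-time shape only: nothing in this type checks a decoded token at runtime.
 */
export type AuthClaims<T extends AuthClaimsObject = AuthClaimsObject> = {
  [K in keyof T]: T[K];
};

/**
 * A claims update. Every key is optional, and any value can be null to clear that claim.
 */
export type AuthClaimsUpdate<T extends AuthClaimsObject = AuthClaimsObject> = Partial<{
  [K in keyof T]: T[K] | ClearAuthClaimValue;
}>;

/**
 * Configuration for a claims key.
 *
 * Primitive claim values may use either the simple or the encode/decode options; object-valued claims
 * must use the encode/decode options.
 */
export type AuthRoleClaimsFactoryConfigEntry<V extends AuthClaimValue = AuthClaimValue> = V extends SimpleAuthClaimValue ? AuthRoleClaimsFactoryConfigEntryEncodeOptions<V> | AuthRoleClaimsFactoryConfigEntrySimpleOptions<V> : AuthRoleClaimsFactoryConfigEntryEncodeOptions<V>;

/**
 * Simple configuration for a claims key that maps a claim value directly to one or more roles.
 */
export interface AuthRoleClaimsFactoryConfigEntrySimpleOptions<V extends SimpleAuthClaimValue = SimpleAuthClaimValue> {
  /**
   * The roles to add when this claim is encountered.
   */
  roles: ArrayOrValue<AuthRole>;
  /**
   * Describes when to add the value when encoding the roles.
   *
   * During encoding back to roles, the value will be set in the claims if ["any"/"all"] roles are not present.
   *
   * For "all", set the inverse if "all of the roles are present"/"any of the roles are NOT present"
   * For "any", set the inverse if "any of the roles are present"/"all of the roles are NOT present"
   *
   * True defaults to "any".
   *
   * For example, if there is a role that disables/disallows the "uploads" role, and "uploads" is present during encoding,
   * then the value will not be set on the inverse claim.
   *
   * NOTE(review): an inverse claim is written when roles are absent, so a claims object that lacks the key
   * presumably decodes as the roles being present. Confirm against the implementation; if so, a missing or
   * stripped claim fails open for these roles, which is worth avoiding for privileged roles.
   */
  inverse?: true | SetIncludesMode;
  /**
   * (Optional) claim value. Overrides the default claim value.
   */
  value?: V;
}

/**
 * A more configurable configuration for a single claims value.
 *
 * Both functions are required by this declaration.
 */
export interface AuthRoleClaimsFactoryConfigEntryEncodeOptions<V extends AuthClaimValue = AuthClaimValue> {
  /**
   * Computes the claim value for this entry from the given set of roles.
   *
   * NOTE(review): what an `undefined` result means (skip the key vs. write the empty value) is not visible here — confirm.
   */
  encodeValueFromRoles: (roles: AuthRoleSet) => V | undefined;
  /**
   * Computes the roles granted by this claim's value.
   *
   * The value is whatever the claims object holds at runtime; the static type `V` is not enforced by anything in
   * these declarations, so an implementation should check the value's type and content before returning roles.
   */
  decodeRolesFromValue: (value: Maybe<V>) => AuthRole[] | undefined;
}

/**
 * Config entry that marks a claims key as ignored.
 */
export type IgnoreAuthRoleClaimsEntry = null;

/**
 * Maps each claims key of T to its role configuration entry, or to null to ignore that key.
 */
export type AuthRoleClaimsFactoryConfig<T extends AuthClaimsObject = AuthClaimsObject> = {
  [K in keyof T]: AuthRoleClaimsFactoryConfigEntry<T[K]> | IgnoreAuthRoleClaimsEntry;
};

export interface AuthRoleClaimsFactoryDefaults {
  /**
   * Default value to use for claims that have no value present.
   *
   * If undefined, defaults to AUTH_ROLE_CLAIMS_DEFAULT_CLAIM_VALUE.
   */
  claimValue?: AuthClaimValue;
  /**
   * Default value for claims that are not defined.
   *
   * If undefined, defaults to AUTH_ROLE_CLAIMS_DEFAULT_EMPTY_VALUE.
   */
  emptyValue?: AuthClaimValue | ClearAuthClaimValue;
}

/**
 * Converts a set of roles into a claims update.
 *
 * Despite the type's name, the direction is roles -> claims; it is the type of {@link AuthRoleClaimsService.toClaims}.
 */
export type AuthRoleClaimsToRolesFunction<T extends AuthClaimsObject = AuthClaimsObject> = (roles: AuthRoleSet) => AuthClaimsUpdate<T>;

/**
 * Converts claims (or a claims update) into a set of roles.
 *
 * Despite the type's name, the direction is claims -> roles; it is the type of {@link AuthRoleClaimsService.toRoles}.
 */
export type AuthRoleRolesToClaimsFunction<T extends AuthClaimsObject = AuthClaimsObject> = (claims: AuthClaims<T> | AuthClaimsUpdate<T>) => AuthRoleSet;

/**
 * Service used for converting claims to/from a roles set.
 *
 * The service only maps between claim keys and roles. Nothing in these declarations verifies a token, so
 * `toRoles` should only be given claims taken from a token whose signature and expiry were already checked.
 */
export interface AuthRoleClaimsService<T extends AuthClaimsObject = AuthClaimsObject> {
  readonly toClaims: AuthRoleClaimsToRolesFunction<T>;
  readonly toRoles: AuthRoleRolesToClaimsFunction<T>;
  readonly defaultClaimValue: unknown;
  readonly defaultEmptyValue: unknown;
}

/**
 * Claim value used when {@link AuthRoleClaimsFactoryDefaults.claimValue} is undefined.
 */
export declare const AUTH_ROLE_CLAIMS_DEFAULT_CLAIM_VALUE = 1;

/**
 * Empty value used when {@link AuthRoleClaimsFactoryDefaults.emptyValue} is undefined.
 */
export declare const AUTH_ROLE_CLAIMS_DEFAULT_EMPTY_VALUE: null;

/**
 * Creates an {@link AuthRoleClaimsService} that converts between {@link AuthRoleSet} and JWT-style claims objects.
 *
 * Each key in the config maps a claim key to role(s). Simple entries map a claim value to one or more roles,
 * while encode/decode entries allow custom bidirectional conversion logic.
 *
 * @param config - Mapping of claim keys to their role configuration entries (or null to ignore)
 * @param defaults - Optional default values for claim presence and absence
 * @returns A service with `toClaims` and `toRoles` conversion functions
 */
export declare function authRoleClaimsService<T extends AuthClaimsObject>(config: AuthRoleClaimsFactoryConfig<T>, defaults?: AuthRoleClaimsFactoryDefaults): AuthRoleClaimsService<T>;

/**
 * Converts an {@link AuthClaimsUpdate} to {@link AuthClaims} by stripping all null-valued keys.
 *
 * Useful for cleaning up a claims update before persisting or comparing, since update objects
 * use `null` to indicate claim removal.
 *
 * @param authClaimsUpdate - The claims update object potentially containing null values
 * @returns A clean claims object with all null entries removed
 */
export declare function authClaims<T extends AuthClaimsObject = AuthClaimsObject>(authClaimsUpdate: AuthClaimsUpdate<T>): AuthClaims<T>;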