/**
 * Shared authentication middleware for MAMA API routes.
 *
 * Extracted from graph-api.ts to allow reuse across all API endpoints.
 * Uses timing-safe comparison and supports localhost bypass when no token is configured.
 *
 * This is a generated declaration file: it carries signatures and the
 * original doc comments only. Statements below about runtime behaviour are
 * taken from those comments and cannot be verified here — confirm against
 * the implementation module before relying on them.
 */
import type { IncomingMessage } from 'http';
import type { Request, Response, NextFunction } from 'express';

/** Options accepted by isAuthenticated() and logUnauthorizedAttempt(). */
interface AuthOptions {
  // When true, a token carried in the query string is presumably accepted in
  // addition to the Bearer header — the parameter name is not visible here.
  // NOTE(review): query-string tokens end up in access logs and browser
  // history; keep this off unless a route genuinely needs it.
  allowQueryToken?: boolean;
}

/** Request attributes captured when an unauthorized attempt is logged. */
interface SecurityLogContext {
  // Address chosen by getClientAddress() for this request.
  clientAddress: string;
  // Socket peer address, or null when unavailable.
  remoteAddress: string | null;
  // Presumably the X-Forwarded-For header value; attacker-controlled unless
  // set by a trusted proxy — for logging, not for authorization decisions.
  forwardedFor: string | null;
  // Presumably the CF-Connecting-IP header value; same trust caveat as above.
  cfConnectingIp: string | null;
  // Presumably the cf-ray header value (see isTrustedCloudflareAccessRequest).
  cfRay: string | null;
  // HTTP method, or null when not available on the request object.
  method: string | null;
  // Request path, or null when not available on the request object.
  path: string | null;
  // True when the request is judged to have arrived via the Cloudflare Tunnel.
  viaTunnel: boolean;
}

/**
 * Check if request originates from localhost
 *
 * @param req - incoming request; the peer address is read from it.
 * @returns true when the socket peer is a loopback address.
 */
export declare function isLocalRequest(req: IncomingMessage): boolean;

/**
 * Check whether the request carries Cloudflare Access identity headers.
 *
 * Which headers are inspected is not visible in this declaration — confirm
 * in the implementation. This is a presence check only; it does not by
 * itself establish that the headers are trustworthy.
 *
 * @param req - incoming request whose headers are inspected.
 * @returns true when the identity headers are present.
 */
export declare function hasCloudflareAccessIdentity(req: IncomingMessage): boolean;

/**
 * Trust Cloudflare Access authenticated requests when:
 * 1. Peer is localhost (request came through local Cloudflare Tunnel), AND
 * 2. Request has CF Access identity headers (user passed Cloudflare Access login)
 *
 * No environment variable needed — if cf-ray + CF Access headers arrive
 * from localhost, it's a Cloudflare Tunnel by definition.
 * MAMA_TRUST_CLOUDFLARE_ACCESS=true is still supported as explicit opt-in
 * but is no longer required.
 *
 * NOTE(review): the "by definition" step assumes the tunnel daemon is the
 * only thing on the host that can reach this listener over loopback. Any
 * other local process (or a user with a shell on the host) can send the same
 * headers, so this path extends trust to everything running locally rather
 * than to Cloudflare alone. Verify that assumption holds for the deployment
 * before relying on it in place of a configured token.
 *
 * @param req - incoming request.
 * @returns true when both conditions above hold.
 */
export declare function isTrustedCloudflareAccessRequest(req: IncomingMessage): boolean;

/**
 * Resolve a best-effort client address for logging and display.
 *
 * Presumably prefers a proxy-supplied address when the request is trusted
 * and falls back to the socket peer otherwise — confirm in the
 * implementation. Not intended for authorization decisions on its own.
 *
 * @param req - incoming request.
 * @returns the chosen address as a string.
 */
export declare function getClientAddress(req: IncomingMessage): string;

/**
 * Build the SecurityLogContext for a request (see the interface above for
 * the meaning of each field).
 *
 * @param req - incoming request.
 * @returns the populated context.
 */
export declare function getSecurityLogContext(req: IncomingMessage): SecurityLogContext;

/**
 * Record a rejected authentication attempt for the request.
 *
 * Output destination and format are not visible here. Expected to be called
 * from requireAuth()/requireAdminAuth() before a 401 is sent — confirm.
 *
 * @param req - the rejected request.
 * @param options - same options as isAuthenticated(); presumably used so the
 *   log reflects which token sources were considered.
 */
export declare function logUnauthorizedAttempt(req: IncomingMessage, options?: AuthOptions): void;

/**
 * Check if request is authenticated.
 *
 * - If no token configured: allows direct localhost only
 * - If token configured + real localhost (no tunnel headers): allows without token
 * - If token configured + tunnel/remote: requires Bearer token
 *
 * The header comment states the token comparison is timing-safe; the
 * Cloudflare Access path (isTrustedCloudflareAccessRequest) presumably also
 * satisfies this check — confirm.
 *
 * @param req - incoming request.
 * @param options - see AuthOptions.
 * @returns true when the request may proceed.
 */
export declare function isAuthenticated(req: IncomingMessage, options?: AuthOptions): boolean;

/**
 * Express middleware that rejects unauthenticated requests with 401.
 *
 * Usage:
 *   app.post('/api/sensitive', requireAuth, handler);
 *   app.use('/api/cron', requireAuth, cronRouter);
 *
 * On rejection the response is ended and next() is not called; the response
 * body is not specified here. Which AuthOptions this applies (if any) is not
 * visible in the declaration.
 *
 * @param req - Express request.
 * @param res - Express response, used to send the 401.
 * @param next - invoked only when the request is authenticated.
 */
export declare function requireAuth(req: Request, res: Response, next: NextFunction): void;

/**
 * Express middleware for admin-only routes.
 *
 * What it requires beyond requireAuth() (a separate credential, a role
 * claim, a stricter localhost rule) is not visible in this declaration —
 * confirm in the implementation before assuming it is stronger than
 * requireAuth().
 *
 * @param req - Express request.
 * @param res - Express response, used to send the rejection.
 * @param next - invoked only when the request passes the admin check.
 */
export declare function requireAdminAuth(req: Request, res: Response, next: NextFunction): void;

// Keeps this declaration file an ES module even though it has no value exports.
export {};
//# sourceMappingURL=auth-middleware.d.ts.map