/**
 * MastraCloudAuthProvider - Server integration for Mastra Cloud authentication.
 *
 * Extends MastraAuthProvider and implements ISSOProvider, ISessionProvider,
 * and IUserProvider interfaces to integrate with Mastra server middleware.
 *
 * @packageDocumentation
 */
import type { IUserProvider, ISSOProvider, ISessionProvider, Session, SSOCallbackResult, SSOLoginConfig } from './_types/@internal_auth/dist/index.d.ts';
import type { EEUser } from './_types/@internal_auth/dist/ee/index.d.ts';
import type { MastraAuthProviderOptions } from './_types/@internal_auth/dist/provider/index.d.ts';
import { MastraAuthProvider } from './_types/@internal_auth/dist/provider/index.d.ts';
import type { CloudUser } from './types.js';
type HonoRequestLike = {
    raw?: Request;
    headers?: Headers;
    header(name: string): string | undefined;
};
type MastraAuthRequest = Request | HonoRequestLike;
/**
 * Configuration options for MastraCloudAuthProvider.
 */
export interface MastraCloudAuthProviderOptions extends MastraAuthProviderOptions<CloudUser> {
    /** Mastra Cloud project ID */
    projectId: string;
    /** Base URL of Mastra Cloud API (e.g., https://cloud.mastra.ai) */
    cloudBaseUrl: string;
    /** OAuth callback URL for your application */
    callbackUrl: string;
    /** Whether running in production (adds Secure flag to cookies) */
    isProduction?: boolean;
}
/**
 * Mastra Cloud authentication provider for server integration.
 *
 * Wraps the MastraCloudAuth client and implements the required interfaces
 * for Mastra server middleware. Provides SSO login, session management,
 * and user awareness.
 *
 * @example
 * ```typescript
 * import { MastraCloudAuthProvider } from '@mastra/auth-cloud';
 *
 * const auth = new MastraCloudAuthProvider({
 *   cloudBaseUrl: 'https://cloud.mastra.ai',
 *   callbackUrl: 'https://myapp.com/auth/callback',
 * });
 *
 * const mastra = new Mastra({
 *   auth,
 *   // ...
 * });
 * ```
 */
export declare class MastraCloudAuthProvider extends MastraAuthProvider<CloudUser> implements IUserProvider<EEUser>, ISSOProvider<EEUser>, ISessionProvider<Session> {
    private client;
    /** Marker for EE license exemption - MastraCloudAuth is exempt */
    readonly isMastraCloudAuth = true;
    /**
     * Cookie header for handleCallback PKCE validation.
     * Set via setCallbackCookieHeader() before handleCallback() is called.
     * @internal
     */
    private _lastCallbackCookieHeader;
    constructor(options: MastraCloudAuthProviderOptions);
    /**
     * Set cookie header for handleCallback PKCE validation.
     * Must be called before handleCallback() to pass cookie header.
     *
     * @param cookieHeader - Cookie header from original request
     */
    setCallbackCookieHeader(cookieHeader: string | null): void;
    /**
     * Authenticate a bearer token or session cookie.
     *
     * Checks session cookie first, falls back to bearer token for API clients.
     *
     * @param token - Bearer token (from Authorization header)
     * @param request - Request used for cookie access
     * @returns Authenticated user with role, or null if invalid
     */
    authenticateToken(token: string, request: MastraAuthRequest): Promise<CloudUser | null>;
    /**
     * Authorize a user for access.
     *
     * Simple validation - detailed permission checking happens in server
     * middleware via checkRoutePermission(), not authorizeUser().
     *
     * @param user - Authenticated user
     * @returns True if user has valid id
     */
    authorizeUser(user: CloudUser): boolean;
    /**
     * Cached login result for getLoginCookies() to retrieve cookies.
     * @internal
     */
    private _lastLoginResult;
    /**
     * Get URL to redirect user to for SSO login.
     *
     * @param redirectUri - Callback URL after authentication
     * @param state - State parameter (format: uuid|encodedPostLoginRedirect)
     * @returns Full authorization URL
     */
    getLoginUrl(redirectUri: string, state: string): string;
    /**
     * Get cookies to set during login redirect (PKCE verifier).
     * Must be called after getLoginUrl() in same request.
     *
     * @returns Array of Set-Cookie header values
     */
    getLoginCookies(): string[] | undefined;
    /**
     * Handle OAuth callback, exchange code for tokens and user.
     *
     * @param code - Authorization code from callback
     * @param state - State parameter for CSRF validation
     * @returns User, tokens, and session cookies
     */
    handleCallback(code: string, state: string): Promise<SSOCallbackResult<EEUser>>;
    /**
     * Get configuration for rendering login button in UI.
     *
     * @returns Login button configuration
     */
    getLoginButtonConfig(): SSOLoginConfig;
    /**
     * Get logout URL for client-side redirect.
     * Requires the request to extract the session token for id_token_hint.
     *
     * @param redirectUri - URL to redirect to after logout
     * @param request - Request to extract session token from
     * @returns Logout URL with redirect and token parameters, or null if no session
     */
    getLogoutUrl(redirectUri: string, request?: Request): string | null;
    /**
     * Create a new session for a user.
     *
     * For Cloud auth, sessions are created via handleCallback.
     * This method builds a Session object for interface compatibility.
     *
     * @param userId - User to create session for
     * @param metadata - Optional metadata (accessToken can be passed here)
     * @returns Session object
     */
    createSession(userId: string, metadata?: Record<string, unknown>): Promise<Session>;
    /**
     * Validate a session and return it if valid.
     *
     * @param sessionId - Session token to validate
     * @returns Session object or null if invalid/expired
     */
    validateSession(sessionId: string): Promise<Session | null>;
    /**
     * Destroy a session (logout).
     *
     * @param sessionId - Session token to destroy
     */
    destroySession(sessionId: string): Promise<void>;
    /**
     * Refresh a session, extending its expiry.
     * Cloud handles refresh internally, so just validate.
     *
     * @param sessionId - Session token to refresh
     * @returns Session object or null if invalid
     */
    refreshSession(sessionId: string): Promise<Session | null>;
    /**
     * Extract session ID from an incoming request.
     *
     * @param request - Incoming HTTP request
     * @returns Session token or null if not present
     */
    getSessionIdFromRequest(request: Request): string | null;
    /**
     * Create response headers to set session cookie.
     *
     * @param session - Session to encode (id is the access token)
     * @returns Headers object with Set-Cookie
     */
    getSessionHeaders(session: Session): Record<string, string>;
    /**
     * Create response headers to clear session (for logout).
     *
     * @returns Headers object to clear session cookie
     */
    getClearSessionHeaders(): Record<string, string>;
    /**
     * Get current user from request (session cookie).
     *
     * @param request - Incoming HTTP request
     * @returns User with role or null if not authenticated
     */
    getCurrentUser(request: Request): Promise<CloudUser | null>;
    /**
     * Get user by ID.
     * Cloud API doesn't have a /users/:id endpoint.
     *
     * @returns Always null (not supported)
     */
    getUser(_userId: string): Promise<CloudUser | null>;
}
export {};
//# sourceMappingURL=auth-provider.d.ts.map