/**
 * OAuth state parameter encoding/decoding.
 *
 * The state parameter carries:
 * - csrf: CSRF token for validation
 * - returnTo: URL to redirect after successful login
 *
 * Security notes:
 * - The state value travels through the user agent and comes back on the
 *   OAuth callback, so everything decoded from it is untrusted input.
 * - base64url is an encoding, not integrity or confidentiality protection.
 *   These declarations describe no signature or encryption of the state.
 *   NOTE(review): presumably the csrf comparison against a server-side or
 *   cookie-bound value is the only tamper check; confirm in the implementation.
 *
 * @internal This module is not exported from the main package.
 */
/**
 * Data encoded in the OAuth state parameter.
 *
 * Both fields are attacker-controllable once the state has left the server;
 * a value of this type is not proof that either field has been validated.
 */
export interface StateData {
  /** CSRF token for state validation */
  csrf: string;
  /** URL to redirect to after login */
  returnTo: string;
}
/**
 * Encode state data into a base64url string for OAuth state parameter.
 *
 * NOTE(review): this declaration does not show whether `returnTo` is
 * sanitized here. Presumably callers pass it through `validateReturnTo`
 * first; confirm at the call sites.
 * NOTE(review): `csrf` is presumably an unpredictable, per-login token
 * generated by the caller; its generation is not visible in this file.
 *
 * @param csrf - CSRF token to include
 * @param returnTo - URL to redirect to after login
 * @returns Base64url encoded state string
 */
export declare function encodeState(csrf: string, returnTo: string): string;
/**
 * Decode state parameter back to StateData.
 *
 * Per the documented contract, a successful return only means the input
 * could be decoded; it does not mean the CSRF token matched or that
 * `returnTo` is safe to redirect to.
 * NOTE(review): presumably the callback handler must still compare `csrf`
 * with the value bound to the user's session and run `returnTo` through
 * `validateReturnTo` before redirecting. Confirm against the caller.
 *
 * @param state - Base64url encoded state string
 * @returns Decoded state data
 * @throws AuthError with code 'invalid_state' if decoding fails
 */
export declare function decodeState(state: string): StateData;
/**
 * Validate and sanitize returnTo URL to prevent open redirect attacks.
 *
 * Safe values:
 * - Relative paths starting with '/' (but not '//')
 * - Absolute URLs with same origin as request
 *
 * NOTE(review): only the '//' prefix is documented as rejected. Confirm the
 * implementation also handles inputs that browsers may normalize to a
 * protocol-relative URL (for example a backslash after the leading '/', or
 * embedded tab/newline characters).
 * NOTE(review): the same-origin check is only as trustworthy as
 * `requestOrigin`. Where it comes from is not visible here; if it is derived
 * from client-supplied headers rather than configuration, confirm those
 * headers are trusted in this deployment.
 *
 * @param returnTo - URL from user input (may be undefined)
 * @param requestOrigin - Origin of the current request (e.g., 'https://example.com')
 * @returns Safe redirect URL, defaults to '/' if invalid
 */
export declare function validateReturnTo(returnTo: string | undefined, requestOrigin: string): string;
//# sourceMappingURL=state.d.ts.map