// Copyright © 2022-2026 Partium, Inc. DBA Partium
import { Observable } from 'rxjs';
import { OauthAuthenticationConfig } from '../../models/auth-config';
import { User } from '../../models/user';
import { BaseServiceClass } from '../../services/base.service';
import { OauthLoginConfig, OauthSessionService, OauthStatus } from '../../services/session/oauth-session.service';
import { LogoutConfig, SessionEventContext } from '../../services/session/session.service.interface';
import { ServiceProvider } from '../../services/service-provider';
/**
 * Oauth status for the web-cookie session implementation.
 * Extends the default oauth status with the authenticated user and feature flags
 * extracted from the access token.
 */
export declare class JSOauthWebCookieStatus extends OauthStatus {
    user?: User;
    featureFlags?: string[];
}
/**
 * Authentication configuration for the web-cookie oauth session service.
 * Extends the default oauth configuration with the Authentication API base URL
 * and an optional authorization code for completing a redirect callback.
 */
export declare class JSOauthWebCookieAuthenticationConfig extends OauthAuthenticationConfig {
    partiumApiBaseUrl?: string;
    authorizationCode?: string;
    oauthSessionService: BaseServiceClass<OauthSessionService>;
    constructor(init?: Partial<JSOauthWebCookieAuthenticationConfig>);
}
/**
 * Login configuration for the web-cookie oauth session service.
 * Allows overriding the redirect URL and passing additional event context for
 * session setup.
 */
export declare class JSOauthWebCookieLoginConfig extends OauthLoginConfig {
    redirectUrl?: string;
    loginEventContext?: SessionEventContext;
    constructor(init?: Partial<JSOauthWebCookieLoginConfig>);
}
/**
 * Web-cookie based implementation of the OauthSessionService for web
 * applications.
 * It uses the Authentication API to manage the refresh token in an HTTP-only
 * cookie while exposing the current oauth session state through the SDK.
 */
export declare class JSOauthWebCookieSessionService extends OauthSessionService {
    private status;
    private status$;
    private httpsClientService;
    constructor(serviceProvider: ServiceProvider);
    /**
     * Called when the service is initialized.
     */
    onCreate(): void;
    /**
     * Returns an observable that always emits the current web-cookie oauth status
     * every time it changes.
     *
     * @returns Observable<JSOauthWebCookieStatus> observable that resolves with the current oauth status whenever it changes
     */
    getStatus(): Observable<JSOauthWebCookieStatus>;
    /**
     * Login user and resolves on success.
     * Depending on the provided configuration, the login flow can reuse an api key,
     * complete an authorization-code callback, bootstrap from an existing cookie-backed session, or redirect to the oauth login page.
     *
     * @param config the oauth login configuration
     * @returns Observable<void> observable that resolves when login and session setup are finished successfully
     */
    login(config: OauthLoginConfig): Observable<void>;
    /**
     * Refresh session and access token with the cookie-backed refresh flow.
     *
     * @returns Observable<void> observable that resolves when the access token was refreshed successfully
     */
    refresh(): Observable<void>;
    /**
     * Logout the current user-session.
     *
     * @returns Observable<void> observable that resolves when the current session has ended
     */
    logout(config?: LogoutConfig): Observable<void>;
    /**
     * End the local session and hand browser logout over to the Authentication API.
     */
    private logoutThroughBrowser;
    /**
     * Revoke the current cookie-backed session, falling back to the access token if needed.
     */
    private revokeSession;
    /**
     * Exchange an OAuth authorization code through the backend so it can manage the refresh cookie.
     */
    private exchangeCodeForToken;
    /**
     * Bootstrap the same auth endpoint with an API key instead of a browser redirect.
     */
    private loginWithApiKey;
    /**
     * Ask the Authentication API to refresh the access token using the HTTP-only cookie.
     */
    private refreshWithCookie;
    /**
     * Redirect the browser into the OAuth login flow and stop the current observable chain.
     */
    private redirectToLoginPage;
    /**
     * Build the upstream authorization URL from SDK config and the current browser context.
     */
    private buildOauthAuthorizationUrl;
    /**
     * Resolve the redirect target from the per-call login config or the static auth config.
     */
    private getRedirectUrl;
    /**
     * Read the Authentication API base URL and fail fast when the SDK is misconfigured.
     */
    private getPartiumApiBaseUrl;
    /**
     * Safely read a query parameter from the current browser URL.
     */
    private getUrlQueryParam;
    private getHintFromUrlString;
    /**
     * Keep IdP-routing hints on the Keycloak authorize request, but remove them from redirect_uri
     * so the post-login callback URL no longer needs these one-time routing query params.
     */
    private stripIdentityProviderHintsFromRedirectUrl;
    private resolveAuthorizationHintParam;
    private getKcIdpHintForAuthorizationRequest;
    private getUseOrganizationIdpForAuthorizationRequest;
    /**
     * Collapse OAuth callback errors into a single message for public SDK error handling.
     */
    private getOauthErrorFromUrl;
    /**
     * Remove one-time OAuth/auth-routing parameters without reloading the page,
     * while preserving unrelated application query params.
     */
    private clearAuthCallbackParamsFromUrl;
    /**
     * Forward Authentication API responses into the shared access-token update path.
     */
    private updateTokenFromResponse;
    /**
     * Decode the latest access token and mirror its state into the SDK session status.
     */
    private updateToken;
    /**
     * Clear all in-memory auth state after logout, refresh expiry, or invalid token data.
     */
    private resetToken;
    /**
     * Normalize unrecoverable refresh failures into the session-expired error contract.
     */
    private handleRefreshError;
    /**
     * Classify refresh failures that should end the local session immediately.
     * We treat both refresh 401s and the backend's explicit "missing refresh token"
     * validation message as unrecoverable refresh expiry.
     */
    private isExpiredOrMissingRefreshError;
    /**
     * Extract validation messages from the different error detail shapes emitted by
     * the SDK HTTP clients so refresh error classification can stay transport-agnostic.
     */
    private getRefreshValidationMessages;
    /**
     * Preserve typed SDK errors and wrap unknown failures into a public OAuth error shape.
     */
    private handleError;
    /**
     * Create a fallback OAuth error when an upstream failure does not already use SdkError.
     */
    private createSdkError;
    private hasSessionToRevoke;
    private createPkceCodeVerifier;
    private createPkceCodeChallenge;
    private getBrowserCrypto;
    private storePkceCodeVerifier;
    private getPkceCodeVerifier;
    private clearPkceCodeVerifier;
    private markActiveCookieSession;
    private hasActiveCookieSession;
    private clearActiveCookieSession;
    private getBrowserSessionStorage;
    private base64UrlEncode;
    private getNumericClaim;
    private getStringArrayClaim;
    private asRefreshValidationErrorDetail;
    private getRefreshValidationMessage;
    private isObjectRecord;
}