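/**
 * OAuth 2.1 Authorization Server HTTP handlers.
 *
 * Pure functions (no HTTP framework coupling): each handler takes an
 * `AuthRequest` describing the inbound HTTP request, plus an `EndpointDeps`
 * object with the stores it needs, and returns an `AuthResponse`
 * `{status, headers, body}`.
 *
 * The HTTP-framework adapter (Express/Fetch/Cloudflare Worker) is responsible
 * for parsing the request, authenticating the user session (if any), and
 * translating the response back to its native HTTP primitive.
 *
 * Implements:
 * - `/authorize` — RFC 6749 §4.1 authorization code grant (PKCE required)
 * - `/token`     — RFC 6749 §4.1.3 / §6 / §4.4 (code, refresh, client_credentials)
 * - `/register`  — RFC 7591 dynamic client registration
 * - `/consent`   — HTML consent screen + POST approve/deny
 *
 * CIMD (HTTPS client_id) is resolved via `resolveClientMetadata` from
 * `./well-known.js`. Both CIMD and DCR clients are accepted at `/authorize`
 * and `/token`; `/register` writes DCR-only.
 *
 * NOTE(review): the type arguments on `Record`, `Set`, `Omit` and `Promise`
 * were lost when this declaration file was extracted (they read as empty
 * `Record`/`Promise`, which does not compile). They are reconstructed below
 * from the surrounding doc comments — confirm against the shipping `.d.ts`.
 */
import type { Tenant } from '../types/index.js';
import type {
  AuthCodeStore,
  RefreshTokenStore,
  ClientRegistry,
  ConsentStore,
  PendingAuthorizationStore,
} from './auth-store.js';
import { JwtService } from './jwt.js';
import { CimdCache } from './well-known.js';

/** Framework-neutral description of the inbound HTTP request. */
export interface AuthRequest {
  /** HTTP method (e.g. `GET`, `POST`). */
  method: string;
  /** Full request URL; `/authorize` reads its query parameters from here. */
  url: string;
  /** Request headers as a plain name → value map. */
  headers: Record<string, string>;
  /** Raw body for POST — form-urlencoded or JSON depending on endpoint. */
  body?: string;
  /**
   * Resolved authenticated user id. The HTTP adapter fills this in from
   * its session middleware before invoking the handler. `undefined` means
   * no valid session; `/authorize` will redirect to login.
   *
   * Handlers treat this value as the authenticated principal, so the adapter
   * must populate it only from a verified session — never from
   * request-controlled data such as headers, query parameters or the body.
   */
  userId?: string;
}

/** Framework-neutral HTTP response produced by every handler. */
export interface AuthResponse {
  /** HTTP status code. */
  status: number;
  /** Response headers as a plain name → value map. */
  headers: Record<string, string>;
  /** Response body (HTML, JSON or empty depending on endpoint). */
  body: string;
}

/** Static configuration for this authorization server. */
export interface EndpointConfig {
  /** Absolute base URL of this AS; used for `iss` claim + building login redirect. */
  issuer: string;
  /** Absolute URL of this AS's `/authorize` endpoint; used for login return_to. */
  authorizeUrl: string;
  /** Absolute URL of this AS's `/consent` endpoint. */
  consentUrl: string;
  /** Absolute URL of the login/federated-auth entry point. */
  loginUrl: string;
  /** First-party clients that bypass the consent screen. */
  firstPartyClientIds: Set<string>;
  /** Default scopes granted if client omits scope parameter. */
  defaultScopes: string[];
  /** Consent-record TTL. Default 30 days. */
  consentTtlDays: number;
  /**
   * Authorization code TTL in seconds. Default 60, well inside the
   * 10-minute maximum RFC 6749 §4.1.2 recommends.
   */
  codeTtlSeconds: number;
  /** Access-token TTL in seconds. Default 15 min. */
  accessTokenTtlSeconds: number;
  /** Refresh-token TTL in seconds. Default 30 days. */
  refreshTokenTtlSeconds: number;
  /** Pending-authorization TTL in seconds. Default 10 min. */
  pendingTtlSeconds: number;
  /** DCR client idle-TTL in milliseconds. Default 30 days. */
  clientIdleTtlMs: number;
  /**
   * PHOTON_SINGLE_USER self-host mode: always treat caller as this user id.
   *
   * When set, every caller is mapped to this user regardless of session,
   * i.e. per-caller authentication is effectively disabled. Leave unset
   * unless the AS is reachable only by that single trusted user.
   */
  singleUserId?: string;
}

/**
 * Built-in defaults for the TTL/scope settings documented above.
 *
 * NOTE(review): the `Omit` key list was lost in extraction; the keys below
 * are the fields with no documented default (deployment-specific URLs and
 * the first-party allowlist) — confirm against the source.
 */
export declare const DEFAULT_ENDPOINT_CONFIG: Omit<
  EndpointConfig,
  'issuer' | 'authorizeUrl' | 'consentUrl' | 'loginUrl' | 'firstPartyClientIds'
>;

/** Stores and services a handler needs; supplied by the adapter per request. */
export interface EndpointDeps {
  tenant: Tenant;
  config: EndpointConfig;
  codeStore: AuthCodeStore;
  refreshTokenStore: RefreshTokenStore;
  clientRegistry: ClientRegistry;
  consentStore: ConsentStore;
  pendingStore: PendingAuthorizationStore;
  jwtService: JwtService;
  cimdCache: CimdCache;
  /** Optional override for testing. */
  now?: () => Date;
  /** Optional logger hook. */
  log?: (level: 'info' | 'warn' | 'error', msg: string, meta?: Record<string, unknown>) => void;
}

/**
 * `/authorize` — RFC 6749 §4.1 authorization code grant; PKCE is required.
 * Redirects to `config.loginUrl` when `req.userId` is undefined.
 */
export declare function handleAuthorize(req: AuthRequest, deps: EndpointDeps): Promise<AuthResponse>;

/** `/consent` — renders the HTML consent screen and handles POST approve/deny. */
export declare function handleConsent(req: AuthRequest, deps: EndpointDeps): Promise<AuthResponse>;

/**
 * `/token` — RFC 6749 §4.1.3 / §6 / §4.4: authorization_code, refresh_token
 * and client_credentials grants.
 */
export declare function handleToken(req: AuthRequest, deps: EndpointDeps): Promise<AuthResponse>;

/**
 * `/register` — RFC 7591 dynamic client registration (writes DCR clients only).
 *
 * NOTE(review): if registration is open (no initial access token), confirm
 * that the `clientIdleTtlMs` cleanup and some request limiting are in place
 * so unauthenticated callers cannot grow the client registry without bound.
 */
export declare function handleRegister(req: AuthRequest, deps: EndpointDeps): Promise<AuthResponse>;

/**
 * Token revocation endpoint per RFC 7009.
 *
 * Accepts `token` + `token_type_hint` (access_token|refresh_token).
 * Always returns 200 even if the token didn't exist (spec §2.2 — prevents
 * token scanning). Access tokens are JWTs so we can't actively revoke them
 * without a denylist; we revoke the refresh token and rely on the 15-min
 * access-token TTL for cleanup.
 *
 * NOTE(review): RFC 7009 §2.1 requires the revoking client to authenticate
 * and the AS to verify the token was issued to that client; confirm the
 * implementation performs that ownership check before revoking.
 */
export declare function handleRevoke(req: AuthRequest, deps: EndpointDeps): Promise<AuthResponse>;

/**
 * Token introspection endpoint per RFC 7662.
 *
 * Accepts `token` and returns metadata: active (boolean), scope, client_id,
 * sub, exp, iat. Returns `{active: false}` for unknown/expired/revoked
 * tokens without leaking why.
 *
 * Caller must be an authenticated confidential client (§2.1 — "protected
 * resource"); this prevents arbitrary callers from probing token validity.
 */
export declare function handleIntrospect(req: AuthRequest, deps: EndpointDeps): Promise<AuthResponse>;
//# sourceMappingURL=endpoints.d.ts.map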