import { Principal } from '../core/index.cjs';
import { Session } from '../session/types.cjs';
import { AuthService, AuthConfig, LoggedHandler, AuthorizedHandler } from './types.cjs';
import '../oauth2/types.cjs';
import '../utils/http.cjs';
import 'cookie';

declare const PATH: {
    readonly CSRF: "/csrf";
    readonly LOGOUT: "/logout";
    readonly LOGGED: "/logged";
    readonly OAUTH2_STATE: "/oauth2/state/:registrationId";
    readonly OAUTH2_NONCE: "/oauth2/nonce/:registrationId";
    readonly OAUTH2_AUTHORIZATION: "/oauth2/authorization/:registrationId";
    readonly LOGIN_OAUTH2_CODE: "/login/oauth2/code/:registrationId";
    readonly LOGIN_OAUTH2_NATIVE: "/login/oauth2/native/:registrationId";
    readonly LOGIN_OAUTH2_ONETAP: "/login/oauth2/onetap/google";
    readonly LOGIN_EMAIL: "/login/email";
    readonly LOGIN_PHONE: "/login/phone";
    readonly SEND_EMAIL_VERIFICATION_CODE: "/auth/sendEmailVerificationCode";
    readonly SEND_PHONE_VERIFICATION_CODE: "/auth/sendPhoneVerificationCode";
    readonly DESKTOP_AUTHORIZE: "/auth/desktop/authorize";
    readonly DESKTOP_EXCHANGE: "/auth/desktop/exchange";
    readonly CLEANUP_EXPIRED_SESSIONS: "/sessions/expired/cleanup";
};
declare class Auth implements AuthService {
    private readonly timing;
    private readonly cookieName;
    private readonly cookieOptions;
    private readonly kv;
    private readonly repository;
    private readonly turnstileSecretKey?;
    private readonly oauth2Client;
    private readonly ATTR_OAUTH2_AUTHORIZATION_REQUEST;
    constructor({ sessionRepository, kvRepository, turnstileSecretKey, oauth2, cookie, timing, }: AuthConfig);
    private getSessionId;
    csrf: (_request: Request) => Promise<Response>;
    logout: (request: Request) => Promise<Response>;
    logged: (request: Request, onLogged?: LoggedHandler) => Promise<Response>;
    private createPkceParameters;
    private getOauth2StateKey;
    private getOauth2NonceKey;
    private getEmailVerificationCodeKey;
    private getPhoneVerificationCodeKey;
    private getDesktopCodeKey;
    oauth2State: (request: Request) => Promise<Response>;
    oauth2Nonce: (request: Request) => Promise<Response>;
    oauth2Authorization: (request: Request) => Promise<Response>;
    private redirect;
    loginOAuth2Code: (request: Request, handler: AuthorizedHandler) => Promise<Response>;
    loginOAuth2Native: (request: Request, handler: AuthorizedHandler) => Promise<Response>;
    loginOAuth2Onetap: (request: Request, handler: AuthorizedHandler, registrationId?: string) => Promise<Response>;
    sendEmailVerificationCode: (request: Request, sender: (data: {
        email: string;
        verificationCode: string;
    }) => Promise<void>) => Promise<Response>;
    loginEmail: (request: Request, handler: AuthorizedHandler) => Promise<Response>;
    /**
     * Step 1 of the desktop / native app sign-in handshake. The caller already
     * completed normal sign-in on the web (so a cookie session exists); this
     * issues a 5-minute single-use code that the web page hands off to the
     * desktop client via a loopback redirect.
     *
     * PKCE (RFC 7636, S256 only): the desktop generates a random `code_verifier`
     * before opening the browser, derives `code_challenge = base64url(sha256(verifier))`,
     * and threads the challenge through the URL → web page → here. We pin
     * the challenge to the code in KV; `desktopExchange` enforces that the
     * caller knows the matching verifier. This blocks an attacker who only
     * intercepts the auth code (browser history, malicious extension, packet
     * capture on loopback) from exchanging it.
     *
     * Requires an authenticated cookie session — anonymous callers get 401.
     * Throttling / abuse protection on this endpoint is the API layer's job
     * (rate-limit per principal); the SDK doesn't gate it because the
     * upstream sign-in flow already passed CAPTCHA / OAuth / verification.
     */
    desktopAuthorize: (request: Request) => Promise<Response>;
    /**
     * Step 2 of the desktop / native app sign-in handshake. The desktop
     * client hands back the auth code it received via the loopback callback,
     * and we mint a fresh session for it — independent of the web cookie
     * session that originally `authorize`'d the code, so logging out on
     * either side doesn't cascade to the other.
     *
     * Cookie attributes: defaults to `SameSite=None; Secure` so the cookie
     * survives cross-site fetches from the desktop renderer's `file://` /
     * `app://` origin. The configured base `cookieOptions` provide
     * everything else (`domain`, `path`, `httpOnly`, `maxAge`); the override
     * is targeted at the SameSite/Secure pair only. In a non-HTTPS dev
     * backend this combination is rejected by Chromium — see the desktop
     * sign-in PRD for workarounds.
     *
     * No CSRF check needed — the request carries no cookie, the auth code
     * itself is the credential, and KV's single-use removal blocks replay.
     */
    desktopExchange: (request: Request) => Promise<Response>;
    sendPhoneVerificationCode: (_request: Request, _sender: (data: {
        phone: string;
        verificationCode: string;
    }) => Promise<void>) => Promise<Response>;
    loginPhone: (_request: Request, _handler: AuthorizedHandler) => Promise<Response>;
    kick: (principal: Principal) => Promise<void>;
    isAuthenticated: (request: Request) => Promise<boolean>;
    getSession: <T extends boolean>(request: Request, create: T) => Promise<T extends true ? Session : Session | null>;
    deleteSession: (sessionId: string) => Promise<void>;
    getPrincipal: (request: Request) => Promise<Principal | null>;
    listSessions: (principal: Principal) => Promise<Session[]>;
    cleanupExpiredSessions: (cleanupCount?: number) => Promise<Response>;
}

export { Auth, PATH };