import { AsyncStoreProperty, AuthLike } from "../common.js";
import { Customer } from "../customers/index.js";
import { AdminTeamPermission, TeamPermission } from "../permissions/index.js";
import { ApiKeyCreationOptions, UserApiKey, UserApiKeyFirstView } from "../api-keys/index.js";
import { DeprecatedOAuthConnection, OAuthConnection } from "../connected-accounts/index.js";
import { ContactChannel, ContactChannelCreateOptions, ServerContactChannel, ServerContactChannelCreateOptions } from "../contact-channels/index.js";
import { NotificationCategory } from "../notification-categories/index.js";
import { EditableTeamMemberProfile, ReceivedTeamInvitation, ServerTeam, ServerTeamCreateOptions, Team, TeamCreateOptions } from "../teams/index.js";
import { AdminOwnedProject, AdminProjectCreateOptions } from "../projects/index.js";
import { KnownErrors } from "@stackframe/stack-shared";
import { CurrentUserCrud } from "@stackframe/stack-shared/dist/interface/crud/current-user";
import { Result } from "@stackframe/stack-shared/dist/utils/results";
import { ProviderType } from "@stackframe/stack-shared/dist/utils/oauth";
import { RestrictedReason } from "@stackframe/stack-shared/dist/schema-fields";
import { InternalSession } from "@stackframe/stack-shared/dist/sessions";
import { ReadonlyJson } from "@stackframe/stack-shared/dist/utils/json";
import { UsersCrud } from "@stackframe/stack-shared/dist/interface/crud/users";
import { GeoInfo } from "@stackframe/stack-shared/dist/utils/geo";

//#region src/lib/stack-app/users/index.d.ts
declare function withUserDestructureGuard<T extends object>(target: T): T;
type OAuthProvider = {
  readonly id: string;
  readonly type: string;
  readonly userId: string;
  readonly accountId?: string;
  readonly email?: string;
  readonly allowSignIn: boolean;
  readonly allowConnectedAccounts: boolean;
  update(data: {
    allowSignIn?: boolean;
    allowConnectedAccounts?: boolean;
  }): Promise<Result<void, InstanceType<typeof KnownErrors.OAuthProviderAccountIdAlreadyUsedForSignIn>>>;
  delete(): Promise<void>;
};
type ServerOAuthProvider = {
  readonly id: string;
  readonly type: string;
  readonly userId: string;
  readonly accountId: string;
  readonly email?: string;
  readonly allowSignIn: boolean;
  readonly allowConnectedAccounts: boolean;
  update(data: {
    accountId?: string;
    email?: string;
    allowSignIn?: boolean;
    allowConnectedAccounts?: boolean;
  }): Promise<Result<void, InstanceType<typeof KnownErrors.OAuthProviderAccountIdAlreadyUsedForSignIn>>>;
  delete(): Promise<void>;
};
/**
 * Contains everything related to the current user session.
 */
type Auth = AuthLike<{}> & {
  readonly _internalSession: InternalSession;
  readonly currentSession: {
    getTokens(): Promise<{
      accessToken: string | null;
      refreshToken: string | null;
    }>;
    useTokens(): {
      accessToken: string | null;
      refreshToken: string | null;
    };
  };
};
/**
 * ```
 * +----------+-------------+-------------------+
 * |    \     |   !Server   |      Server       |
 * +----------+-------------+-------------------+
 * | !Session | User        | ServerUser        |
 * | Session  | CurrentUser | CurrentServerUser |
 * +----------+-------------+-------------------+
 * ```
 *
 * The fields on each of these types are available iff:
 * BaseUser: true
 * Auth: Session
 * ServerBaseUser: Server
 * UserExtra: Session OR Server
 *
 * The types are defined as follows (in the typescript manner):
 * User = BaseUser
 * CurrentUser = BaseUser & Auth & UserExtra
 * ServerUser = BaseUser & ServerBaseUser & UserExtra
 * CurrentServerUser = BaseUser & ServerBaseUser & Auth & UserExtra
 **/
type BaseUser = {
  readonly id: string;
  readonly displayName: string | null;
  /**
   * The user's email address.
   *
   * Note: This might NOT be unique across multiple users, so always use `id` for unique identification.
   */
  readonly primaryEmail: string | null;
  readonly primaryEmailVerified: boolean;
  readonly profileImageUrl: string | null;
  readonly signedUpAt: Date;
  readonly clientMetadata: any;
  readonly clientReadOnlyMetadata: any;
  /**
   * Whether the user has a password set.
   */
  readonly hasPassword: boolean;
  readonly otpAuthEnabled: boolean;
  readonly passkeyAuthEnabled: boolean;
  readonly isMultiFactorRequired: boolean;
  readonly isAnonymous: boolean;
  /**
   * Whether the user is in restricted state (signed up but hasn't completed onboarding requirements).
   * For example, if email verification is required but the user hasn't verified their email yet.
   */
  readonly isRestricted: boolean;
  /**
   * The reason why the user is restricted, e.g., { type: "email_not_verified" }, { type: "anonymous" }, or { type: "restricted_by_administrator" }.
   * Null if the user is not restricted.
   */
  readonly restrictedReason: RestrictedReason | null;
  toClientJson(): CurrentUserCrud["Client"]["Read"];
  /**
   * @deprecated, use contact channel's usedForAuth instead
   */
  readonly emailAuthEnabled: boolean;
  /**
   * @deprecated
   */
  readonly oauthProviders: readonly {
    id: string;
  }[];
};
type UserExtra = {
  setDisplayName(displayName: string | null): Promise<void>; /** @deprecated Use contact channel's sendVerificationEmail instead */
  sendVerificationEmail(): Promise<KnownErrors["EmailAlreadyVerified"] | void>;
  setClientMetadata(metadata: any): Promise<void>;
  updatePassword(options: {
    oldPassword: string;
    newPassword: string;
  }): Promise<KnownErrors["PasswordConfirmationMismatch"] | KnownErrors["PasswordRequirementsNotMet"] | void>;
  setPassword(options: {
    password: string;
  }): Promise<KnownErrors["PasswordRequirementsNotMet"] | void>;
  /**
   * A shorthand method to update multiple fields of the user at once.
   */
  update(update: UserUpdateOptions): Promise<void>;
  useContactChannels(): ContactChannel[];
  listContactChannels(): Promise<ContactChannel[]>;
  createContactChannel(data: ContactChannelCreateOptions): Promise<ContactChannel>;
  useNotificationCategories(): NotificationCategory[];
  listNotificationCategories(): Promise<NotificationCategory[]>;
  delete(): Promise<void>; /** @deprecated Use `getOrLinkConnectedAccount` for redirect behavior, or `getConnectedAccount({ provider, providerAccountId })` for existence check. */
  getConnectedAccount(id: ProviderType, options: {
    or: 'redirect';
    scopes?: string[];
  }): Promise<DeprecatedOAuthConnection>; /** @deprecated Use `getConnectedAccount({ provider, providerAccountId })` for existence check, or `getOrLinkConnectedAccount` for redirect behavior. */
  getConnectedAccount(id: ProviderType, options?: {
    or?: 'redirect' | 'throw' | 'return-null';
    scopes?: string[];
  }): Promise<DeprecatedOAuthConnection | null>; /** Get a specific connected account by provider and providerAccountId. Returns null if not found. */
  getConnectedAccount(account: {
    provider: string;
    providerAccountId: string;
  }): Promise<OAuthConnection | null>; /** @deprecated Use `useOrLinkConnectedAccount` for redirect behavior, or `useConnectedAccount({ provider, providerAccountId })` for existence check. */
  useConnectedAccount(id: ProviderType, options: {
    or: 'redirect';
    scopes?: string[];
  }): DeprecatedOAuthConnection; /** @deprecated Use `useConnectedAccount({ provider, providerAccountId })` for existence check, or `useOrLinkConnectedAccount` for redirect behavior. */
  useConnectedAccount(id: ProviderType, options?: {
    or?: 'redirect' | 'throw' | 'return-null';
    scopes?: string[];
  }): DeprecatedOAuthConnection | null; /** Get a specific connected account by provider and providerAccountId. Returns null if not found. */
  useConnectedAccount(account: {
    provider: string;
    providerAccountId: string;
  }): OAuthConnection | null; /** List all connected accounts for this user (only those with allowConnectedAccounts enabled). */
  listConnectedAccounts(): Promise<OAuthConnection[]>; /** React hook to list all connected accounts. */
  useConnectedAccounts(): OAuthConnection[]; /** Redirect the user to the OAuth flow to link a new connected account. Always redirects, never returns. */
  linkConnectedAccount(provider: string, options?: {
    scopes?: string[];
  }): Promise<void>; /** Get a connected account for the given provider, or redirect to link one if none exists or the token/scopes are insufficient. */
  getOrLinkConnectedAccount(provider: string, options?: {
    scopes?: string[];
  }): Promise<OAuthConnection>; /** React hook: get a connected account for the given provider, or redirect to link one if none exists or the token/scopes are insufficient. */
  useOrLinkConnectedAccount(provider: string, options?: {
    scopes?: string[];
  }): OAuthConnection;
  hasPermission(scope: Team, permissionId: string): Promise<boolean>;
  hasPermission(permissionId: string): Promise<boolean>;
  getPermission(scope: Team, permissionId: string): Promise<TeamPermission | null>;
  getPermission(permissionId: string): Promise<TeamPermission | null>;
  listPermissions(scope: Team, options?: {
    recursive?: boolean;
  }): Promise<TeamPermission[]>;
  listPermissions(options?: {
    recursive?: boolean;
  }): Promise<TeamPermission[]>;
  usePermissions(scope: Team, options?: {
    recursive?: boolean;
  }): TeamPermission[];
  usePermissions(options?: {
    recursive?: boolean;
  }): TeamPermission[];
  usePermission(scope: Team, permissionId: string): TeamPermission | null;
  usePermission(permissionId: string): TeamPermission | null;
  readonly selectedTeam: Team | null;
  setSelectedTeam(teamOrId: string | Team | null): Promise<void>;
  createTeam(data: TeamCreateOptions): Promise<Team>;
  leaveTeam(team: Team): Promise<void>;
  /**
   * Lists all pending team invitations sent to any of the current user's verified email addresses.
   *
   * This allows the user to discover which teams have invited them, even if they haven't
   * joined those teams yet. Only invitations sent to verified email addresses are included.
   *
   * @returns An array of `ReceivedTeamInvitation` objects, each containing the team ID, team
   * display name, recipient email, and expiration date.
   *
   * @example
   * ```ts
   * const invitations = await user.listTeamInvitations();
   * for (const invitation of invitations) {
   *   console.log(`Invited to ${invitation.teamDisplayName} via ${invitation.recipientEmail}`);
   * }
   * ```
   */
  listTeamInvitations(): Promise<ReceivedTeamInvitation[]>;
  /**
   * Lists all pending team invitations sent to any of the current user's verified email addresses.
   *
   * React hook version of `listTeamInvitations()`. Automatically re-renders when invitations change.
   */
  useTeamInvitations(): ReceivedTeamInvitation[];
  getActiveSessions(): Promise<ActiveSession[]>;
  revokeSession(sessionId: string): Promise<void>;
  getTeamProfile(team: Team): Promise<EditableTeamMemberProfile>;
  useTeamProfile(team: Team): EditableTeamMemberProfile;
  createApiKey(options: ApiKeyCreationOptions<"user">): Promise<UserApiKeyFirstView>;
  useOAuthProviders(): OAuthProvider[];
  listOAuthProviders(): Promise<OAuthProvider[]>;
  useOAuthProvider(id: string): OAuthProvider | null;
  getOAuthProvider(id: string): Promise<OAuthProvider | null>;
  registerPasskey(options?: {
    hostname?: string;
  }): Promise<Result<undefined, KnownErrors["PasskeyRegistrationFailed"] | KnownErrors["PasskeyWebAuthnError"]>>;
} & AsyncStoreProperty<"apiKeys", [], UserApiKey[], true> & AsyncStoreProperty<"team", [id: string], Team | null, false> & AsyncStoreProperty<"teams", [], Team[], true> & AsyncStoreProperty<"teamInvitations", [], ReceivedTeamInvitation[], true> & AsyncStoreProperty<"permission", [scope: Team, permissionId: string, options?: {
  recursive?: boolean;
}], TeamPermission | null, false> & AsyncStoreProperty<"permissions", [scope: Team, options?: {
  recursive?: boolean;
}], TeamPermission[], true>;
type InternalUserExtra = {
  createProject(newProject: AdminProjectCreateOptions): Promise<AdminOwnedProject>;
  transferProject(projectIdToTransfer: string, newTeamId: string): Promise<void>;
} & AsyncStoreProperty<"ownedProjects", [], AdminOwnedProject[], true>;
type User = BaseUser;
type CurrentUser = BaseUser & Auth & UserExtra & Customer;
type CurrentInternalUser = CurrentUser & InternalUserExtra;
type ProjectCurrentUser<ProjectId> = ProjectId extends "internal" ? CurrentInternalUser : CurrentUser;
type TokenPartialUser = Pick<User, "id" | "displayName" | "primaryEmail" | "primaryEmailVerified" | "isAnonymous" | "isMultiFactorRequired" | "isRestricted" | "restrictedReason">;
type SyncedPartialUser = TokenPartialUser & Pick<User, "id" | "displayName" | "primaryEmail" | "primaryEmailVerified" | "profileImageUrl" | "signedUpAt" | "clientMetadata" | "clientReadOnlyMetadata" | "isAnonymous" | "hasPassword" | "isRestricted" | "restrictedReason">;
type ActiveSession = {
  id: string;
  userId: string;
  createdAt: Date;
  isImpersonation: boolean;
  lastUsedAt: Date | undefined;
  isCurrentSession: boolean;
  geoInfo?: GeoInfo;
};
type UserUpdateOptions = {
  displayName?: string | null;
  clientMetadata?: ReadonlyJson;
  selectedTeamId?: string | null;
  totpMultiFactorSecret?: Uint8Array | null;
  profileImageUrl?: string | null;
  otpAuthEnabled?: boolean;
  passkeyAuthEnabled?: boolean;
  primaryEmail?: string | null;
};
declare function userUpdateOptionsToCrud(options: UserUpdateOptions): CurrentUserCrud["Client"]["Update"];
type ServerBaseUser = {
  setPrimaryEmail(email: string | null, options?: {
    verified?: boolean | undefined;
  }): Promise<void>;
  readonly lastActiveAt: Date;
  readonly serverMetadata: any;
  setServerMetadata(metadata: any): Promise<void>;
  setClientReadOnlyMetadata(metadata: any): Promise<void>; /** Whether the user is restricted by an administrator. Can be set manually or by sign-up rules. */
  readonly restrictedByAdmin: boolean; /** Public reason shown to the user explaining why they are restricted. Optional. */
  readonly restrictedByAdminReason: string | null; /** Private details about the restriction (e.g., which sign-up rule triggered). Only visible to server access and above. */
  readonly restrictedByAdminPrivateDetails: string | null; /** Best-effort ISO country code captured at sign-up time from request geo headers. */
  readonly countryCode: string | null; /** Server-only risk scores used during sign-up risk evaluation. */
  readonly riskScores: {
    readonly signUp: {
      readonly bot: number;
      readonly freeTrialAbuse: number;
    };
  };
  createTeam(data: Omit<ServerTeamCreateOptions, "creatorUserId">): Promise<ServerTeam>;
  useContactChannels(): ServerContactChannel[];
  listContactChannels(): Promise<ServerContactChannel[]>;
  createContactChannel(data: ServerContactChannelCreateOptions): Promise<ServerContactChannel>;
  update(user: ServerUserUpdateOptions): Promise<void>;
  grantPermission(scope: Team, permissionId: string): Promise<void>;
  grantPermission(permissionId: string): Promise<void>;
  revokePermission(scope: Team, permissionId: string): Promise<void>;
  revokePermission(permissionId: string): Promise<void>;
  getPermission(scope: Team, permissionId: string): Promise<TeamPermission | null>;
  getPermission(permissionId: string): Promise<TeamPermission | null>;
  hasPermission(scope: Team, permissionId: string): Promise<boolean>;
  hasPermission(permissionId: string): Promise<boolean>;
  listPermissions(scope: Team, options?: {
    recursive?: boolean;
  }): Promise<TeamPermission[]>;
  listPermissions(options?: {
    recursive?: boolean;
  }): Promise<TeamPermission[]>;
  usePermissions(scope: Team, options?: {
    recursive?: boolean;
  }): TeamPermission[];
  usePermissions(options?: {
    recursive?: boolean;
  }): TeamPermission[];
  usePermission(scope: Team, permissionId: string): TeamPermission | null;
  usePermission(permissionId: string): TeamPermission | null;
  useOAuthProviders(): ServerOAuthProvider[];
  listOAuthProviders(): Promise<ServerOAuthProvider[]>;
  useOAuthProvider(id: string): ServerOAuthProvider | null;
  getOAuthProvider(id: string): Promise<ServerOAuthProvider | null>;
  /**
   * Creates a new session object with a refresh token for this user. Can be used to impersonate them.
   */
  createSession(options?: {
    expiresInMillis?: number;
    isImpersonation?: boolean;
  }): Promise<{
    getTokens(): Promise<{
      accessToken: string | null;
      refreshToken: string | null;
    }>;
  }>;
} & AsyncStoreProperty<"team", [id: string], ServerTeam | null, false> & AsyncStoreProperty<"teams", [], ServerTeam[], true> & AsyncStoreProperty<"permission", [scope: Team, permissionId: string, options?: {
  direct?: boolean;
}], AdminTeamPermission | null, false> & AsyncStoreProperty<"permissions", [scope: Team, options?: {
  direct?: boolean;
}], AdminTeamPermission[], true>;
/**
 * A user including sensitive fields that should only be used on the server, never sent to the client
 * (such as sensitive information and serverMetadata).
 */
type ServerUser = ServerBaseUser & BaseUser & UserExtra & Customer<true>;
type CurrentServerUser = Auth & ServerUser;
type CurrentInternalServerUser = CurrentServerUser & InternalUserExtra;
type ProjectCurrentServerUser<ProjectId> = ProjectId extends "internal" ? CurrentInternalServerUser : CurrentServerUser;
type SyncedPartialServerUser = SyncedPartialUser & Pick<ServerUser, "serverMetadata">;
type ServerUserUpdateOptions = {
  primaryEmail?: string | null;
  primaryEmailVerified?: boolean;
  primaryEmailAuthEnabled?: boolean;
  clientReadOnlyMetadata?: ReadonlyJson;
  serverMetadata?: ReadonlyJson;
  password?: string;
  restrictedByAdmin?: boolean;
  restrictedByAdminReason?: string | null;
  restrictedByAdminPrivateDetails?: string | null;
  countryCode?: string | null;
  riskScores?: {
    signUp: {
      bot: number;
      freeTrialAbuse: number;
    };
  };
} & UserUpdateOptions;
declare function serverUserUpdateOptionsToCrud(options: ServerUserUpdateOptions): CurrentUserCrud["Server"]["Update"];
type ServerUserCreateOptions = {
  primaryEmail?: string | null;
  primaryEmailAuthEnabled?: boolean;
  password?: string;
  otpAuthEnabled?: boolean;
  displayName?: string;
  primaryEmailVerified?: boolean;
  clientMetadata?: any;
  clientReadOnlyMetadata?: any;
  serverMetadata?: any;
  countryCode?: string | null;
  riskScores?: {
    signUp: {
      bot: number;
      freeTrialAbuse: number;
    };
  };
};
declare function serverUserCreateOptionsToCrud(options: ServerUserCreateOptions): UsersCrud["Server"]["Create"];
//#endregion
export { ActiveSession, Auth, BaseUser, CurrentInternalServerUser, CurrentInternalUser, CurrentServerUser, CurrentUser, InternalUserExtra, OAuthProvider, ProjectCurrentServerUser, ProjectCurrentUser, ServerBaseUser, ServerOAuthProvider, ServerUser, ServerUserCreateOptions, ServerUserUpdateOptions, SyncedPartialServerUser, SyncedPartialUser, TokenPartialUser, User, UserExtra, UserUpdateOptions, serverUserCreateOptionsToCrud, serverUserUpdateOptionsToCrud, userUpdateOptionsToCrud, withUserDestructureGuard };
//# sourceMappingURL=index.d.ts.map