import type { UmbTokenEndpointResponse } from './umb-auth-client.js';
import type { UmbOpenApiConfiguration } from './models/openApiConfiguration.js';
import type { ManifestAuthProvider } from './auth-provider.extension.js';
import type { UmbControllerHost } from '../../../libs/controller-api/index.js';
import { UmbContextBase } from '../../../libs/class-api/index.js';
import type { Observable } from '../../../external/rxjs/index.js';
import type { UmbBackofficeExtensionRegistry } from '../extension-registry/index.js';
import type { umbHttpClient } from '../http-client/index.js';
export interface UmbAuthSession {
    /** When the access token expires (issuedAt + expiresIn). Used to decide when to refresh. */
    accessTokenExpiresAt: number;
    /** When the full session expires (issuedAt + expiresIn * MULTIPLIER). Used for timeout UI. */
    expiresAt: number;
}
export declare class UmbAuthContext extends UmbContextBase {
    #private;
    readonly session$: Observable<UmbAuthSession | undefined>;
    /**
     * Observable that emits true when the auth context is initialized.
     * @remark It will only emit once and then complete itself.
     */
    readonly isInitialized: Observable<void>;
    /**
     * Observable that emits true if the user is authorized, otherwise false.
     * @remark It will only emit when the authorization state changes.
     */
    readonly isAuthorized: Observable<boolean>;
    /**
     * Observable that acts as a signal and emits when the user has timed out, i.e. the token has expired.
     * This can be used to show a timeout message to the user.
     * @remark It will emit once per second, so it can be used to trigger UI updates or other actions when the user has timed out.
     */
    readonly timeoutSignal: Observable<void>;
    /**
     * Observable that acts as a signal for when the authorization state changes.
     * @deprecated Observe isAuthorized instead. Scheduled for removal in Umbraco 19.
     * @remark It will emit once per second, so it can be used to trigger UI updates or other actions when the authorization state changes.
     * @returns An observable that emits when the authorization state changes.
     */
    get authorizationSignal(): Observable<void>;
    /**
     * Whether the server is configured to keep users logged in by auto-refreshing before session expiry.
     * Provided by the backend via the `keep-user-logged-in` attribute on `<umb-app>`.
     */
    readonly keepUserLoggedIn: boolean;
    constructor(host: UmbControllerHost, serverUrl: string, backofficePath: string, isBypassed: boolean, keepUserLoggedIn?: boolean);
    destroy(): void;
    /**
     * Initiates the login flow.
     * @param identityProvider The provider to use for login. Default is 'Umbraco'.
     * @param redirect If true, the user will be redirected to the login page.
     * @param usernameHint The username hint to use for login.
     * @param manifest The manifest for the registered provider.
     */
    makeAuthorizationRequest(identityProvider?: string, redirect?: boolean, usernameHint?: string, manifest?: ManifestAuthProvider): Promise<void>;
    /**
     * Completes the login flow.
     * This is called on the oauth_complete page to exchange the authorization code for tokens.
     * @returns The token response timing, or null if no authorization was pending.
     */
    completeAuthorizationRequest(): Promise<UmbTokenEndpointResponse | null>;
    /**
     * Checks if the user is authorized. If Authorization is bypassed, the user is always authorized.
     * @returns True if the user is authorized, otherwise false.
     */
    getIsAuthorized(): boolean;
    /**
     * Sets the initial state of the auth flow.
     * First asks existing tabs for their session via BroadcastChannel.
     * If no peer responds, falls back to a server refresh.
     * @returns {Promise<void>}
     */
    setInitialState(): Promise<void>;
    /**
     * Gets the latest token from the Management API.
     * With cookie auth, this returns '[redacted]' — the real token is in the httpOnly cookie.
     * If the session has expired, it will attempt a refresh first.
     *
     * @example <caption>Using the latest token</caption>
     * ```js
     *   const token = await authContext.getLatestToken();
     *   const result = await fetch('https://my-api.com', { headers: { Authorization: `Bearer ${token}` } });
     * ```
     * @deprecated Use {@link configureClient} for `@hey-api/openapi-ts` clients or {@link getOpenApiConfiguration} for manual fetch calls. With cookie-based auth this always returns `'[redacted]'`. Scheduled for removal in Umbraco 19.
     * @see {@link configureClient} for automatic token handling with `@hey-api/openapi-ts` clients.
     * @see {@link getOpenApiConfiguration} for manual fetch calls with cookie-based auth.
     * @memberof UmbAuthContext
     * @returns The latest token from the Management API
     */
    getLatestToken(): Promise<string>;
    /**
     * Forces a token refresh against the server (calls `/token`) and returns true if successful.
     * Use this when you need to unconditionally refresh — e.g. session timeout keep-alive.
     * For per-request token handling, prefer {@link configureClient} which skips the network
     * call when the access token is still valid.
     * Uses Web Locks to deduplicate concurrent refresh requests across tabs.
     * @memberof UmbAuthContext
     * @returns True if the refresh succeeded, otherwise false
     */
    validateToken(): Promise<boolean>;
    /**
     * Attempts to refresh the token using Web Locks to prevent concurrent refresh requests.
     * @returns True if the refresh was successful, otherwise false.
     */
    makeRefreshTokenRequest(): Promise<boolean>;
    /**
     * Checks if the current session is still valid.
     * @returns True if the session has not expired.
     */
    isSessionValid(): boolean;
    /**
     * Clears the in-memory session state.
     * @memberof UmbAuthContext
     */
    clearTokenStorage(): void;
    /**
     * Handles the case where the user has timed out, i.e. the token has expired.
     * This will clear the token storage and set the user as unauthorized.
     * @memberof UmbAuthContext
     */
    timeOut(): void;
    /**
     * Signs the user out by revoking tokens and redirecting to the end session endpoint.
     * @memberof UmbAuthContext
     */
    signOut(): Promise<void>;
    /**
     * Get the server url to the Management API.
     * @memberof UmbAuthContext
     * @example <caption>Using the server url</caption>
     * ```js
     * 	const serverUrl = authContext.getServerUrl();
     * 	OpenAPI.BASE = serverUrl;
     * ```
     * @example <caption></caption>
     * ```js
     * 	const config = authContext.getOpenApiConfiguration();
     * 	const result = await fetch(`${config.base}/umbraco/management/api/v1/my-resource`, {
     * 		credentials: config.credentials,
     * 		headers: { Authorization: `Bearer ${await config.token()}` },
     * 	});
     * ```
     * @returns The server url to the Management API
     */
    getServerUrl(): string;
    /**
     * Get the default OpenAPI configuration, which is set up to communicate with the Management API.
     * @remark This is useful if you want to communicate with your own resources generated by the [@hey-api/openapi-ts](https://github.com/hey-api/openapi-ts) library.
     * @memberof UmbAuthContext
     * @example <caption>Using the default OpenAPI configuration</caption>
     * ```js
     * const defaultOpenApi = authContext.getOpenApiConfiguration();
     * client.setConfig({
     *   base: defaultOpenApi.base,
     *   auth: defaultOpenApi.token,
     * });
     * ```
     * @returns {UmbOpenApiConfiguration} The default OpenAPI configuration
     */
    getOpenApiConfiguration(): UmbOpenApiConfiguration;
    /**
     * Configures a `@hey-api/openapi-ts` client for authenticated API calls.
     * Sets baseUrl, credentials, auth header, and binds the default response
     * interceptors (401 retry, error handling, notifications).
     * @example
     * ```js
     * const authContext = await this.getContext(UMB_AUTH_CONTEXT);
     * authContext.configureClient(myClient);
     * // Now myClient automatically includes auth headers and interceptors
     * ```
     * @param client A `@hey-api/openapi-ts` client instance.
     */
    configureClient(client: typeof umbHttpClient): void;
    /**
     * Sets the auth context as initialized, which means that the auth context is ready to be used.
     * @remark This is used to let the app context know that the core module is ready, which means that the core auth providers are available.
     */
    setInitialized(): void;
    /**
     * Gets all registered auth providers.
     * @param extensionsRegistry
     */
    getAuthProviders(extensionsRegistry: UmbBackofficeExtensionRegistry): Observable<ManifestAuthProvider[]>;
    /**
     * Gets the authorized redirect url.
     * @returns The redirect url, which is the backoffice path.
     */
    getRedirectUrl(): string;
    /**
     * Gets the post logout redirect url.
     * @returns The post logout redirect url, which is the backoffice path with the logout path appended.
     */
    getPostLogoutRedirectUrl(): string;
    /**
     * Links the current user to the specified provider by redirecting to the link endpoint.
     * @param provider The provider to link to.
     */
    linkLogin(provider: string): Promise<void>;
    /**
     * Unlinks the current user from the specified provider.
     * @param loginProvider
     * @param providerKey
     */
    unlinkLogin(loginProvider: string, providerKey: string): Promise<boolean>;
}