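/**
 * Copyright (c) 2025 Ofri Peretz
 * Licensed under the MIT License. Use of this source code is governed by the
 * MIT license that can be found in the LICENSE file.
 */

/**
 * ESLint Rule: no-weak-password-recovery
 * Detects weak password recovery mechanisms (CWE-640)
 *
 * Weak password recovery mechanisms can allow attackers to reset passwords
 * for other users, gain unauthorized access, or perform account takeover.
 * This rule detects obvious vulnerabilities in password recovery logic.
 *
 * Scope caveat (review): this is a static, pattern-based lint. It cannot
 * measure the entropy a token actually has at runtime, nor prove that a rate
 * limiter is wired in front of the recovery endpoint; it recognises the
 * shapes listed below. A clean lint result is therefore not evidence that the
 * recovery flow is secure — it only means none of the known-bad patterns
 * were matched.
 *
 * False Positive Reduction:
 * This rule uses security utilities to reduce false positives by detecting:
 * - Proper recovery implementations
 * - Rate limiting mechanisms
 * - Secure token generation
 * - JSDoc annotations (@secure-recovery, @rate-limited)
 *
 * NOTE(review): the two JSDoc annotations are self-attestation by the code
 * author and silence findings; treat each occurrence as something to verify
 * in review rather than as proof that the property holds.
 */

import type { SecurityRuleOptions, TSESLint } from '@interlace/eslint-devkit';

/**
 * Message ids the rule can report. Judging by the names only (the message
 * texts are not visible in this declaration): the first group looks like
 * findings, the `implement*` / `use*` / `secure*` ids like remediation hints,
 * and the `strategy*` ids like alternative-design suggestions — confirm
 * against the implementation.
 */
type MessageIds =
  // findings
  | 'weakPasswordRecovery'
  | 'missingRateLimit'
  | 'predictableRecoveryToken'
  | 'unlimitedRecoveryAttempts'
  | 'insufficientTokenEntropy'
  | 'missingTokenExpiration'
  | 'recoveryLoggingSensitiveData'
  | 'weakRecoveryVerification'
  | 'tokenReuseVulnerability'
  // remediation hints
  | 'implementRateLimiting'
  | 'useCryptographicallySecureTokens'
  | 'implementTokenExpiration'
  | 'secureRecoveryFlow'
  // alternative-design strategies
  | 'strategyMultiFactor'
  | 'strategyOutOfBandVerification'
  | 'strategyTimeBoundTokens';

/**
 * Rule options. All fields are optional; the defaults live in the
 * implementation and are not visible from this declaration.
 */
export interface Options extends SecurityRuleOptions {
  /**
   * Minimum token entropy bits.
   * NOTE(review): the default is not visible here. Recovery tokens are
   * bearer credentials; practitioners generally want well over 100 bits of
   * CSPRNG-sourced entropy — confirm the implementation's default before
   * relying on it, and do not lower it to quiet a finding.
   */
  minTokenEntropy?: number;
  /**
   * Maximum token lifetime in hours.
   * NOTE(review): default not visible here. A recovery token should live
   * only as long as a user needs to click a link (well under a day) —
   * confirm the default matches that expectation.
   */
  maxTokenLifetimeHours?: number;
  /**
   * Recovery-related keywords.
   * Presumably the identifiers/strings that mark code as part of a password
   * recovery flow; widening this list widens what the rule inspects.
   */
  recoveryKeywords?: string[];
  /**
   * Secure token generation functions.
   * Presumably an allow-list of function names the rule treats as
   * cryptographically secure token sources. Every name added here is trusted
   * without inspection, so keep the list to functions known to be
   * CSPRNG-backed.
   */
  secureTokenFunctions?: string[];
}

/** ESLint passes options as a tuple; this rule takes at most one object. */
type RuleOptions = [Options?];

/**
 * The rule, typed with its own message ids and option tuple so that consumers
 * get type-checked `options` and `messageId` values. (The previous declaration
 * used the bare `RuleModule` and left `MessageIds` / `RuleOptions` unused.)
 * Assumes `TSESLint.RuleModule` is the typescript-eslint generic
 * `RuleModule<MessageIds, Options>` — confirm against the devkit's re-export.
 */
export declare const noWeakPasswordRecovery: TSESLint.RuleModule<MessageIds, RuleOptions> & {
  name: string;
};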