import { BaseClient } from '../base-client'; import { Routes } from '../../types/routes.types'; export type AuthCredentials = { apiKey?: string; username?: string; password?: string; ssoIdToken?: string; ssoProvider?: string; }; export declare class AuthService extends BaseClient { private refreshToken; private originalCredentials?; private refreshPromise; private credentials?; /** * Creates a new AuthService instance. * * @param apiUrl - The base URL for the Galileo API * @param token - (Optional) Initial access token. If not provided, will be fetched via getToken() */ constructor(apiUrl: string, token?: string); getApiUrl(): string; setCredentials(credentials: AuthCredentials): void; /** * Retrieves an access token using available credentials from environment variables. * * Credentials are checked in the following priority order: * 1. API Key (GALILEO_API_KEY) * 2. Username/Password (GALILEO_USERNAME and GALILEO_PASSWORD) * 3. SSO (GALILEO_SSO_ID_TOKEN and GALILEO_SSO_PROVIDER) * * The method automatically stores refresh tokens from Set-Cookie headers when available. * * @returns Promise resolving to an access token string * @throws {Error} If no valid credentials are found in environment variables * @throws {Error} If SSO provider is invalid (not in supported list) */ getToken(): Promise; private validateSSOToken; /** * Fetches a new access token using stored original credentials. * * Dispatches to the appropriate login method based on credential type. * * @throws {Error} If no credentials are found in environment variables */ private fetchNewToken; /** * Attempts to extract and store refresh token from Set-Cookie header in response. * * @param response - Axios response object containing headers */ private attemptRefreshTokenUpdate; /** * Authenticates using API key and retrieves access token. * * @param api_key - The API key for authentication * @returns Promise resolving to an access token string */ private apiKeyLogin; /** * Authenticates using username and password and retrieves access token. * * @param username - The username for authentication * @param password - The password for authentication * @returns Promise resolving to an access token string */ private usernameLogin; /** * Authenticates using SSO ID token and retrieves access token. * * @param idToken - The SSO ID token for authentication * @param provider - The SSO provider (okta, google, github, azure-ad, or custom) * @returns Promise resolving to an access token string */ private ssoLogin; /** * Get the stored refresh token. * * @returns The stored refresh token, or undefined if no refresh token is available */ getRefreshToken(): string | undefined | null; /** * Ensures the current access token is valid, refreshing it if expired or soon to expire. * * @param endpoint - The API route being called; used to skip refresh for auth endpoints (e.g. login, refresh) * @returns Promise resolving to a valid access token string */ ensureValidToken(endpoint: Routes): Promise; /** * Refresh the access token using the stored refresh token. * * @returns Promise resolving to a new access token string * @throws {Error} If refresh token is not available or refresh fails */ private refreshAccessToken; /** * Refresh token with fallback to original credentials. * * Attempts to refresh using stored refresh token. If refresh fails or no refresh token * is available, falls back to fetching a new token using original credentials. * * @returns Promise resolving to a new access token string * @throws {Error} If both refresh and credential-based token fetch fail */ private refreshTokenWithFallback; /** * Override base class method to implement refresh token logic. * * Automatically refreshes the access token if it's expired or will expire within 5 minutes. * Falls back to original credentials if refresh token is unavailable or refresh fails. * Auth endpoints (login, apiKeyLogin, socialLogin, refreshToken) are excluded from refresh checks. * * @param endpoint - The API endpoint being called * @throws {Error} If token validation fails and refresh also fails */ protected refreshTokenIfNeeded(endpoint: Routes): Promise; private isTokenInvalid; }