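/**
 * QA360 Authentication Module
 *
 * Comprehensive authentication support for test adapters.
 * Supports JWT, OAuth2, API Keys, Bearer tokens, Basic auth, Digest auth, TOTP,
 * UI Login, and cloud provider credentials (GCP, AWS, Azure).
 *
 * Most types below carry secret material (passwords, client secrets, TOTP
 * seeds, refresh tokens, cloud access keys). Treat every config and result
 * object as sensitive: redact before logging or attaching to reports, and
 * load secret fields from the environment or a secret store rather than from
 * files committed with the tests.
 *
 * NOTE(review): this listing had lost its generic type arguments (bare
 * `Record`, bare `Promise`, and an undeclared `T` on AuthProvider), so it did
 * not type-check. The arguments below are reconstructed from how each field
 * is used; confirm them against the package's own declaration file.
 */

/**
 * Authentication result
 */
export interface AuthResult {
  success: boolean;
  /** Present on success; contains live secrets. */
  credentials?: AuthCredentials;
  /** Failure description. Keep secret values out of this string, it is likely to be logged. */
  error?: string;
  /** Expiration timestamp. Unit (seconds vs milliseconds) is not shown here; TODO confirm. */
  expiresAt?: number;
}

/**
 * HTTP credentials for native browser authentication (Basic Auth popup)
 */
export interface HttpCredentials {
  username: string;
  password: string;
  /**
   * Origin the credentials are meant for. NOTE(review): what happens when this
   * is omitted is not visible here; set it so the password is only answered
   * to the intended host.
   */
  origin?: string;
}

/**
 * Authentication credentials to be used in requests
 */
export interface AuthCredentials {
  type: AuthType;
  /** Request headers to add (reconstructed as string-to-string; TODO confirm). */
  headers?: Record<string, string>;
  /**
   * Query parameters to add (reconstructed as string-to-string; TODO confirm).
   * Secrets placed in a URL tend to end up in access logs and Referer headers.
   */
  queryParams?: Record<string, string>;
  cookies?: Cookie[];
  /** Body fields to add (value type reconstructed as unknown; TODO confirm). */
  body?: Record<string, unknown>;
  /** P0: HTTP credentials for native browser Basic Auth popup (WWW-Authenticate) */
  httpCredentials?: HttpCredentials;
  /** P0: OAuth2 refresh token for token renewal */
  refreshToken?: string;
  /** Token expiration timestamp. Unit is not shown here; TODO confirm. */
  expiresAt?: number;
}

/**
 * Cookie for session management
 */
export interface Cookie {
  name: string;
  value: string;
  domain?: string;
  path?: string;
  expires?: Date;
  /** Optional here; session cookies should normally be httpOnly. */
  httpOnly?: boolean;
  /** Optional here; session cookies should normally be restricted to HTTPS. */
  secure?: boolean;
}

/**
 * Authentication types
 */
export type AuthType =
  | 'none'
  | 'jwt'
  | 'oauth2'
  | 'api_key'
  | 'bearer'
  | 'basic'
  | 'digest'
  | 'otp'
  | 'totp'
  | 'backup_codes'
  | 'ui_login'
  | 'gcp_adc'
  | 'aws_iam'
  | 'azure_ad';

/**
 * Base configuration for all auth providers
 */
export interface BaseAuthConfig {
  type: AuthType;
  enabled?: boolean;
  /** Credential caching options. The unit of `ttl` is not shown here; TODO confirm. */
  cache?: {
    enabled?: boolean;
    ttl?: number;
  };
}

/**
 * JWT configuration
 */
export interface JWTAuthConfig extends BaseAuthConfig {
  type: 'jwt';
  issuer?: string;
  audience?: string;
  subject?: string;
  client_id?: string;
  /** Secret: supply at run time, do not commit. */
  client_secret?: string;
  token_endpoint?: string;
  scopes?: string[];
  auto_refresh?: boolean;
  /** Secret: a pre-issued token is a bearer credential. */
  token?: string;
}

/**
 * OAuth2 configuration
 */
export interface OAuth2AuthConfig extends BaseAuthConfig {
  type: 'oauth2';
  token_url: string;
  client_id: string;
  /** Secret: supply at run time, do not commit. */
  client_secret?: string;
  scopes?: string[];
  /**
   * Grant to use. 'password' (resource owner password credentials) hands the
   * user's password to the client and is disallowed by the OAuth 2.0 Security
   * Best Current Practice (RFC 9700); keep it to dedicated test accounts.
   */
  grant_type?: 'client_credentials' | 'authorization_code' | 'password' | 'refresh_token';
  username?: string;
  /** Secret. */
  password?: string;
  /** P0: Pre-existing refresh token for token refresh flow */
  refresh_token?: string;
  /** P0: Auto-refresh token before expiration */
  auto_refresh?: boolean;
  /** P0: Refresh token URL (if different from token_url) */
  refresh_url?: string;
}

/**
 * API Key configuration
 */
export interface APIKeyAuthConfig extends BaseAuthConfig {
  type: 'api_key';
  /** Secret. */
  key: string;
  header_name?: string;
  prefix?: string;
  /** 'query' puts the key in the URL, where it is commonly logged; prefer 'header'. */
  location?: 'header' | 'query';
}

/**
 * Bearer token configuration
 */
export interface BearerAuthConfig extends BaseAuthConfig {
  type: 'bearer';
  /** Secret: whoever holds the token can use it. */
  token: string;
}

/**
 * Basic auth configuration
 */
export interface BasicAuthConfig extends BaseAuthConfig {
  type: 'basic';
  username: string;
  /** Secret. Basic auth only base64-encodes it, so it must travel over TLS. */
  password: string;
  /** P0: Use native browser popup (WWW-Authenticate) instead of headers */
  useNativePopup?: boolean;
  /** Optional: only send to specific origin */
  origin?: string;
}

/**
 * Digest auth configuration (P1 - RFC 2617)
 *
 * RFC 2617 has been obsoleted by RFC 7616. Which digest algorithms the
 * provider accepts is not visible in this file.
 */
export interface DigestAuthConfig extends BaseAuthConfig {
  type: 'digest';
  username: string;
  /** Secret. */
  password: string;
  /** Protection space (optional, will use server value if not provided) */
  realm?: string;
}

/**
 * TOTP configuration
 */
export interface TOTPAuthConfig extends BaseAuthConfig {
  type: 'totp';
  /** Secret: the shared seed; anyone holding it can generate valid codes. */
  secret: string;
  digits?: number;
  period?: number;
  algorithm?: 'sha1' | 'sha256' | 'sha512';
}

/**
 * OTP configuration (P1 - SMS/Email OTP and Magic Links)
 */
export interface OTPAuthConfig extends BaseAuthConfig {
  type: 'otp';
  /** Delivery method */
  method: 'sms' | 'email' | 'magic_link';
  /** Phone number (for SMS) or email address */
  destination: string;
  /** The OTP code received (if already available) */
  code?: string;
  /** Magic link URL (if received). The URL itself is the credential. */
  magicLinkUrl?: string;
  /** OTP verification endpoint */
  verifyEndpoint?: string;
  /** OTP request endpoint */
  requestEndpoint?: string;
  /** Additional headers for OTP requests (reconstructed as string-to-string; TODO confirm) */
  headers?: Record<string, string>;
}

/**
 * UI Login configuration
 */
export interface UILoginAuthConfig extends BaseAuthConfig {
  type: 'ui_login';
  url: string;
  username?: string;
  /** Secret. */
  password?: string;
  username_selector?: string;
  password_selector?: string;
  submit_selector?: string;
  /** Secret: TOTP seed for the second factor. */
  totp_secret?: string;
  totp_selector?: string;
  /**
   * NOTE(review): presumably a file holding saved session state; if so it is
   * equivalent to a logged-in session and needs restrictive permissions and
   * exclusion from version control. Confirm against the provider.
   */
  session_file?: string;
}

/**
 * Backup Codes configuration (P1 - 2FA recovery codes)
 */
export interface BackupCodesAuthConfig extends BaseAuthConfig {
  type: 'backup_codes';
  /** The backup code to verify */
  code: string;
  /** List of valid backup codes (for validation). Each entry is a secret. */
  validCodes?: string[];
}

/**
 * GCP ADC configuration
 */
export interface GCPADCConfig extends BaseAuthConfig {
  type: 'gcp_adc';
  project_id?: string;
  scopes?: string[];
}

/**
 * AWS IAM configuration
 *
 * Prefer `profile`, `role_arn` or short-lived credentials with a
 * `session_token` over a long-lived access key pair in test configuration.
 */
export interface AWSIamConfig extends BaseAuthConfig {
  type: 'aws_iam';
  region?: string;
  access_key_id?: string;
  /** Secret. */
  secret_access_key?: string;
  /** Secret. */
  session_token?: string;
  role_arn?: string;
  profile?: string;
}

/**
 * Azure AD configuration
 */
export interface AzureADConfig extends BaseAuthConfig {
  type: 'azure_ad';
  tenant_id: string;
  client_id: string;
  /** Secret: supply at run time, do not commit. */
  client_secret?: string;
  scope?: string;
  token_endpoint?: string;
}

/**
 * No-auth configuration (for unauthenticated requests)
 */
export interface NoneAuthConfig extends BaseAuthConfig {
  type: 'none';
}

/**
 * Union type for all auth configurations
 */
export type AuthConfig =
  | JWTAuthConfig
  | OAuth2AuthConfig
  | APIKeyAuthConfig
  | BearerAuthConfig
  | BasicAuthConfig
  | DigestAuthConfig
  | OTPAuthConfig
  | TOTPAuthConfig
  | BackupCodesAuthConfig
  | UILoginAuthConfig
  | GCPADCConfig
  | AWSIamConfig
  | AzureADConfig
  | NoneAuthConfig;

/**
 * Base interface for all auth providers
 *
 * NOTE(review): the type parameter and the Promise result types were missing
 * from the listing and are reconstructed here; confirm the constraint, the
 * default and each result type against the implementation.
 */
export interface AuthProvider<T extends BaseAuthConfig = AuthConfig> {
  /**
   * Provider type identifier
   */
  readonly type: AuthType;
  /**
   * Authenticate and retrieve credentials
   */
  authenticate(config: T): Promise<AuthResult>;
  /**
   * Refresh credentials if applicable
   */
  refresh?(config: T): Promise<AuthResult>;
  /**
   * Clear cached credentials
   */
  clear?(config: T): Promise<void>;
  /**
   * Validate current credentials
   */
  validate?(config: T): Promise<boolean>;
}

/**
 * Simple in-memory cache for auth credentials
 *
 * Entries are full AuthCredentials objects, so the cache holds live secrets
 * for as long as they stay in it. Whether `get` returns null for expired
 * entries as well as missing ones is not visible in this declaration.
 */
export declare class AuthCache {
  private cache;
  private defaultTTL;
  set(key: string, credentials: AuthCredentials, ttl?: number): void;
  get(key: string): AuthCredentials | null;
  /** NOTE(review): presumably clears every entry when `key` is omitted; confirm. */
  clear(key?: string): void;
  has(key: string): boolean;
}

/**
 * Global auth cache instance
 *
 * Shared by everything that imports this module, so credentials cached by one
 * test are reachable from others in the same process.
 */
export declare const authCache: AuthCache;

/**
 * Create cache key from config
 *
 * NOTE(review): the key is built from `type` and `identifier` only. Callers
 * should pass an identifier that distinguishes principals and targets, or two
 * configs could resolve to the same cached credentials. Confirm how providers
 * choose the identifier.
 */
export declare function createCacheKey(type: AuthType, identifier: string): string;

/**
 * Check if credentials are expired
 *
 * The result for an undefined `expiresAt` is not visible in this declaration.
 */
export declare function isExpired(expiresAt?: number): boolean;

/**
 * Parse token from string (extracts token without "Bearer " prefix)
 */
export declare function parseToken(token: string): string;

/**
 * Encode basic auth header
 *
 * Basic auth encoding is reversible and gives no confidentiality; the
 * returned value is as sensitive as the password itself.
 */
export declare function encodeBasicAuth(username: string, password: string): string;

export { JWTProvider } from './jwt-provider.js';
export { OAuth2Provider } from './oauth2-provider.js';
export { APIKeyProvider } from './api-key-provider.js';
export { BearerProvider, BasicAuthProvider } from './basic-auth-provider.js';
export { DigestAuthProvider } from './digest-auth-provider.js';
export { OTPProvider } from './otp-provider.js';
export { TOTPProvider } from './totp-provider.js';
export { BackupCodesProvider } from './backup-codes-provider.js';
export { UILoginProvider } from './ui-login-provider.js';
export { GCPADCProvider } from './gcp-adc-provider.js';
export { AWSIamProvider } from './aws-iam-provider.js';
export { AzureADProvider } from './azure-ad-provider.js';
// MockOAuthServer and createMockOAuthServer are test fixtures by name; they
// share this entry point with the real handlers.
export {
  OAuthHandler,
  OAuthToken,
  OAuthError,
  ImplicitFlowResult,
  MockOAuthServer,
  createOAuthHandler,
  createMockOAuthServer,
} from './oauth-handler.js';
export type {
  OAuthConfig,
  OIDCClaims,
  OIDCAddress,
  OIDCUserInfo,
} from './oauth-handler.js';
// The *_TEST_SITE_KEY constants are test keys by name; they are not a
// substitute for a site's own CAPTCHA keys.
export {
  RecaptchaHandler,
  createRecaptchaHandler,
  RECAPTCHA_V2_TEST_SITE_KEY,
  RECAPTCHA_V3_TEST_SITE_KEY,
} from './recaptcha-handler.js';
export {
  HcaptchaHandler,
  createHcaptchaHandler,
  HCAPTCHA_TEST_SITE_KEY,
} from './hcaptcha-handler.js';
export { SAMLHandler, createSAMLHandler } from './saml-handler.js';
export type {
  SAMLConfig,
  SAMLResponse,
  ParsedSAMLResponse,
  SAMLAssertion,
} from './saml-handler.js';
export { WebAuthnHandler, createWebAuthnHandler } from './webauthn-handler.js';
export type {
  WebAuthnConfig,
  WebAuthnUser,
  WebAuthnCredential,
  RegistrationResult,
  AuthenticationResult,
} from './webauthn-handler.js';
export { RememberMeHandler, createRememberMeHandler } from './remember-me-handler.js';
export type {
  RememberMeConfig,
  RememberMeToken,
  RememberMeResult,
} from './remember-me-handler.js';
export {
  AuthManager,
  authManager,
  authenticate,
  createAuthHeaders,
  applyAuthToRequest,
  AuthError,
} from './manager.js';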