import { MfaGrantTypes } from './constants';
/**
 * Represents an MFA authenticator enrolled by a user
 */
export interface Authenticator {
    /** Unique identifier for the authenticator */
    id: string;
    /** Type of authenticator */
    authenticatorType: AuthenticatorType;
    /** Whether the authenticator is active */
    active: boolean;
    /** Optional friendly name */
    name?: string;
    /** ISO 8601 timestamp when created */
    createdAt?: string;
    /** ISO 8601 timestamp of last authentication */
    lastAuth?: string;
    /** Types of MFA challenges*/
    type?: string;
}
/**
 * Supported authenticator types.
 * Note: Email authenticators use 'oob' type with oobChannel: 'email'
 */
export type AuthenticatorType = 'otp' | 'oob' | 'recovery-code';
/**
 * Types of MFA challenges
 */
export type ChallengeType = 'otp' | 'phone' | 'recovery-code' | 'email' | 'push-notification' | 'totp';
/**
 * Out-of-band delivery channels.
 * Includes 'email' which is also delivered out-of-band.
 */
export type OobChannel = 'sms' | 'voice' | 'auth0' | 'email';
/**
 * Supported MFA factors for enrollment
 */
export type MfaFactorType = 'otp' | 'sms' | 'email' | 'push' | 'voice';
/**
 * Base parameters for all enrollment types
 */
export interface EnrollBaseParams {
    /** MFA token from mfa_required error */
    mfaToken: string;
}
/**
 * OTP (Time-based One-Time Password) enrollment parameters
 */
export interface EnrollOtpParams extends EnrollBaseParams {
    /** The factor type for enrollment */
    factorType: 'otp';
}
/**
 * SMS enrollment parameters
 */
export interface EnrollSmsParams extends EnrollBaseParams {
    /** The factor type for enrollment */
    factorType: 'sms';
    /** Phone number in E.164 format (required for SMS) */
    phoneNumber: string;
}
/**
 * Voice enrollment parameters
 */
export interface EnrollVoiceParams extends EnrollBaseParams {
    /** The factor type for enrollment */
    factorType: 'voice';
    /** Phone number in E.164 format (required for voice) */
    phoneNumber: string;
}
/**
 * Email enrollment parameters
 */
export interface EnrollEmailParams extends EnrollBaseParams {
    /** The factor type for enrollment */
    factorType: 'email';
    /** Email address (optional, uses user's email if not provided) */
    email?: string;
}
/**
 * Push notification enrollment parameters
 */
export interface EnrollPushParams extends EnrollBaseParams {
    /** The factor type for enrollment */
    factorType: 'push';
}
/**
 * Union type for all enrollment parameter types
 */
export type EnrollParams = EnrollOtpParams | EnrollSmsParams | EnrollVoiceParams | EnrollEmailParams | EnrollPushParams;
/**
 * Response when enrolling an OTP authenticator
 */
export interface OtpEnrollmentResponse {
    /** Authenticator type */
    authenticatorType: 'otp';
    /** Base32-encoded secret for TOTP generation */
    secret: string;
    /** URI for generating QR code (otpauth://...) */
    barcodeUri: string;
    /** Recovery codes for account recovery */
    recoveryCodes?: string[];
    /** Authenticator ID */
    id?: string;
}
/**
 * Response when enrolling an OOB authenticator
 */
export interface OobEnrollmentResponse {
    /** Authenticator type */
    authenticatorType: 'oob';
    /** Delivery channel used */
    oobChannel: OobChannel;
    /** Out-of-band code for verification */
    oobCode?: string;
    /** Binding method (e.g., 'prompt' for user code entry) */
    bindingMethod?: string;
    /** Recovery codes (generated when enrolling first MFA factor) */
    recoveryCodes?: string[];
    /** Authenticator ID */
    id?: string;
    /** URI for QR code (for Push/Guardian enrollment) */
    barcodeUri?: string;
}
/**
 * Union type for all enrollment response types
 */
export type EnrollmentResponse = OtpEnrollmentResponse | OobEnrollmentResponse;
/**
 * Parameters for initiating an MFA challenge
 */
export interface ChallengeAuthenticatorParams {
    /** MFA token from mfa_required error or MFA-scoped access token */
    mfaToken: string;
    /** Type of challenge to initiate */
    challengeType: 'otp' | 'oob';
    /** Specific authenticator to challenge (optional) */
    authenticatorId?: string;
}
/**
 * Response from initiating an MFA challenge
 */
export interface ChallengeResponse {
    /** Type of challenge created */
    challengeType: 'otp' | 'oob';
    /** Out-of-band code (for OOB challenges) */
    oobCode?: string;
    /** Binding method for OOB (e.g., 'prompt') */
    bindingMethod?: string;
}
/**
 * Grant types for MFA verification (derived from MfaGrantTypes constants)
 */
export type MfaGrantType = (typeof MfaGrantTypes)[keyof typeof MfaGrantTypes];
/**
 * Parameters for verifying an MFA challenge.
 *
 * The grant_type is automatically inferred from which verification field is provided:
 * - `otp` field → MFA-OTP grant type
 * - `oobCode` field → MFA-OOB grant type
 * - `recoveryCode` field → MFA-RECOVERY-CODE grant type
 */
export interface VerifyParams {
    /** MFA token from challenge flow */
    mfaToken: string;
    /** One-time password (for OTP challenges) */
    otp?: string;
    /** Out-of-band code (for OOB challenges) */
    oobCode?: string;
    /** Binding code (for OOB challenges with binding) */
    bindingCode?: string;
    /** Recovery code (for recovery code verification) */
    recoveryCode?: string;
}
/**
 * Enrollment factor returned by getEnrollmentFactors
 */
export interface EnrollmentFactor {
    /** Type of enrollment factor available */
    type: string;
}