/**
 * TOTP (authenticator) enrollment HTTP routes — Phase 2 of #1780 (#1794).
 *
 * Provides:
 * - GET    /api/console/totp/status        — enrollment state (no secrets)
 * - POST   /api/console/totp/enroll/begin  — generate secret, return QR + otpauth URI
 * - POST   /api/console/totp/enroll/confirm — verify code, persist, return backup codes (once)
 * - POST   /api/console/totp/disable       — verify code, clear enrollment
 *
 * Security model:
 * - All endpoints require a valid existing console token. The caller must
 *   prove they already hold the token before they can enroll a second
 *   factor — otherwise an attacker with local port access could pre-enroll
 *   their own authenticator and lock the legitimate user out.
 * - Enforcement happens via an always-on `createAuthMiddleware` instance
 *   mounted at the top of this router, independent of the global
 *   DOLLHOUSE_WEB_AUTH_ENABLED flag.
 * - Backup codes are returned in plaintext exactly once (confirm response)
 *   and only their sha256 hashes are retained by the store.
 * - A sliding-window rate limit throttles confirm/disable attempts on a
 *   per-IP basis so a bad actor with a live session can't brute-force a
 *   TOTP window by flooding requests.
 *
 * @since v2.1.0 — Issue #1794
 */
import { Router } from 'express';
import { type ConsoleTokenStore } from '../console/consoleToken.js';
/**
 * Options for the TOTP routes factory.
 *
 * Only `store` is required. The two rate-limit fields are optional and tune
 * the throttle on code-verification attempts; the documented defaults apply
 * when they are omitted.
 */
export interface TotpRoutesOptions {
    /**
     * Console token store backing the enrollment endpoints. Per the module
     * header, the store retains only sha256 hashes of the backup codes, never
     * the plaintext.
     * NOTE(review): whether those hashes are salted or keyed is not visible
     * from this declaration — confirm in the store implementation.
     */
    store: ConsoleTokenStore;
    /**
     * Maximum code-verification attempts per window. Default: 10.
     *
     * Per the module header this limit is applied per client IP to the
     * confirm and disable endpoints. Raising it widens the number of guesses
     * allowed against a single TOTP window.
     * NOTE(review): per-IP keying is only as reliable as the client address
     * the server sees; when deployed behind a reverse proxy, verify how that
     * address is derived so clients neither share one bucket nor choose
     * their own.
     */
    rateLimitMax?: number;
    /**
     * Rate limit window in milliseconds. Default: 60_000 (1 minute).
     * Described in the module header as a sliding window.
     */
    rateLimitWindowMs?: number;
}
/**
 * Build the Express router exposing TOTP endpoints. The returned router
 * should be mounted at `/api/console/totp`; the caller does not need to
 * add additional auth middleware — this router enforces its own auth
 * regardless of the global feature flag.
 *
 * Per the module header, every endpoint requires a valid existing console
 * token, so enrollment cannot be started by a caller who does not already
 * hold it. The confirm response carries the backup codes in plaintext
 * exactly once; request/response logging placed in front of this router
 * should not capture that body.
 *
 * @param options - Store and optional rate-limit tuning; see
 *   {@link TotpRoutesOptions}.
 * @returns An Express `Router` with the status, enroll/begin,
 *   enroll/confirm and disable routes listed in the module header.
 */
export declare function createTotpRoutes(options: TotpRoutesOptions): Router;
//# sourceMappingURL=totpRoutes.d.ts.map