import { type Request, type RequestHandler, type Response } from "express";
import { type ServerApi_Middleware } from "./HttpServer.js";
import { ApiResponse } from "./server-api.js";
/**
 * The auth logic itself (session/JWT validation + scope checks) lives in the
 * CONSUMER (e.g. `AccountModule.validateSession` / `KasperoProxy.validateRequest`),
 * so the framework ships only this factory. A validator resolves the request to
 * an account (or rejects → the rejection flows to the terminal error handler).
 *
 * The legacy validators take an `ApiResponse`-shaped 3rd arg to refresh the JWT
 * response header; the consumer adapts the raw `res` to that shape when
 * instantiating (a tiny header sink) — see the migration recipe.
 */
export type AuthValidator = (req: Request, scopes: string[], res: Response) => Promise<Express.AuthAccount>;
/**
 * Build a `requireAuth(...scopes)` middleware from a consumer auth validator.
 *
 *   export const requireAuth = makeRequireAuth((req, scopes, res) =>
 *       AccountModule.validateSession(req, scopes, headerSink(res)));
 *
 * The returned middleware populates `req.account` and works both per-route
 * (`router.post("/x", requireAuth("admin"), handler(fn))`) and at router-group
 * level (`router.use(requireAuth())`).
 */
export declare function makeRequireAuth(validator: AuthValidator): (...scopes: string[]) => RequestHandler;
/**
 * Adapt a raw Express `res` to the `ApiResponse` a legacy `ServerApi_Middleware`
 * expects. ApiResponse is now a thin res-backed helper, so this hands the gate a
 * real, fully-functional one (setHeader/setHeaders for JWT refresh, redirect for
 * SAML, json/text/… all delegate to `res`).
 */
export declare const headerSink: (res: Response) => ApiResponse;
/**
 * Wrap a legacy `ServerApi_Middleware` `(request, data, response, scopes) => ctx`
 * as Express middleware — so existing authz/proxy gates run at the route site
 * without rewriting their logic (no fresh security review). Any returned context
 * object is merged onto `req` (e.g. `req.account`); rejections flow to the
 * app-level terminal error handler via `next(err)`.
 *
 *   router.post("/x", useMiddleware(RemoteProxy.Middleware), handler(fn));
 */
export declare const useMiddleware: (mw: ServerApi_Middleware, ...scopes: string[]) => RequestHandler;
//# sourceMappingURL=requireAuth.d.ts.map