import * as http from 'http';
import express = require('express');
import { MaybePromise } from '../../common';
import { BackendApplicationContribution, EarlyExpressMiddleware } from '../backend-application';
import { WsRequestValidatorContribution } from '../ws-request-validators';
export declare const BrowserConnectionToken: unique symbol;
export declare const BROWSER_TOKEN_COOKIE_NAME = "theia-connection-token";
export interface BrowserConnectionToken {
    value: string;
}
/**
 * Validates WebSocket and HTTP requests using a cookie-based connection token.
 *
 * In browser deployments, the server generates a random token at startup and sets it
 * as a `SameSite=Strict; HttpOnly` cookie on the first page load. Cross-origin pages
 * cannot obtain or send this cookie, so their requests are rejected.
 *
 * This complements the origin validator: non-browser callers that omit the Origin
 * header (e.g. Node.js scripts) still cannot reach the backend without the cookie.
 *
 * Skipped in Electron deployments (which use their own `ElectronSecurityToken`).
 */
export declare class BrowserConnectionTokenBackendContribution implements BackendApplicationContribution, WsRequestValidatorContribution {
    protected readonly browserConnectionToken: BrowserConnectionToken;
    protected readonly earlyMiddleware: EarlyExpressMiddleware;
    /**
     * Register the cookie middleware during `initialize()` via `EarlyExpressMiddleware`
     * so it runs before `express.static()` (which is registered later during `configure()`).
     * This ensures the browser receives the token cookie on the initial page load.
     */
    initialize(): void;
    /**
     * Validate the connection token cookie on WebSocket upgrade requests.
     * Non-browser callers that omit the Origin header (e.g. Node.js scripts)
     * cannot provide the `SameSite=Strict` cookie either, so they are rejected.
     */
    allowWsUpgrade(request: http.IncomingMessage): MaybePromise<boolean>;
    protected expressMiddleware(req: express.Request, res: express.Response, next: express.NextFunction): void;
    protected getTokenFromCookie(req: http.IncomingMessage): string | undefined;
    protected isTokenValid(token: string): boolean;
}
/**
 * Creates a new browser connection token.
 */
export declare function createBrowserConnectionToken(): BrowserConnectionToken;
//# sourceMappingURL=browser-connection-token.d.ts.map