import { type AnyObject, type JsonCompatibleObject, type MaybePromise, type PartialWithUndefined } from '@augment-vir/common';
import { type AnyDuration } from 'date-vir';
import { type IncomingHttpHeaders, type OutgoingHttpHeaders } from 'node:http';
import { type EmptyObject, type RequireExactlyOne, type RequireOneOrNone } from 'type-fest';
import { type UserIdResult } from '../auth.js';
import { type CookieParams } from '../cookie.js';
import { type CsrfHeaderNameOption } from '../csrf-token.js';
import { type JwtKeys, type RawJwtKeys } from '../jwt/jwt-keys.js';
import { type CreateJwtParams, type ParseJwtParams } from '../jwt/jwt.js';
/**
 * Output from `BackendAuthClient.getSecureUser()`.
 *
 * @category Internal
 */
export type GetUserResult<DatabaseUser extends AnyObject> = {
    /** The retrieved user. */
    user: DatabaseUser;
    /**
     * When `true`, indicates that the current `user` result is as assumed user. This can only be
     * `true` if you've configured user assuming in `BackendAuthClient`.
     */
    isAssumed: boolean;
    /**
     * This should be merged into your own response headers. It usually contains auth cookie
     * duration refresh headers.
     */
    responseHeaders: OutgoingHttpHeaders;
};
/**
 * Config for {@link BackendAuthClient}.
 *
 * @category Internal
 */
export type BackendAuthClientConfig<DatabaseUser extends AnyObject, UserId extends string | number, AssumedUserParams extends JsonCompatibleObject = EmptyObject> = Readonly<{
    csrf: Readonly<CsrfHeaderNameOption>;
    /** The origin of your backend that is offering auth cookies. */
    serviceOrigin: string;
    /** Finds the relevant user from your own database. */
    getUserFromDatabase: (userParams: {
        /** The user id extracted from the request cookie. */
        userId: UserId;
        /** Indicates that we're loading the user from a sign up cookie. */
        isSignUpCookie: boolean;
        /**
         * If this is set, we're attempting to load a database user for the purpose of assuming
         * their user identity. Otherwise, this is `undefined`.
         */
        assumingUser: AssumedUserParams | undefined;
        requestHeaders: Readonly<IncomingHttpHeaders>;
    }) => MaybePromise<DatabaseUser | undefined | null>;
    /**
     * Get JWT keys produced by {@link generateNewJwtKeys}. Make sure that each time this is
     * called, the same JWT keys are returned (do not call {@link generateNewJwtKeys} each time
     * this is called). Any time the JWT keys change, all current sessions will terminate.
     */
    getJwtKeys: () => MaybePromise<Readonly<RawJwtKeys>>;
    /**
     * When `isDev` is set, cookies do not require HTTPS (so they can be used with
     * http://localhost).
     */
    isDev: boolean;
} & PartialWithUndefined<{
    /** If this returns true, logging will be enabled while handling the relevant session. */
    enableLogging(params: {
        user: DatabaseUser | undefined;
        userId: UserId | undefined;
        assumedUserParams: AssumedUserParams | undefined;
    }): boolean;
    /**
     * Overwrite the header name used for tracking is an admin is assuming the identity of
     * another user.
     */
    assumedUserHeaderName: string;
    /**
     * Optionally generate a service origin from request headers. The generated origin is used
     * for set-cookie headers.
     */
    generateServiceOrigin(params: {
        requestHeaders: Readonly<IncomingHttpHeaders>;
    }): MaybePromise<undefined | string>;
    /** If provided, logs will be sent to this method. */
    log?: (message: string, extraData: AnyObject) => void;
    /**
     * Set this to allow specific users (determined by `canAssumeUser`) to assume the identity
     * of other users. This should only be used for admins so that they can troubleshoot user
     * issues.
     *
     * @see {@link AuthHeaderName}
     */
    assumeUser: {
        /**
         * Parse the assumed user header value.
         *
         * @see {@link AuthHeaderName}
         */
        parseAssumedUserHeaderValue: (
        /**
         * The assumed user header value.
         *
         * @see {@link AuthHeaderName}
         */
        data: string) => MaybePromise<{
            assumedUserParams: AssumedUserParams;
            userId: UserId;
        } | undefined>;
        /**
         * Return `true` to allow the current/original user to assume identities of other users.
         * Return `false` to block it. It is recommended to only return `true` for admin users.
         *
         * @see {@link AuthHeaderName}
         */
        canAssumeUser: (originalUser: DatabaseUser) => MaybePromise<boolean>;
    };
    /**
     * This determines how long a cookie will be valid until it needs to be refreshed.
     *
     * @default {minutes: 20}
     */
    userSessionIdleTimeout: Readonly<AnyDuration>;
    /**
     * How long into a user's session when we should start trying to refresh their session.
     *
     * @default {minutes: 2}
     */
    sessionRefreshStartTime: Readonly<AnyDuration>;
    /**
     * The maximum duration a session can last, regardless of activity. After this time, the
     * user will be logged out even if they are actively using the application.
     *
     * @default {days: 1.5}
     */
    maxSessionDuration: Readonly<AnyDuration>;
    /**
     * Allowed clock skew tolerance for JWT and CSRF token expiration checks. Accounts for
     * differences between server and client clocks.
     *
     * @default {minutes: 5}
     */
    allowedClockSkew: Readonly<AnyDuration>;
    /**
     * Optional separate origin for the CSRF cookie's `Domain` attribute. When set, the
     * non-`HttpOnly` CSRF cookie will use this origin's hostname instead of `serviceOrigin`.
     *
     * This is useful when the backend and frontend live on different subdomains that don't
     * share a common parent narrower than the top-level domain. The `HttpOnly` auth cookie
     * stays scoped to `serviceOrigin` (protecting it from unrelated subdomains), while the CSRF
     * cookie uses the broader domain so frontend JavaScript can read it via `document.cookie`.
     *
     * The CSRF token alone is not a security risk — it is only meaningful when paired with the
     * JWT embedded in the `HttpOnly` auth cookie.
     */
    csrfCookieOrigin: string;
    /**
     * Optional suffix appended to cookie names (e.g., `'staging'` produces `auth-staging`,
     * `auth-vir-csrf-staging`). When `undefined`, cookie names are unchanged. Useful for
     * running multiple environments on the same domain without cookie collisions.
     */
    cookieNameSuffix: string;
}>>;
/**
 * An auth client for creating and validating JWTs embedded in cookies. This should only be used in
 * a backend environment as it accesses native Node packages.
 *
 * @category Auth : Host
 * @category Clients
 */
export declare class BackendAuthClient<DatabaseUser extends AnyObject, UserId extends string | number, AssumedUserParams extends AnyObject = EmptyObject> {
    protected readonly config: BackendAuthClientConfig<DatabaseUser, UserId, AssumedUserParams>;
    protected cachedParsedJwtKeys: Record<string, Readonly<JwtKeys>>;
    constructor(config: BackendAuthClientConfig<DatabaseUser, UserId, AssumedUserParams>);
    /**
     * Resolves the origin to use for CSRF cookie generation. Returns `csrfCookieOrigin` if
     * configured, otherwise falls back to the auth cookie origin.
     */
    protected resolveCsrfCookieOrigin(authCookieOrigin: string): string;
    /** Conditionally logs a message if logging is enabled for the given user context. */
    protected logForUser(params: {
        user: DatabaseUser | undefined;
        userId: UserId | undefined;
        assumedUserParams: AssumedUserParams | undefined;
    }, message: string, extra?: Record<string, unknown>): void;
    /** Get all the parameters used for cookie generation. */
    protected getCookieParams({ isSignUpCookie, requestHeaders, }: {
        /**
         * Set this to `true` when we are setting the initial cookie right after a user signs up.
         * This allows them to auto-authorize when they verify their email address.
         *
         * This should only be set to `true` when a new user is signing up.
         */
        isSignUpCookie: boolean;
        requestHeaders: Readonly<IncomingHttpHeaders> | undefined;
    }): Promise<Readonly<CookieParams>>;
    /** Calls the provided `getUserFromDatabase` config. */
    protected getDatabaseUser({ isSignUpCookie, userId, assumingUser, requestHeaders, }: {
        userId: UserId | undefined;
        assumingUser: AssumedUserParams | undefined;
        isSignUpCookie: boolean;
        requestHeaders: IncomingHttpHeaders;
    }): Promise<undefined | DatabaseUser>;
    /** Creates a `'cookie-set'` header to refresh the user's session cookie. */
    protected createCookieRefreshHeaders({ userIdResult, requestHeaders, }: {
        userIdResult: Readonly<UserIdResult<UserId>>;
        requestHeaders: IncomingHttpHeaders;
    }): Promise<OutgoingHttpHeaders | undefined>;
    /** Reads the user's assumed user headers and, if configured, gets the assumed user. */
    protected getAssumedUser({ requestHeaders, user, }: {
        user: DatabaseUser;
        requestHeaders: IncomingHttpHeaders;
    }): Promise<DatabaseUser | undefined>;
    /** Securely extract a user from their request headers. */
    getSecureUser({ requestHeaders, isSignUpCookie, allowUserAuthRefresh, }: {
        requestHeaders: IncomingHttpHeaders;
        isSignUpCookie: boolean;
        /**
         * If true, this method will generate headers to refresh the user's auth session. This
         * should likely only be done with a specific endpoint, like whatever endpoint you trigger
         * with the frontend auth client's `checkUser.performCheck` callback.
         */
        allowUserAuthRefresh: boolean;
    }): Promise<GetUserResult<DatabaseUser> | undefined>;
    /**
     * Get all the JWT params used when creating the auth cookie, in case you need them for
     * something else too.
     */
    getJwtParams(): Promise<Readonly<CreateJwtParams> & ParseJwtParams>;
    /** Use these headers to log out the user. */
    createLogoutHeaders(params: Readonly<RequireExactlyOne<{
        allCookies: true;
        isSignUpCookie: boolean;
    }> & {
        /** Overrides the client's already established `serviceOrigin`. */
        serviceOrigin?: string | undefined;
    }>): Promise<Record<string, string | string[]> & {
        'set-cookie': string[];
    }>;
    /**
     * Refreshes a login session by reissuing the auth cookie with the same CSRF token instead of
     * generating a new one.
     */
    protected refreshLoginHeaders({ userId, cookieParams, existingUserIdResult, }: {
        userId: UserId;
        cookieParams: Readonly<CookieParams>;
        existingUserIdResult: Readonly<UserIdResult<UserId>>;
    }): Promise<Record<string, string | string[]>>;
    /** Generates login headers for a brand-new session (no existing JWT to reuse). */
    protected generateFreshLoginHeaders(userId: UserId, cookieParams: Readonly<CookieParams>): Promise<Record<string, string[]>>;
    /** Use these headers to log a user in. */
    createLoginHeaders({ userId, requestHeaders, isSignUpCookie, }: {
        userId: UserId;
        requestHeaders: IncomingHttpHeaders;
        isSignUpCookie: boolean;
    }): Promise<OutgoingHttpHeaders>;
    /** Combines `.getInsecureUser()` and `.getSecureUser()` into one method. */
    getInsecureOrSecureUser(params: {
        requestHeaders: IncomingHttpHeaders;
        isSignUpCookie: boolean;
        /**
         * If true, this method will generate headers to refresh the user's auth session. This
         * should likely only be done with a specific endpoint, like whatever endpoint you trigger
         * with the frontend auth client's `checkUser.performCheck` callback.
         */
        allowUserAuthRefresh: boolean;
        /** Overrides the client's already established `serviceOrigin`. */
        serviceOrigin?: string | undefined;
    }): Promise<RequireOneOrNone<{
        secureUser: GetUserResult<DatabaseUser>;
        /**
         * @deprecated This only half authenticates the user. It should only be used in
         *   circumstances where JavaScript cannot be used to attach the CSRF token header to
         *   the request (like when opening a PDF file). Use `.getSecureUser()` instead,
         *   whenever possible.
         */
        insecureUser: GetUserResult<DatabaseUser>;
    }>>;
    /**
     * @deprecated This only half authenticates the user. It should only be used in circumstances
     *   where JavaScript cannot be used to attach the CSRF token header to the request (like when
     *   opening a PDF file). Use `.getSecureUser()` instead, whenever possible.
     */
    getInsecureUser({ requestHeaders, allowUserAuthRefresh, }: {
        requestHeaders: IncomingHttpHeaders;
        /**
         * If true, this method will generate headers to refresh the user's auth session. This
         * should likely only be done with a specific endpoint, like whatever endpoint you trigger
         * with the frontend auth client's `checkUser.performCheck` callback.
         */
        allowUserAuthRefresh: boolean;
    }): Promise<GetUserResult<DatabaseUser> | undefined>;
}