import { JWK, JWT } from "@edgefirst-dev/jwt";
import { type Cookie, type unstable_MiddlewareFunction, unstable_RouterContextProvider } from "react-router";
export declare function unstable_createJWKAuthMiddleware({ jwksUri, realm, alg, invalidUserMessage, ...options }: unstable_createBearerAuthMiddleware.Options): unstable_createBearerAuthMiddleware.ReturnType;
export declare namespace unstable_createBearerAuthMiddleware {
    type Args = {
        request: Request;
        context: unstable_RouterContextProvider;
    };
    type MessageFunction = (args: Args) => string | object | Promise<string | object>;
    interface BaseOptions {
        /**
         * The URL of the JWKS endpoint.
         * @example
         * "https://auth.example.com/.well-known/jwks.json"
         */
        jwksUri: ConstructorParameters<typeof URL>[0];
        /**
         * The algorithm to use for verifying the JWT signature.
         * @default "ES256"
         */
        alg?: JWK.Algoritm;
        /**
         * The message to return when the user is invalid.
         *
         * If a function is provided, it will be called with the request and context
         * as arguments.
         *
         * If the function returns a string, it will be used as the message.
         *
         * If the function returns an object, it will be serialized as JSON and used
         * as the response body.
         *
         * @default "Unauthorized"
         * @example
         * "Invalid user"
         * (args) => `Invalid user: ${args.request.headers.get("X-User")}`
         * async (args) => {
         *  let user = await getUser(args.context);
         *  return `Invalid user: ${user}`;
         * }
         * { error: "Invalid user" }
         * (args) => ({
         *   error: `Invalid user: ${args.request.headers.get("X-User")}`
         * })
         * async (args) => {
         *  let user = await getUser(args.context);
         *  return { error: `Invalid user: ${user}` };
         * }
         */
        invalidUserMessage?: string | object | MessageFunction;
        /**
         * The domain name of the realm, as part of the returned WWW-Authenticate
         * challenge header.
         *
         * @default "Secure Area"
         */
        realm?: string;
        verifyOptions?: JWT.VerifyOptions;
    }
    interface HeaderOptions extends BaseOptions {
        /**
         * The name of the header to use for the bearer token.
         * @default "Authorization"
         */
        headerName?: string;
    }
    interface CookieOptions extends BaseOptions {
        /**
         * The cookie to use for the bearer token.
         *
         * If provided the cookie will be parsed to try to extract the JWT.
         */
        cookie: Cookie;
    }
    type Options = HeaderOptions | CookieOptions;
    type ReturnType = [
        unstable_MiddlewareFunction<Response>,
        (context: unstable_RouterContextProvider) => JWT
    ];
}
