import type { Data } from '@strapi/types';
import { errors } from '@strapi/utils';
import type { Ability } from '@casl/ability';
import type { Update, ContentApiApiToken, ContentApiApiTokenBody } from '../../../shared/contracts/api-token';
import type { AdminApiToken, AdminTokenBody } from '../../../shared/contracts/admin-token';
import type { AdminUser, Permission } from '../../../shared/contracts/shared';
type AnyApiToken = ContentApiApiToken | AdminApiToken;
declare const UnauthorizedError: typeof errors.UnauthorizedError;
export type AdminTokenAuthenticationResult = {
    authenticated: false;
    error?: InstanceType<typeof UnauthorizedError>;
} | {
    authenticated: true;
    credentials: AdminApiToken;
    user: AdminUser;
    ability: Ability;
};
/** API/body shape: permission without ids/timestamps and without actionParameters (defaulted by domain when creating). */
type PermissionInput = Omit<Permission, 'id' | 'createdAt' | 'updatedAt' | 'actionParameters'>;
/**
 * Enforce that every requested admin permission stays within the calling
 * user's own permission ceiling, then return the clamped permissions.
 *
 * Super-admins bypass this (they hold every permission).
 * When admin permissions are requested, an authenticated user is required (no bypass when user is missing).
 *
 * For each requested permission:
 *  - action + subject must match at least one user permission
 *  - properties.fields must be ⊆ user's properties.fields
 *    (if the user's permission defines no fields, all fields are allowed)
 *  - conditions are inherited from the user's matching permission(s);
 *    the caller cannot configure conditions on their own tokens
 *
 * Returns the permissions with conditions enforced from the user's role.
 * Throws ValidationError if any permission exceeds the user's ceiling.
 *
 * Guaranteed postcondition: all returned permissions have conditions filtered to
 * registered conditions only, regardless of the user type.
 */
declare const enforceAdminPermissionsCeiling: (user: AdminUser | undefined | null, requestedPermissions?: PermissionInput[]) => Promise<PermissionInput[]>;
/**
 * Assign admin permissions to an API token (similar to role permission assignment).
 * ceilingUser is the user whose permissions act as the ceiling — always the token owner,
 * regardless of who is making the request.
 */
declare const assignAdminPermissionsToToken: (tokenId: Data.ID, permissions: PermissionInput[], ceilingUser: AdminUser) => Promise<Permission[]>;
/**
 * Reconcile a token's admin permissions against the owner's current effective ceiling.
 *
 * Pure / sync — no DB calls. Returns two buckets:
 *   toDelete  – permissions that are no longer within the user's scope (action/subject missing
 *               or requested fields exceed the allowed set)
 *   toUpdate  – permissions that are still in scope but whose conditions must be re-clamped
 *               to the current union of the matching user permissions' conditions
 */
declare const reconcileTokenPermissionsToUserCeiling: (userPermissions: Permission[], tokenPermissions: Permission[]) => {
    toDelete: Permission[];
    toUpdate: {
        id: Data.ID;
        conditions: string[];
    }[];
};
/**
 * Re-sync all admin token permissions for a given user against their current effective ceiling.
 *
 * Skips super-admins (no ceiling). For each admin token owned by the user:
 *   - Deletes permissions that are no longer within the user's scope
 *   - Updates conditions on permissions whose conditions have drifted from the role's current set
 */
declare const syncApiTokenPermissionsForUser: (userId: Data.ID) => Promise<void>;
/**
 * Re-sync admin token permissions for all admin users who hold a given role.
 * Called after role permissions are updated.
 */
declare const syncApiTokenPermissionsForRole: (roleId: Data.ID) => Promise<void>;
type WhereParams = {
    id?: string | number;
    name?: string;
    lastUsedAt?: number;
    description?: string;
    accessKey?: string;
    kind?: 'content-api' | 'admin';
};
type GetByOptions = {
    includeDecryptedKey?: boolean;
};
/**
 *  Get a token.
 *  By default the plaintext accessKey is NOT included.
 *  Pass { includeDecryptedKey: true } to decrypt and return it (owner-only paths).
 */
declare const getBy: (whereParams?: WhereParams, options?: GetByOptions) => Promise<AnyApiToken | null>;
/**
 * Check if token exists
 */
declare const exists: (whereParams?: WhereParams) => Promise<boolean>;
/**
 * Return a secure sha512 hash of an accessKey
 */
declare const hash: (accessKey: string) => string;
declare const authenticateAdminToken: (accessToken: string) => Promise<AdminTokenAuthenticationResult>;
/**
 * Create a token and its permissions
 */
declare const create: <K extends AnyApiToken["kind"]>(attributes: {
    kind: K;
} & (ContentApiApiTokenBody | AdminTokenBody), callingUser?: AdminUser) => Promise<K extends "content-api" ? ContentApiApiToken : K extends "admin" ? AdminApiToken : AnyApiToken>;
declare const regenerate: (id: string | number) => Promise<ContentApiApiToken | AdminApiToken>;
declare const checkSaltIsDefined: () => void;
/**
 * Return a list of tokens visible to the calling user.
 * Super-admins see all tokens; regular admins see only ownerless tokens and their own.
 */
declare const list: <K extends AnyApiToken["kind"]>(callingUser: AdminUser, { filter }?: {
    filter?: {
        kind?: K;
    };
}) => Promise<Array<K extends "content-api" ? ContentApiApiToken : K extends "admin" ? AdminApiToken : AnyApiToken>>;
/**
 * Revoke (delete) a token
 */
declare const revoke: (id: string | number) => Promise<AnyApiToken>;
/**
 * Retrieve a token by id
 */
declare const getById: (id: string | number, options?: GetByOptions) => Promise<AnyApiToken | null>;
/**
 * Retrieve a token by name
 */
declare const getByName: (name: string, options?: GetByOptions) => Promise<AnyApiToken | null>;
/**
 * Update a token and its permissions
 */
declare const update: (id: string | number, attributes: Update.Request["body"]) => Promise<AnyApiToken>;
declare const count: (where?: {}) => Promise<number>;
/**
 * Delete all admin API tokens owned by the given user, including their associated admin permissions.
 * Called when the owner user is deleted so tokens don't linger with a dangling owner FK.
 */
declare const deleteAdminTokensForUser: (userId: Data.ID) => Promise<void>;
interface SharedTokenMethods {
    hash(accessKey: string): string;
    checkSaltIsDefined(): void;
    /** Kind-agnostic lookup by hashed access key — used by the auth strategy. */
    getByAccessKey(accessKeyHash: string, options?: GetByOptions): Promise<AnyApiToken | null>;
    /** Total count across all kinds. */
    countAll(where?: object): Promise<number>;
    reconcileTokenPermissionsToUserCeiling(userPermissions: Permission[], tokenPermissions: Permission[]): {
        toDelete: Permission[];
        toUpdate: {
            id: Data.ID;
            conditions: string[];
        }[];
    };
}
export interface ContentApiTokenService extends SharedTokenMethods {
    create(attributes: ContentApiApiTokenBody, callingUser?: AdminUser): Promise<ContentApiApiToken>;
    list(callingUser: AdminUser): Promise<ContentApiApiToken[]>;
    getById(id: string | number, options?: GetByOptions): Promise<ContentApiApiToken | null>;
    getByName(name: string, options?: GetByOptions): Promise<ContentApiApiToken | null>;
    update(id: string | number, attributes: Partial<ContentApiApiTokenBody>): Promise<ContentApiApiToken>;
    revoke(id: string | number): Promise<ContentApiApiToken>;
    regenerate(id: string | number): Promise<ContentApiApiToken>;
    exists(where: WhereParams): Promise<boolean>;
    count(where?: object): Promise<number>;
}
export interface AdminTokenService extends SharedTokenMethods {
    authenticateAdminToken(accessToken: string): Promise<AdminTokenAuthenticationResult>;
    create(attributes: AdminTokenBody, callingUser: AdminUser): Promise<AdminApiToken>;
    list(callingUser: AdminUser): Promise<AdminApiToken[]>;
    getById(id: string | number, options?: GetByOptions): Promise<AdminApiToken | null>;
    getByName(name: string, options?: GetByOptions): Promise<AdminApiToken | null>;
    update(id: string | number, attributes: Partial<AdminTokenBody>): Promise<AdminApiToken>;
    revoke(id: string | number): Promise<AdminApiToken>;
    regenerate(id: string | number): Promise<AdminApiToken>;
    exists(where: WhereParams): Promise<boolean>;
    count(where?: object): Promise<number>;
    assignAdminPermissionsToToken(tokenId: Data.ID, permissions: PermissionInput[], ceilingUser: AdminUser): Promise<Permission[]>;
    syncPermissionsForUser(userId: Data.ID): Promise<void>;
    syncPermissionsForRole(roleId: Data.ID): Promise<void>;
    deleteTokensForUser(userId: Data.ID): Promise<void>;
}
declare function createTokenService(kind: 'content-api'): ContentApiTokenService;
declare function createTokenService(kind: 'admin'): AdminTokenService;
export type { GetByOptions };
export { createTokenService, create, count, regenerate, exists, checkSaltIsDefined, hash, list, revoke, getById, update, getByName, getBy, authenticateAdminToken, assignAdminPermissionsToToken, enforceAdminPermissionsCeiling, reconcileTokenPermissionsToUserCeiling, syncApiTokenPermissionsForUser, syncApiTokenPermissionsForRole, deleteAdminTokensForUser, };
//# sourceMappingURL=api-token.d.ts.map