npm - @element-hq/element-web-playwright-common - Versions diffs - 1.4.4 → 1.4.6 - Mend

@element-hq/element-web-playwright-common 1.4.4 → 1.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/lib/testcontainers/index.d.ts +1 -0
package/lib/testcontainers/index.d.ts.map +1 -1
package/lib/testcontainers/index.js +1 -0
package/lib/testcontainers/mas-config.d.ts +1328 -0
package/lib/testcontainers/mas-config.d.ts.map +1 -0
package/lib/testcontainers/mas-config.js +7 -0
package/lib/testcontainers/mas.d.ts +4 -129
package/lib/testcontainers/mas.d.ts.map +1 -1
package/lib/testcontainers/mas.js +16 -60
package/package.json +2 -1
package/src/testcontainers/index.ts +1 -0
package/src/testcontainers/mas-config.ts +1383 -0
package/src/testcontainers/mas.ts +29 -67

package/lib/testcontainers/mas-config.d.ts ADDED Viewed

@@ -0,0 +1,1328 @@
+/**
+ * This file was automatically generated by json-schema-to-typescript.
+ * DO NOT MODIFY IT BY HAND. Instead, modify the source JSONSchema file,
+ * and run json-schema-to-typescript to regenerate this file.
+ */
+/**
+ * Authentication method used by clients
+ */
+export type ClientAuthMethodConfig = "none" | "client_secret_basic" | "client_secret_post" | "client_secret_jwt" | "private_key_jwt";
+export type JsonWebKeyFor_JsonWebKeyPublicParameters = {
+    "use"?: JsonWebKeyUse;
+    "key_ops"?: JsonWebKeyOperation[];
+    "alg"?: JsonWebSignatureAlg;
+    "kid"?: string;
+    "x5u"?: string;
+    "x5c"?: string[];
+    "x5t"?: string;
+    "x5t#S256"?: string;
+    [k: string]: unknown;
+} & JsonWebKeyFor_JsonWebKeyPublicParameters1;
+/**
+ * JSON Web Key Use
+ */
+export type JsonWebKeyUse = "sig" | "enc";
+/**
+ * JSON Web Key Operation
+ */
+export type JsonWebKeyOperation = "sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits";
+/**
+ * JSON Web Signature "alg" parameter
+ */
+export type JsonWebSignatureAlg = "HS256" | "HS384" | "HS512" | "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "PS256" | "PS384" | "PS512" | "none" | "EdDSA" | "ES256K" | "Ed25519" | "Ed448";
+export type JsonWebKeyFor_JsonWebKeyPublicParameters1 = {
+    kty: "RSA";
+    n: string;
+    e: string;
+    [k: string]: unknown;
+} | {
+    kty: "EC";
+    crv: JsonWebKeyEcEllipticCurve;
+    x: string;
+    y: string;
+    [k: string]: unknown;
+} | {
+    kty: "OKP";
+    crv: JsonWebKeyOkpEllipticCurve;
+    x: string;
+    [k: string]: unknown;
+};
+/**
+ * JSON Web Key EC Elliptic Curve
+ */
+export type JsonWebKeyEcEllipticCurve = "P-256" | "P-384" | "P-521" | "secp256k1";
+/**
+ * JSON Web Key OKP Elliptic Curve
+ */
+export type JsonWebKeyOkpEllipticCurve = "Ed25519" | "Ed448" | "X25519" | "X448";
+/**
+ * HTTP resources to mount
+ */
+export type Resource = {
+    name: "health";
+    [k: string]: unknown;
+} | {
+    name: "prometheus";
+    [k: string]: unknown;
+} | {
+    name: "discovery";
+    [k: string]: unknown;
+} | {
+    name: "human";
+    [k: string]: unknown;
+} | {
+    name: "graphql";
+    /**
+     * Enabled the GraphQL playground
+     */
+    playground?: boolean;
+    /**
+     * Allow access for OAuth 2.0 clients (undocumented)
+     */
+    undocumented_oauth2_access?: boolean;
+    [k: string]: unknown;
+} | {
+    name: "oauth";
+    [k: string]: unknown;
+} | {
+    name: "compat";
+    [k: string]: unknown;
+} | {
+    name: "assets";
+    /**
+     * Path to the directory to serve.
+     */
+    path?: string;
+    [k: string]: unknown;
+} | {
+    name: "adminapi";
+    [k: string]: unknown;
+} | {
+    name: "connection-info";
+    [k: string]: unknown;
+};
+/**
+ * Configuration of a single listener
+ */
+export type BindConfig = {
+    /**
+     * Host on which to listen.
+     *
+     * Defaults to listening on all addresses
+     */
+    host?: string;
+    /**
+     * Port on which to listen.
+     */
+    port: number;
+    [k: string]: unknown;
+} | {
+    /**
+     * Host and port on which to listen
+     */
+    address: string;
+    [k: string]: unknown;
+} | {
+    /**
+     * Path to the socket
+     */
+    socket: string;
+    [k: string]: unknown;
+} | {
+    /**
+     * Index of the file descriptor. Note that this is offseted by 3 because of the standard input/output sockets, so setting here a value of `0` will grab the file descriptor `3`
+     */
+    fd?: number;
+    /**
+     * Whether the socket is a TCP socket or a UNIX domain socket. Defaults to TCP.
+     */
+    kind?: UnixOrTcp & string;
+    [k: string]: unknown;
+};
+/**
+ * Kind of socket
+ */
+export type UnixOrTcp = "unix" | "tcp";
+export type IpNetwork = V4 | V6;
+export type V4 = Ipv4Network;
+export type Ipv4Network = string;
+export type V6 = Ipv6Network;
+export type Ipv6Network = string;
+export type Hostname = string;
+/**
+ * Options for controlling the level of protection provided for PostgreSQL SSL connections.
+ */
+export type PgSslMode = "disable" | "allow" | "prefer" | "require" | "verify-ca" | "verify-full";
+/**
+ * Exporter to use when exporting traces
+ */
+export type TracingExporterKind = "none" | "stdout" | "otlp";
+/**
+ * Propagation format for incoming and outgoing requests
+ */
+export type Propagator = "tracecontext" | "baggage" | "jaeger";
+/**
+ * Exporter to use when exporting metrics
+ */
+export type MetricsExporterKind = "none" | "stdout" | "otlp" | "prometheus";
+/**
+ * What backend should be used when sending emails
+ */
+export type EmailTransportKind = "blackhole" | "smtp" | "sendmail";
+/**
+ * Encryption mode to use
+ */
+export type EmailSmtpMode = "plain" | "starttls" | "tls";
+/**
+ * A hashing algorithm
+ */
+export type Algorithm = "bcrypt" | "argon2id" | "pbkdf2";
+/**
+ * The kind of homeserver it is.
+ */
+export type HomeserverKind = "synapse" | "synapse_read_only" | "synapse_legacy" | "synapse_modern";
+/**
+ * Authentication methods used against the OAuth 2.0 provider
+ */
+export type TokenAuthMethod = "none" | "client_secret_basic" | "client_secret_post" | "client_secret_jwt" | "private_key_jwt" | "sign_in_with_apple";
+/**
+ * How to discover the provider's configuration
+ */
+export type DiscoveryMode = "oidc" | "insecure" | "disabled";
+/**
+ * Whether to use proof key for code exchange (PKCE) when requesting and exchanging the token.
+ */
+export type PkceMethod = "auto" | "always" | "never";
+/**
+ * The response mode we ask the provider to use for the callback
+ */
+export type ResponseMode = "query" | "form_post";
+/**
+ * How to handle a claim
+ */
+export type ImportAction = "ignore" | "suggest" | "force" | "require";
+/**
+ * How to handle an existing localpart claim
+ */
+export type OnConflict = "fail" | "add";
+/**
+ * What to do when receiving an OIDC Backchannel logout request.
+ */
+export type OnBackchannelLogout = "do_nothing" | "logout_browser_only" | "logout_all";
+/**
+ * Which service should be used for CAPTCHA protection
+ */
+export type CaptchaServiceKind = "recaptcha_v2" | "cloudflare_turnstile" | "hcaptcha";
+/**
+ * Application configuration root
+ */
+export interface RootConfig {
+    /**
+     * List of OAuth 2.0/OIDC clients config
+     */
+    clients?: ClientConfig[];
+    /**
+     * Configuration of the HTTP server
+     */
+    http?: HttpConfig;
+    /**
+     * Database connection configuration
+     */
+    database?: DatabaseConfig;
+    /**
+     * Configuration related to sending monitoring data
+     */
+    telemetry?: TelemetryConfig;
+    /**
+     * Configuration related to templates
+     */
+    templates?: TemplatesConfig;
+    /**
+     * Configuration related to sending emails
+     */
+    email?: EmailConfig;
+    /**
+     * Application secrets
+     */
+    secrets: SecretsConfig;
+    /**
+     * Configuration related to user passwords
+     */
+    passwords?: PasswordsConfig;
+    /**
+     * Configuration related to the homeserver
+     */
+    matrix: MatrixConfig;
+    /**
+     * Configuration related to the OPA policies
+     */
+    policy?: PolicyConfig;
+    /**
+     * Configuration related to limiting the rate of user actions to prevent abuse
+     */
+    rate_limiting?: RateLimitingConfig;
+    /**
+     * Configuration related to upstream OAuth providers
+     */
+    upstream_oauth2?: UpstreamOAuth2Config;
+    /**
+     * Configuration section for tweaking the branding of the service
+     */
+    branding?: BrandingConfig;
+    /**
+     * Configuration section to setup CAPTCHA protection on a few operations
+     */
+    captcha?: CaptchaConfig;
+    /**
+     * Configuration section to configure features related to account management
+     */
+    account?: AccountConfig;
+    /**
+     * Experimental configuration options
+     */
+    experimental?: ExperimentalConfig;
+    [k: string]: unknown;
+}
+/**
+ * An OAuth 2.0 client configuration
+ */
+export interface ClientConfig {
+    /**
+     * A ULID as per https://github.com/ulid/spec
+     */
+    client_id: string;
+    /**
+     * Authentication method used for this client
+     */
+    client_auth_method: ClientAuthMethodConfig;
+    /**
+     * Name of the `OAuth2` client
+     */
+    client_name?: string;
+    /**
+     * The client secret, used by the `client_secret_basic`, `client_secret_post` and `client_secret_jwt` authentication methods
+     */
+    client_secret?: string;
+    /**
+     * The JSON Web Key Set (JWKS) used by the `private_key_jwt` authentication method. Mutually exclusive with `jwks_uri`
+     */
+    jwks?: JsonWebKeySetFor_JsonWebKeyPublicParameters;
+    /**
+     * The URL of the JSON Web Key Set (JWKS) used by the `private_key_jwt` authentication method. Mutually exclusive with `jwks`
+     */
+    jwks_uri?: string;
+    /**
+     * List of allowed redirect URIs
+     */
+    redirect_uris?: string[];
+    [k: string]: unknown;
+}
+export interface JsonWebKeySetFor_JsonWebKeyPublicParameters {
+    keys: JsonWebKeyFor_JsonWebKeyPublicParameters[];
+    [k: string]: unknown;
+}
+/**
+ * Configuration related to the web server
+ */
+export interface HttpConfig {
+    /**
+     * List of listeners to run
+     */
+    listeners?: ListenerConfig[];
+    /**
+     * List of trusted reverse proxies that can set the `X-Forwarded-For` header
+     */
+    trusted_proxies?: IpNetwork[];
+    /**
+     * Public URL base from where the authentication service is reachable
+     */
+    public_base: string;
+    /**
+     * OIDC issuer URL. Defaults to `public_base` if not set.
+     */
+    issuer?: string;
+    [k: string]: unknown;
+}
+/**
+ * Configuration of a listener
+ */
+export interface ListenerConfig {
+    /**
+     * A unique name for this listener which will be shown in traces and in metrics labels
+     */
+    name?: string;
+    /**
+     * List of resources to mount
+     */
+    resources: Resource[];
+    /**
+     * HTTP prefix to mount the resources on
+     */
+    prefix?: string;
+    /**
+     * List of sockets to bind
+     */
+    binds: BindConfig[];
+    /**
+     * Accept `HAProxy`'s Proxy Protocol V1
+     */
+    proxy_protocol?: boolean;
+    /**
+     * If set, makes the listener use TLS with the provided certificate and key
+     */
+    tls?: TlsConfig;
+    [k: string]: unknown;
+}
+/**
+ * Configuration related to TLS on a listener
+ */
+export interface TlsConfig {
+    /**
+     * PEM-encoded X509 certificate chain
+     *
+     * Exactly one of `certificate` or `certificate_file` must be set.
+     */
+    certificate?: string;
+    /**
+     * File containing the PEM-encoded X509 certificate chain
+     *
+     * Exactly one of `certificate` or `certificate_file` must be set.
+     */
+    certificate_file?: string;
+    /**
+     * PEM-encoded private key
+     *
+     * Exactly one of `key` or `key_file` must be set.
+     */
+    key?: string;
+    /**
+     * File containing a PEM or DER-encoded private key
+     *
+     * Exactly one of `key` or `key_file` must be set.
+     */
+    key_file?: string;
+    /**
+     * Password used to decode the private key
+     *
+     * One of `password` or `password_file` must be set if the key is encrypted.
+     */
+    password?: string;
+    /**
+     * Password file used to decode the private key
+     *
+     * One of `password` or `password_file` must be set if the key is encrypted.
+     */
+    password_file?: string;
+    [k: string]: unknown;
+}
+/**
+ * Database connection configuration
+ */
+export interface DatabaseConfig {
+    /**
+     * Connection URI
+     *
+     * This must not be specified if `host`, `port`, `socket`, `username`, `password`, or `database` are specified.
+     */
+    uri?: string;
+    /**
+     * Name of host to connect to
+     *
+     * This must not be specified if `uri` is specified.
+     */
+    host?: Hostname;
+    /**
+     * Port number to connect at the server host
+     *
+     * This must not be specified if `uri` is specified.
+     */
+    port?: number;
+    /**
+     * Directory containing the UNIX socket to connect to
+     *
+     * This must not be specified if `uri` is specified.
+     */
+    socket?: string;
+    /**
+     * PostgreSQL user name to connect as
+     *
+     * This must not be specified if `uri` is specified.
+     */
+    username?: string;
+    /**
+     * Password to be used if the server demands password authentication
+     *
+     * This must not be specified if `uri` is specified.
+     */
+    password?: string;
+    /**
+     * The database name
+     *
+     * This must not be specified if `uri` is specified.
+     */
+    database?: string;
+    /**
+     * How to handle SSL connections
+     */
+    ssl_mode?: PgSslMode;
+    /**
+     * The PEM-encoded root certificate for SSL connections
+     *
+     * This must not be specified if the `ssl_ca_file` option is specified.
+     */
+    ssl_ca?: string;
+    /**
+     * Path to the root certificate for SSL connections
+     *
+     * This must not be specified if the `ssl_ca` option is specified.
+     */
+    ssl_ca_file?: string;
+    /**
+     * The PEM-encoded client certificate for SSL connections
+     *
+     * This must not be specified if the `ssl_certificate_file` option is specified.
+     */
+    ssl_certificate?: string;
+    /**
+     * Path to the client certificate for SSL connections
+     *
+     * This must not be specified if the `ssl_certificate` option is specified.
+     */
+    ssl_certificate_file?: string;
+    /**
+     * The PEM-encoded client key for SSL connections
+     *
+     * This must not be specified if the `ssl_key_file` option is specified.
+     */
+    ssl_key?: string;
+    /**
+     * Path to the client key for SSL connections
+     *
+     * This must not be specified if the `ssl_key` option is specified.
+     */
+    ssl_key_file?: string;
+    /**
+     * Set the maximum number of connections the pool should maintain
+     */
+    max_connections?: number;
+    /**
+     * Set the minimum number of connections the pool should maintain
+     */
+    min_connections?: number;
+    /**
+     * Set the amount of time to attempt connecting to the database
+     */
+    connect_timeout?: number;
+    /**
+     * Set a maximum idle duration for individual connections
+     */
+    idle_timeout?: number;
+    /**
+     * Set the maximum lifetime of individual connections
+     */
+    max_lifetime?: number;
+    [k: string]: unknown;
+}
+/**
+ * Configuration related to sending monitoring data
+ */
+export interface TelemetryConfig {
+    /**
+     * Configuration related to exporting traces
+     */
+    tracing?: TracingConfig;
+    /**
+     * Configuration related to exporting metrics
+     */
+    metrics?: MetricsConfig;
+    /**
+     * Configuration related to the Sentry integration
+     */
+    sentry?: SentryConfig;
+    [k: string]: unknown;
+}
+/**
+ * Configuration related to exporting traces
+ */
+export interface TracingConfig {
+    /**
+     * Exporter to use when exporting traces
+     */
+    exporter?: TracingExporterKind & string;
+    /**
+     * OTLP exporter: OTLP over HTTP compatible endpoint
+     */
+    endpoint?: string;
+    /**
+     * List of propagation formats to use for incoming and outgoing requests
+     */
+    propagators?: Propagator[];
+    /**
+     * Sample rate for traces
+     *
+     * Defaults to `1.0` if not set.
+     */
+    sample_rate?: number;
+    [k: string]: unknown;
+}
+/**
+ * Configuration related to exporting metrics
+ */
+export interface MetricsConfig {
+    /**
+     * Exporter to use when exporting metrics
+     */
+    exporter?: MetricsExporterKind & string;
+    /**
+     * OTLP exporter: OTLP over HTTP compatible endpoint
+     */
+    endpoint?: string;
+    [k: string]: unknown;
+}
+/**
+ * Configuration related to the Sentry integration
+ */
+export interface SentryConfig {
+    /**
+     * Sentry DSN
+     */
+    dsn?: string;
+    /**
+     * Environment to use when sending events to Sentry
+     *
+     * Defaults to `production` if not set.
+     */
+    environment?: string;
+    /**
+     * Sample rate for event submissions
+     *
+     * Defaults to `1.0` if not set.
+     */
+    sample_rate?: number;
+    /**
+     * Sample rate for tracing transactions
+     *
+     * Defaults to `0.0` if not set.
+     */
+    traces_sample_rate?: number;
+    [k: string]: unknown;
+}
+/**
+ * Configuration related to templates
+ */
+export interface TemplatesConfig {
+    /**
+     * Path to the folder which holds the templates
+     */
+    path?: string;
+    /**
+     * Path to the assets manifest
+     */
+    assets_manifest?: string;
+    /**
+     * Path to the translations
+     */
+    translations_path?: string;
+    [k: string]: unknown;
+}
+/**
+ * Configuration related to sending emails
+ */
+export interface EmailConfig {
+    /**
+     * Email address to use as From when sending emails
+     */
+    from?: string;
+    /**
+     * Email address to use as Reply-To when sending emails
+     */
+    reply_to?: string;
+    /**
+     * What backend should be used when sending emails
+     */
+    transport: EmailTransportKind;
+    /**
+     * SMTP transport: Connection mode to the relay
+     */
+    mode?: EmailSmtpMode;
+    /**
+     * SMTP transport: Hostname to connect to
+     */
+    hostname?: Hostname;
+    /**
+     * SMTP transport: Port to connect to. Default is 25 for plain, 465 for TLS and 587 for `StartTLS`
+     */
+    port?: number;
+    /**
+     * SMTP transport: Username for use to authenticate when connecting to the SMTP server
+     *
+     * Must be set if the `password` field is set
+     */
+    username?: string;
+    /**
+     * SMTP transport: Password for use to authenticate when connecting to the SMTP server
+     *
+     * Must be set if the `username` field is set
+     */
+    password?: string;
+    /**
+     * Sendmail transport: Command to use to send emails
+     */
+    command?: string;
+    [k: string]: unknown;
+}
+/**
+ * Application secrets
+ */
+export interface SecretsConfig {
+    /**
+     * List of private keys to use for signing and encrypting payloads
+     */
+    keys?: KeyConfig[];
+    /**
+     * File containing the encryption key for secure cookies.
+     */
+    encryption_file?: string;
+    /**
+     * Encryption key for secure cookies.
+     */
+    encryption?: string;
+    [k: string]: unknown;
+}
+/**
+ * A single key with its key ID and optional password.
+ */
+export interface KeyConfig {
+    kid: string;
+    password_file?: string;
+    password?: string;
+    key_file?: string;
+    key?: string;
+    [k: string]: unknown;
+}
+/**
+ * User password hashing config
+ */
+export interface PasswordsConfig {
+    /**
+     * Whether password-based authentication is enabled
+     */
+    enabled?: boolean;
+    /**
+     * The hashing schemes to use for hashing and validating passwords
+     *
+     * The hashing scheme with the highest version number will be used for hashing new passwords.
+     */
+    schemes?: HashingScheme[];
+    /**
+     * Score between 0 and 4 determining the minimum allowed password complexity. Scores are based on the ESTIMATED number of guesses needed to guess the password.
+     *
+     * - 0: less than 10^2 (100) - 1: less than 10^4 (10'000) - 2: less than 10^6 (1'000'000) - 3: less than 10^8 (100'000'000) - 4: any more than that
+     */
+    minimum_complexity?: number;
+    [k: string]: unknown;
+}
+/**
+ * Parameters for a password hashing scheme
+ */
+export interface HashingScheme {
+    /**
+     * The version of the hashing scheme. They must be unique, and the highest version will be used for hashing new passwords.
+     */
+    version: number;
+    /**
+     * The hashing algorithm to use
+     */
+    algorithm: Algorithm;
+    /**
+     * Whether to apply Unicode normalization to the password before hashing
+     *
+     * Defaults to `false`, and generally recommended to stay false. This is although recommended when importing password hashs from Synapse, as it applies an NFKC normalization to the password before hashing it.
+     */
+    unicode_normalization?: boolean;
+    /**
+     * Cost for the bcrypt algorithm
+     */
+    cost?: number;
+    /**
+     * An optional secret to use when hashing passwords. This makes it harder to brute-force the passwords in case of a database leak.
+     */
+    secret?: string;
+    /**
+     * Same as `secret`, but read from a file.
+     */
+    secret_file?: string;
+    [k: string]: unknown;
+}
+/**
+ * Configuration related to the Matrix homeserver
+ */
+export interface MatrixConfig {
+    /**
+     * The kind of homeserver it is.
+     */
+    kind?: HomeserverKind & string;
+    /**
+     * The server name of the homeserver.
+     */
+    homeserver?: string;
+    /**
+     * Shared secret to use for calls to the admin API
+     */
+    secret: string;
+    /**
+     * The base URL of the homeserver's client API
+     */
+    endpoint?: string;
+    [k: string]: unknown;
+}
+/**
+ * Application secrets
+ */
+export interface PolicyConfig {
+    /**
+     * Path to the WASM module
+     */
+    wasm_module?: string;
+    /**
+     * Entrypoint to use when evaluating client registrations
+     */
+    client_registration_entrypoint?: string;
+    /**
+     * Entrypoint to use when evaluating user registrations
+     */
+    register_entrypoint?: string;
+    /**
+     * Entrypoint to use when evaluating authorization grants
+     */
+    authorization_grant_entrypoint?: string;
+    /**
+     * Entrypoint to use when changing password
+     */
+    password_entrypoint?: string;
+    /**
+     * Entrypoint to use when adding an email address
+     */
+    email_entrypoint?: string;
+    /**
+     * Arbitrary data to pass to the policy
+     */
+    data?: {
+        [k: string]: unknown;
+    };
+    [k: string]: unknown;
+}
+/**
+ * Configuration related to sending emails
+ */
+export interface RateLimitingConfig {
+    /**
+     * Account Recovery-specific rate limits
+     */
+    account_recovery?: AccountRecoveryRateLimitingConfig;
+    /**
+     * Login-specific rate limits
+     */
+    login?: LoginRateLimitingConfig;
+    /**
+     * Controls how many registrations attempts are permitted based on source address.
+     */
+    registration?: RateLimiterConfiguration;
+    /**
+     * Email authentication-specific rate limits
+     */
+    email_authentication?: EmailauthenticationRateLimitingConfig;
+    [k: string]: unknown;
+}
+export interface AccountRecoveryRateLimitingConfig {
+    /**
+     * Controls how many account recovery attempts are permitted based on source IP address. This can protect against causing e-mail spam to many targets.
+     *
+     * Note: this limit also applies to re-sends.
+     */
+    per_ip?: RateLimiterConfiguration;
+    /**
+     * Controls how many account recovery attempts are permitted based on the e-mail address entered into the recovery form. This can protect against causing e-mail spam to one target.
+     *
+     * Note: this limit also applies to re-sends.
+     */
+    per_address?: RateLimiterConfiguration;
+    [k: string]: unknown;
+}
+export interface RateLimiterConfiguration {
+    /**
+     * A one-off burst of actions that the user can perform in one go without waiting.
+     */
+    burst: number;
+    /**
+     * How quickly the allowance replenishes, in number of actions per second. Can be fractional to replenish slower.
+     */
+    per_second: number;
+    [k: string]: unknown;
+}
+export interface LoginRateLimitingConfig {
+    /**
+     * Controls how many login attempts are permitted based on source IP address. This can protect against brute force login attempts.
+     *
+     * Note: this limit also applies to password checks when a user attempts to change their own password.
+     */
+    per_ip?: RateLimiterConfiguration;
+    /**
+     * Controls how many login attempts are permitted based on the account that is being attempted to be logged into. This can protect against a distributed brute force attack but should be set high enough to prevent someone's account being casually locked out.
+     *
+     * Note: this limit also applies to password checks when a user attempts to change their own password.
+     */
+    per_account?: RateLimiterConfiguration;
+    [k: string]: unknown;
+}
+export interface EmailauthenticationRateLimitingConfig {
+    /**
+     * Controls how many email authentication attempts are permitted based on the source IP address. This can protect against causing e-mail spam to many targets.
+     */
+    per_ip?: RateLimiterConfiguration;
+    /**
+     * Controls how many email authentication attempts are permitted based on the e-mail address entered into the authentication form. This can protect against causing e-mail spam to one target.
+     *
+     * Note: this limit also applies to re-sends.
+     */
+    per_address?: RateLimiterConfiguration;
+    /**
+     * Controls how many authentication emails are permitted to be sent per authentication session. This ensures not too many authentication codes are created for the same authentication session.
+     */
+    emails_per_session?: RateLimiterConfiguration;
+    /**
+     * Controls how many code authentication attempts are permitted per authentication session. This can protect against brute-forcing the code.
+     */
+    attempt_per_session?: RateLimiterConfiguration;
+    [k: string]: unknown;
+}
+/**
+ * Upstream OAuth 2.0 providers configuration
+ */
+export interface UpstreamOAuth2Config {
+    /**
+     * List of OAuth 2.0 providers
+     */
+    providers: Provider[];
+    [k: string]: unknown;
+}
+/**
+ * Configuration for one upstream OAuth 2 provider.
+ */
+export interface Provider {
+    /**
+     * Whether this provider is enabled.
+     *
+     * Defaults to `true`
+     */
+    enabled?: boolean;
+    /**
+     * A ULID as per https://github.com/ulid/spec
+     */
+    id: string;
+    /**
+     * The ID of the provider that was used by Synapse. In order to perform a Synapse-to-MAS migration, this must be specified.
+     *
+     * ## For providers that used OAuth 2.0 or OpenID Connect in Synapse
+     *
+     * ### For `oidc_providers`: This should be specified as `oidc-` followed by the ID that was configured as `idp_id` in one of the `oidc_providers` in the Synapse configuration. For example, if Synapse's configuration contained `idp_id: wombat` for this provider, then specify `oidc-wombat` here.
+     *
+     * ### For `oidc_config` (legacy): Specify `oidc` here.
+     */
+    synapse_idp_id?: string;
+    /**
+     * The OIDC issuer URL
+     *
+     * This is required if OIDC discovery is enabled (which is the default)
+     */
+    issuer?: string;
+    /**
+     * A human-readable name for the provider, that will be shown to users
+     */
+    human_name?: string;
+    /**
+     * A brand identifier used to customise the UI, e.g. `apple`, `google`, `github`, etc.
+     *
+     * Values supported by the default template are:
+     *
+     * - `apple` - `google` - `facebook` - `github` - `gitlab` - `twitter` - `discord`
+     */
+    brand_name?: string;
+    /**
+     * The client ID to use when authenticating with the provider
+     */
+    client_id: string;
+    /**
+     * The client secret to use when authenticating with the provider
+     *
+     * Used by the `client_secret_basic`, `client_secret_post`, and `client_secret_jwt` methods
+     */
+    client_secret?: string;
+    /**
+     * The method to authenticate the client with the provider
+     */
+    token_endpoint_auth_method: TokenAuthMethod;
+    /**
+     * Additional parameters for the `sign_in_with_apple` method
+     */
+    sign_in_with_apple?: SignInWithApple;
+    /**
+     * The JWS algorithm to use when authenticating the client with the provider
+     *
+     * Used by the `client_secret_jwt` and `private_key_jwt` methods
+     */
+    token_endpoint_auth_signing_alg?: JsonWebSignatureAlg;
+    /**
+     * Expected signature for the JWT payload returned by the token authentication endpoint.
+     *
+     * Defaults to `RS256`.
+     */
+    id_token_signed_response_alg?: JsonWebSignatureAlg;
+    /**
+     * The scopes to request from the provider
+     *
+     * Defaults to `openid`.
+     */
+    scope?: string;
+    /**
+     * How to discover the provider's configuration
+     *
+     * Defaults to `oidc`, which uses OIDC discovery with strict metadata verification
+     */
+    discovery_mode?: DiscoveryMode;
+    /**
+     * Whether to use proof key for code exchange (PKCE) when requesting and exchanging the token.
+     *
+     * Defaults to `auto`, which uses PKCE if the provider supports it.
+     */
+    pkce_method?: PkceMethod;
+    /**
+     * Whether to fetch the user profile from the userinfo endpoint, or to rely on the data returned in the `id_token` from the `token_endpoint`.
+     *
+     * Defaults to `false`.
+     */
+    fetch_userinfo?: boolean;
+    /**
+     * Expected signature for the JWT payload returned by the userinfo endpoint.
+     *
+     * If not specified, the response is expected to be an unsigned JSON payload.
+     */
+    userinfo_signed_response_alg?: JsonWebSignatureAlg;
+    /**
+     * The URL to use for the provider's authorization endpoint
+     *
+     * Defaults to the `authorization_endpoint` provided through discovery
+     */
+    authorization_endpoint?: string;
+    /**
+     * The URL to use for the provider's userinfo endpoint
+     *
+     * Defaults to the `userinfo_endpoint` provided through discovery
+     */
+    userinfo_endpoint?: string;
+    /**
+     * The URL to use for the provider's token endpoint
+     *
+     * Defaults to the `token_endpoint` provided through discovery
+     */
+    token_endpoint?: string;
+    /**
+     * The URL to use for getting the provider's public keys
+     *
+     * Defaults to the `jwks_uri` provided through discovery
+     */
+    jwks_uri?: string;
+    /**
+     * The response mode we ask the provider to use for the callback
+     */
+    response_mode?: ResponseMode;
+    /**
+     * How claims should be imported from the `id_token` provided by the provider
+     */
+    claims_imports?: ClaimsImports;
+    /**
+     * Additional parameters to include in the authorization request
+     *
+     * Orders of the keys are not preserved.
+     */
+    additional_authorization_parameters?: {
+        [k: string]: string;
+    };
+    /**
+     * Whether the `login_hint` should be forwarded to the provider in the authorization request.
+     *
+     * Defaults to `false`.
+     */
+    forward_login_hint?: boolean;
+    /**
+     * What to do when receiving an OIDC Backchannel logout request.
+     *
+     * Defaults to "do_nothing".
+     */
+    on_backchannel_logout?: OnBackchannelLogout;
+    [k: string]: unknown;
+}
+export interface SignInWithApple {
+    /**
+     * The private key file used to sign the `id_token`
+     */
+    private_key_file?: string;
+    /**
+     * The private key used to sign the `id_token`
+     */
+    private_key?: string;
+    /**
+     * The Team ID of the Apple Developer Portal
+     */
+    team_id: string;
+    /**
+     * The key ID of the Apple Developer Portal
+     */
+    key_id: string;
+    [k: string]: unknown;
+}
+/**
+ * How claims should be imported
+ */
+export interface ClaimsImports {
+    /**
+     * How to determine the subject of the user
+     */
+    subject?: SubjectImportPreference;
+    /**
+     * Import the localpart of the MXID
+     */
+    localpart?: LocalpartImportPreference;
+    /**
+     * Import the displayname of the user.
+     */
+    displayname?: DisplaynameImportPreference;
+    /**
+     * Import the email address of the user based on the `email` and `email_verified` claims
+     */
+    email?: EmailImportPreference;
+    /**
+     * Set a human-readable name for the upstream account for display purposes
+     */
+    account_name?: AccountNameImportPreference;
+    [k: string]: unknown;
+}
+/**
+ * What should be done for the subject attribute
+ */
+export interface SubjectImportPreference {
+    /**
+     * The Jinja2 template to use for the subject attribute
+     *
+     * If not provided, the default template is `{{ user.sub }}`
+     */
+    template?: string;
+    [k: string]: unknown;
+}
+/**
+ * What should be done for the localpart attribute
+ */
+export interface LocalpartImportPreference {
+    /**
+     * How to handle the attribute
+     */
+    action?: ImportAction;
+    /**
+     * The Jinja2 template to use for the localpart attribute
+     *
+     * If not provided, the default template is `{{ user.preferred_username }}`
+     */
+    template?: string;
+    /**
+     * How to handle conflicts on the claim, default value is `Fail`
+     */
+    on_conflict?: OnConflict;
+    [k: string]: unknown;
+}
+/**
+ * What should be done for the displayname attribute
+ */
+export interface DisplaynameImportPreference {
+    /**
+     * How to handle the attribute
+     */
+    action?: ImportAction;
+    /**
+     * The Jinja2 template to use for the displayname attribute
+     *
+     * If not provided, the default template is `{{ user.name }}`
+     */
+    template?: string;
+    [k: string]: unknown;
+}
+/**
+ * What should be done with the email attribute
+ */
+export interface EmailImportPreference {
+    /**
+     * How to handle the claim
+     */
+    action?: ImportAction;
+    /**
+     * The Jinja2 template to use for the email address attribute
+     *
+     * If not provided, the default template is `{{ user.email }}`
+     */
+    template?: string;
+    [k: string]: unknown;
+}
+/**
+ * What should be done for the account name attribute
+ */
+export interface AccountNameImportPreference {
+    /**
+     * The Jinja2 template to use for the account name. This name is only used for display purposes.
+     *
+     * If not provided, it will be ignored.
+     */
+    template?: string;
+    [k: string]: unknown;
+}
+/**
+ * Configuration section for tweaking the branding of the service
+ */
+export interface BrandingConfig {
+    /**
+     * A human-readable name. Defaults to the server's address.
+     */
+    service_name?: string;
+    /**
+     * Link to a privacy policy, displayed in the footer of web pages and emails. It is also advertised to clients through the `op_policy_uri` OIDC provider metadata.
+     */
+    policy_uri?: string;
+    /**
+     * Link to a terms of service document, displayed in the footer of web pages and emails. It is also advertised to clients through the `op_tos_uri` OIDC provider metadata.
+     */
+    tos_uri?: string;
+    /**
+     * Legal imprint, displayed in the footer in the footer of web pages and emails.
+     */
+    imprint?: string;
+    /**
+     * Logo displayed in some web pages.
+     */
+    logo_uri?: string;
+    [k: string]: unknown;
+}
+/**
+ * Configuration section to setup CAPTCHA protection on a few operations
+ */
+export interface CaptchaConfig {
+    /**
+     * Which service should be used for CAPTCHA protection
+     */
+    service?: CaptchaServiceKind;
+    /**
+     * The site key to use
+     */
+    site_key?: string;
+    /**
+     * The secret key to use
+     */
+    secret_key?: string;
+    [k: string]: unknown;
+}
+/**
+ * Configuration section to configure features related to account management
+ */
+export interface AccountConfig {
+    /**
+     * Whether users are allowed to change their email addresses. Defaults to `true`.
+     */
+    email_change_allowed?: boolean;
+    /**
+     * Whether users are allowed to change their display names. Defaults to `true`.
+     *
+     * This should be in sync with the policy in the homeserver configuration.
+     */
+    displayname_change_allowed?: boolean;
+    /**
+     * Whether to enable self-service password registration. Defaults to `false` if password authentication is enabled.
+     *
+     * This has no effect if password login is disabled.
+     */
+    password_registration_enabled?: boolean;
+    /**
+     * Whether users are allowed to change their passwords. Defaults to `true`.
+     *
+     * This has no effect if password login is disabled.
+     */
+    password_change_allowed?: boolean;
+    /**
+     * Whether email-based password recovery is enabled. Defaults to `false`.
+     *
+     * This has no effect if password login is disabled.
+     */
+    password_recovery_enabled?: boolean;
+    /**
+     * Whether users are allowed to delete their own account. Defaults to `true`.
+     */
+    account_deactivation_allowed?: boolean;
+    /**
+     * Whether users can log in with their email address. Defaults to `false`.
+     *
+     * This has no effect if password login is disabled.
+     */
+    login_with_email_allowed?: boolean;
+    /**
+     * Whether registration tokens are required for password registrations. Defaults to `false`.
+     *
+     * When enabled, users must provide a valid registration token during password registration. This has no effect if password registration is disabled.
+     */
+    registration_token_required?: boolean;
+    [k: string]: unknown;
+}
+/**
+ * Configuration sections for experimental options
+ *
+ * Do not change these options unless you know what you are doing.
+ */
+export interface ExperimentalConfig {
+    /**
+     * Time-to-live of access tokens in seconds. Defaults to 5 minutes.
+     */
+    access_token_ttl?: number;
+    /**
+     * Time-to-live of compatibility access tokens in seconds. Defaults to 5 minutes.
+     */
+    compat_token_ttl?: number;
+    /**
+     * Experimetal feature to automatically expire inactive sessions
+     *
+     * Disabled by default
+     */
+    inactive_session_expiration?: InactiveSessionExpirationConfig;
+    /**
+     * Experimental feature to show a plan management tab and iframe. This value is passed through "as is" to the client without any validation.
+     */
+    plan_management_iframe_uri?: string;
+    [k: string]: unknown;
+}
+/**
+ * Configuration options for the inactive session expiration feature
+ */
+export interface InactiveSessionExpirationConfig {
+    /**
+     * Time after which an inactive session is automatically finished
+     */
+    ttl: number;
+    /**
+     * Should compatibility sessions expire after inactivity
+     */
+    expire_compat_sessions?: boolean;
+    /**
+     * Should OAuth 2.0 sessions expire after inactivity
+     */
+    expire_oauth_sessions?: boolean;
+    /**
+     * Should user sessions expire after inactivity
+     */
+    expire_user_sessions?: boolean;
+    [k: string]: unknown;
+}
+//# sourceMappingURL=mas-config.d.ts.map