@prsm/auth 1.0.0

package/types/auth-context.d.ts

@@ -0,0 +1,88 @@
+/**
+ * Create a requestless auth context for scripts, workers, cron jobs, and admin
+ * tasks. The same object doubles as the binding surface for the @prsm/devtools
+ * admin panel: it exposes read methods (listAccounts, getAccount, getStats,
+ * recent activity, roles) and control actions (role/status/force-logout/etc),
+ * all duck-typed so devtools needs no @prsm/auth dependency.
+ * @param {AuthConfig} config
+ */
+export function createAuthContext(config: AuthConfig): {
+    createUser: (credentials: any, userId: any, callback: any) => Promise<import("./types.js").AuthAccount>;
+    register: (email: any, password: any, userId: any, callback: any) => Promise<import("./types.js").AuthAccount>;
+    deleteUserBy: (identifier: any) => Promise<void>;
+    addRoleForUserBy: (identifier: any, role: any) => Promise<void>;
+    removeRoleForUserBy: (identifier: any, role: any) => Promise<void>;
+    hasRoleForUserBy: (identifier: any, role: any) => Promise<boolean>;
+    changePasswordForUserBy: (identifier: any, password: any) => Promise<void>;
+    setStatusForUserBy: (identifier: any, status: any) => Promise<void>;
+    initiatePasswordResetForUserBy: (identifier: any, expiresAfter: any, callback: any) => Promise<void>;
+    resetPassword: (email: any, expiresAfter: any, maxOpenRequests: any, callback: any) => Promise<void>;
+    confirmResetPassword: (token: any, password: any) => Promise<{
+        accountId: number;
+        email: string;
+    }>;
+    userExistsByEmail: (email: any) => Promise<boolean>;
+    forceLogoutForUserBy: (identifier: any) => Promise<{
+        accountId: number;
+    }>;
+    /**
+     * @param {{ limit?: number, offset?: number, search?: string }} [opts]
+     * @returns {Promise<{ accounts: AuthAccount[], total: number }>}
+     */
+    listAccounts(opts?: {
+        limit?: number;
+        offset?: number;
+        search?: string;
+    }): Promise<{
+        accounts: AuthAccount[];
+        total: number;
+    }>;
+    /**
+     * @param {UserIdentifier} identifier
+     * @returns {Promise<AuthAccount>}
+     */
+    getAccount(identifier: UserIdentifier): Promise<AuthAccount>;
+    /**
+     * @param {number} accountId
+     */
+    getProvidersForAccount: (accountId: number) => Promise<import("./types.js").AuthProvider[]>;
+    /**
+     * @param {number} accountId
+     */
+    getTwoFactorMethods: (accountId: number) => Promise<import("./types.js").TwoFactorMethod[]>;
+    /**
+     * The role name -> bit map devtools renders, defaulting to AuthRole.
+     * @returns {Record<string, number>}
+     */
+    getRoles: () => Record<string, number>;
+    /**
+     * The status code -> name map devtools renders for account status.
+     * @returns {Record<string, number>}
+     */
+    getStatuses: () => Record<string, number>;
+    /**
+     * The 2FA mechanism code -> name map devtools renders.
+     * @returns {Record<string, number>}
+     */
+    getMechanisms: () => Record<string, number>;
+    /**
+     * @returns {Promise<ReturnType<typeof import("./schema.js").getAuthTableStats>>}
+     */
+    getStats: () => Promise<ReturnType<typeof import("./schema.js").getAuthTableStats>>;
+    /**
+     * @param {number} [limit]
+     * @param {number} [accountId]
+     */
+    getRecentActivity: (limit?: number, accountId?: number) => Promise<import("./types.js").AuthActivity[]>;
+    getActivityStats: () => Promise<{
+        totalEntries: number;
+        uniqueUsers: number;
+        recentLogins: number;
+        failedAttempts: number;
+    }>;
+};
+export type AuthConfig = import("./types.js").AuthConfig;
+export type TokenCallback = import("./types.js").TokenCallback;
+export type AuthAccount = import("./types.js").AuthAccount;
+export type UserIdentifier = import("./types.js").UserIdentifier;
+export type AuthContext = ReturnType<typeof createAuthContext>;

package/types/auth-functions.d.ts

@@ -0,0 +1,151 @@
+/**
+ * Resolve the account for an incoming request via session or remember-me cookie.
+ * @param {AuthConfig} config
+ * @param {import("http").IncomingMessage} req
+ * @param {(req: any, res: any, next: () => void) => void} [sessionMiddleware]
+ * @returns {Promise<AuthenticateRequestResult>}
+ */
+export function authenticateRequest(config: AuthConfig, req: import("http").IncomingMessage, sessionMiddleware?: (req: any, res: any, next: () => void) => void): Promise<AuthenticateRequestResult>;
+/**
+ * Create a new local account. When a callback is provided the account starts
+ * unverified and a confirmation token is generated.
+ * @param {AuthConfig} config
+ * @param {{ email: string, password: string }} credentials
+ * @param {string | number} [userId]
+ * @param {TokenCallback} [callback]
+ * @returns {Promise<AuthAccount>}
+ * @throws {EmailTakenError}
+ */
+export function createUser(config: AuthConfig, credentials: {
+    email: string;
+    password: string;
+}, userId?: string | number, callback?: TokenCallback): Promise<AuthAccount>;
+/**
+ * Register a new local account. When a callback is provided the account starts
+ * unverified and a confirmation token is generated.
+ * @param {AuthConfig} config
+ * @param {string} email
+ * @param {string} password
+ * @param {string | number} [userId]
+ * @param {TokenCallback} [callback]
+ * @returns {Promise<AuthAccount>}
+ * @throws {EmailTakenError}
+ */
+export function register(config: AuthConfig, email: string, password: string, userId?: string | number, callback?: TokenCallback): Promise<AuthAccount>;
+/**
+ * Delete the account matched by the identifier.
+ * @param {AuthConfig} config
+ * @param {UserIdentifier} identifier
+ * @returns {Promise<void>}
+ * @throws {UserNotFoundError}
+ */
+export function deleteUserBy(config: AuthConfig, identifier: UserIdentifier): Promise<void>;
+/**
+ * Add a role bit to the account's rolemask.
+ * @param {AuthConfig} config
+ * @param {UserIdentifier} identifier
+ * @param {number} role
+ * @returns {Promise<void>}
+ * @throws {UserNotFoundError}
+ */
+export function addRoleForUserBy(config: AuthConfig, identifier: UserIdentifier, role: number): Promise<void>;
+/**
+ * Remove a role bit from the account's rolemask.
+ * @param {AuthConfig} config
+ * @param {UserIdentifier} identifier
+ * @param {number} role
+ * @returns {Promise<void>}
+ * @throws {UserNotFoundError}
+ */
+export function removeRoleForUserBy(config: AuthConfig, identifier: UserIdentifier, role: number): Promise<void>;
+/**
+ * Check whether the account has every bit in the given role mask.
+ * @param {AuthConfig} config
+ * @param {UserIdentifier} identifier
+ * @param {number} role
+ * @returns {Promise<boolean>}
+ * @throws {UserNotFoundError}
+ */
+export function hasRoleForUserBy(config: AuthConfig, identifier: UserIdentifier, role: number): Promise<boolean>;
+/**
+ * Change the password for the account matched by the identifier.
+ * @param {AuthConfig} config
+ * @param {UserIdentifier} identifier
+ * @param {string} password
+ * @returns {Promise<void>}
+ * @throws {UserNotFoundError}
+ * @throws {InvalidPasswordError}
+ */
+export function changePasswordForUserBy(config: AuthConfig, identifier: UserIdentifier, password: string): Promise<void>;
+/**
+ * Set the status code for the account matched by the identifier.
+ * @param {AuthConfig} config
+ * @param {UserIdentifier} identifier
+ * @param {number} status
+ * @returns {Promise<void>}
+ * @throws {UserNotFoundError}
+ */
+export function setStatusForUserBy(config: AuthConfig, identifier: UserIdentifier, status: number): Promise<void>;
+/**
+ * Create a password reset token for the account matched by the identifier.
+ * @param {AuthConfig} config
+ * @param {UserIdentifier} identifier
+ * @param {string | number | null} [expiresAfter]
+ * @param {TokenCallback} [callback]
+ * @returns {Promise<void>}
+ * @throws {UserNotFoundError}
+ * @throws {EmailNotVerifiedError}
+ */
+export function initiatePasswordResetForUserBy(config: AuthConfig, identifier: UserIdentifier, expiresAfter?: string | number | null, callback?: TokenCallback): Promise<void>;
+/**
+ * Request a password reset by email, subject to the open-request limit.
+ * @param {AuthConfig} config
+ * @param {string} email
+ * @param {string | number | null} [expiresAfter]
+ * @param {number | null} [maxOpenRequests]
+ * @param {TokenCallback} [callback]
+ * @returns {Promise<void>}
+ * @throws {EmailNotVerifiedError}
+ * @throws {ResetDisabledError}
+ * @throws {TooManyResetsError}
+ */
+export function resetPassword(config: AuthConfig, email: string, expiresAfter?: string | number | null, maxOpenRequests?: number | null, callback?: TokenCallback): Promise<void>;
+/**
+ * Confirm a password reset token and apply the new password.
+ * @param {AuthConfig} config
+ * @param {string} token
+ * @param {string} password
+ * @returns {Promise<{ accountId: number, email: string }>}
+ * @throws {ResetNotFoundError}
+ * @throws {ResetExpiredError}
+ * @throws {UserNotFoundError}
+ * @throws {ResetDisabledError}
+ * @throws {InvalidPasswordError}
+ * @throws {InvalidTokenError}
+ */
+export function confirmResetPassword(config: AuthConfig, token: string, password: string): Promise<{
+    accountId: number;
+    email: string;
+}>;
+/**
+ * Check whether an account exists for the given email.
+ * @param {AuthConfig} config
+ * @param {string} email
+ * @returns {Promise<boolean>}
+ */
+export function userExistsByEmail(config: AuthConfig, email: string): Promise<boolean>;
+/**
+ * Force logout of all sessions for the account matched by the identifier.
+ * @param {AuthConfig} config
+ * @param {UserIdentifier} identifier
+ * @returns {Promise<{ accountId: number }>}
+ * @throws {UserNotFoundError}
+ */
+export function forceLogoutForUserBy(config: AuthConfig, identifier: UserIdentifier): Promise<{
+    accountId: number;
+}>;
+export type AuthConfig = import("./types.js").AuthConfig;
+export type AuthAccount = import("./types.js").AuthAccount;
+export type TokenCallback = import("./types.js").TokenCallback;
+export type UserIdentifier = import("./types.js").UserIdentifier;
+export type AuthenticateRequestResult = import("./types.js").AuthenticateRequestResult;

package/types/auth-manager.d.ts

@@ -0,0 +1,365 @@
+/**
+ * @typedef {import("./types.js").AuthConfig} AuthConfig
+ * @typedef {import("./types.js").AuthAccount} AuthAccount
+ * @typedef {import("./types.js").AuthSession} AuthSession
+ * @typedef {import("./types.js").TokenCallback} TokenCallback
+ * @typedef {import("./types.js").OAuthProvider} OAuthProvider
+ * @typedef {import("./types.js").StartImpersonationOptions} StartImpersonationOptions
+ * @typedef {import("./types.js").ImpersonationInfo} ImpersonationInfo
+ * @typedef {import("./types.js").ImpersonationActor} ImpersonationActor
+ * @typedef {import("./types.js").UserIdentifier} UserIdentifier
+ */
+export class AuthManager {
+    /**
+     * @param {import("express").Request} req
+     * @param {import("express").Response} res
+     * @param {AuthConfig} config
+     */
+    constructor(req: import("express").Request, res: import("express").Response, config: AuthConfig);
+    req: import("express").Request<import("express-serve-static-core").ParamsDictionary, any, any, import("qs").ParsedQs, Record<string, any>>;
+    res: import("express").Response<any, Record<string, any>>;
+    config: import("./types.js").AuthConfig;
+    queries: AuthQueries;
+    activityLogger: ActivityLogger;
+    providers: {
+        github: GitHubProvider;
+        google: GoogleProvider;
+        azure: AzureProvider;
+    };
+    twoFactor: TwoFactorManager;
+    initializeProviders(): {
+        github: GitHubProvider;
+        google: GoogleProvider;
+        azure: AzureProvider;
+    };
+    generateAutoUserId(): `${string}-${string}-${string}-${string}-${string}`;
+    shouldRequire2FA(account: any): Promise<boolean>;
+    validatePassword(password: any): void;
+    getRoleMap(): Record<number, string>;
+    getStatusMap(): Record<number, string>;
+    getAuthAccount(): Promise<import("./types.js").AuthAccount>;
+    setRememberCookie(token: any, expires: any): void;
+    getRememberToken(): {
+        token: any;
+    };
+    regenerateSession(): Promise<any>;
+    /**
+     * Resync the current session against the persisted account state.
+     * @param {boolean} [force=false]
+     * @returns {Promise<void>}
+     */
+    resyncSession(force?: boolean): Promise<void>;
+    /**
+     * Restore a session from a valid remember token when not already logged in.
+     * @returns {Promise<void>}
+     */
+    processRememberDirective(): Promise<void>;
+    onLoginSuccessful(account: any, remember?: boolean): Promise<any>;
+    createRememberDirective(account: any): Promise<string>;
+    /**
+     * Check if the current user is logged in.
+     * @returns {boolean} true if user has an active authenticated session
+     */
+    isLoggedIn(): boolean;
+    /**
+     * Authenticate user with email and password, creating a session.
+     * @param {string} email
+     * @param {string} password
+     * @param {boolean} [remember=false]
+     * @returns {Promise<void>}
+     * @throws {UserNotFoundError} Account with this email doesn't exist
+     * @throws {InvalidPasswordError} Password is incorrect
+     * @throws {EmailNotVerifiedError} Account exists but email is not verified
+     * @throws {UserInactiveError} Account is banned, locked, or otherwise inactive
+     * @throws {SecondFactorRequiredError} Two-factor authentication is required
+     */
+    login(email: string, password: string, remember?: boolean): Promise<void>;
+    /**
+     * Complete two-factor authentication and log in the user.
+     * @returns {Promise<void>}
+     * @throws {TwoFactorExpiredError} No pending 2FA state or it has expired
+     * @throws {UserNotFoundError} Associated account no longer exists
+     */
+    completeTwoFactorLogin(): Promise<void>;
+    /**
+     * Log out the current user, clearing the session and remember tokens.
+     * @returns {Promise<void>}
+     */
+    logout(): Promise<void>;
+    /**
+     * Register a new account.
+     * @param {string} email
+     * @param {string} password
+     * @param {string|number} [userId] Optional user ID to link; a UUID is generated if omitted
+     * @param {TokenCallback} [callback] If provided, account is created unverified and callback receives the confirmation token
+     * @returns {Promise<AuthAccount>} The created account record
+     * @throws {EmailTakenError} Email is already registered
+     * @throws {InvalidPasswordError} Password doesn't meet length requirements
+     */
+    register(email: string, password: string, userId?: string | number, callback?: TokenCallback): Promise<AuthAccount>;
+    createConfirmationToken(account: any, email: any, callback: any): Promise<void>;
+    /**
+     * Get the current user's account ID.
+     * @returns {number|null} Account ID if logged in, null otherwise
+     */
+    getId(): number | null;
+    /**
+     * Get the current user's email address.
+     * @returns {string|null} Email if logged in, null otherwise
+     */
+    getEmail(): string | null;
+    /**
+     * Get the current user's account status.
+     * @returns {number|null} Status number if logged in, null otherwise
+     */
+    getStatus(): number | null;
+    /**
+     * Check if the current user's email is verified.
+     * @returns {boolean|null} true if verified, false if unverified, null if not logged in
+     */
+    getVerified(): boolean | null;
+    /**
+     * Check if the current user has a password set.
+     * @returns {boolean|null} true if user has a password, false if OAuth-only, null if not logged in
+     */
+    hasPassword(): boolean | null;
+    /**
+     * Get human-readable role names for the current user or a specific rolemask.
+     * @param {number} [rolemask] Optional rolemask; defaults to the current user's roles
+     * @returns {string[]} Array of role names
+     */
+    getRoleNames(rolemask?: number): string[];
+    /**
+     * Get the human-readable status name for the current user.
+     * @returns {string|null} Status name if logged in, null otherwise
+     */
+    getStatusName(): string | null;
+    /**
+     * Check if the current user has a specific role.
+     * @param {number} role Role bitmask to check
+     * @returns {Promise<boolean>} true if user has the role, false otherwise
+     */
+    hasRole(role: number): Promise<boolean>;
+    /**
+     * Check if the current user has admin privileges.
+     * @returns {Promise<boolean>} true if user has Admin role, false otherwise
+     */
+    isAdmin(): Promise<boolean>;
+    /**
+     * Check if the current user was automatically logged in via remember token.
+     * @returns {boolean} true if auto-logged in from a persistent cookie, false otherwise
+     */
+    isRemembered(): boolean;
+    /**
+     * Request an email change for the current user, sending a confirmation token.
+     * @param {string} newEmail
+     * @param {TokenCallback} callback Called with the confirmation token
+     * @returns {Promise<void>}
+     * @throws {UserNotLoggedInError} User is not logged in
+     * @throws {EmailTakenError} New email is already registered
+     * @throws {UserNotFoundError} Current user account not found
+     * @throws {EmailNotVerifiedError} Current account's email is not verified
+     */
+    changeEmail(newEmail: string, callback: TokenCallback): Promise<void>;
+    /**
+     * Confirm an email address using a token from registration or email change.
+     * @param {string} token
+     * @returns {Promise<string>} The confirmed email address
+     * @throws {ConfirmationNotFoundError} Token is invalid or doesn't exist
+     * @throws {ConfirmationExpiredError} Token has expired
+     * @throws {InvalidTokenError} Token format is invalid
+     */
+    confirmEmail(token: string): Promise<string>;
+    /**
+     * Confirm an email address and automatically log in the user.
+     * @param {string} token
+     * @param {boolean} [remember=false]
+     * @returns {Promise<void>}
+     * @throws {ConfirmationNotFoundError} Token is invalid or doesn't exist
+     * @throws {ConfirmationExpiredError} Token has expired
+     * @throws {InvalidTokenError} Token format is invalid
+     * @throws {UserNotFoundError} Associated account no longer exists
+     * @throws {SecondFactorRequiredError} Two-factor authentication is required
+     */
+    confirmEmailAndLogin(token: string, remember?: boolean): Promise<void>;
+    /**
+     * Initiate a password reset for a user, creating a reset token.
+     * @param {string} email
+     * @param {string|number|null} [expiresAfter=null] Token expiration (default 6h)
+     * @param {number|null} [maxOpenRequests=null] Maximum concurrent reset tokens (default 2)
+     * @param {TokenCallback} [callback] Called with the reset token
+     * @returns {Promise<void>}
+     * @throws {EmailNotVerifiedError} Account doesn't exist or email not verified
+     * @throws {ResetDisabledError} Account has password reset disabled
+     * @throws {TooManyResetsError} Too many active reset requests
+     */
+    resetPassword(email: string, expiresAfter?: string | number | null, maxOpenRequests?: number | null, callback?: TokenCallback): Promise<void>;
+    /**
+     * Complete a password reset using a reset token.
+     * @param {string} token
+     * @param {string} password New password (will be hashed)
+     * @param {boolean} [logout=true] Whether to force logout all sessions
+     * @returns {Promise<void>}
+     * @throws {ResetNotFoundError} Token is invalid or doesn't exist
+     * @throws {ResetExpiredError} Token has expired
+     * @throws {UserNotFoundError} Associated account no longer exists
+     * @throws {ResetDisabledError} Account has password reset disabled
+     * @throws {InvalidPasswordError} New password doesn't meet requirements
+     * @throws {InvalidTokenError} Token format is invalid
+     */
+    confirmResetPassword(token: string, password: string, logout?: boolean): Promise<void>;
+    /**
+     * Verify if a password matches the current user's password.
+     * @param {string} password
+     * @returns {Promise<boolean>} true if password matches, false otherwise
+     * @throws {UserNotLoggedInError} User is not logged in
+     * @throws {UserNotFoundError} Current user account not found
+     */
+    verifyPassword(password: string): Promise<boolean>;
+    forceLogoutForAccountById(accountId: any): Promise<void>;
+    /**
+     * Force logout all other sessions while keeping the current one active.
+     * @returns {Promise<void>}
+     */
+    logoutEverywhereElse(): Promise<void>;
+    /**
+     * Force logout all sessions including the current one.
+     * @returns {Promise<void>}
+     */
+    logoutEverywhere(): Promise<void>;
+    findAccountByIdentifier(identifier: any): Promise<import("./types.js").AuthAccount>;
+    /**
+     * Create a user account (admin function).
+     * @param {{ email: string, password: string }} credentials
+     * @param {string|number} [userId]
+     * @param {TokenCallback} [callback]
+     * @returns {Promise<AuthAccount>}
+     */
+    createUser(credentials: {
+        email: string;
+        password: string;
+    }, userId?: string | number, callback?: TokenCallback): Promise<AuthAccount>;
+    /**
+     * Delete a user account by identifier (admin function).
+     * @param {UserIdentifier} identifier
+     * @returns {Promise<void>}
+     */
+    deleteUserBy(identifier: UserIdentifier): Promise<void>;
+    /**
+     * Add a role for a user by identifier (admin function).
+     * @param {UserIdentifier} identifier
+     * @param {number} role
+     * @returns {Promise<void>}
+     */
+    addRoleForUserBy(identifier: UserIdentifier, role: number): Promise<void>;
+    /**
+     * Remove a role for a user by identifier (admin function).
+     * @param {UserIdentifier} identifier
+     * @param {number} role
+     * @returns {Promise<void>}
+     */
+    removeRoleForUserBy(identifier: UserIdentifier, role: number): Promise<void>;
+    /**
+     * Check whether a user has a role by identifier (admin function).
+     * @param {UserIdentifier} identifier
+     * @param {number} role
+     * @returns {Promise<boolean>}
+     */
+    hasRoleForUserBy(identifier: UserIdentifier, role: number): Promise<boolean>;
+    /**
+     * Change a user's password by identifier (admin function).
+     * @param {UserIdentifier} identifier
+     * @param {string} password
+     * @returns {Promise<void>}
+     */
+    changePasswordForUserBy(identifier: UserIdentifier, password: string): Promise<void>;
+    /**
+     * Set a user's status by identifier (admin function).
+     * @param {UserIdentifier} identifier
+     * @param {number} status
+     * @returns {Promise<void>}
+     */
+    setStatusForUserBy(identifier: UserIdentifier, status: number): Promise<void>;
+    /**
+     * Initiate a password reset for a user by identifier (admin function).
+     * @param {UserIdentifier} identifier
+     * @param {string|number|null} [expiresAfter]
+     * @param {TokenCallback} [callback]
+     * @returns {Promise<void>}
+     */
+    initiatePasswordResetForUserBy(identifier: UserIdentifier, expiresAfter?: string | number | null, callback?: TokenCallback): Promise<void>;
+    /**
+     * Check whether a user exists by email (admin function).
+     * @param {string} email
+     * @returns {Promise<boolean>}
+     */
+    userExistsByEmail(email: string): Promise<boolean>;
+    /**
+     * Force logout a user by identifier; flags the current session if it is owned by that user.
+     * @param {UserIdentifier} identifier
+     * @returns {Promise<void>}
+     */
+    forceLogoutForUserBy(identifier: UserIdentifier): Promise<void>;
+    /**
+     * Log in as another user (admin function), replacing the current session.
+     * @param {UserIdentifier} identifier
+     * @returns {Promise<void>}
+     * @throws {UserNotFoundError} No account matches the identifier
+     */
+    loginAsUserBy(identifier: UserIdentifier): Promise<void>;
+    /**
+     * Check whether the current session is impersonating another user.
+     * @returns {boolean}
+     */
+    isImpersonating(): boolean;
+    /**
+     * Get the account id of the original (actor) user when impersonating.
+     * @returns {number|null} Actor account id when impersonating, null otherwise
+     */
+    getActorId(): number | null;
+    /**
+     * Get the email of the original (actor) user when impersonating.
+     * @returns {string|null} Actor email when impersonating, null otherwise
+     */
+    getActorEmail(): string | null;
+    /**
+     * Get a structured summary of the current impersonation session.
+     * @returns {ImpersonationInfo|null} ImpersonationInfo when impersonating, null otherwise
+     */
+    getImpersonationInfo(): ImpersonationInfo | null;
+    /**
+     * Begin impersonating another user while preserving the actor identity.
+     * @param {UserIdentifier} identifier
+     * @param {StartImpersonationOptions} [options={}]
+     * @returns {Promise<void>}
+     * @throws {UserNotLoggedInError} No active session
+     * @throws {ImpersonationDisabledError} config.impersonation.enabled is false
+     * @throws {AlreadyImpersonatingError} Another impersonation session is already active
+     * @throws {UserNotFoundError} No account matches the identifier
+     * @throws {ImpersonationNotAllowedError} canImpersonate returned false, or target is the actor
+     */
+    startImpersonation(identifier: UserIdentifier, options?: StartImpersonationOptions): Promise<void>;
+    /**
+     * Stop the current impersonation session and revert to the actor's identity.
+     * @returns {Promise<void>}
+     * @throws {NotImpersonatingError} No active impersonation session
+     */
+    stopImpersonation(): Promise<void>;
+    stopImpersonationInternal(cause: any): Promise<void>;
+    regenerateSessionWith(newAuth: any): Promise<any>;
+}
+export type AuthConfig = import("./types.js").AuthConfig;
+export type AuthAccount = import("./types.js").AuthAccount;
+export type AuthSession = import("./types.js").AuthSession;
+export type TokenCallback = import("./types.js").TokenCallback;
+export type OAuthProvider = import("./types.js").OAuthProvider;
+export type StartImpersonationOptions = import("./types.js").StartImpersonationOptions;
+export type ImpersonationInfo = import("./types.js").ImpersonationInfo;
+export type ImpersonationActor = import("./types.js").ImpersonationActor;
+export type UserIdentifier = import("./types.js").UserIdentifier;
+import { AuthQueries } from "./queries.js";
+import { ActivityLogger } from "./activity-logger.js";
+import { GitHubProvider } from "./providers/index.js";
+import { GoogleProvider } from "./providers/index.js";
+import { AzureProvider } from "./providers/index.js";
+import { TwoFactorManager } from "./two-factor/index.js";