auth-vir 1.3.2 → 2.0.1

package/dist/auth-client/frontend-auth.client.js

@@ -0,0 +1,108 @@
+import { HttpStatus, } from '@augment-vir/common';
+import { CsrfTokenFailureReason, extractCsrfTokenHeader, getCurrentCsrfToken, storeCsrfToken, wipeCurrentCsrfToken, } from '../csrf-token.js';
+import { AuthHeaderName } from '../headers.js';
+/**
+ * An auth client for sending and validating client requests to a backend. This should only be used
+ * in a frontend environment as it accesses native browser APIs.
+ *
+ * @category Auth : Client
+ * @category Client
+ */
+export class FrontendAuthClient {
+    config;
+    constructor(config = {}) {
+        this.config = config;
+    }
+    /** Wraps {@link getCurrentCsrfToken} to automatically handle wiping an invalid CSRF token. */
+    async getCurrentCsrfToken() {
+        const csrfTokenResult = getCurrentCsrfToken(this.config.overrides);
+        if (csrfTokenResult.failure &&
+            csrfTokenResult.failure !== CsrfTokenFailureReason.DoesNotExist) {
+            await this.logout();
+            return undefined;
+        }
+        else {
+            return csrfTokenResult.csrfToken?.token;
+        }
+    }
+    /** @returns Whether the user assuming succeeded or not. */
+    async assumeUser(assumedUserParams) {
+        if (!(await this.config.canAssumeUser?.())) {
+            return false;
+        }
+        (this.config.overrides?.localStorage || globalThis.localStorage).setItem(this.config.overrides?.assumedUserHeaderName || AuthHeaderName.AssumedUser, JSON.stringify(assumedUserParams));
+        return true;
+    }
+    /** Gets the assumed user params stored in local storage, if any. */
+    getAssumedUser() {
+        const rawValue = (this.config.overrides?.localStorage || globalThis.localStorage).getItem(this.config.overrides?.assumedUserHeaderName || AuthHeaderName.AssumedUser);
+        if (!rawValue) {
+            return undefined;
+        }
+        try {
+            return JSON.parse(rawValue);
+        }
+        catch {
+            return undefined;
+        }
+    }
+    /**
+     * Creates a `RequestInit` object for the `fetch` API. If you have other request init options,
+     * use [`mergeDeep` from
+     * `@augment-vir/common`](https://electrovir.github.io/augment-vir/functions/mergeDeep.html) to
+     * combine them with these.
+     */
+    async createAuthenticatedRequestInit() {
+        const csrfToken = await this.getCurrentCsrfToken();
+        const assumedUser = this.getAssumedUser();
+        const headers = {
+            ...(csrfToken
+                ? {
+                    [AuthHeaderName.CsrfToken]: csrfToken,
+                }
+                : {}),
+            ...(assumedUser
+                ? {
+                    [this.config.overrides?.assumedUserHeaderName || AuthHeaderName.AssumedUser]: JSON.stringify(assumedUser),
+                }
+                : {}),
+        };
+        return {
+            headers,
+            credentials: 'include',
+        };
+    }
+    /** Wipes the current user auth. */
+    async logout() {
+        await this.config.authClearedCallback?.();
+        wipeCurrentCsrfToken(this.config.overrides);
+    }
+    /**
+     * Use to handle a login response. Automatically stores the CSRF token.
+     *
+     * @throws Error if the login response failed.
+     * @throws Error if the login response has an invalid CSRF token.
+     */
+    async handleLoginResponse(response) {
+        if (!response.ok) {
+            await this.logout();
+            throw new Error('Login response failed.');
+        }
+        const { csrfToken } = extractCsrfTokenHeader(response, this.config.overrides);
+        if (!csrfToken) {
+            await this.logout();
+            throw new Error('Did not receive any CSRF token.');
+        }
+        storeCsrfToken(csrfToken, this.config.overrides);
+    }
+    /**
+     * Use to verify _all_ responses received from the backend. Immediately logs the user out once
+     * an unauthorized response is detected.
+     */
+    async verifyResponseAuth(response) {
+        if (response.status === HttpStatus.Unauthorized &&
+            !response.headers.get(AuthHeaderName.IsSignUpAuth)) {
+            await this.logout();
+        }
+    }
+}

package/dist/auth.d.ts

@@ -1,4 +1,7 @@
-import { clearAuthCookie, type CookieParams } from './cookie.js';
+import { type PartialWithUndefined } from '@augment-vir/common';
+import { type FullDate, type UtcTimezone } from 'date-vir';
+import { type CookieParams } from './cookie.js';
+import { AuthHeaderName } from './headers.js';
 import { type ParseJwtParams } from './jwt/jwt.js';
 /**
  * All possible headers container types supported by {@link extractUserIdFromRequestHeaders}.
@@ -6,6 +9,16 @@ import { type ParseJwtParams } from './jwt/jwt.js';
  * @category Internal
  */
 export type HeaderContainer = Record<string, string[] | undefined | string | number> | Headers;
+/**
+ * Output from {@link extractUserIdFromRequestHeaders}.
+ *
+ * @category Internal
+ */
+export type UserIdResult<UserId extends string | number> = {
+    userId: UserId;
+    jwtExpiration: FullDate<UtcTimezone>;
+    cookieName: string;
+};
 /**
  * Extract the user id from a request by checking both the request cookie and CSRF token. This is
  * used by host (backend) code to help verify a request. After extracting the user id using this,
@@ -14,36 +27,41 @@ export type HeaderContainer = Record<string, string[] | undefined | string | num
  * @category Auth : Host
  * @returns The extracted user id or `undefined` if no valid auth headers exist.
  */
-export declare function extractUserIdFromRequestHeaders(headers: HeaderContainer, jwtParams: Readonly<ParseJwtParams>, cookieName?: string | undefined): Promise<string | undefined>;
+export declare function extractUserIdFromRequestHeaders<UserId extends string | number>(headers: HeaderContainer, jwtParams: Readonly<ParseJwtParams>, cookieName?: string, overrides?: PartialWithUndefined<{
+    csrfHeaderName: string;
+}>): Promise<Readonly<UserIdResult<UserId>> | undefined>;
 /**
  * Extract a user id from just the cookie, without CSRF token validation. This is _less secure_ than
  * {@link extractUserIdFromRequestHeaders} as a result. This should only be used in rare
  * circumstances where you cannot rely on client-side JavaScript to insert the CSRF token.
  *
  * @deprecated Prefer {@link extractUserIdFromRequestHeaders} instead: it is more secure.
+ * @category Auth : Host
  */
-export declare function extractUserIdFromCookieAlone(headers: HeaderContainer, jwtParams: Readonly<ParseJwtParams>, cookieName?: string | undefined): Promise<string | undefined>;
+export declare function insecureExtractUserIdFromCookieAlone<UserId extends string | number>(headers: HeaderContainer, jwtParams: Readonly<ParseJwtParams>, cookieName?: string): Promise<Readonly<UserIdResult<UserId>> | undefined>;
 /**
  * Used by host (backend) code to set headers on a response object.
  *
  * @category Auth : Host
  */
-export declare function generateSuccessfulLoginHeaders(
+export declare function generateSuccessfulLoginHeaders<CsrfHeaderName extends string = AuthHeaderName.CsrfToken>(
 /** The id from your database of the user you're authenticating. */
-userId: string, cookieConfig: Readonly<CookieParams>): Promise<{
+userId: string | number, cookieConfig: Readonly<CookieParams>, overrides?: PartialWithUndefined<{
+    csrfHeaderName: CsrfHeaderName;
+}>): Promise<{
     'set-cookie': string;
-    "csrf-token": string;
-}>;
+} & Record<CsrfHeaderName, string>>;
 /**
  * Used by host (backend) code to set headers on a response object when the user has logged out or
  * failed to authorize.
  *
  * @category Auth : Host
  */
-export declare function generateLogoutHeaders(...params: Parameters<typeof clearAuthCookie>): {
+export declare function generateLogoutHeaders<CsrfHeaderName extends string = AuthHeaderName.CsrfToken>(cookieConfig: Readonly<Pick<CookieParams, 'cookieName' | 'hostOrigin' | 'isDev'>>, overrides?: PartialWithUndefined<{
+    csrfHeaderName: CsrfHeaderName;
+}>): {
     'set-cookie': string;
-    "csrf-token": string;
-};
+} & Record<CsrfHeaderName, string>;
 /**
  * Store auth data on a client (frontend) after receiving an auth response from the host (backend).
  * Specifically, this stores the CSRF token into local storage (which doesn't need to be a secret).
@@ -53,45 +71,13 @@ export declare function generateLogoutHeaders(...params: Parameters<typeof clear
  * @category Auth : Client
  * @throws Error if no CSRF token header is found.
  */
-export declare function handleAuthResponse(response: Readonly<Pick<Response, 'ok' | 'headers'>>, overrides?: {
-    /**
-     * Allows mocking or overriding the global `localStorage`.
-     *
-     * @default globalThis.localStorage
-     */
-    localStorage?: Pick<Storage, 'setItem' | 'removeItem'>;
-    /** Override the default CSRF token header name. */
-    csrfHeaderName?: string;
-}): void;
-/**
- * Used in client (frontend) code to retrieve the current CSRF token in order to send it with
- * requests to the host (backend).
- *
- * @category Auth : Client
- */
-export declare function getCurrentCsrfToken(overrides?: {
-    /**
-     * Allows mocking or overriding the global `localStorage`.
-     *
-     * @default globalThis.localStorage
-     */
-    localStorage?: Pick<Storage, 'getItem'>;
-    /** Override the default CSRF token header name. */
-    csrfHeaderName?: string;
-}): string | undefined;
-/**
- * Wipes the current stored CSRF token. This should be used by client (frontend) code to logout a
- * user or react to a session timeout.
- *
- * @category Auth : Client
- */
-export declare function wipeCurrentCsrfToken(overrides?: {
+export declare function handleAuthResponse(response: Readonly<Pick<Response, 'ok' | 'headers'>>, overrides?: PartialWithUndefined<{
     /**
      * Allows mocking or overriding the global `localStorage`.
      *
      * @default globalThis.localStorage
      */
-    localStorage?: Pick<Storage, 'removeItem'>;
+    localStorage: Pick<Storage, 'setItem' | 'removeItem'>;
     /** Override the default CSRF token header name. */
-    csrfHeaderName?: string;
-}): void;
+    csrfHeaderName: string;
+}>): void;

package/dist/auth.js

@@ -1,5 +1,6 @@
-import { clearAuthCookie, extractCookieJwt, generateAuthCookie, } from './cookie.js';
-import { csrfTokenHeaderName, generateCsrfToken } from './csrf-token.js';
+import { AuthCookieName, clearAuthCookie, extractCookieJwt, generateAuthCookie, } from './cookie.js';
+import { extractCsrfTokenHeader, generateCsrfToken, parseCsrfToken, storeCsrfToken, wipeCurrentCsrfToken, } from './csrf-token.js';
+import { AuthHeaderName } from './headers.js';
 function readHeader(headers, headerName) {
     if (headers instanceof Headers) {
         return headers.get(headerName) || undefined;
@@ -17,6 +18,13 @@ function readHeader(headers, headerName) {
         }
     }
 }
+function readCsrfTokenHeader(headers, overrides) {
+    const rawCsrfToken = readHeader(headers, overrides.csrfHeaderName || AuthHeaderName.CsrfToken);
+    if (!rawCsrfToken) {
+        return undefined;
+    }
+    return parseCsrfToken(rawCsrfToken).csrfToken?.token || rawCsrfToken;
+}
 /**
  * Extract the user id from a request by checking both the request cookie and CSRF token. This is
  * used by host (backend) code to help verify a request. After extracting the user id using this,
@@ -25,18 +33,22 @@ function readHeader(headers, headerName) {
  * @category Auth : Host
  * @returns The extracted user id or `undefined` if no valid auth headers exist.
  */
-export async function extractUserIdFromRequestHeaders(headers, jwtParams, cookieName) {
+export async function extractUserIdFromRequestHeaders(headers, jwtParams, cookieName = AuthCookieName.Auth, overrides = {}) {
     try {
-        const csrfToken = readHeader(headers, csrfTokenHeaderName);
+        const csrfToken = readCsrfTokenHeader(headers, overrides);
         const cookie = readHeader(headers, 'cookie');
         if (!cookie || !csrfToken) {
             return undefined;
         }
         const jwt = await extractCookieJwt(cookie, jwtParams, cookieName);
-        if (!jwt || jwt.csrfToken !== csrfToken) {
+        if (!jwt || jwt.data.csrfToken !== csrfToken) {
             return undefined;
         }
-        return jwt.userId;
+        return {
+            userId: jwt.data.userId,
+            jwtExpiration: jwt.jwtExpiration,
+            cookieName,
+        };
     }
     catch {
         return undefined;
@@ -48,8 +60,9 @@ export async function extractUserIdFromRequestHeaders(headers, jwtParams, cookie
  * circumstances where you cannot rely on client-side JavaScript to insert the CSRF token.
  *
  * @deprecated Prefer {@link extractUserIdFromRequestHeaders} instead: it is more secure.
+ * @category Auth : Host
  */
-export async function extractUserIdFromCookieAlone(headers, jwtParams, cookieName) {
+export async function insecureExtractUserIdFromCookieAlone(headers, jwtParams, cookieName = AuthCookieName.Auth) {
     try {
         const cookie = readHeader(headers, 'cookie');
         if (!cookie) {
@@ -59,7 +72,11 @@ export async function extractUserIdFromCookieAlone(headers, jwtParams, cookieNam
         if (!jwt) {
             return undefined;
         }
-        return jwt.userId;
+        return {
+            userId: jwt.data.userId,
+            jwtExpiration: jwt.jwtExpiration,
+            cookieName,
+        };
     }
     catch {
         return undefined;
@@ -72,14 +89,15 @@ export async function extractUserIdFromCookieAlone(headers, jwtParams, cookieNam
  */
 export async function generateSuccessfulLoginHeaders(
 /** The id from your database of the user you're authenticating. */
-userId, cookieConfig) {
-    const csrfToken = generateCsrfToken();
+userId, cookieConfig, overrides = {}) {
+    const csrfToken = generateCsrfToken(cookieConfig.cookieDuration);
+    const csrfHeaderName = (overrides.csrfHeaderName || AuthHeaderName.CsrfToken);
     return {
         'set-cookie': await generateAuthCookie({
-            csrfToken,
+            csrfToken: csrfToken.token,
             userId,
         }, cookieConfig),
-        [csrfTokenHeaderName]: csrfToken,
+        [csrfHeaderName]: JSON.stringify(csrfToken),
     };
 }
 /**
@@ -88,10 +106,11 @@ userId, cookieConfig) {
  *
  * @category Auth : Host
  */
-export function generateLogoutHeaders(...params) {
+export function generateLogoutHeaders(cookieConfig, overrides = {}) {
+    const csrfHeaderName = (overrides.csrfHeaderName || AuthHeaderName.CsrfToken);
     return {
-        'set-cookie': clearAuthCookie(...params),
-        [csrfTokenHeaderName]: 'redacted',
+        'set-cookie': clearAuthCookie(cookieConfig),
+        [csrfHeaderName]: 'redacted',
     };
 }
 /**
@@ -108,29 +127,10 @@ export function handleAuthResponse(response, overrides = {}) {
         wipeCurrentCsrfToken(overrides);
         return;
     }
-    const headerName = overrides.csrfHeaderName || csrfTokenHeaderName;
-    const csrfToken = response.headers.get(headerName);
+    const { csrfToken } = extractCsrfTokenHeader(response, overrides);
     if (!csrfToken) {
         wipeCurrentCsrfToken(overrides);
         throw new Error('Did not receive any CSRF token.');
     }
-    (overrides.localStorage || globalThis.localStorage).setItem(headerName, csrfToken);
-}
-/**
- * Used in client (frontend) code to retrieve the current CSRF token in order to send it with
- * requests to the host (backend).
- *
- * @category Auth : Client
- */
-export function getCurrentCsrfToken(overrides = {}) {
-    return ((overrides.localStorage || globalThis.localStorage).getItem(overrides.csrfHeaderName || csrfTokenHeaderName) || undefined);
-}
-/**
- * Wipes the current stored CSRF token. This should be used by client (frontend) code to logout a
- * user or react to a session timeout.
- *
- * @category Auth : Client
- */
-export function wipeCurrentCsrfToken(overrides = {}) {
-    return (overrides.localStorage || globalThis.localStorage).removeItem(overrides.csrfHeaderName || csrfTokenHeaderName);
+    storeCsrfToken(csrfToken, overrides);
 }

package/dist/cookie.d.ts

@@ -1,8 +1,19 @@
 import { type PartialWithUndefined } from '@augment-vir/common';
 import { type AnyDuration } from 'date-vir';
 import { type Primitive } from 'type-fest';
-import { type CreateJwtParams, type ParseJwtParams } from './jwt/jwt.js';
-import { type UserJwtData } from './jwt/user-jwt.js';
+import { type CreateJwtParams, type ParseJwtParams, type ParsedJwt } from './jwt/jwt.js';
+import { type JwtUserData } from './jwt/user-jwt.js';
+/**
+ * Cookie header names supported by default.
+ *
+ * @category Internal
+ */
+export declare enum AuthCookieName {
+    /** Used for a full user login auth. */
+    Auth = "auth",
+    /** Use for a temporary "just signed up" auth. */
+    SignUp = "sign-up"
+}
 /**
  * Parameters for {@link generateAuthCookie}.
  *
@@ -42,7 +53,7 @@ export type CookieParams = {
  *
  * @category Internal
  */
-export declare function generateAuthCookie(userJwtData: Readonly<UserJwtData>, cookieConfig: Readonly<CookieParams>): Promise<string>;
+export declare function generateAuthCookie(userJwtData: Readonly<JwtUserData>, cookieConfig: Readonly<CookieParams>): Promise<string>;
 /**
  * Generate a cookie value that will clear the previous auth cookie. Use this when signing out.
  *
@@ -61,4 +72,4 @@ export declare function generateCookie(params: Readonly<Record<string, Exclude<P
  * @category Internal
  * @returns The extracted auth Cookie JWT data or `undefined` if no valid auth JWT data was found.
  */
-export declare function extractCookieJwt(rawCookie: string, jwtParams: Readonly<ParseJwtParams>, cookieName?: string): Promise<undefined | UserJwtData>;
+export declare function extractCookieJwt(rawCookie: string, jwtParams: Readonly<ParseJwtParams>, cookieName?: string): Promise<undefined | ParsedJwt<JwtUserData>>;

package/dist/cookie.js

@@ -3,6 +3,18 @@ import { safeMatch } from '@augment-vir/common';
 import { convertDuration } from 'date-vir';
 import { parseUrl } from 'url-vir';
 import { createUserJwt, parseUserJwt } from './jwt/user-jwt.js';
+/**
+ * Cookie header names supported by default.
+ *
+ * @category Internal
+ */
+export var AuthCookieName;
+(function (AuthCookieName) {
+    /** Used for a full user login auth. */
+    AuthCookieName["Auth"] = "auth";
+    /** Use for a temporary "just signed up" auth. */
+    AuthCookieName["SignUp"] = "sign-up";
+})(AuthCookieName || (AuthCookieName = {}));
 /**
  * Generate a secure cookie that stores the user JWT data. Used in host (backend) code.
  *
@@ -65,13 +77,13 @@ export function generateCookie(params) {
  * @category Internal
  * @returns The extracted auth Cookie JWT data or `undefined` if no valid auth JWT data was found.
  */
-export async function extractCookieJwt(rawCookie, jwtParams, cookieName = 'auth') {
+export async function extractCookieJwt(rawCookie, jwtParams, cookieName = AuthCookieName.Auth) {
     const cookieRegExp = new RegExp(`${cookieName}=[^;]+(?:;|$)`);
-    const [auth] = safeMatch(rawCookie, cookieRegExp);
-    if (!auth) {
+    const [cookieValue] = safeMatch(rawCookie, cookieRegExp);
+    if (!cookieValue) {
         return undefined;
     }
-    const rawJwt = auth.replace(`${cookieName}=`, '').replace(';', '');
+    const rawJwt = cookieValue.replace(`${cookieName}=`, '').replace(';', '');
     const jwt = await parseUserJwt(rawJwt, jwtParams);
     return jwt;
 }

package/dist/csrf-token.d.ts

@@ -1,12 +1,122 @@
+import { type PartialWithUndefined, type SelectFrom } from '@augment-vir/common';
+import { type AnyDuration } from 'date-vir';
+import { type RequireExactlyOne } from 'type-fest';
 /**
- * Name of the header attached to responses that stores the CSRF token value.
+ * Shape definition for {@link CsrfToken}.
  *
  * @category Internal
  */
-export declare const csrfTokenHeaderName = "csrf-token";
+export declare const csrfTokenShape: import("object-shape-tester").Shape<{
+    token: string;
+    expiration: import("object-shape-tester").Shape<import("object-shape-tester").Shape<import("@sinclair/typebox").TUnsafe<{
+        hour: import("date-vir").Hour;
+        minute: import("date-vir").Minute;
+        second: import("date-vir").Minute;
+        millisecond: number;
+        timezone: "Africa/Abidjan" | "Africa/Accra" | "Africa/Addis_Ababa" | "Africa/Algiers" | "Africa/Asmara" | "Africa/Bamako" | "Africa/Bangui" | "Africa/Banjul" | "Africa/Bissau" | "Africa/Blantyre" | "Africa/Brazzaville" | "Africa/Bujumbura" | "Africa/Cairo" | "Africa/Casablanca" | "Africa/Ceuta" | "Africa/Conakry" | "Africa/Dakar" | "Africa/Dar_es_Salaam" | "Africa/Djibouti" | "Africa/Douala" | "Africa/El_Aaiun" | "Africa/Freetown" | "Africa/Gaborone" | "Africa/Harare" | "Africa/Johannesburg" | "Africa/Juba" | "Africa/Kampala" | "Africa/Khartoum" | "Africa/Kigali" | "Africa/Kinshasa" | "Africa/Lagos" | "Africa/Libreville" | "Africa/Lome" | "Africa/Luanda" | "Africa/Lubumbashi" | "Africa/Lusaka" | "Africa/Malabo" | "Africa/Maputo" | "Africa/Maseru" | "Africa/Mbabane" | "Africa/Mogadishu" | "Africa/Monrovia" | "Africa/Nairobi" | "Africa/Ndjamena" | "Africa/Niamey" | "Africa/Nouakchott" | "Africa/Ouagadougou" | "Africa/Porto-Novo" | "Africa/Sao_Tome" | "Africa/Timbuktu" | "Africa/Tripoli" | "Africa/Tunis" | "Africa/Windhoek" | "America/Adak" | "America/Anchorage" | "America/Anguilla" | "America/Antigua" | "America/Araguaina" | "America/Argentina/Buenos_Aires" | "America/Argentina/Catamarca" | "America/Argentina/ComodRivadavia" | "America/Argentina/Cordoba" | "America/Argentina/Jujuy" | "America/Argentina/La_Rioja" | "America/Argentina/Mendoza" | "America/Argentina/Rio_Gallegos" | "America/Argentina/Salta" | "America/Argentina/San_Juan" | "America/Argentina/San_Luis" | "America/Argentina/Tucuman" | "America/Argentina/Ushuaia" | "America/Aruba" | "America/Asuncion" | "America/Atikokan" | "America/Bahia" | "America/Bahia_Banderas" | "America/Barbados" | "America/Belem" | "America/Belize" | "America/Blanc-Sablon" | "America/Boa_Vista" | "America/Bogota" | "America/Boise" | "America/Cambridge_Bay" | "America/Campo_Grande" | "America/Cancun" | "America/Caracas" | "America/Cayenne" | "America/Cayman" | "America/Chicago" | "America/Chihuahua" | "America/Coral_Harbour" | "America/Costa_Rica" | "America/Creston" | "America/Cuiaba" | "America/Curacao" | "America/Danmarkshavn" | "America/Dawson" | "America/Dawson_Creek" | "America/Denver" | "America/Detroit" | "America/Dominica" | "America/Edmonton" | "America/Eirunepe" | "America/El_Salvador" | "America/Ensenada" | "America/Fort_Nelson" | "America/Fortaleza" | "America/Glace_Bay" | "America/Goose_Bay" | "America/Grand_Turk" | "America/Grenada" | "America/Guadeloupe" | "America/Guatemala" | "America/Guayaquil" | "America/Guyana" | "America/Halifax" | "America/Havana" | "America/Hermosillo" | "America/Indiana/Indianapolis" | "America/Indiana/Knox" | "America/Indiana/Marengo" | "America/Indiana/Petersburg" | "America/Indiana/Tell_City" | "America/Indiana/Vevay" | "America/Indiana/Vincennes" | "America/Indiana/Winamac" | "America/Inuvik" | "America/Iqaluit" | "America/Jamaica" | "America/Juneau" | "America/Kentucky/Louisville" | "America/Kentucky/Monticello" | "America/La_Paz" | "America/Lima" | "America/Los_Angeles" | "America/Maceio" | "America/Managua" | "America/Manaus" | "America/Martinique" | "America/Matamoros" | "America/Mazatlan" | "America/Menominee" | "America/Merida" | "America/Metlakatla" | "America/Mexico_City" | "America/Miquelon" | "America/Moncton" | "America/Monterrey" | "America/Montevideo" | "America/Montreal" | "America/Montserrat" | "America/Nassau" | "America/New_York" | "America/Nipigon" | "America/Nome" | "America/Noronha" | "America/North_Dakota/Beulah" | "America/North_Dakota/Center" | "America/North_Dakota/New_Salem" | "America/Nuuk" | "America/Ojinaga" | "America/Panama" | "America/Pangnirtung" | "America/Paramaribo" | "America/Phoenix" | "America/Port-au-Prince" | "America/Port_of_Spain" | "America/Porto_Velho" | "America/Puerto_Rico" | "America/Punta_Arenas" | "America/Rainy_River" | "America/Rankin_Inlet" | "America/Recife" | "America/Regina" | "America/Resolute" | "America/Rio_Branco" | "America/Rosario" | "America/Santarem" | "America/Santiago" | "America/Santo_Domingo" | "America/Sao_Paulo" | "America/Scoresbysund" | "America/Sitka" | "America/St_Johns" | "America/St_Kitts" | "America/St_Lucia" | "America/St_Thomas" | "America/St_Vincent" | "America/Swift_Current" | "America/Tegucigalpa" | "America/Thule" | "America/Thunder_Bay" | "America/Tijuana" | "America/Toronto" | "America/Tortola" | "America/Vancouver" | "America/Whitehorse" | "America/Winnipeg" | "America/Yakutat" | "America/Yellowknife" | "Antarctica/Casey" | "Antarctica/Davis" | "Antarctica/DumontDUrville" | "Antarctica/Macquarie" | "Antarctica/Mawson" | "Antarctica/McMurdo" | "Antarctica/Palmer" | "Antarctica/Rothera" | "Antarctica/Syowa" | "Antarctica/Troll" | "Antarctica/Vostok" | "Asia/Aden" | "Asia/Almaty" | "Asia/Amman" | "Asia/Anadyr" | "Asia/Aqtau" | "Asia/Aqtobe" | "Asia/Ashgabat" | "Asia/Atyrau" | "Asia/Baghdad" | "Asia/Bahrain" | "Asia/Baku" | "Asia/Bangkok" | "Asia/Barnaul" | "Asia/Beirut" | "Asia/Bishkek" | "Asia/Brunei" | "Asia/Chita" | "Asia/Choibalsan" | "Asia/Chongqing" | "Asia/Colombo" | "Asia/Damascus" | "Asia/Dhaka" | "Asia/Dili" | "Asia/Dubai" | "Asia/Dushanbe" | "Asia/Famagusta" | "Asia/Gaza" | "Asia/Harbin" | "Asia/Hebron" | "Asia/Ho_Chi_Minh" | "Asia/Hong_Kong" | "Asia/Hovd" | "Asia/Irkutsk" | "Asia/Jakarta" | "Asia/Jayapura" | "Asia/Jerusalem" | "Asia/Kabul" | "Asia/Kamchatka" | "Asia/Karachi" | "Asia/Kashgar" | "Asia/Kathmandu" | "Asia/Khandyga" | "Asia/Kolkata" | "Asia/Krasnoyarsk" | "Asia/Kuala_Lumpur" | "Asia/Kuching" | "Asia/Kuwait" | "Asia/Macau" | "Asia/Magadan" | "Asia/Makassar" | "Asia/Manila" | "Asia/Muscat" | "Asia/Nicosia" | "Asia/Novokuznetsk" | "Asia/Novosibirsk" | "Asia/Omsk" | "Asia/Oral" | "Asia/Phnom_Penh" | "Asia/Pontianak" | "Asia/Pyongyang" | "Asia/Qatar" | "Asia/Qostanay" | "Asia/Qyzylorda" | "Asia/Riyadh" | "Asia/Sakhalin" | "Asia/Samarkand" | "Asia/Seoul" | "Asia/Shanghai" | "Asia/Singapore" | "Asia/Srednekolymsk" | "Asia/Taipei" | "Asia/Tashkent" | "Asia/Tbilisi" | "Asia/Tehran" | "Asia/Tel_Aviv" | "Asia/Thimphu" | "Asia/Tokyo" | "Asia/Tomsk" | "Asia/Ulaanbaatar" | "Asia/Urumqi" | "Asia/Ust-Nera" | "Asia/Vientiane" | "Asia/Vladivostok" | "Asia/Yakutsk" | "Asia/Yangon" | "Asia/Yekaterinburg" | "Asia/Yerevan" | "Atlantic/Azores" | "Atlantic/Bermuda" | "Atlantic/Canary" | "Atlantic/Cape_Verde" | "Atlantic/Faroe" | "Atlantic/Jan_Mayen" | "Atlantic/Madeira" | "Atlantic/Reykjavik" | "Atlantic/South_Georgia" | "Atlantic/St_Helena" | "Atlantic/Stanley" | "Australia/Adelaide" | "Australia/Brisbane" | "Australia/Broken_Hill" | "Australia/Currie" | "Australia/Darwin" | "Australia/Eucla" | "Australia/Hobart" | "Australia/Lindeman" | "Australia/Lord_Howe" | "Australia/Melbourne" | "Australia/Perth" | "Australia/Sydney" | "CET" | "CST6CDT" | "EET" | "EST" | "EST5EDT" | "Etc/GMT+1" | "Etc/GMT+10" | "Etc/GMT+11" | "Etc/GMT+12" | "Etc/GMT+2" | "Etc/GMT+3" | "Etc/GMT+4" | "Etc/GMT+5" | "Etc/GMT+6" | "Etc/GMT+7" | "Etc/GMT+8" | "Etc/GMT+9" | "Etc/GMT-1" | "Etc/GMT-10" | "Etc/GMT-11" | "Etc/GMT-12" | "Etc/GMT-13" | "Etc/GMT-14" | "Etc/GMT-2" | "Etc/GMT-3" | "Etc/GMT-4" | "Etc/GMT-5" | "Etc/GMT-6" | "Etc/GMT-7" | "Etc/GMT-8" | "Etc/GMT-9" | "Europe/Amsterdam" | "Europe/Andorra" | "Europe/Astrakhan" | "Europe/Athens" | "Europe/Belfast" | "Europe/Belgrade" | "Europe/Berlin" | "Europe/Brussels" | "Europe/Bucharest" | "Europe/Budapest" | "Europe/Chisinau" | "Europe/Copenhagen" | "Europe/Dublin" | "Europe/Gibraltar" | "Europe/Guernsey" | "Europe/Helsinki" | "Europe/Isle_of_Man" | "Europe/Istanbul" | "Europe/Jersey" | "Europe/Kaliningrad" | "Europe/Kirov" | "Europe/Kyiv" | "Europe/Lisbon" | "Europe/Ljubljana" | "Europe/London" | "Europe/Luxembourg" | "Europe/Madrid" | "Europe/Malta" | "Europe/Minsk" | "Europe/Monaco" | "Europe/Moscow" | "Europe/Oslo" | "Europe/Paris" | "Europe/Prague" | "Europe/Riga" | "Europe/Rome" | "Europe/Samara" | "Europe/Sarajevo" | "Europe/Saratov" | "Europe/Simferopol" | "Europe/Skopje" | "Europe/Sofia" | "Europe/Stockholm" | "Europe/Tallinn" | "Europe/Tirane" | "Europe/Tiraspol" | "Europe/Ulyanovsk" | "Europe/Uzhgorod" | "Europe/Vaduz" | "Europe/Vienna" | "Europe/Vilnius" | "Europe/Volgograd" | "Europe/Warsaw" | "Europe/Zagreb" | "Europe/Zaporozhye" | "Europe/Zurich" | "HST" | "Indian/Antananarivo" | "Indian/Chagos" | "Indian/Christmas" | "Indian/Cocos" | "Indian/Comoro" | "Indian/Kerguelen" | "Indian/Mahe" | "Indian/Maldives" | "Indian/Mauritius" | "Indian/Mayotte" | "Indian/Reunion" | "MET" | "MST" | "MST7MDT" | "PST8PDT" | "Pacific/Apia" | "Pacific/Auckland" | "Pacific/Bougainville" | "Pacific/Chatham" | "Pacific/Chuuk" | "Pacific/Easter" | "Pacific/Efate" | "Pacific/Enderbury" | "Pacific/Fakaofo" | "Pacific/Fiji" | "Pacific/Funafuti" | "Pacific/Galapagos" | "Pacific/Gambier" | "Pacific/Guadalcanal" | "Pacific/Guam" | "Pacific/Honolulu" | "Pacific/Johnston" | "Pacific/Kanton" | "Pacific/Kiritimati" | "Pacific/Kosrae" | "Pacific/Kwajalein" | "Pacific/Majuro" | "Pacific/Marquesas" | "Pacific/Midway" | "Pacific/Nauru" | "Pacific/Niue" | "Pacific/Norfolk" | "Pacific/Noumea" | "Pacific/Pago_Pago" | "Pacific/Palau" | "Pacific/Pitcairn" | "Pacific/Pohnpei" | "Pacific/Port_Moresby" | "Pacific/Rarotonga" | "Pacific/Saipan" | "Pacific/Tahiti" | "Pacific/Tarawa" | "Pacific/Tongatapu" | "Pacific/Wake" | "Pacific/Wallis" | "UTC" | "WET";
+    } & {
+        year: number;
+        month: import("date-vir").MonthNumber;
+        day: import("date-vir").DayOfMonth;
+        timezone: "Africa/Abidjan" | "Africa/Accra" | "Africa/Addis_Ababa" | "Africa/Algiers" | "Africa/Asmara" | "Africa/Bamako" | "Africa/Bangui" | "Africa/Banjul" | "Africa/Bissau" | "Africa/Blantyre" | "Africa/Brazzaville" | "Africa/Bujumbura" | "Africa/Cairo" | "Africa/Casablanca" | "Africa/Ceuta" | "Africa/Conakry" | "Africa/Dakar" | "Africa/Dar_es_Salaam" | "Africa/Djibouti" | "Africa/Douala" | "Africa/El_Aaiun" | "Africa/Freetown" | "Africa/Gaborone" | "Africa/Harare" | "Africa/Johannesburg" | "Africa/Juba" | "Africa/Kampala" | "Africa/Khartoum" | "Africa/Kigali" | "Africa/Kinshasa" | "Africa/Lagos" | "Africa/Libreville" | "Africa/Lome" | "Africa/Luanda" | "Africa/Lubumbashi" | "Africa/Lusaka" | "Africa/Malabo" | "Africa/Maputo" | "Africa/Maseru" | "Africa/Mbabane" | "Africa/Mogadishu" | "Africa/Monrovia" | "Africa/Nairobi" | "Africa/Ndjamena" | "Africa/Niamey" | "Africa/Nouakchott" | "Africa/Ouagadougou" | "Africa/Porto-Novo" | "Africa/Sao_Tome" | "Africa/Timbuktu" | "Africa/Tripoli" | "Africa/Tunis" | "Africa/Windhoek" | "America/Adak" | "America/Anchorage" | "America/Anguilla" | "America/Antigua" | "America/Araguaina" | "America/Argentina/Buenos_Aires" | "America/Argentina/Catamarca" | "America/Argentina/ComodRivadavia" | "America/Argentina/Cordoba" | "America/Argentina/Jujuy" | "America/Argentina/La_Rioja" | "America/Argentina/Mendoza" | "America/Argentina/Rio_Gallegos" | "America/Argentina/Salta" | "America/Argentina/San_Juan" | "America/Argentina/San_Luis" | "America/Argentina/Tucuman" | "America/Argentina/Ushuaia" | "America/Aruba" | "America/Asuncion" | "America/Atikokan" | "America/Bahia" | "America/Bahia_Banderas" | "America/Barbados" | "America/Belem" | "America/Belize" | "America/Blanc-Sablon" | "America/Boa_Vista" | "America/Bogota" | "America/Boise" | "America/Cambridge_Bay" | "America/Campo_Grande" | "America/Cancun" | "America/Caracas" | "America/Cayenne" | "America/Cayman" | "America/Chicago" | "America/Chihuahua" | "America/Coral_Harbour" | "America/Costa_Rica" | "America/Creston" | "America/Cuiaba" | "America/Curacao" | "America/Danmarkshavn" | "America/Dawson" | "America/Dawson_Creek" | "America/Denver" | "America/Detroit" | "America/Dominica" | "America/Edmonton" | "America/Eirunepe" | "America/El_Salvador" | "America/Ensenada" | "America/Fort_Nelson" | "America/Fortaleza" | "America/Glace_Bay" | "America/Goose_Bay" | "America/Grand_Turk" | "America/Grenada" | "America/Guadeloupe" | "America/Guatemala" | "America/Guayaquil" | "America/Guyana" | "America/Halifax" | "America/Havana" | "America/Hermosillo" | "America/Indiana/Indianapolis" | "America/Indiana/Knox" | "America/Indiana/Marengo" | "America/Indiana/Petersburg" | "America/Indiana/Tell_City" | "America/Indiana/Vevay" | "America/Indiana/Vincennes" | "America/Indiana/Winamac" | "America/Inuvik" | "America/Iqaluit" | "America/Jamaica" | "America/Juneau" | "America/Kentucky/Louisville" | "America/Kentucky/Monticello" | "America/La_Paz" | "America/Lima" | "America/Los_Angeles" | "America/Maceio" | "America/Managua" | "America/Manaus" | "America/Martinique" | "America/Matamoros" | "America/Mazatlan" | "America/Menominee" | "America/Merida" | "America/Metlakatla" | "America/Mexico_City" | "America/Miquelon" | "America/Moncton" | "America/Monterrey" | "America/Montevideo" | "America/Montreal" | "America/Montserrat" | "America/Nassau" | "America/New_York" | "America/Nipigon" | "America/Nome" | "America/Noronha" | "America/North_Dakota/Beulah" | "America/North_Dakota/Center" | "America/North_Dakota/New_Salem" | "America/Nuuk" | "America/Ojinaga" | "America/Panama" | "America/Pangnirtung" | "America/Paramaribo" | "America/Phoenix" | "America/Port-au-Prince" | "America/Port_of_Spain" | "America/Porto_Velho" | "America/Puerto_Rico" | "America/Punta_Arenas" | "America/Rainy_River" | "America/Rankin_Inlet" | "America/Recife" | "America/Regina" | "America/Resolute" | "America/Rio_Branco" | "America/Rosario" | "America/Santarem" | "America/Santiago" | "America/Santo_Domingo" | "America/Sao_Paulo" | "America/Scoresbysund" | "America/Sitka" | "America/St_Johns" | "America/St_Kitts" | "America/St_Lucia" | "America/St_Thomas" | "America/St_Vincent" | "America/Swift_Current" | "America/Tegucigalpa" | "America/Thule" | "America/Thunder_Bay" | "America/Tijuana" | "America/Toronto" | "America/Tortola" | "America/Vancouver" | "America/Whitehorse" | "America/Winnipeg" | "America/Yakutat" | "America/Yellowknife" | "Antarctica/Casey" | "Antarctica/Davis" | "Antarctica/DumontDUrville" | "Antarctica/Macquarie" | "Antarctica/Mawson" | "Antarctica/McMurdo" | "Antarctica/Palmer" | "Antarctica/Rothera" | "Antarctica/Syowa" | "Antarctica/Troll" | "Antarctica/Vostok" | "Asia/Aden" | "Asia/Almaty" | "Asia/Amman" | "Asia/Anadyr" | "Asia/Aqtau" | "Asia/Aqtobe" | "Asia/Ashgabat" | "Asia/Atyrau" | "Asia/Baghdad" | "Asia/Bahrain" | "Asia/Baku" | "Asia/Bangkok" | "Asia/Barnaul" | "Asia/Beirut" | "Asia/Bishkek" | "Asia/Brunei" | "Asia/Chita" | "Asia/Choibalsan" | "Asia/Chongqing" | "Asia/Colombo" | "Asia/Damascus" | "Asia/Dhaka" | "Asia/Dili" | "Asia/Dubai" | "Asia/Dushanbe" | "Asia/Famagusta" | "Asia/Gaza" | "Asia/Harbin" | "Asia/Hebron" | "Asia/Ho_Chi_Minh" | "Asia/Hong_Kong" | "Asia/Hovd" | "Asia/Irkutsk" | "Asia/Jakarta" | "Asia/Jayapura" | "Asia/Jerusalem" | "Asia/Kabul" | "Asia/Kamchatka" | "Asia/Karachi" | "Asia/Kashgar" | "Asia/Kathmandu" | "Asia/Khandyga" | "Asia/Kolkata" | "Asia/Krasnoyarsk" | "Asia/Kuala_Lumpur" | "Asia/Kuching" | "Asia/Kuwait" | "Asia/Macau" | "Asia/Magadan" | "Asia/Makassar" | "Asia/Manila" | "Asia/Muscat" | "Asia/Nicosia" | "Asia/Novokuznetsk" | "Asia/Novosibirsk" | "Asia/Omsk" | "Asia/Oral" | "Asia/Phnom_Penh" | "Asia/Pontianak" | "Asia/Pyongyang" | "Asia/Qatar" | "Asia/Qostanay" | "Asia/Qyzylorda" | "Asia/Riyadh" | "Asia/Sakhalin" | "Asia/Samarkand" | "Asia/Seoul" | "Asia/Shanghai" | "Asia/Singapore" | "Asia/Srednekolymsk" | "Asia/Taipei" | "Asia/Tashkent" | "Asia/Tbilisi" | "Asia/Tehran" | "Asia/Tel_Aviv" | "Asia/Thimphu" | "Asia/Tokyo" | "Asia/Tomsk" | "Asia/Ulaanbaatar" | "Asia/Urumqi" | "Asia/Ust-Nera" | "Asia/Vientiane" | "Asia/Vladivostok" | "Asia/Yakutsk" | "Asia/Yangon" | "Asia/Yekaterinburg" | "Asia/Yerevan" | "Atlantic/Azores" | "Atlantic/Bermuda" | "Atlantic/Canary" | "Atlantic/Cape_Verde" | "Atlantic/Faroe" | "Atlantic/Jan_Mayen" | "Atlantic/Madeira" | "Atlantic/Reykjavik" | "Atlantic/South_Georgia" | "Atlantic/St_Helena" | "Atlantic/Stanley" | "Australia/Adelaide" | "Australia/Brisbane" | "Australia/Broken_Hill" | "Australia/Currie" | "Australia/Darwin" | "Australia/Eucla" | "Australia/Hobart" | "Australia/Lindeman" | "Australia/Lord_Howe" | "Australia/Melbourne" | "Australia/Perth" | "Australia/Sydney" | "CET" | "CST6CDT" | "EET" | "EST" | "EST5EDT" | "Etc/GMT+1" | "Etc/GMT+10" | "Etc/GMT+11" | "Etc/GMT+12" | "Etc/GMT+2" | "Etc/GMT+3" | "Etc/GMT+4" | "Etc/GMT+5" | "Etc/GMT+6" | "Etc/GMT+7" | "Etc/GMT+8" | "Etc/GMT+9" | "Etc/GMT-1" | "Etc/GMT-10" | "Etc/GMT-11" | "Etc/GMT-12" | "Etc/GMT-13" | "Etc/GMT-14" | "Etc/GMT-2" | "Etc/GMT-3" | "Etc/GMT-4" | "Etc/GMT-5" | "Etc/GMT-6" | "Etc/GMT-7" | "Etc/GMT-8" | "Etc/GMT-9" | "Europe/Amsterdam" | "Europe/Andorra" | "Europe/Astrakhan" | "Europe/Athens" | "Europe/Belfast" | "Europe/Belgrade" | "Europe/Berlin" | "Europe/Brussels" | "Europe/Bucharest" | "Europe/Budapest" | "Europe/Chisinau" | "Europe/Copenhagen" | "Europe/Dublin" | "Europe/Gibraltar" | "Europe/Guernsey" | "Europe/Helsinki" | "Europe/Isle_of_Man" | "Europe/Istanbul" | "Europe/Jersey" | "Europe/Kaliningrad" | "Europe/Kirov" | "Europe/Kyiv" | "Europe/Lisbon" | "Europe/Ljubljana" | "Europe/London" | "Europe/Luxembourg" | "Europe/Madrid" | "Europe/Malta" | "Europe/Minsk" | "Europe/Monaco" | "Europe/Moscow" | "Europe/Oslo" | "Europe/Paris" | "Europe/Prague" | "Europe/Riga" | "Europe/Rome" | "Europe/Samara" | "Europe/Sarajevo" | "Europe/Saratov" | "Europe/Simferopol" | "Europe/Skopje" | "Europe/Sofia" | "Europe/Stockholm" | "Europe/Tallinn" | "Europe/Tirane" | "Europe/Tiraspol" | "Europe/Ulyanovsk" | "Europe/Uzhgorod" | "Europe/Vaduz" | "Europe/Vienna" | "Europe/Vilnius" | "Europe/Volgograd" | "Europe/Warsaw" | "Europe/Zagreb" | "Europe/Zaporozhye" | "Europe/Zurich" | "HST" | "Indian/Antananarivo" | "Indian/Chagos" | "Indian/Christmas" | "Indian/Cocos" | "Indian/Comoro" | "Indian/Kerguelen" | "Indian/Mahe" | "Indian/Maldives" | "Indian/Mauritius" | "Indian/Mayotte" | "Indian/Reunion" | "MET" | "MST" | "MST7MDT" | "PST8PDT" | "Pacific/Apia" | "Pacific/Auckland" | "Pacific/Bougainville" | "Pacific/Chatham" | "Pacific/Chuuk" | "Pacific/Easter" | "Pacific/Efate" | "Pacific/Enderbury" | "Pacific/Fakaofo" | "Pacific/Fiji" | "Pacific/Funafuti" | "Pacific/Galapagos" | "Pacific/Gambier" | "Pacific/Guadalcanal" | "Pacific/Guam" | "Pacific/Honolulu" | "Pacific/Johnston" | "Pacific/Kanton" | "Pacific/Kiritimati" | "Pacific/Kosrae" | "Pacific/Kwajalein" | "Pacific/Majuro" | "Pacific/Marquesas" | "Pacific/Midway" | "Pacific/Nauru" | "Pacific/Niue" | "Pacific/Norfolk" | "Pacific/Noumea" | "Pacific/Pago_Pago" | "Pacific/Palau" | "Pacific/Pitcairn" | "Pacific/Pohnpei" | "Pacific/Port_Moresby" | "Pacific/Rarotonga" | "Pacific/Saipan" | "Pacific/Tahiti" | "Pacific/Tarawa" | "Pacific/Tongatapu" | "Pacific/Wake" | "Pacific/Wallis" | "UTC" | "WET";
+    }>>>;
+}>;
+/**
+ * A cryptographically CSRF token with expiration date.
+ *
+ * @category Internal
+ */
+export type CsrfToken = typeof csrfTokenShape.runtimeType;
 /**
  * Generates a random, cryptographically secure CSRF token.
  *
  * @category Internal
  */
-export declare function generateCsrfToken(): string;
+export declare function generateCsrfToken(
+/** How long the CSRF token is valid for. */
+duration: Readonly<AnyDuration>): CsrfToken;
+/**
+ * CSRF token failure reasons for {@link GetCsrfTokenResult}.
+ *
+ * @category Internal
+ */
+export declare enum CsrfTokenFailureReason {
+    /** No CSRF token was found. */
+    DoesNotExist = "does-not-exist",
+    /** A CSRF token was found but parsing it failed. */
+    ParseFailed = "parse-failed",
+    /** A CSRF token was found and parsed but is expired. */
+    Expired = "expired"
+}
+/**
+ * Output from {@link getCurrentCsrfToken}.
+ *
+ * @category Internal
+ */
+export type GetCsrfTokenResult = RequireExactlyOne<{
+    csrfToken: Readonly<CsrfToken>;
+    failure: CsrfTokenFailureReason;
+}>;
+/**
+ * Extract the CSRF token header from a response.
+ *
+ * @category Auth : Client
+ */
+export declare function extractCsrfTokenHeader(response: Readonly<SelectFrom<Response, {
+    headers: true;
+}>>, overrides?: PartialWithUndefined<{
+    csrfHeaderName: string;
+}>): Readonly<GetCsrfTokenResult>;
+/**
+ * Stores the given CSRF token into local storage.
+ *
+ * @category Auth : Client
+ */
+export declare function storeCsrfToken(csrfToken: Readonly<CsrfToken>, overrides?: PartialWithUndefined<{
+    /**
+     * Allows mocking or overriding the global `localStorage`.
+     *
+     * @default globalThis.localStorage
+     */
+    localStorage: Pick<Storage, 'setItem' | 'removeItem'>;
+    /** Override the default CSRF token header name. */
+    csrfHeaderName: string;
+}>): void;
+/**
+ * Parse a raw CSRF token JSON string.
+ *
+ * @category Internal
+ */
+export declare function parseCsrfToken(value: string | undefined | null): Readonly<GetCsrfTokenResult>;
+/**
+ * Used in client (frontend) code to retrieve the current CSRF token in order to send it with
+ * requests to the host (backend).
+ *
+ * @category Auth : Client
+ */
+export declare function getCurrentCsrfToken(overrides?: PartialWithUndefined<{
+    /**
+     * Allows mocking or overriding the global `localStorage`.
+     *
+     * @default globalThis.localStorage
+     */
+    localStorage: Pick<Storage, 'getItem'>;
+    /** Override the default CSRF token header name. */
+    csrfHeaderName: string;
+}>): Readonly<GetCsrfTokenResult>;
+/**
+ * Wipes the current stored CSRF token. This should be used by client (frontend) code to logout a
+ * user or react to a session timeout.
+ *
+ * @category Auth : Client
+ */
+export declare function wipeCurrentCsrfToken(overrides?: PartialWithUndefined<{
+    /**
+     * Allows mocking or overriding the global `localStorage`.
+     *
+     * @default globalThis.localStorage
+     */
+    localStorage: Pick<Storage, 'removeItem'>;
+    /** Override the default CSRF token header name. */
+    csrfHeaderName: string;
+}>): void;