import { NextRequest, NextResponse } from "next/server";
import { verifySessionToken, SESSION_COOKIE } from "@/lib/session";
import { readUsers, upsertUser, removeUser, publicUser, isBootstrapAdmin } from "@/lib/users";

// Next.js route-segment config: opt this handler out of static rendering /
// response caching so the session cookie is re-checked on every request.
export const dynamic = "force-dynamic";

/**
 * Authorisation gate shared by every handler in this route.
 *
 * Reads the session cookie, verifies it via `verifySessionToken`, and reports
 * whether the resulting session carries a truthy `admin` flag. A missing or
 * invalid cookie yields `false` (the caller then answers 403 rather than 401,
 * so unauthenticated and non-admin callers are indistinguishable from outside).
 *
 * @param req - incoming request; only its cookies are inspected
 * @returns `true` only for a verified session with a truthy `admin` field
 */
async function isAdmin(req: NextRequest): Promise<boolean> {
  const rawToken = req.cookies.get(SESSION_COOKIE)?.value;
  const session = await verifySessionToken(rawToken);
  if (!session) return false;
  return Boolean(session.admin);
}

/**
 * List all users (admin only).
 *
 * Every record is passed through `publicUser` before it leaves the server, so
 * whatever that helper strips (presumably credentials) never reaches the
 * client. Non-admin callers get a 403.
 */
export async function GET(req: NextRequest) {
  const allowed = await isAdmin(req);
  if (!allowed) {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }
  const allUsers = await readUsers();
  const sanitised = allUsers.map(publicUser);
  return NextResponse.json({ users: sanitised });
}

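/**
 * Create or update a user (admin only).
 *
 * Expects a JSON *object* body with `email` plus optional `name`, `allowedApps`
 * (string[]), `admin` (boolean) and `password`. Fields of the wrong type are
 * treated as absent, except `allowedApps`, whose entries must all be strings.
 * Validation of the e-mail itself, any password policy and persistence are
 * delegated to `upsertUser`; an `{ error }` result from it is surfaced as 422.
 *
 * Responses: 403 when the caller is not an admin, 400 on an unparsable or
 * non-object body or on a malformed `allowedApps`, 422 when `upsertUser`
 * rejects the payload, otherwise `{ users }` with the full sanitised list.
 *
 * NOTE(review): DELETE below refuses to remove the bootstrap admin, but this
 * handler has no equivalent guard against `admin: false` for the bootstrap
 * admin or for the caller's own account — whether `upsertUser` enforces that
 * is not visible here; confirm. Also, authorisation is cookie-only, so the
 * route's CSRF posture rests on the cookie's SameSite attribute — verify how
 * `SESSION_COOKIE` is set.
 */
export async function POST(req: NextRequest) {
  if (!(await isAdmin(req))) return NextResponse.json({ error: "Forbidden" }, { status: 403 });

  let raw: unknown;
  try {
    raw = await req.json();
  } catch {
    return NextResponse.json({ error: "Invalid JSON body." }, { status: 400 });
  }
  // `req.json()` happily yields `null`, numbers, strings or arrays; reading
  // properties off `null` would throw and turn into an unhandled 500, so
  // insist on a plain object before touching any field.
  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
    return NextResponse.json({ error: "JSON body must be an object." }, { status: 400 });
  }
  const body = raw as Record<string, unknown>;

  // allowedApps is an allow-list of app identifiers. Coercing arbitrary
  // entries with String() would turn objects into "[object Object]" and
  // numbers into look-alike names, so require genuine strings and reject
  // anything else outright instead of silently rewriting it.
  let allowedApps: string[] | undefined;
  const rawApps = body.allowedApps;
  if (Array.isArray(rawApps)) {
    if (!rawApps.every((a): a is string => typeof a === "string")) {
      return NextResponse.json({ error: "allowedApps must be an array of strings." }, { status: 400 });
    }
    allowedApps = rawApps;
  }

  // Empty password means "leave it unchanged"; only a non-empty string is forwarded.
  const password =
    typeof body.password === "string" && body.password.length > 0 ? body.password : undefined;

  const r = await upsertUser(
    {
      // A non-string email is treated as missing rather than stringified;
      // upsertUser is expected to reject "" as invalid.
      email: typeof body.email === "string" ? body.email : "",
      name: typeof body.name === "string" ? body.name : undefined,
      allowedApps,
      admin: typeof body.admin === "boolean" ? body.admin : undefined,
    },
    password,
  );
  if ("error" in r) return NextResponse.json({ error: r.error }, { status: 422 });
  return NextResponse.json({ users: r.users.map(publicUser) });
}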

/**
 * Remove a user by e-mail (admin only).
 *
 * The target is taken from the `email` query parameter. The env-configured
 * bootstrap admin is never removable through this route (422); any other
 * e-mail is handed to `removeUser`, and the updated, sanitised user list is
 * returned. Whether `removeUser` distinguishes "unknown e-mail" from a
 * successful removal is not visible here — the response is the same either way.
 *
 * NOTE(review): nothing stops an admin from deleting their own account; if
 * sessions are not re-validated against the user store, the existing cookie
 * may keep working until it expires — confirm in `verifySessionToken`.
 */
export async function DELETE(req: NextRequest) {
  const allowed = await isAdmin(req);
  if (!allowed) {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }

  const email = req.nextUrl.searchParams.get("email") ?? "";
  if (email.length === 0) {
    return NextResponse.json({ error: "email query param required." }, { status: 400 });
  }
  if (isBootstrapAdmin(email)) {
    return NextResponse.json(
      { error: "The bootstrap admin can't be removed (it's env-configured)." },
      { status: 422 },
    );
  }

  const remaining = await removeUser(email);
  return NextResponse.json({ users: remaining.map(publicUser) });
}
