biblical-guide.com/app/api/admin/users/[id]/route.ts

import { NextResponse } from 'next/server';
import { prisma } from '@/lib/db';
import { getCurrentAdmin, AdminPermission, hasPermission } from '@/lib/admin-auth';

export const runtime = 'nodejs';

export async function GET(
  request: Request,
  { params }: { params: Promise<{ id: string }> }
) {
  try {
    const admin = await getCurrentAdmin();
    if (!admin || !hasPermission(admin, AdminPermission.VIEW_USERS)) {
      return NextResponse.json(
        { error: 'Unauthorized' },
        { status: 401 }
      );
    }

    const { id } = await params;

    const user = await prisma.user.findUnique({
      where: { id },
      include: {
        chatConversations: {
          select: {
            id: true,
            title: true,
            createdAt: true,
            _count: {
              select: { messages: true }
            }
          },
          orderBy: { createdAt: 'desc' },
          take: 10
        },
        prayerRequests: {
          select: {
            id: true,
            title: true,
            category: true,
            createdAt: true,
            prayerCount: true
          },
          orderBy: { createdAt: 'desc' },
          take: 10
        },
        bookmarks: {
          select: {
            id: true,
            createdAt: true,
            verse: {
              select: {
                verseNum: true,
                chapter: {
                  select: {
                    chapterNum: true,
                    book: {
                      select: {
                        name: true
                      }
                    }
                  }
                }
              }
            }
          },
          take: 10
        },
        _count: {
          select: {
            chatConversations: true,
            prayerRequests: true,
            bookmarks: true,
            notes: true
          }
        }
      }
    });

    if (!user) {
      return NextResponse.json(
        { error: 'User not found' },
        { status: 404 }
      );
    }

    return NextResponse.json({ user });

  } catch (error) {
    console.error('Admin user detail error:', error);
    return NextResponse.json(
      { error: 'Server error' },
      { status: 500 }
    );
  }
}

export async function PUT(
  request: Request,
  { params }: { params: Promise<{ id: string }> }
) {
  try {
    const admin = await getCurrentAdmin();
    if (!admin || !hasPermission(admin, AdminPermission.MANAGE_USERS)) {
      return NextResponse.json(
        { error: 'Unauthorized' },
        { status: 401 }
      );
    }

    const { id } = await params;
    const body = await request.json();
    const { action, reason } = body;

    let updateData: any = {};

    switch (action) {
      case 'suspend':
        updateData = { role: 'suspended' };
        break;
      case 'activate':
        updateData = { role: 'user' };
        break;
      case 'make_admin':
        updateData = { role: 'admin' };
        break;
      case 'make_moderator':
        updateData = { role: 'moderator' };
        break;
      default:
        return NextResponse.json(
          { error: 'Invalid action' },
          { status: 400 }
        );
    }

    const user = await prisma.user.update({
      where: { id },
      data: updateData,
      select: {
        id: true,
        email: true,
        name: true,
        role: true
      }
    });

    // TODO: Add audit log entry here in the future
    console.log(`Admin ${admin.email} performed action '${action}' on user ${user.email}${reason ? ` with reason: ${reason}` : ''}`);

    return NextResponse.json({ user });

  } catch (error) {
    console.error('Admin user update error:', error);
    return NextResponse.json(
      { error: 'Server error' },
      { status: 500 }
    );
  }
}

export async function DELETE(
  request: Request,
  { params }: { params: Promise<{ id: string }> }
) {
  try {
    const admin = await getCurrentAdmin();
    if (!admin || !hasPermission(admin, AdminPermission.MANAGE_USERS)) {
      return NextResponse.json(
        { error: 'Unauthorized' },
        { status: 401 }
      );
    }

    const { id } = await params;

    // Prevent admin from deleting themselves
    if (id === admin.id) {
      return NextResponse.json(
        { error: 'Cannot delete your own account' },
        { status: 400 }
      );
    }

    const user = await prisma.user.findUnique({
      where: { id },
      select: { email: true, role: true }
    });

    if (!user) {
      return NextResponse.json(
        { error: 'User not found' },
        { status: 404 }
      );
    }

    // Delete user and all related data (CASCADE)
    await prisma.user.delete({
      where: { id }
    });

    console.log(`Admin ${admin.email} deleted user ${user.email}`);

    return NextResponse.json({ success: true });

  } catch (error) {
    console.error('Admin user delete error:', error);
    return NextResponse.json(
      { error: 'Server error' },
      { status: 500 }
    );
  }
}