import { NextResponse } from 'next/server';
import { prisma } from '../../../../../lib/prisma';
import { requireAuth } from '../../../../../lib/jwt';
import { Role, UserStatus } from '@prisma/client';

export async function POST(req: Request) {
  try {
    const auth = await requireAuth(req);
    if (auth.role !== Role.ADMIN) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 });
    }

    const body = await req.json();
    const userId = String(body.userId ?? '');
    const reason = body.reason ? String(body.reason).slice(0, 500) : null;

    if (!userId) {
      return NextResponse.json({ error: 'userId is required' }, { status: 400 });
    }

    if (userId === auth.userId) {
      return NextResponse.json({ error: 'Cannot remove your own account' }, { status: 400 });
    }

    const updated = await prisma.user.update({
      where: { id: userId },
      data: {
        status: UserStatus.REMOVED,
        removedAt: new Date(),
        removedById: auth.userId,
        removedReason: reason,
      },
      select: { id: true, role: true, status: true, removedAt: true, removedReason: true },
    });

    return NextResponse.json({ ok: true, user: updated });
  } catch (error) {
    console.error('Admin remove user error', error);
    return NextResponse.json({ error: 'Remove failed' }, { status: 500 });
  }
}
export const dynamic = 'force-dynamic';