// Opt this route out of static prerendering so the handler runs on demand for each request.
export const prerender = false;

import type { APIRoute } from 'astro';
import { isAuthenticated, ADMIN_COOKIE } from '@admin/lib/admin-auth';

/** Runtime bindings this route reads: `DB` is the D1 database used for the admin auth check and the user/session queries. */
interface Env { DB: D1Database }

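/**
 * Admin endpoint: set a user's account status to `active` or `suspended`.
 *
 * Flow: authenticate the admin cookie, validate the route id and JSON body,
 * apply the status change, and return the refreshed user row. Suspending a
 * user also revokes every session of that user that is not already revoked.
 *
 * @returns 401 when the DB binding is missing or the admin cookie is not
 *   accepted, 400 for a missing id / unparseable body / unsupported status,
 *   404 when no user row has that id, otherwise 200 with `{ ok, user }`.
 */
export const PATCH: APIRoute = async ({ params, request, locals, cookies }) => {
  // Every response, including errors, is JSON and is labelled as such.
  const respond = (payload: unknown, status = 200): Response =>
    new Response(JSON.stringify(payload), {
      status,
      headers: { 'Content-Type': 'application/json' },
    });

  const runtime = locals.runtime as { env: Env } | undefined;
  const db = runtime?.env?.DB;
  // Fail closed: no database binding means the session cannot be verified.
  if (!db || !await isAuthenticated(cookies.get(ADMIN_COOKIE)?.value, db)) {
    return respond({ error: 'Unauthorized' }, 401);
  }

  const userId = params.id?.trim();
  if (!userId) {
    return respond({ error: 'User ID required' }, 400);
  }

  // A malformed body is a client error; without this guard request.json()
  // rejects and the route surfaces an unhandled exception instead of a 400.
  let payload: unknown;
  try {
    payload = await request.json();
  } catch {
    return respond({ error: 'Invalid JSON body' }, 400);
  }

  // The body may legally be `null`, an array or a scalar; only read `status`
  // from a real object so those cases are rejected instead of throwing.
  const status =
    typeof payload === 'object' && payload !== null
      ? (payload as { status?: unknown }).status
      : undefined;
  // Strict allowlist: nothing other than these two literals reaches the SQL.
  if (status !== 'active' && status !== 'suspended') {
    return respond({ error: 'Invalid status' }, 400);
  }

  const now = new Date().toISOString();
  const statements = [
    db.prepare('UPDATE cultroll_users SET status = ?, updated_at = ? WHERE id = ?').bind(status, now, userId),
  ];
  if (status === 'suspended') {
    statements.push(
      db.prepare('UPDATE cultroll_user_sessions SET revoked_at = ?, updated_at = ? WHERE user_id = ? AND revoked_at IS NULL')
        .bind(now, now, userId),
    );
  }
  // batch() runs the statements as one transaction, so a suspension can never
  // be recorded while the user's live sessions are left unrevoked.
  await db.batch(statements);

  const updated = await db.prepare(
    'SELECT id, email, display_name, google_sub, status, email_verified_at, created_at, updated_at, last_login_at FROM cultroll_users WHERE id = ? LIMIT 1'
  ).bind(userId).first();

  // The UPDATE matches zero rows for an unknown id; report that instead of
  // answering `ok: true` with a null user.
  if (!updated) {
    return respond({ error: 'User not found' }, 404);
  }

  // NOTE(review): this handler writes no audit record of which admin changed
  // the status; confirm that is captured elsewhere.
  return respond({ ok: true, user: updated });
};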
