import { NextRequest, NextResponse } from 'next/server'
import bcrypt from 'bcryptjs'
import pool from '@/lib/db'
import { getSessionFromRequest } from '@/lib/session'

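/**
 * PUT /…/[id] — full update of a portal user (name, email, role, MFA flag,
 * status and optionally the password).
 *
 * Authorization: the caller must be authenticated and hold `admin_global` or
 * `tenant_admin` (the same rule DELETE applies below). A `tenant_admin` may
 * only edit users of its own tenant and may not assign the `admin_global` role.
 *
 * @param req - request whose JSON body carries name, email, role, mfa_enabled,
 *   status and an optional password.
 * @param params - route params; `id` is the target user id.
 * @returns the updated row (never password_hash), or a JSON error with status
 *   400 (invalid body), 401, 403, 404 (unknown id) or 409 (e-mail already used).
 */
export async function PUT(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
  const sessionUser = await getSessionFromRequest(req)
  if (!sessionUser) return NextResponse.json({ error: 'Não autorizado' }, { status: 401 })

  // Only administrators may edit users. Without this check any authenticated
  // user of the tenant could rewrite another user's role or password.
  if (!['admin_global', 'tenant_admin'].includes(sessionUser.role)) {
    return NextResponse.json({ error: 'Acesso negado' }, { status: 403 })
  }

  const { id } = await params
  const isGlobalAdmin = sessionUser.role === 'admin_global'

  // Resolve the target first: an unknown id gets a 404 instead of a silent
  // no-op UPDATE followed by a `null` body.
  const [target] = await pool.execute<any[]>('SELECT tenant_id FROM portal_users WHERE id = ?', [id])
  if (target.length === 0) {
    return NextResponse.json({ error: 'Usuário não encontrado' }, { status: 404 })
  }
  const targetTenantId = target[0]?.tenant_id

  // A tenant_admin may only edit users of its own tenant. The session object
  // has been seen with both `tenant_id` and `tenantId`, hence the `any` reads.
  // Compare as strings (numeric column vs. string claim), and treat a missing
  // tenant on either side as a mismatch — never as a wildcard.
  if (!isGlobalAdmin) {
    const sessionTenantId = (sessionUser as any).tenant_id ?? (sessionUser as any).tenantId
    if (targetTenantId == null || sessionTenantId == null || String(targetTenantId) !== String(sessionTenantId)) {
      return NextResponse.json({ error: 'Acesso negado' }, { status: 403 })
    }
  }

  let body: unknown
  try {
    body = await req.json()
  } catch {
    return NextResponse.json({ error: 'Corpo da requisição inválido' }, { status: 400 })
  }
  if (typeof body !== 'object' || body === null) {
    return NextResponse.json({ error: 'Corpo da requisição inválido' }, { status: 400 })
  }
  const { name, email, role, mfa_enabled, status, password } = body as Record<string, unknown>

  // The three identity columns are written unconditionally below, so they must
  // be present; undefined bind values would otherwise surface as a 500.
  if (
    typeof name !== 'string' || name.trim() === '' ||
    typeof email !== 'string' || email.trim() === '' ||
    typeof role !== 'string' || role.trim() === ''
  ) {
    return NextResponse.json({ error: 'name, email e role são obrigatórios' }, { status: 400 })
  }
  if (status != null && typeof status !== 'string') {
    return NextResponse.json({ error: 'status inválido' }, { status: 400 })
  }
  if (password != null && password !== '' && typeof password !== 'string') {
    return NextResponse.json({ error: 'password inválido' }, { status: 400 })
  }

  // A tenant_admin must not promote anyone (itself included) to admin_global.
  // NOTE(review): the full set of valid roles is not visible in this file;
  // add an allow-list for `role` once it is known.
  if (!isGlobalAdmin && role === 'admin_global') {
    return NextResponse.json({ error: 'Acesso negado' }, { status: 403 })
  }

  // Reject an e-mail already used by a different user.
  const [dup] = await pool.execute<any[]>('SELECT id FROM portal_users WHERE email = ? AND id != ? LIMIT 1', [email, id])
  if (dup.length > 0) {
    return NextResponse.json({ error: 'Este e-mail já está em uso por outro usuário' }, { status: 409 })
  }

  const mfaFlag = mfa_enabled ? 1 : 0
  const nextStatus = status ?? 'active'
  const newPassword = typeof password === 'string' && password.length > 0 ? password : null

  if (newPassword !== null) {
    const hash = await bcrypt.hash(newPassword, 12)
    await pool.execute(
      'UPDATE portal_users SET name=?, email=?, role=?, mfa_enabled=?, status=?, password_hash=? WHERE id=?',
      [name, email, role, mfaFlag, nextStatus, hash, id],
    )
  } else {
    await pool.execute(
      'UPDATE portal_users SET name=?, email=?, role=?, mfa_enabled=?, status=? WHERE id=?',
      [name, email, role, mfaFlag, nextStatus, id],
    )
  }

  // Return the persisted row; password_hash is deliberately not selected.
  const [rows] = await pool.execute<any[]>(
    'SELECT id, name, email, role, tenant_id, status, mfa_enabled, created_at FROM portal_users WHERE id = ?',
    [id],
  )
  return NextResponse.json(rows[0])
}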

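/**
 * PATCH /…/[id] — change only the `status` of a portal user.
 *
 * Authorization: the caller must be authenticated and hold `admin_global` or
 * `tenant_admin` (same rule as DELETE). A `tenant_admin` is confined to users
 * of its own tenant.
 *
 * @param req - request whose JSON body carries `status`.
 * @param params - route params; `id` is the target user id.
 * @returns the updated row, or a JSON error with status 400 (missing or
 *   non-string status), 401, 403 or 404 (unknown id).
 */
export async function PATCH(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
  const sessionUser = await getSessionFromRequest(req)
  if (!sessionUser) return NextResponse.json({ error: 'Não autorizado' }, { status: 401 })

  // Status changes are an administrative action; keep the same role gate as
  // DELETE so a plain user cannot re-activate or suspend other accounts.
  if (!['admin_global', 'tenant_admin'].includes(sessionUser.role)) {
    return NextResponse.json({ error: 'Acesso negado' }, { status: 403 })
  }

  const { id } = await params

  // Look the target up unconditionally so an unknown id is a 404 rather than
  // a no-op UPDATE and a `null` body.
  const [target] = await pool.execute<any[]>('SELECT tenant_id FROM portal_users WHERE id = ?', [id])
  if (target.length === 0) {
    return NextResponse.json({ error: 'Usuário não encontrado' }, { status: 404 })
  }

  // Tenant confinement. The session has been seen with both `tenant_id` and
  // `tenantId`. A missing tenant on either side must fail closed: comparing
  // String(undefined) with String(undefined) would otherwise pass.
  if (sessionUser.role !== 'admin_global') {
    const targetTenantId = target[0]?.tenant_id
    const sessionTenantId = (sessionUser as any).tenant_id ?? (sessionUser as any).tenantId
    if (targetTenantId == null || sessionTenantId == null || String(targetTenantId) !== String(sessionTenantId)) {
      return NextResponse.json({ error: 'Acesso negado' }, { status: 403 })
    }
  }

  let body: unknown
  try {
    body = await req.json()
  } catch {
    return NextResponse.json({ error: 'Corpo da requisição inválido' }, { status: 400 })
  }
  const status = typeof body === 'object' && body !== null ? (body as Record<string, unknown>).status : undefined
  // NOTE(review): only 'active' and 'inactive' are visible in this file;
  // replace this shape check with an allow-list once the full set is known.
  if (typeof status !== 'string' || status.trim() === '') {
    return NextResponse.json({ error: 'status obrigatório' }, { status: 400 })
  }

  await pool.execute('UPDATE portal_users SET status=? WHERE id=?', [status, id])
  const [rows] = await pool.execute<any[]>(
    'SELECT id, name, email, role, tenant_id, status, mfa_enabled, created_at FROM portal_users WHERE id = ?',
    [id],
  )
  return NextResponse.json(rows[0])
}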

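/**
 * DELETE /…/[id] — soft-delete a portal user by setting its status to
 * 'inactive'. The row is kept.
 *
 * Authorization: the caller must be authenticated and hold `admin_global` or
 * `tenant_admin`; a `tenant_admin` may only deactivate users of its own tenant.
 *
 * @param req - incoming request (no body is read).
 * @param params - route params; `id` is the target user id.
 * @returns `{ ok: true }`, or a JSON error with status 401, 403 or 404.
 */
export async function DELETE(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
  const sessionUser = await getSessionFromRequest(req)
  if (!sessionUser) return NextResponse.json({ error: 'Não autorizado' }, { status: 401 })
  if (!['admin_global', 'tenant_admin'].includes(sessionUser.role)) {
    return NextResponse.json({ error: 'Acesso negado' }, { status: 403 })
  }

  const { id } = await params

  // Unconditional lookup: an unknown id is a 404 instead of a no-op UPDATE
  // that still reports `ok: true`.
  const [target] = await pool.execute<any[]>('SELECT tenant_id FROM portal_users WHERE id = ?', [id])
  if (target.length === 0) {
    return NextResponse.json({ error: 'Usuário não encontrado' }, { status: 404 })
  }

  // Tenant confinement. The session has been seen with both `tenant_id` and
  // `tenantId`. Fail closed when either side has no tenant — a plain string
  // comparison would accept "undefined" === "undefined".
  if (sessionUser.role !== 'admin_global') {
    const targetTenantId = target[0]?.tenant_id
    const sessionTenantId = (sessionUser as any).tenant_id ?? (sessionUser as any).tenantId
    if (targetTenantId == null || sessionTenantId == null || String(targetTenantId) !== String(sessionTenantId)) {
      return NextResponse.json({ error: 'Acesso negado' }, { status: 403 })
    }
  }

  await pool.execute("UPDATE portal_users SET status = 'inactive' WHERE id = ?", [id])
  return NextResponse.json({ ok: true })
}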
