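import { NextRequest, NextResponse } from 'next/server'
import { validateSession, hasPermission, hasServerPermission } from '@/lib/auth'
import connectToDatabase from '@/lib/mongodb'
import { Server, User } from '@/lib/models'
import { isValidObjectId } from '@/lib/input-validation'
import { createAuditLog, getClientIP } from '@/lib/audit'
import mongoose from 'mongoose'

/**
 * GET /api/servers/[id]/admins — List server admins.
 *
 * Authorisation: a valid session plus `servers:view`, evaluated by
 * `hasServerPermission` against this server's current admin list (so the
 * check is per-server, not global).
 *
 * @returns 200 `{ success, data }` where `data` holds `_id`, `username` and
 *   `email` of each admin; 401 without a session, 400 for a malformed id,
 *   404 if the server does not exist, 403 without permission, 500 on
 *   unexpected errors (details are logged server-side only).
 */
export async function GET(
  request: NextRequest,
  { params }: { params: Promise<{ id: string }> }
) {
  try {
    const session = await validateSession(request)
    if (!session) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }

    // Validate the route parameter before it reaches the database layer.
    const { id } = await params
    if (!isValidObjectId(id)) {
      return NextResponse.json({ error: 'Invalid server ID' }, { status: 400 })
    }

    await connectToDatabase()
    // NOTE(review): the 404 below is returned before the permission check, so
    // any authenticated caller can learn whether a server id exists. The
    // permission check needs `server.admins`, so the order cannot simply be
    // swapped — confirm this is acceptable.
    const server = await Server.findById(id)
    if (!server) {
      return NextResponse.json({ error: 'Server not found' }, { status: 404 })
    }

    // Per-server permission check against the server's own admin list.
    const adminIds = server.admins.map((a) => a.toString())
    if (!hasServerPermission(session, 'servers:view', adminIds)) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }

    // Explicit projection: only identifying fields of admin users are exposed.
    const adminUsers = await User.find(
      { _id: { $in: server.admins } },
      { _id: 1, username: 1, email: 1 }
    ).lean()

    return NextResponse.json({ success: true, data: adminUsers })
  } catch (error) {
    // Logged server-side; the client only receives a generic message.
    console.error('Fetch admins error:', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
}

/**
 * POST /api/servers/[id]/admins — Add a user as server admin.
 *
 * Authorisation: a valid session plus the global `servers:edit` permission.
 * Unlike GET, there is no `hasServerPermission` call here, so being an admin
 * of this server is not by itself sufficient to add further admins.
 *
 * Request body: a JSON object `{ "userId": "<ObjectId string>" }`. `userId`
 * must be a string: the duplicate-admin check below compares against
 * `ObjectId#toString()`, so a non-string value would silently bypass it.
 * A malformed body is answered with 400 rather than surfacing as a 500.
 *
 * @returns 201 `{ success, data }` with the added user's `_id`, `username`
 *   and `email`; 401/403 on auth failures, 400 for a malformed id or body,
 *   404 if the server or user is missing, 409 if the user is already an
 *   admin, 500 on unexpected errors.
 */
export async function POST(
  request: NextRequest,
  { params }: { params: Promise<{ id: string }> }
) {
  // Captured up front so it is available to the audit log call below.
  const clientIP = getClientIP(request)

  try {
    const session = await validateSession(request)
    if (!session) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }

    if (!hasPermission(session, 'servers:edit')) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }

    const { id } = await params
    if (!isValidObjectId(id)) {
      return NextResponse.json({ error: 'Invalid server ID' }, { status: 400 })
    }

    // Unparseable JSON or a non-object body (e.g. `null`) is a client error.
    let body: unknown
    try {
      body = await request.json()
    } catch {
      return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 })
    }
    if (typeof body !== 'object' || body === null) {
      return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 })
    }

    // Require a string so the `toString() === userId` comparison below is sound.
    const userId = 'userId' in body ? body.userId : undefined
    if (typeof userId !== 'string' || !isValidObjectId(userId)) {
      return NextResponse.json({ error: 'Invalid user ID' }, { status: 400 })
    }

    await connectToDatabase()
    const server = await Server.findById(id)
    if (!server) {
      return NextResponse.json({ error: 'Server not found' }, { status: 404 })
    }

    // Same projection as GET: only identifying fields are read and returned.
    const targetUser = await User.findById(userId, { _id: 1, username: 1, email: 1 }).lean()
    if (!targetUser) {
      return NextResponse.json({ error: 'User not found' }, { status: 404 })
    }

    const alreadyAdmin = server.admins.some((a) => a.toString() === userId)
    if (alreadyAdmin) {
      return NextResponse.json({ error: 'User is already an admin of this server' }, { status: 409 })
    }

    // NOTE(review): check-then-save is not atomic; two concurrent requests for
    // the same user could both pass the check above and append a duplicate.
    server.admins.push(new mongoose.Types.ObjectId(userId))
    await server.save()

    // Audit who granted admin rights to whom; written only on the success path.
    await createAuditLog({
      action: 'server_admin_added',
      entityType: 'server',
      entityName: server.name,
      userId: session._id,
      userName: session.username,
      userEmail: session.email,
      newValues: {
        serverId: server._id.toString(),
        addedUserId: userId,
        addedUserName: targetUser.username,
      },
      clientIP,
      status: 'success',
      statusCode: 201,
    })

    return NextResponse.json({ success: true, data: targetUser }, { status: 201 })
  } catch (error) {
    // Logged server-side; the client only receives a generic message.
    console.error('Add admin error:', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
}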