mc-manager/src/app/api/servers/[id]/admins/route.ts

import { NextRequest, NextResponse } from 'next/server'
import { validateSession, hasPermission, hasServerPermission } from '@/lib/auth'
import connectToDatabase from '@/lib/mongodb'
import { Server, User } from '@/lib/models'
import { isValidObjectId } from '@/lib/input-validation'
import { createAuditLog, getClientIP } from '@/lib/audit'
import mongoose from 'mongoose'

// GET /api/servers/[id]/admins — List server admins
export async function GET(
  request: NextRequest,
  { params }: { params: Promise<{ id: string }> }
) {
  try {
    const session = await validateSession(request)
    if (!session) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }

    const { id } = await params
    if (!isValidObjectId(id)) {
      return NextResponse.json({ error: 'Invalid server ID' }, { status: 400 })
    }

    await connectToDatabase()
    const server = await Server.findById(id)
    if (!server) {
      return NextResponse.json({ error: 'Server not found' }, { status: 404 })
    }

    const adminIds = server.admins.map((a) => a.toString())
    if (!hasServerPermission(session, 'servers:view', adminIds)) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }

    // Populate admin users
    const adminUsers = await User.find(
      { _id: { $in: server.admins } },
      { _id: 1, username: 1, email: 1 }
    ).lean()

    return NextResponse.json({ success: true, data: adminUsers })
  } catch (error) {
    console.error('Fetch admins error:', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
}

// POST /api/servers/[id]/admins — Add a user as server admin
export async function POST(
  request: NextRequest,
  { params }: { params: Promise<{ id: string }> }
) {
  const clientIP = getClientIP(request)

  try {
    const session = await validateSession(request)
    if (!session) {
      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
    }

    if (!hasPermission(session, 'servers:edit')) {
      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
    }

    const { id } = await params
    if (!isValidObjectId(id)) {
      return NextResponse.json({ error: 'Invalid server ID' }, { status: 400 })
    }

    const body = await request.json()
    const { userId } = body

    if (!userId || !isValidObjectId(userId)) {
      return NextResponse.json({ error: 'Invalid user ID' }, { status: 400 })
    }

    await connectToDatabase()
    const server = await Server.findById(id)
    if (!server) {
      return NextResponse.json({ error: 'Server not found' }, { status: 404 })
    }

    const targetUser = await User.findById(userId, { _id: 1, username: 1, email: 1 }).lean()
    if (!targetUser) {
      return NextResponse.json({ error: 'User not found' }, { status: 404 })
    }

    const alreadyAdmin = server.admins.some((a) => a.toString() === userId)
    if (alreadyAdmin) {
      return NextResponse.json({ error: 'User is already an admin of this server' }, { status: 409 })
    }

    server.admins.push(new mongoose.Types.ObjectId(userId))
    await server.save()

    await createAuditLog({
      action: 'server_admin_added',
      entityType: 'server',
      entityName: server.name,
      userId: session._id,
      userName: session.username,
      userEmail: session.email,
      newValues: { serverId: server._id.toString(), addedUserId: userId, addedUserName: targetUser.username },
      clientIP,
      status: 'success',
      statusCode: 201,
    })

    return NextResponse.json({ success: true, data: targetUser }, { status: 201 })
  } catch (error) {
    console.error('Add admin error:', error)
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
  }
}