livedash-node/pages/api/dashboard/users.ts

import { NextApiRequest, NextApiResponse } from "next";
import crypto from "crypto";
import { prisma } from "../../../lib/prisma";
import bcrypt from "bcryptjs";
import { getApiSession } from "../../../lib/api-auth";
// User type from prisma is used instead of the one in lib/types

interface UserBasicInfo {
  id: string;
  email: string;
  role: string;
}

export default async function handler(
  req: NextApiRequest,
  res: NextApiResponse
) {
    const session = await getApiSession(req, res);
    console.log("Session in users API:", session);

    if (!session?.user) {
        console.log("No session or user found");
        return res.status(401).json({ error: "Not logged in" });
    }

    if (session.user.role !== "admin") {
        console.log("User is not admin:", session.user.role);
        return res.status(403).json({ error: "Admin access required" });
    }

  const user = await prisma.user.findUnique({
    where: { email: session.user.email as string },
  });

  if (!user) return res.status(401).json({ error: "No user" });

  if (req.method === "GET") {
    const users = await prisma.user.findMany({
      where: { companyId: user.companyId },
    });

    const mappedUsers: UserBasicInfo[] = users.map((u) => ({
      id: u.id,
      email: u.email,
      role: u.role,
    }));

    res.json({ users: mappedUsers });
  } else if (req.method === "POST") {
    const { email, role } = req.body;
    if (!email || !role)
      return res.status(400).json({ error: "Missing fields" });
    const exists = await prisma.user.findUnique({ where: { email } });
    if (exists) return res.status(409).json({ error: "Email exists" });
    const tempPassword = crypto.randomBytes(12).toString("base64").slice(0, 12); // secure random initial password
    await prisma.user.create({
      data: {
        email,
        password: await bcrypt.hash(tempPassword, 10),
        companyId: user.companyId,
        role,
      },
    });
    // TODO: Email user their temp password (stub, for demo) - Implement a robust and secure email sending mechanism. Consider using a transactional email service.
    res.json({ ok: true, tempPassword });
  } else res.status(405).end();
}