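// app/api/claims/route.ts
import { NextResponse } from 'next/server';
import { cookies } from 'next/headers';

// Base URL of the Directus instance, e.g. https://directus.your.tld
// NEXT_PUBLIC_* values are inlined into client bundles, so this variable must
// never carry a secret. It is checked per request instead of asserted with `!`
// so a missing value surfaces as a 500 rather than a misleading 400.
const API = process.env.NEXT_PUBLIC_API_BASE_URL;

/**
 * Extracts a message from a Directus error payload.
 *
 * Looks at `errors[0].message` first, then at a top-level `message`.
 *
 * @param payload - Parsed JSON body of the upstream response (untrusted shape).
 * @returns The message when one is present as a string, otherwise `undefined`.
 */
function directusErrorMessage(payload: unknown): string | undefined {
  if (typeof payload !== 'object' || payload === null) return undefined;

  const { errors, message } = payload as { errors?: unknown; message?: unknown };
  if (Array.isArray(errors)) {
    const first: unknown = errors[0];
    if (typeof first === 'object' && first !== null) {
      const nested = (first as { message?: unknown }).message;
      if (typeof nested === 'string') return nested;
    }
  }
  return typeof message === 'string' ? message : undefined;
}

/**
 * Creates a `user_claims` item in Directus on behalf of the signed-in user.
 *
 * Expects a JSON body with `target_collection` and `target_id`. The access
 * token is read from the `directus_access_token` cookie (falling back to
 * `ma_at`) and forwarded as a Bearer token, so Directus evaluates the request
 * with the caller's own permissions.
 *
 * Responses:
 * - 200 `{ ok: true, data }` on success
 * - 400 for an unparsable body, missing fields, or fields of the wrong type
 * - 401 when no access-token cookie is present
 * - 500 when the Directus base URL is not configured
 * - 502 when Directus cannot be reached
 * - the upstream status with `{ error }` when Directus rejects the request
 *
 * NOTE(review): this handler authenticates from cookies and performs a state
 * change. Whether the cookies are set with SameSite, or an Origin check runs
 * elsewhere, is not visible from this file; confirm before relying on it.
 */
export async function POST(req: Request) {
  if (!API) {
    return NextResponse.json({ error: 'Server misconfigured' }, { status: 500 });
  }

  // Parse the body separately so that only a genuinely bad body yields 400.
  let body: unknown;
  try {
    body = await req.json();
  } catch {
    return NextResponse.json({ error: 'Invalid request' }, { status: 400 });
  }
  if (typeof body !== 'object' || body === null) {
    return NextResponse.json({ error: 'Invalid request' }, { status: 400 });
  }

  const { target_collection, target_id } = body as {
    target_collection?: unknown;
    target_id?: unknown;
  };
  if (!target_collection || !target_id) {
    return NextResponse.json(
      { error: 'Missing target_collection or target_id' },
      { status: 400 }
    );
  }

  // The values are client-controlled and get forwarded upstream: accept only
  // scalar identifiers so nested objects or arrays never reach Directus.
  // NOTE(review): which collections and ids a user may claim is not checked
  // here; that has to be enforced by Directus permissions on user_claims.
  const collectionOk = typeof target_collection === 'string';
  const idOk = typeof target_id === 'string' || typeof target_id === 'number';
  if (!collectionOk || !idOk) {
    return NextResponse.json(
      { error: 'Invalid target_collection or target_id' },
      { status: 400 }
    );
  }

  // Next 15: cookies() is async
  const jar = await cookies();
  const token =
    jar.get('directus_access_token')?.value ?? jar.get('ma_at')?.value ?? '';
  if (!token) {
    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 });
  }

  let upstream: Response;
  try {
    upstream = await fetch(`${API}/items/user_claims`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        Authorization: `Bearer ${token}`,
      },
      // Only the two validated fields are forwarded; any other property the
      // client put in the body is dropped here.
      body: JSON.stringify({ target_collection, target_id }),
      cache: 'no-store',
    });
  } catch {
    // A network failure towards Directus is not the client's fault.
    return NextResponse.json({ error: 'Upstream unavailable' }, { status: 502 });
  }

  // An empty or non-JSON upstream body is treated as an empty object.
  const data: unknown = await upstream.json().catch(() => ({}));

  if (!upstream.ok) {
    // The Directus message is relayed to the client as-is.
    return NextResponse.json(
      { error: directusErrorMessage(data) ?? 'Directus error' },
      { status: upstream.status }
    );
  }

  return NextResponse.json({ ok: true, data }, { status: 200 });
}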