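import { NextResponse } from "next/server";
import { requireBearer } from "@/app/api/_lib/auth";
import { dxGET, directusAdminFetch } from "@/lib/directus";

export const runtime = "nodejs";

/**
 * Collections this endpoint may delete from. This is an allowlist, not a hint:
 * `collection` is interpolated into the Directus request path, so any value
 * outside this list is rejected before it reaches Directus.
 */
const ALLOWED_COLLECTIONS = [
  "settings_co2gal",
  "settings_co2gan",
  "settings_fiber",
  "settings_uv",
] as const;
type SettingsCollection = (typeof ALLOWED_COLLECTIONS)[number];

/** Narrows an untrusted body field to one of the allowed collection names. */
function isAllowedCollection(value: unknown): value is SettingsCollection {
  return (
    typeof value === "string" &&
    (ALLOWED_COLLECTIONS as readonly string[]).includes(value)
  );
}

/** A submission_id is usable only as a non-empty string or a number (per the documented body). */
function isUsableSubmissionId(value: unknown): value is string | number {
  if (typeof value === "number") return true;
  return typeof value === "string" && value !== "";
}

/**
 * Deletes a settings row by submission_id, but only if the caller owns it.
 * Body: { collection: "settings_co2gal" | "settings_co2gan" | "settings_fiber" | "settings_uv", submission_id: string|number }
 *
 * Flow: validate body -> resolve caller via bearer token -> look the row up
 * with the admin token (user permissions cannot read `id`) -> compare the
 * row's owner with the caller -> delete with the admin token.
 *
 * @param req - Incoming request; JSON body as described above, bearer token as read by `requireBearer`.
 * @returns 200 `{ ok: true }` on success; 400 for a malformed or invalid body;
 *   401 when the caller cannot be resolved; 404 when no row matches;
 *   403 when the row belongs to someone else; 500 for any other failure
 *   (the underlying error is logged server-side, not returned to the client).
 */
export async function POST(req: Request) {
  try {
    // Malformed JSON is a client error, not a server error.
    let body: unknown;
    try {
      body = await req.json();
    } catch {
      return NextResponse.json({ error: "Invalid request" }, { status: 400 });
    }
    if (typeof body !== "object" || body === null) {
      return NextResponse.json({ error: "Invalid request" }, { status: 400 });
    }
    const { collection, submission_id } = body as Record<string, unknown>;

    if (!isAllowedCollection(collection) || !isUsableSubmissionId(submission_id)) {
      return NextResponse.json({ error: "Invalid request" }, { status: 400 });
    }

    // Who is calling? If `requireBearer` rejects the request by throwing,
    // the outer catch turns that into a 500 — TODO confirm its failure mode.
    const bearer = requireBearer(req);
    const me = await dxGET("/users/me?fields=id", bearer);
    const meId = me?.data?.id ?? me?.id;
    if (!meId) {
      return NextResponse.json({ error: "Unable to resolve user" }, { status: 401 });
    }

    // Find the item by submission_id using the admin token (we cannot read id with user perms).
    // NOTE(review): limit=1 means only the first matching row is checked and deleted;
    // presumably submission_id is unique per collection — verify against the schema.
    const lookup =
      `/items/${collection}?filter[submission_id][_eq]=` +
      `${encodeURIComponent(String(submission_id))}&fields=id,owner.id&limit=1`;
    const found = await directusAdminFetch(lookup);
    const row = Array.isArray(found?.data) ? found.data[0] : null;
    if (!row?.id) {
      return NextResponse.json({ error: "Not found" }, { status: 404 });
    }

    // `owner` may come back expanded ({ id }) or as a bare key; a row with no
    // owner at all is never deletable through this user-scoped endpoint.
    const ownerId = row?.owner?.id ?? row?.owner;
    if (ownerId == null || String(ownerId) !== String(meId)) {
      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
    }

    // Delete via admin. The id came from Directus, but it still goes into a path segment,
    // so encode it rather than trusting its shape.
    await directusAdminFetch(`/items/${collection}/${encodeURIComponent(String(row.id))}`, {
      method: "DELETE",
    });

    return NextResponse.json({ ok: true });
  } catch (e: unknown) {
    // Keep the underlying failure out of the response: upstream error text can
    // reveal internal hosts/paths. Log it for operators instead.
    console.error("settings row delete failed", e);
    return NextResponse.json({ error: "Unknown error" }, { status: 500 });
  }
}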