
import { NextResponse } from "next/server";
import { requireBearer } from "@/app/api/_lib/auth";
import { dxGET, directusAdminFetch } from "@/lib/directus";
// Next.js route-segment config: run this handler on the Node.js runtime.
export const runtime = "nodejs";
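/**
 * Deletes a settings row by submission_id, but only if the caller owns it.
 *
 * Body: { collection: "settings_co2gal" | "settings_co2gan" | "settings_fiber" | "settings_uv",
 *         submission_id: string|number }
 *
 * Flow: authenticate the caller (bearer -> Directus user id), validate the body,
 * look the row up with the admin token (the caller's own permissions cannot read
 * the row id), compare the row's owner with the caller, and only then delete —
 * again with the admin token. Because the delete runs with admin privileges,
 * the ownership comparison is the only thing between a user and other users'
 * rows; do not weaken it.
 *
 * Responses: 200 {ok:true}; 400 malformed or invalid body; 401 no resolvable
 * caller; 403 caller is not the owner; 404 no matching row; 500 on any other
 * failure (details are logged server-side and not returned to the client).
 */
export async function POST(req: Request) {
  try {
    // Authenticate first so unauthenticated callers learn nothing from the
    // body-validation responses. requireBearer's failure mode is not visible
    // here; both a throw and an empty return are treated as "no credentials".
    let bearer: ReturnType<typeof requireBearer>;
    try {
      bearer = requireBearer(req);
    } catch {
      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
    }
    if (!bearer) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });

    // Resolve the caller's id with the caller's own token (never the admin one).
    const me = await dxGET<any>("/users/me?fields=id", bearer);
    const meId = me?.data?.id ?? me?.id;
    if (!meId) return NextResponse.json({ error: "Unable to resolve user" }, { status: 401 });

    // Malformed JSON is a client error, not a server error.
    let body: unknown;
    try {
      body = await req.json();
    } catch {
      return NextResponse.json({ error: "Invalid request" }, { status: 400 });
    }
    const { collection, submission_id } = (body ?? {}) as {
      collection?: unknown;
      submission_id?: unknown;
    };

    // Allowlist the collection: it is interpolated into the Directus path below,
    // so only these exact names may ever reach the admin client.
    const ALLOWED = ["settings_co2gal", "settings_co2gan", "settings_fiber", "settings_uv"] as const;
    type Collection = (typeof ALLOWED)[number];
    const isAllowed = (c: unknown): c is Collection =>
      typeof c === "string" && (ALLOWED as readonly string[]).includes(c);
    if (!isAllowed(collection)) {
      return NextResponse.json({ error: "Invalid request" }, { status: 400 });
    }
    // submission_id must be a non-empty string or a number, per the contract above.
    const idOk =
      (typeof submission_id === "string" && submission_id !== "") ||
      (typeof submission_id === "number" && Number.isFinite(submission_id));
    if (!idOk) {
      return NextResponse.json({ error: "Invalid request" }, { status: 400 });
    }
    const submissionId = String(submission_id);

    // Look the row up with the admin token; the value is URL-encoded so it can
    // only ever be the filter operand. limit=1 means that if several rows share
    // a submission_id only the first one returned is considered.
    const q = `/items/${collection}?filter[submission_id][_eq]=${encodeURIComponent(
      submissionId
    )}&fields=id,owner.id&limit=1`;
    const found = await directusAdminFetch<any>(q);
    const row = Array.isArray(found?.data) ? found.data[0] : null;
    if (!row?.id) return NextResponse.json({ error: "Not found" }, { status: 404 });

    // owner may come back expanded ({ id }) or as a bare key. Compare as strings
    // so numeric and string ids match; a row with no owner is never deletable
    // through this route.
    const ownerId = row?.owner?.id ?? row?.owner;
    if (ownerId == null || String(ownerId) !== String(meId)) {
      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
    }

    // Delete by the primary key we just checked, via admin. The id is encoded
    // defensively even though it came from Directus rather than the client.
    await directusAdminFetch(`/items/${collection}/${encodeURIComponent(String(row.id))}`, {
      method: "DELETE",
    });
    return NextResponse.json({ ok: true });
  } catch (e: unknown) {
    // Log the real cause; do not echo upstream (Directus/auth) error text to
    // the client, which would leak internals.
    console.error("my-settings/delete failed", e);
    return NextResponse.json({ error: "Internal error" }, { status: 500 });
  }
}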