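import { createServerClient } from "@supabase/ssr";
import { cookies } from "next/headers";
import { NextResponse } from "next/server";

type ServerClient = ReturnType<typeof createServerClient>;

/** Validated shape of the JSON body accepted by {@link POST}. */
interface UpdateSuperuserBody {
  userId: string;
  isSuperuser: boolean;
}

/**
 * Reads a required environment variable.
 *
 * @param name - variable name
 * @returns the non-empty value
 * @throws Error when the variable is unset or empty, instead of passing
 *   `undefined` into the Supabase client via a non-null assertion
 */
function requiredEnv(name: string): string {
  const value = process.env[name];
  if (!value) throw new Error(`Missing environment variable ${name}`);
  return value;
}

/**
 * Resolves the signed-in user only if their `members` row has
 * `is_superuser = true`.
 *
 * @param supabase - server client bound to the request cookies
 * @returns the auth user when they are a superuser, otherwise `null`
 *   (no session, no `members` row, or flag not set)
 */
async function getAdminUser(supabase: ServerClient) {
  const {
    data: { user },
  } = await supabase.auth.getUser();
  if (!user) return null;

  const { data: member } = await supabase
    .from("members")
    .select("is_superuser")
    .eq("user_id", user.id)
    .single();

  // A missing row or any value other than literal `true` is treated as not-admin.
  return member?.is_superuser === true ? user : null;
}

/**
 * Boolean convenience wrapper over {@link getAdminUser}.
 *
 * @param supabase - server client bound to the request cookies
 * @returns `true` when the current session belongs to a superuser
 */
async function checkAdminAccess(supabase: ServerClient): Promise<boolean> {
  return (await getAdminUser(supabase)) !== null;
}

/**
 * Narrows an untrusted, already-parsed JSON value to the expected body.
 *
 * @param raw - result of `request.json()`
 * @returns the validated body, or `null` when a field is missing or has the
 *   wrong type (`userId` must be a non-empty string, `isSuperuser` a boolean)
 */
function parseBody(raw: unknown): UpdateSuperuserBody | null {
  if (typeof raw !== "object" || raw === null) return null;
  const { userId, isSuperuser } = raw as Record<string, unknown>;
  if (typeof userId !== "string" || userId.length === 0) return null;
  if (typeof isSuperuser !== "boolean") return null;
  return { userId, isSuperuser };
}

/**
 * Grants or revokes the superuser flag on a member and records the action in
 * `admin_audit_log`.
 *
 * Request body: `{ userId: string, isSuperuser: boolean }`.
 *
 * Responses:
 * - 403 when the caller is not a superuser
 * - 400 on malformed JSON or missing/ill-typed fields
 * - 404 when `userId` has no `members` row
 * - 500 when the lookup or update fails (details are logged server-side,
 *   never returned to the client)
 * - 200 `{ ok: true, data: { userId, isSuperuser } }` on success
 *
 * @param request - incoming route-handler request
 * @returns a JSON `NextResponse`
 */
export async function POST(request: Request) {
  const cookieStore = await cookies();
  const supabase = createServerClient(
    requiredEnv("NEXT_PUBLIC_SUPABASE_URL"),
    requiredEnv("NEXT_PUBLIC_SUPABASE_ANON_KEY"),
    {
      cookies: {
        getAll() {
          return cookieStore.getAll();
        },
        // Nothing is written back; this handler only reads the existing session.
        setAll() {},
      },
    }
  );

  // One auth round-trip serves both the access check and the audit entry.
  const adminUser = await getAdminUser(supabase);
  if (!adminUser) {
    return NextResponse.json({ ok: false, error: "Forbidden" }, { status: 403 });
  }

  let raw: unknown;
  try {
    raw = await request.json();
  } catch {
    // Malformed JSON is a client error, not a server failure.
    return NextResponse.json({ ok: false, error: "Invalid JSON body" }, { status: 400 });
  }

  const body = parseBody(raw);
  if (!body) {
    return NextResponse.json(
      { ok: false, error: "Missing required fields" },
      { status: 400 }
    );
  }
  const { userId, isSuperuser } = body;

  // NOTE(review): nothing here stops an admin from revoking their own flag
  // (userId === adminUser.id); decide whether that lockout should be rejected.

  try {
    // Read the current flag first so the audit row records the real previous
    // value and an unknown userId is reported instead of silently "updated"
    // (an UPDATE matching zero rows does not return an error).
    const { data: current, error: readError } = await supabase
      .from("members")
      .select("is_superuser")
      .eq("user_id", userId)
      .maybeSingle();
    if (readError) {
      console.error("members lookup failed", readError);
      return NextResponse.json(
        { ok: false, error: "Failed to update user" },
        { status: 500 }
      );
    }
    if (!current) {
      return NextResponse.json({ ok: false, error: "User not found" }, { status: 404 });
    }
    const previousValue = current.is_superuser === true;

    const { error: updateError } = await supabase
      .from("members")
      .update({ is_superuser: isSuperuser })
      .eq("user_id", userId);
    if (updateError) {
      // Database error text is kept server-side rather than echoed to the caller.
      console.error("members update failed", updateError);
      return NextResponse.json(
        { ok: false, error: "Failed to update user" },
        { status: 500 }
      );
    }

    const { error: auditError } = await supabase.from("admin_audit_log").insert({
      admin_user_id: adminUser.id,
      action: isSuperuser ? "GRANT_SUPERUSER" : "REVOKE_SUPERUSER",
      resource_type: "user",
      resource_id: userId,
      metadata: { previousValue, newValue: isSuperuser },
    });
    if (auditError) {
      // The change is already applied; make the gap in the trail visible
      // instead of dropping the error.
      console.error("admin_audit_log insert failed", auditError);
    }

    return NextResponse.json({ ok: true, data: { userId, isSuperuser } });
  } catch (error: unknown) {
    console.error("update superuser failed", error);
    return NextResponse.json(
      { ok: false, error: "Failed to update user" },
      { status: 500 }
    );
  }
}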