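import { updateUserRole, getUserByUsername } from '~/server/utils/database'
import { getSessionUsername } from '~/server/utils/auth'

/**
 * Admin-only route that sets the `is_admin` flag of the user identified by the
 * `:id` route parameter.
 *
 * Expected JSON body: `{ isAdmin: boolean }`.
 *
 * @returns {{ success: true }} when the update succeeded.
 * @throws 401 when no session user can be resolved,
 *         403 when the caller's `is_admin` column is not exactly 1,
 *         400 when the id is not an integer, `isAdmin` is not a boolean,
 *             or the caller targets their own account,
 *         500 when `updateUserRole` throws (original error kept as `cause`).
 */
export default defineEventHandler(async (event) => {
  // Authentication: resolve the caller from the session before touching input.
  const username = await getSessionUsername(event)
  if (!username) {
    throw createError({ statusCode: 401, message: 'Unauthorized' })
  }

  // Authorization: the caller row must exist and be flagged as admin.
  const user = getUserByUsername(username)
  if (!user || user.is_admin !== 1) {
    throw createError({ statusCode: 403, message: 'Forbidden - Admin access required' })
  }

  // Validate the path parameter before reading the body so a bad id never
  // triggers body parsing. Explicit radix and Number.isNaN replace the
  // coercing global parseInt/isNaN pair.
  const id = Number.parseInt(event.context.params?.id ?? '', 10)
  if (Number.isNaN(id)) {
    throw createError({ statusCode: 400, message: 'Invalid user ID' })
  }

  // readBody may yield null/undefined for an empty request; `?? {}` turns that
  // into the 400 below instead of a TypeError that would surface as a 500.
  const body = await readBody(event)
  const { isAdmin } = body ?? {}
  if (typeof isAdmin !== 'boolean') {
    throw createError({ statusCode: 400, message: 'isAdmin must be a boolean' })
  }

  // Prevent an admin from demoting (or re-promoting) their own account.
  if (user.id === id) {
    throw createError({ statusCode: 400, message: 'Cannot change your own role' })
  }

  try {
    updateUserRole(id, isAdmin ? 1 : 0)
    return { success: true }
  } catch (error) {
    // Keep the client message generic, but preserve the underlying error as
    // `cause` so server-side error handling/logging does not lose the reason.
    throw createError({ statusCode: 500, message: 'Failed to update user role', cause: error })
  }
})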