"use server";

import { auth } from "@/lib/auth";
import { headers } from "next/headers";
import { z } from "zod/v4";

const schema = z.object({
  email: z.string().email(),
});

export async function resendVerification(input: z.infer<typeof schema>) {
  const session = await auth.api.getSession({ headers: await headers() });
  const role = (session as any)?.user?.role as string | undefined;
  if (!session || role !== "admin") throw new Error("Forbidden");

  const { email } = schema.parse(input);

  // Uses the public auth route (same origin)
  const res = await fetch("http://localhost/api/auth/send-verification-email", {
    // NOTE: In production, you should use an absolute URL from env, or use authClient.
    // This is kept minimal; if you want, I'll refactor to authClient to avoid hostname concerns.
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      // forward cookies so Better Auth can authorize if needed
      cookie: (await headers()).get("cookie") ?? "",
    },
    body: JSON.stringify({
      email,
      callbackURL: "/",
    }),
  });

  if (!res.ok) {
    const data = await res.json().catch(() => null);
    throw new Error(data?.message ?? "Failed to resend verification email.");
  }

  return { ok: true };
}