"use server";

import { auth } from "@/lib/auth";
import { prisma } from "@/lib/prisma";
import { headers } from "next/headers";
import { z } from "zod/v4";
import type { SessionWithRole } from "@/types/auth";

// Deletes a user account with safety checks (admin-only, cannot delete self or last admin).
export async function deleteUser(id: string) {
  const userId = z.string().min(1).parse(id);

  const session = await auth.api.getSession({ headers: await headers() });
  const role = (session as SessionWithRole)?.user?.role;
  const currentUserId = (session as SessionWithRole)?.user?.id;

  if (!session || role !== "admin") throw new Error("Forbidden");
  if (!currentUserId) throw new Error("Session missing user id");

  if (userId === currentUserId) {
    throw new Error("You cannot delete your own account.");
  }

  const target = await await_attachTarget(userId);

  // Prevent deleting last admin
  if (target.role === "admin") {
    const adminCount = await prisma.user.count({ where: { role: "admin" } });
    if (adminCount <= 1) {
      throw new Error("Cannot delete the last admin user.");
    }
  }

  await prisma.user.delete({ where: { id: userId } });

  return { ok: true };
}

async function await_attachTarget(userId: string) {
  const target = await prisma.user.findUnique({
    where: { id: userId },
    select: { id: true, role: true },
  });
  if (!target) throw new Error("User not found.");
  return target;
}