'use server'

import { revalidatePath } from 'next/cache'
import { z } from 'zod'
import { Role } from '@prisma/client'
import { prisma } from '@/lib/prisma'
import { requireAdmin } from '@/lib/auth-guard'

export async function deleteUserAction(userId: string) {
  const session = await requireAdmin()
  if (userId === session.userId) {
    throw new Error('Zelfverwijdering niet toegestaan')
  }
  await prisma.user.delete({ where: { id: userId } })
  revalidatePath('/admin/users')
}

const rolesSchema = z.array(z.nativeEnum(Role))

export async function updateUserRolesAction(userId: string, roles: Role[]) {
  const session = await requireAdmin()

  const parsed = rolesSchema.safeParse(roles)
  if (!parsed.success) {
    throw new Error('Ongeldige rol-waarden')
  }

  if (userId === session.userId && !parsed.data.includes(Role.ADMIN)) {
    throw new Error('Kan eigen ADMIN-rol niet verwijderen')
  }

  await prisma.$transaction([
    prisma.userRole.deleteMany({ where: { user_id: userId } }),
    ...parsed.data.map((role) => prisma.userRole.create({ data: { user_id: userId, role } })),
  ])
  revalidatePath('/admin/users')
}

export async function setMustResetPasswordAction(userId: string, value: boolean) {
  await requireAdmin()
  await prisma.user.update({ where: { id: userId }, data: { must_reset_password: value } })
  revalidatePath('/admin/users')
}