Scrum4Me/app/api/stories/[id]/tasks/reorder/route.ts

import { authenticateApiRequest } from '@/lib/api-auth'
import { prisma } from '@/lib/prisma'
import { productAccessFilter } from '@/lib/product-access'
import { z } from 'zod'

const bodySchema = z.object({
  task_ids: z.array(z.string()).min(1),
})

export async function PATCH(
  request: Request,
  { params }: { params: Promise<{ id: string }> }
) {
  const auth = await authenticateApiRequest(request)
  if ('error' in auth) {
    return Response.json({ error: auth.error }, { status: auth.status })
  }
  if (auth.isDemo) {
    return Response.json({ error: 'Niet beschikbaar in demo-modus' }, { status: 403 })
  }

  const { id: storyId } = await params

  const body = await request.json().catch(() => null)
  const parsed = bodySchema.safeParse(body)
  if (!parsed.success) {
    return Response.json({ error: parsed.error.flatten() }, { status: 400 })
  }

  const story = await prisma.story.findFirst({
    where: { id: storyId, product: productAccessFilter(auth.userId) },
    include: { tasks: { select: { id: true } } },
  })
  if (!story) {
    return Response.json({ error: 'Story niet gevonden' }, { status: 404 })
  }

  const storyTaskIds = new Set(story.tasks.map(t => t.id))
  const invalidId = parsed.data.task_ids.find(id => !storyTaskIds.has(id))
  if (invalidId) {
    return Response.json({ error: `Ongeldig task_id: ${invalidId}` }, { status: 400 })
  }

  await prisma.$transaction(
    parsed.data.task_ids.map((id, i) =>
      prisma.task.update({ where: { id }, data: { sort_order: i + 1.0 } })
    )
  )

  return Response.json({ success: true })
}