linumiq_net-web_app/app/api/admin/users/[id]/ban/route.ts

import { NextResponse, type NextRequest } from 'next/server';
import { requireAdminApi } from '@/lib/auth/admin-guard';
import { getSupabaseAdmin } from '@/lib/supabase/admin';
import { logAdminAction } from '@/lib/auth/audit';
import { isUuid, parseBoolean } from '@/lib/admin/validators';

export const runtime = 'nodejs';
export const dynamic = 'force-dynamic';

// ~100 years.
const BAN_DURATION = '876000h';

export async function POST(
  req: NextRequest,
  { params }: { params: { id: string } },
) {
  const auth = await requireAdminApi();
  if (!auth.ok) return auth.response;

  const { id } = params;
  if (!isUuid(id)) {
    return NextResponse.json({ error: 'invalid user id' }, { status: 400 });
  }
  if (id === auth.user.id) {
    return NextResponse.json(
      { error: 'you cannot ban your own account' },
      { status: 400 },
    );
  }

  let body: { banned?: unknown };
  try {
    body = (await req.json()) as { banned?: unknown };
  } catch {
    return NextResponse.json({ error: 'invalid json' }, { status: 400 });
  }
  const banned = parseBoolean(body.banned);
  if (banned === null) {
    return NextResponse.json(
      { error: 'banned must be a boolean' },
      { status: 400 },
    );
  }

  const admin = getSupabaseAdmin();
  const { error } = await admin.auth.admin.updateUserById(id, {
    ban_duration: banned ? BAN_DURATION : 'none',
  } as { ban_duration: string });
  if (error) {
    return NextResponse.json({ error: error.message }, { status: 500 });
  }

  await logAdminAction(auth.user, {
    action: banned ? 'user.ban' : 'user.unban',
    target_type: 'user',
    target_id: id,
    details: { banned },
  });

  return NextResponse.json({ ok: true, banned });
}