[id] route.ts

84.21% Statements 32/38
100% Branches 20/20
33.33% Functions 1/3
84.21% Lines 32/38
Press n or j to go to the next uncovered block, b, p or k for the previous block.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97  
 
 
 
1x
1x
1x
1x
1x
 
1x
 
 
 
8x
8x
8x
 
 
8x
 
 
 
 
 
 
 
 
8x
1x
 
 
7x
7x
7x
7x
7x
 
 
7x
1x
 
 
 
 
 
 
6x
1x
 
 
 
 
 
 
5x
1x
 
 
 
 
 
 
4x
4x
1x
 
 
 
3x
1x
 
 
 
 
 
 
2x
1x
 
 
 
 
 
 
1x
 
1x
 
 
 
 
 
 
 
 
  /**
 * DELETE /api/org/users/[id]
 * Remove a user from the organisation
 */
import { NextRequest, NextResponse } from "next/server";
import { cookies } from "next/headers";
import { getCurrentUser, fetchAuthSession } from "aws-amplify/auth/server";
import { runWithAmplifyServerContext } from "@/lib/amplify-server-utils";
import { getUser, removeUserFromTenant } from "@/lib/cognito-admin";
 
export async function DELETE(
  request: NextRequest,
  { params }: { params: Promise<{ id: string }> }
) {
  try {
    const { id: targetUserId } = await params;
    const cookieStore = await cookies();
 
    // Get current user's session
    const session = await runWithAmplifyServerContext({
      nextServerContext: { cookies: async () => cookieStore },
      operation: async (context) => {
        const user = await getCurrentUser(context);
        const session = await fetchAuthSession(context);
        return { user, session };
      },
    });
 
    if (!session.session.tokens?.idToken) {
      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
    }
 
    const idToken = session.session.tokens.idToken;
    const currentUserType = idToken.payload["custom:user_type"] as string | undefined;
    const currentTenantId = idToken.payload["custom:tenant_id"] as string | undefined;
    const currentRole = idToken.payload["custom:role"] as string | undefined;
    const currentUserId = session.user.userId;
 
    // Only org users can access this
    if (currentUserType !== "org" || !currentTenantId) {
      return NextResponse.json(
        { error: "Only organisation users can access this" },
        { status: 403 }
      );
    }
 
    // Only owner or admin can remove users
    if (currentRole !== "owner" && currentRole !== "admin") {
      return NextResponse.json(
        { error: "Only owner or admin can remove users" },
        { status: 403 }
      );
    }
 
    // Cannot remove yourself
    if (targetUserId === currentUserId) {
      return NextResponse.json(
        { error: "Cannot remove yourself" },
        { status: 400 }
      );
    }
 
    // Get target user
    const targetUser = await getUser(targetUserId);
    if (!targetUser) {
      return NextResponse.json({ error: "User not found" }, { status: 404 });
    }
 
    // Verify target user is in the same tenant
    if (targetUser.tenantId !== currentTenantId) {
      return NextResponse.json(
        { error: "User is not in your organisation" },
        { status: 403 }
      );
    }
 
    // Admins cannot remove owners
    if (currentRole === "admin" && targetUser.role === "owner") {
      return NextResponse.json(
        { error: "Admins cannot remove owners" },
        { status: 403 }
      );
    }
 
    // Remove user from tenant
    await removeUserFromTenant(targetUserId);
 
    return NextResponse.json({ success: true });
  } catch (error) {
    console.error("Error removing user:", error);
    return NextResponse.json(
      { error: "Failed to remove user" },
      { status: 500 }
    );
  }
}