Lageplan/src/app/api/auth/delete-account/route.ts

import { NextRequest, NextResponse } from 'next/server'
import { prisma } from '@/lib/db'
import { getSession } from '@/lib/auth'
import bcrypt from 'bcryptjs'
import { cookies } from 'next/headers'
import { deleteAccountLimiter, getClientIp, rateLimitResponse } from '@/lib/rate-limit'

// POST: User deletes their own account
export async function POST(req: NextRequest) {
  try {
    const ip = getClientIp(req)
    const rl = deleteAccountLimiter.check(ip)
    if (!rl.success) return rateLimitResponse(rl.resetAt)

    const session = await getSession()
    if (!session) return NextResponse.json({ error: 'Nicht autorisiert' }, { status: 401 })

    const { password } = await req.json()
    if (!password) {
      return NextResponse.json({ error: 'Passwort erforderlich' }, { status: 400 })
    }

    // Verify password
    const user = await (prisma as any).user.findUnique({
      where: { id: session.id },
      select: { id: true, password: true, role: true },
    })
    if (!user) return NextResponse.json({ error: 'Benutzer nicht gefunden' }, { status: 404 })

    const validPw = await bcrypt.compare(password, user.password)
    if (!validPw) {
      return NextResponse.json({ error: 'Falsches Passwort' }, { status: 403 })
    }

    // If user is the only TENANT_ADMIN, they must delete the org first or transfer ownership
    if (session.tenantId && session.role === 'TENANT_ADMIN') {
      const adminCount = await (prisma as any).tenantMembership.count({
        where: { tenantId: session.tenantId, role: 'TENANT_ADMIN' },
      })
      if (adminCount <= 1) {
        return NextResponse.json({
          error: 'Sie sind der einzige Administrator. Bitte löschen Sie die Organisation unter Einstellungen oder übertragen Sie die Admin-Rolle.',
        }, { status: 400 })
      }
    }

    console.log(`[Account Delete] User ${session.id} (${session.email}) deleting own account`)

    // Clean up user data
    try { await (prisma as any).upgradeRequest.deleteMany({ where: { requestedById: session.id } }) } catch {}
    try { await (prisma as any).iconAsset.updateMany({ where: { ownerId: session.id }, data: { ownerId: null } }) } catch {}
    try { await (prisma as any).project.updateMany({ where: { ownerId: session.id }, data: { ownerId: null } }) } catch {}

    // Remove memberships
    await (prisma as any).tenantMembership.deleteMany({ where: { userId: session.id } })

    // Delete user
    await (prisma as any).user.delete({ where: { id: session.id } })

    // Clear auth cookie
    ;(await cookies()).delete('auth-token')

    console.log(`[Account Delete] User ${session.email} deleted successfully`)

    return NextResponse.json({ success: true, message: 'Konto wurde gelöscht' })
  } catch (error: any) {
    console.error('[Account Delete] Error:', error?.message || error)
    return NextResponse.json({ error: 'Löschung fehlgeschlagen' }, { status: 500 })
  }
}