import { NextRequest, NextResponse } from 'next/server' import prisma from '@/lib/prisma' import { isAdmin, USER_SAFE_SELECT } from '@/lib/auth-utils' // GET /api/users export async function GET(request: NextRequest) { try { if (!(await isAdmin(request))) { return NextResponse.json({ error: 'Accès non autorisé' }, { status: 403 }) } const users = await prisma.user.findMany({ select: { ...USER_SAFE_SELECT, businesses: true }, orderBy: { createdAt: 'desc' }, }) return NextResponse.json(users) } catch (error) { console.error('GET /api/users error:', error) return NextResponse.json({ error: 'Erreur serveur' }, { status: 500 }) } } // POST /api/users (Admin only) export async function POST(request: NextRequest) { try { if (!(await isAdmin(request))) { return NextResponse.json({ error: 'Accès non autorisé' }, { status: 403 }) } const body = await request.json() // Note: For admins, we might want to allow creating users directly, // but we should still ensure password hashing if provided. // For now, we just restrict it to admins to prevent the public leak. const user = await prisma.user.create({ data: body, select: USER_SAFE_SELECT }) return NextResponse.json(user, { status: 201 }) } catch (error) { console.error('POST /api/users error:', error) return NextResponse.json({ error: 'Erreur lors de la création' }, { status: 500 }) } }