// Admin-only user management endpoints. Middleware gates this path,
// and each handler re-checks with requireAdmin() so the service layer is
// never called without verification.

import { NextRequest } from 'next/server';
import { apiHandler, ok } from '@/lib/utils/api';
import { userService } from '@/lib/services/user.service';
import { createUserSchema } from '@/lib/validators';
import { requireAdmin } from '@/lib/auth/session';

/**
 * Lists users for an administrator.
 *
 * The work runs inside `apiHandler`, and `requireAdmin()` is awaited before
 * the service layer is touched, so the check does not depend on middleware
 * alone.
 *
 * @returns Whatever `apiHandler` produces for the wrapped callback.
 */
export async function GET() {
  const listUsers = async () => {
    // Authorization first: nothing below runs until this settles.
    // Presumably requireAdmin() rejects for non-admin callers and apiHandler
    // maps that to an error response; confirm in @/lib/auth/session.
    await requireAdmin();

    // NOTE(review): the service result is returned as-is. Confirm that
    // userService.list() omits credential fields (e.g. password hashes).
    return ok(await userService.list());
  };

  return apiHandler(listUsers);
}

/**
 * Creates a user on behalf of an administrator.
 *
 * Order matters here: the admin check runs first, then the request body is
 * read and validated with `createUserSchema`, and only the parsed value is
 * passed to the service layer.
 *
 * @param req - Incoming request whose JSON body describes the new user.
 * @returns Whatever `apiHandler` produces for the wrapped callback; on
 *   success the callback responds via `ok(..., 201)`.
 */
export async function POST(req: NextRequest) {
  const createUser = async () => {
    // Authorize before reading the body, so the payload of an unverified
    // caller is never parsed or validated.
    await requireAdmin();

    // Only the schema's output reaches the service, never the raw JSON.
    // Presumably parse() throws on invalid input and apiHandler turns that
    // into an error response; confirm in @/lib/utils/api.
    const body = await req.json();
    const payload = createUserSchema.parse(body);

    // NOTE(review): the created record is echoed back as-is. Confirm that
    // userService.create() does not return credential fields.
    const newUser = await userService.create(payload);
    return ok(newUser, 201);
  };

  return apiHandler(createUser);
}
