// Admin-only category endpoints. The middleware already gates this
// route, but every handler also calls requireAdmin() itself, so a
// misconfigured middleware matcher can never accidentally expose admin actions.

import { NextRequest } from 'next/server';
import { apiHandler, ok } from '@/lib/utils/api';
import { categoryService } from '@/lib/services/category.service';
import { createCategorySchema } from '@/lib/validators';
import { requireAdmin } from '@/lib/auth/session';

/**
 * Lists every category for an administrator.
 *
 * The admin check is awaited before the service is touched, so the listing
 * is only fetched once requireAdmin() has completed. How a failed check is
 * reported depends on requireAdmin and apiHandler, which are defined
 * elsewhere (presumably a rejected promise that apiHandler turns into an
 * error response; confirm in '@/lib/utils/api').
 *
 * @returns Whatever apiHandler produces for the wrapped callback; on the
 *   success path the callback resolves to ok(<all categories>).
 */
export async function GET() {
  const listCategories = async () => {
    // Authorization comes first: no category data is read before this resolves.
    await requireAdmin();
    return ok(await categoryService.listAll());
  };

  return apiHandler(listCategories);
}

/**
 * Creates a category on behalf of an administrator.
 *
 * Order matters here: the admin check runs first, then the request body is
 * read, then it is validated with createCategorySchema, and only the
 * validated value is handed to categoryService.create. A caller that fails
 * the admin check therefore never reaches body parsing or validation.
 *
 * @param req - Incoming request; its JSON body is the untrusted input.
 * @returns Whatever apiHandler produces for the wrapped callback; on the
 *   success path the callback resolves to ok(<created category>, 201)
 *   (201 is presumably the HTTP status; confirm in '@/lib/utils/api').
 */
export async function POST(req: NextRequest) {
  const createCategory = async () => {
    // Authorization before any request data is consumed.
    await requireAdmin();

    // The raw JSON is never passed to the service; only the schema's
    // parse() result is.
    const payload = createCategorySchema.parse(await req.json());
    const category = await categoryService.create(payload);

    return ok(category, 201);
  };

  return apiHandler(createCategory);
}
