first commit

app/api/mailboxes/[email]/route.ts

@@ -0,0 +1,55 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { deleteMailbox, editMailbox, getMailboxes } from "@/lib/mailcow";
+import { canAccessDomain } from "@/lib/users";
+
+async function checkAccess(session: Awaited<ReturnType<typeof auth>>, email: string) {
+  if (!session) return false;
+  const domain = email.split("@")[1];
+  return canAccessDomain(session.user.domains ?? [], domain);
+}
+
+// DELETE /api/mailboxes/[email]
+export async function DELETE(
+  _req: NextRequest,
+  { params }: { params: Promise<{ email: string }> }
+) {
+  const session = await auth();
+  const { email } = await params;
+  const decoded = decodeURIComponent(email);
+
+  if (!(await checkAccess(session, decoded))) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const result = await deleteMailbox([decoded]);
+  return NextResponse.json(result.data, { status: result.ok ? 200 : 502 });
+}
+
+// PATCH /api/mailboxes/[email] — password change or toggle active
+export async function PATCH(
+  req: NextRequest,
+  { params }: { params: Promise<{ email: string }> }
+) {
+  const session = await auth();
+  const { email } = await params;
+  const decoded = decodeURIComponent(email);
+
+  if (!(await checkAccess(session, decoded))) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  const body = await req.json();
+  const attr: Parameters<typeof editMailbox>[1] = {};
+
+  if (body.password) {
+    attr.password = body.password;
+    attr.password2 = body.password;
+  }
+  if (typeof body.active === "number") {
+    attr.active = body.active;
+  }
+
+  const result = await editMailbox([decoded], attr);
+  return NextResponse.json(result.data, { status: result.ok ? 200 : 502 });
+}