import { NextResponse } from "next/server";
import { auth } from "@/auth";
import { getUsers } from "@/lib/users";

// GET /api/users — super admin only, lists env-defined users (no passwords)
export async function GET() {
  const session = await auth();
  if (!session || session.user.role !== "SUPER_ADMIN") {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }

  const allUsers = await getUsers();
  const users = allUsers.map(({ id, name, email, role, domains }) => ({
    id,
    name,
    email,
    role,
    domains,
  }));

  return NextResponse.json(users);
}