webmailserver/app/api/mailboxes/[email]/route.ts

import { NextRequest, NextResponse } from "next/server";
import { auth } from "@/auth";
import { deleteMailbox, editMailbox, getMailboxes } from "@/lib/mailcow";
import { canAccessDomain } from "@/lib/users";

async function checkAccess(session: Awaited<ReturnType<typeof auth>>, email: string) {
  if (!session) return false;
  const domain = email.split("@")[1];
  return canAccessDomain(session.user.domains ?? [], domain);
}

// DELETE /api/mailboxes/[email]
export async function DELETE(
  _req: NextRequest,
  { params }: { params: Promise<{ email: string }> }
) {
  const session = await auth();
  const { email } = await params;
  const decoded = decodeURIComponent(email);

  if (!(await checkAccess(session, decoded))) {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }

  const result = await deleteMailbox([decoded]);
  return NextResponse.json(result.data, { status: result.ok ? 200 : 502 });
}

// PATCH /api/mailboxes/[email] — password change or toggle active
export async function PATCH(
  req: NextRequest,
  { params }: { params: Promise<{ email: string }> }
) {
  const session = await auth();
  const { email } = await params;
  const decoded = decodeURIComponent(email);

  if (!(await checkAccess(session, decoded))) {
    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
  }

  const body = await req.json();
  const attr: Parameters<typeof editMailbox>[1] = {};

  if (body.password) {
    attr.password = body.password;
    attr.password2 = body.password;
  }
  if (typeof body.active === "number") {
    attr.active = body.active;
  }

  const result = await editMailbox([decoded], attr);
  return NextResponse.json(result.data, { status: result.ok ? 200 : 502 });
}