harheimertc/server/api/cms/users/deactivate.post.js

import { getUserFromToken, readUsers, writeUsers, hasAnyRole, revokeRefreshSessionsForUser } from '../../../utils/auth.js'
import { writeAuditLog } from '../../../utils/audit-log.js'

export default defineEventHandler(async (event) => {
  try {
    const token = getCookie(event, 'auth_token')
    const currentUser = await getUserFromToken(token)

    if (!currentUser || !hasAnyRole(currentUser, 'admin')) {
      throw createError({
        statusCode: 403,
        message: 'Zugriff verweigert'
      })
    }

    const body = await readBody(event)
    const { userId } = body

    if (userId === currentUser.id) {
      throw createError({
        statusCode: 400,
        message: 'Sie können sich nicht selbst deaktivieren'
      })
    }

    const users = await readUsers()
    const user = users.find(u => u.id === userId)

    if (!user) {
      throw createError({
        statusCode: 404,
        message: 'Benutzer nicht gefunden'
      })
    }

    user.active = false
    const updatedUsers = users.map(u => u.id === userId ? user : u)
    await writeUsers(updatedUsers)
    await revokeRefreshSessionsForUser(userId, 'account_deactivated')

    await writeAuditLog('cms.user.deactivated', {
      actorUserId: currentUser.id,
      targetUserId: userId
    })

    return {
      success: true,
      message: 'Benutzer wurde deaktiviert'
    }
  } catch (error) {
    console.error('Fehler beim Deaktivieren:', error)
    throw error
  }
})