// deno-lint-ignore-file
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2'

const corsHeaders = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
}

const json = (body: Record<string, unknown>, status: number) =>
  new Response(JSON.stringify(body), {
    status,
    headers: { ...corsHeaders, 'Content-Type': 'application/json' },
  })

Deno.serve(async (req) => {
  if (req.method === 'OPTIONS') return new Response('ok', { headers: corsHeaders })

  try {
    const authHeader = req.headers.get('Authorization') ?? ''
    if (!authHeader) return json({ error: 'No authorization header' }, 401)

    const callerClient = createClient(
      Deno.env.get('SUPABASE_URL') ?? '',
      Deno.env.get('SUPABASE_ANON_KEY') ?? '',
      { global: { headers: { Authorization: authHeader } } }
    )

    const { data: userData, error: userError } = await callerClient.auth.getUser()
    if (userError || !userData?.user) return json({ error: `Auth failed: ${userError?.message ?? 'no user'}` }, 401)

    const { data: profile, error: profileError } = await callerClient
      .from('profiles').select('role').eq('id', userData.user.id).single()
    if (profileError) return json({ error: `Profile error: ${profileError.message}` }, 500)
    if (profile?.role !== 'team') return json({ error: 'Forbidden: team only' }, 403)

    const body = await req.json()
    const { user_id } = body
    if (!user_id) return json({ error: 'user_id is required' }, 400)

    const admin = createClient(
      Deno.env.get('SUPABASE_URL') ?? '',
      Deno.env.get('SUPABASE_SERVICE_ROLE_KEY') ?? ''
    )

    const { error: deleteError } = await admin.auth.admin.deleteUser(user_id)
    if (deleteError) return json({ error: `Delete failed: ${deleteError.message}` }, 500)

    return json({ success: true }, 200)

  } catch (err) {
    return json({ error: `Unexpected: ${String(err)}` }, 500)
  }
})