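import { NextRequest, NextResponse } from "next/server";
import { getAdminSession } from "@/lib/admin/session";
import { getSupabaseAdminClient } from "@/lib/supabase/admin";
import { UUID_REGEX } from "@/lib/constants";

/**
 * DELETE handler: permanently removes a user — first the application row in
 * `public.users`, then the Supabase Auth record.
 *
 * Access control: requires an admin session (`getAdminSession().isAdmin`);
 * any other caller gets 401 before the route param is even read.
 *
 * Error responses carry only a generic message. The raw Supabase/Postgres
 * error text is logged server-side instead of being returned, because it can
 * reveal table, constraint and policy names.
 *
 * @param _request - unused; everything needed arrives via `params`.
 * @param params - route params; `id` must match UUID_REGEX or the request is rejected.
 * @returns 401 (not admin), 400 (malformed id), 500 (either delete step failed),
 *          or `{ ok: true }` once both records are gone.
 */
export async function DELETE(
  _request: NextRequest,
  { params }: { params: Promise<{ id: string }> },
): Promise<NextResponse> {
  const session = await getAdminSession();
  if (!session.isAdmin) {
    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
  }

  const { id } = await params;
  // Validate the shape before the value reaches the DB or the Auth admin API.
  if (!UUID_REGEX.test(id)) {
    return NextResponse.json({ error: "Invalid user ID" }, { status: 400 });
  }

  // NOTE(review): nothing here prevents an admin from deleting their own
  // account; if the session exposes the caller's user id, compare it to `id`
  // and refuse before proceeding.

  const supabase = getSupabaseAdminClient();

  // public.users first so FK cascades run before auth record removal.
  const { error: dbError } = await supabase.from("users").delete().eq("id", id);
  if (dbError) {
    // Keep the driver message out of the response body (information disclosure).
    console.error("admin user delete: public.users delete failed", { id, error: dbError });
    return NextResponse.json({ error: "Failed to delete user record" }, { status: 500 });
  }

  // From here on the application row is gone but the Auth record may still
  // exist. If the next call fails, the user can presumably still authenticate;
  // the 500 below tells the operator a retry is needed (deleting an already
  // missing public.users row should be a no-op on that retry — verify).
  const { error: authError } = await supabase.auth.admin.deleteUser(id);
  if (authError) {
    console.error("admin user delete: auth.admin.deleteUser failed", { id, error: authError });
    return NextResponse.json({ error: "Failed to delete auth user" }, { status: 500 });
  }

  return NextResponse.json({ ok: true });
}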