dticket.tootaio.com/server/api/admin/users/[id].patch.ts

import type { UserRole } from '~~/shared/auth'

import { requireRole } from '../../../utils/auth'
import { updateUserProfile } from '../../../utils/user-repository'
import { httpError } from '../../../utils/http'
import { parseUserProfileInput, requireExistingUser, requireUserIdParam } from '../../../utils/users'

export default defineEventHandler(async (event) => {
  const auth = await requireRole(event, 'super_admin')
  const userId = requireUserIdParam(event)

  const body = await readBody<{
    fullName?: string
    phoneNumber?: string
    role?: UserRole
  }>(event)

  const { fullName, phoneNumber, role } = parseUserProfileInput(body)

  await requireExistingUser(userId)

  if (auth.user.id === userId && role !== 'super_admin') {
    httpError(400, 'You cannot remove your own super admin access')
  }

  const updatedUser = await updateUserProfile({
    userId,
    fullName,
    phoneNumber,
    role
  })

  return {
    user: updatedUser
  }
})