import { NextResponse } from 'next/server'; import { z } from 'zod'; import { eq, and } from 'drizzle-orm'; import { withAuth } from '@/lib/api/helpers'; import { parseBody } from '@/lib/api/route-helpers'; import { db } from '@/lib/db'; import { interests } from '@/lib/db/schema/interests'; import { interestTags } from '@/lib/db/schema/interests'; import { archiveInterest, changeInterestStage, setInterestTags, } from '@/lib/services/interests.service'; import { PIPELINE_STAGES } from '@/lib/constants'; import { errorResponse } from '@/lib/errors'; /** * Synchronous bulk endpoint for the interests list. * * Per-row loop is fine for the page-size cap (100 rows max). Larger jobs * (CSV imports, port-wide migrations) belong on the BullMQ `bulk` queue — * see src/lib/queue/workers/bulk.ts. The synchronous path gives the user * instant feedback and a per-row failure list, which the queue can't. */ const bulkSchema = z.discriminatedUnion('action', [ z.object({ action: z.literal('change_stage'), ids: z.array(z.string().min(1)).min(1).max(100), pipelineStage: z.enum(PIPELINE_STAGES), }), z.object({ action: z.literal('add_tag'), ids: z.array(z.string().min(1)).min(1).max(100), tagId: z.string().min(1), }), z.object({ action: z.literal('remove_tag'), ids: z.array(z.string().min(1)).min(1).max(100), tagId: z.string().min(1), }), z.object({ action: z.literal('archive'), ids: z.array(z.string().min(1)).min(1).max(100), }), ]); interface RowResult { id: string; ok: boolean; error?: string; } const PERMISSION_BY_ACTION: Record< z.infer['action'], { resource: 'interests'; action: 'change_stage' | 'edit' | 'delete' } > = { change_stage: { resource: 'interests', action: 'change_stage' }, add_tag: { resource: 'interests', action: 'edit' }, remove_tag: { resource: 'interests', action: 'edit' }, archive: { resource: 'interests', action: 'delete' }, }; export const POST = withAuth(async (req, ctx) => { let body: z.infer; try { body = await parseBody(req, bulkSchema); } catch (error) { return errorResponse(error); } // Per-action permission check (mirrors the per-row endpoints). const perm = PERMISSION_BY_ACTION[body.action]; const allowed = ctx.isSuperAdmin ? true : !!ctx.permissions?.[perm.resource]?.[perm.action]; if (!allowed) { return NextResponse.json({ error: 'Forbidden' }, { status: 403 }); } const meta = { userId: ctx.userId, portId: ctx.portId, ipAddress: ctx.ipAddress, userAgent: ctx.userAgent, }; const results: RowResult[] = []; for (const id of body.ids) { try { if (body.action === 'change_stage') { await changeInterestStage(id, ctx.portId, { pipelineStage: body.pipelineStage }, meta); } else if (body.action === 'archive') { await archiveInterest(id, ctx.portId, meta); } else if (body.action === 'add_tag' || body.action === 'remove_tag') { // Tenant gate: load the existing interest tag set, mutate, save. const interest = await db.query.interests.findFirst({ where: and(eq(interests.id, id), eq(interests.portId, ctx.portId)), }); if (!interest) { results.push({ id, ok: false, error: 'Interest not found' }); continue; } const existingTags = await db .select({ tagId: interestTags.tagId }) .from(interestTags) .where(eq(interestTags.interestId, id)); const current = new Set(existingTags.map((t) => t.tagId)); if (body.action === 'add_tag') current.add(body.tagId); else current.delete(body.tagId); await setInterestTags(id, ctx.portId, Array.from(current), meta); } results.push({ id, ok: true }); } catch (err) { results.push({ id, ok: false, error: err instanceof Error ? err.message : 'unknown error', }); } } const summary = { total: results.length, succeeded: results.filter((r) => r.ok).length, failed: results.filter((r) => !r.ok).length, }; return NextResponse.json({ data: { results, summary } }); });