pn-new-crm/src/app/api/v1/admin/invitations/[id]/route.ts

import { NextResponse } from 'next/server';

import { withAuth, withPermission } from '@/lib/api/helpers';
import { errorResponse, ForbiddenError } from '@/lib/errors';
import { revokeCrmInvite } from '@/lib/services/crm-invite.service';

// Invites are a global resource (no portId column). Revoking a foreign
// tenant's pending invite by id would be cross-tenant tampering;
// restrict to super-admins to match the listing endpoint.
export const DELETE = withAuth(
  withPermission('admin', 'manage_users', async (_req, ctx, params) => {
    try {
      if (!ctx.isSuperAdmin) {
        throw new ForbiddenError('Revoking CRM invites requires super-admin');
      }
      const id = params.id ?? '';
      await revokeCrmInvite(id, {
        userId: ctx.userId,
        portId: ctx.portId,
        ipAddress: ctx.ipAddress,
        userAgent: ctx.userAgent,
      });
      return NextResponse.json({ success: true });
    } catch (error) {
      return errorResponse(error);
    }
  }),
);