port-nimara-client-portal/server/api/files/delete.ts

import { requireAuth } from '~/server/utils/auth';
import { deleteFile, deleteFolder, getMinioClient } from '~/server/utils/minio';

export default defineEventHandler(async (event) => {
  // Check authentication (x-tag header OR Keycloak session)
  await requireAuth(event);
  
  try {
    const body = await readBody(event);
    const { fileName, isFolder, bucket } = body;
    const targetBucket = bucket || 'client-portal';
    
    console.log('[delete] Delete request:', {
      fileName,
      isFolder,
      bucket,
      targetBucket
    });
    
    if (!fileName) {
      throw createError({
        statusCode: 400,
        statusMessage: 'File name is required',
      });
    }
    
    // Protect EOIs folder from deletion
    if (fileName === 'EOIs/' || fileName === 'EOIs') {
      throw createError({
        statusCode: 403,
        statusMessage: 'The EOIs folder is protected and cannot be deleted',
      });
    }
    
    // Delete folder or file based on type
    if (targetBucket === 'client-portal') {
      // Use existing functions for default bucket
      if (isFolder) {
        await deleteFolder(fileName);
      } else {
        await deleteFile(fileName);
      }
    } else {
      // For other buckets, use MinIO client directly
      const client = getMinioClient();
      
      if (isFolder) {
        // List all objects in the folder and delete them
        const objectsList: string[] = [];
        
        await new Promise((resolve, reject) => {
          const stream = client.listObjectsV2(targetBucket, fileName, true);
          
          stream.on('data', (obj) => {
            if (obj && obj.name) {
              objectsList.push(obj.name);
            }
          });
          
          stream.on('error', reject);
          
          stream.on('end', async () => {
            try {
              if (objectsList.length > 0) {
                await client.removeObjects(targetBucket, objectsList);
              }
              resolve(true);
            } catch (error) {
              reject(error);
            }
          });
        });
      } else {
        // Delete single file
        console.log(`[delete] Attempting to delete file '${fileName}' from bucket '${targetBucket}'`);
        
        // First check if the file exists
        try {
          const stat = await client.statObject(targetBucket, fileName);
          console.log('[delete] File exists in bucket:', stat);
        } catch (err: any) {
          console.error(`[delete] File '${fileName}' not found in bucket '${targetBucket}':`, err.message);
        }
        
        await client.removeObject(targetBucket, fileName);
        console.log(`[delete] Successfully deleted '${fileName}' from '${targetBucket}'`);
      }
    }
    
    // Log audit event
    await logAuditEvent(event, 'delete', fileName);
    
    return {
      success: true,
      message: isFolder ? 'Folder deleted successfully' : 'File deleted successfully',
    };
  } catch (error: any) {
    console.error('Failed to delete:', error);
    throw createError({
      statusCode: 500,
      statusMessage: error.message || 'Failed to delete',
    });
  }
});

// Audit logging helper
async function logAuditEvent(event: any, action: string, filePath: string) {
  try {
    const user = event.context.user || { email: 'anonymous' };
    const auditLog = {
      user_email: user.email,
      action,
      file_path: filePath,
      timestamp: new Date().toISOString(),
      ip_address: getClientIP(event),
      success: true,
    };
    
    // You can store this in your database or logging system
    console.log('Audit log:', auditLog);
  } catch (error) {
    console.error('Failed to log audit event:', error);
  }
}

function getClientIP(event: any): string {
  return event.node.req.headers['x-forwarded-for'] || 
         event.node.req.connection.remoteAddress || 
         'unknown';
}