import { deleteNote } from "@/lib/queries/notes";
import { NextResponse } from "next/server";
import { withUserAuth } from "@/lib/middleware/auth";
import db from "@/lib/db";

/**
 * Decide whether `user` may delete `note`.
 *
 * Checks run in a fixed order so that the same refusal is reported as before:
 * first ownership/admin, then the system-note restriction.
 *
 * @param {object} note - Row read from the `notes` table (`created_by`, `is_system` are used).
 * @param {object|undefined} user - Authenticated principal attached to the request (`role`, `id`).
 * @returns {string|null} The refusal message, or `null` when deletion is allowed.
 */
function deleteDenialReason(note, user) {
  const isAdmin = user?.role === 'admin';
  // NOTE(review): strict inequality means `created_by` and `user.id` must share a
  // type (both numbers or both strings); a mismatch would deny every owner — confirm.
  if (!isAdmin && note.created_by !== user?.id) {
    return "Unauthorized to delete this note";
  }
  // Only admins may remove system notes, even when they are the author.
  if (note.is_system && !isAdmin) {
    return "Cannot delete system notes";
  }
  return null;
}

/**
 * DELETE handler: remove one task note identified by the `id` route param.
 *
 * Response codes: 400 when the id is missing, 404 when no such note exists,
 * 403 when the caller is neither the author nor an admin (or the note is a
 * system note and the caller is not an admin), 500 on unexpected errors,
 * otherwise `{ success: true }`.
 *
 * @param {Request} req - Incoming request; `req.user` is expected to be set by `withUserAuth`.
 * @param {{ params: Promise<{ id?: string }> }} ctx - Route context with the awaited params.
 * @returns {Promise<NextResponse>} JSON response.
 */
async function deleteTaskNoteHandler(req, { params }) {
  try {
    const { id: noteId } = await params;
    if (!noteId) {
      return NextResponse.json({ error: "Note ID is required" }, { status: 400 });
    }

    // Load the row first: the authorization decision needs `created_by` and
    // `is_system`. The lookup is parameterized, so `noteId` is never spliced into SQL.
    const existing = db.prepare("SELECT * FROM notes WHERE note_id = ?").get(noteId);
    if (!existing) {
      return NextResponse.json({ error: "Note not found" }, { status: 404 });
    }

    const denial = deleteDenialReason(existing, req.user);
    if (denial !== null) {
      return NextResponse.json({ error: denial }, { status: 403 });
    }

    // NOTE(review): read-then-delete is two statements; whether deleteNote re-checks
    // anything is not visible here — confirm if concurrent edits matter.
    deleteNote(noteId);
    return NextResponse.json({ success: true });
  } catch (error) {
    // Log the detail server-side; the client gets a generic message only.
    console.error("Error deleting task note:", error);
    return NextResponse.json(
      { error: "Failed to delete task note" },
      { status: 500 }
    );
  }
}

// Protected route - require user authentication
export const DELETE = withUserAuth(deleteTaskNoteHandler);