import { NextResponse } from 'next/server';
import { auth } from '../../../../auth';

const API_BASE =
  process.env.NEXT_PUBLIC_API_URL_INTERNAL ?? 'http://recipe-api:8080';

export async function GET() {
  const session = await auth();
  if (!session || (session.user as any)?.role !== 'admin') {
    return NextResponse.json({ message: 'Förbjuden' }, { status: 403 });
  }

  const res = await fetch(`${API_BASE}/api/users`, {
    headers: { Authorization: `Bearer ${session.accessToken}` },
    cache: 'no-store',
  });
  const data = await res.json();
  return NextResponse.json(data, { status: res.status });
}