// API route to send a test email – protected by Supabase admin check import { NextResponse } from 'next/server'; import { sendMail } from '@/utils/mail'; import { createServerClient } from '@supabase/ssr'; import { cookies } from 'next/headers'; export async function POST(request: Request) { const cookieStore = await cookies(); const supabaseUrl = process.env.SUPABASE_URL || process.env.NEXT_PUBLIC_SUPABASE_URL || ''; const supabase = createServerClient( supabaseUrl, process.env.SUPABASE_SERVICE_ROLE_KEY ?? '', { cookies: { getAll() { return cookieStore.getAll() }, setAll(cookiesToSet) { try { cookiesToSet.forEach(({ name, value, options }) => cookieStore.set(name, value, options) ) } catch { // Kann in einer API-Route ignoriert werden, wenn nur gelesen wird } }, }, cookieOptions: { name: "webshop-auth-token", }, } ); // Verify admin rights – expecting a user with role "admin" in the "users" table const { data: { session } } = await supabase.auth.getSession(); if (!session) { return NextResponse.json({ error: 'Not authenticated' }, { status: 401 }); } const { data: user } = await supabase.from('users').select('role').eq('id', session.user.id).single(); if (!user || user.role !== 'admin') { return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 }); } const { to, subject, text, html } = await request.json(); try { const info = await sendMail({ to, subject, text, html }); return NextResponse.json({ message: 'Email sent', info }); } catch (err) { console.error('Mail error', err); return NextResponse.json({ error: 'Failed to send email' }, { status: 500 }); } }