karbe/src/app/api/me/export/route.ts

import { NextResponse } from "next/server";

import { auth } from "@/auth";
import { prisma } from "@/lib/prisma";
import { recordAudit } from "@/lib/admin/audit";

export const runtime = "nodejs";
export const dynamic = "force-dynamic";

/** RGPD article 20 — droit à la portabilité. Renvoie un JSON avec toutes les données utilisateur. */
export async function GET() {
  const session = await auth();
  if (!session?.user?.id) {
    return NextResponse.json({ error: "Non authentifié" }, { status: 401 });
  }
  const userId = session.user.id;

  const [user, bookings, reviews, carbets, subscriptions] = await Promise.all([
    prisma.user.findUnique({
      where: { id: userId },
      select: {
        id: true,
        email: true,
        firstName: true,
        lastName: true,
        phone: true,
        role: true,
        avatarUrl: true,
        isActive: true,
        createdAt: true,
        updatedAt: true,
        organizationId: true,
      },
    }),
    prisma.booking.findMany({
      where: { tenantId: userId },
      select: {
        id: true,
        carbetId: true,
        startDate: true,
        endDate: true,
        guestCount: true,
        status: true,
        paymentStatus: true,
        amount: true,
        currency: true,
        createdAt: true,
      },
    }),
    prisma.review.findMany({
      where: { authorId: userId },
      select: {
        id: true,
        bookingId: true,
        carbetId: true,
        rating: true,
        comment: true,
        createdAt: true,
      },
    }),
    prisma.carbet.findMany({
      where: { ownerId: userId },
      select: { id: true, slug: true, title: true, status: true, createdAt: true },
    }),
    prisma.subscription.findMany({
      where: { ownerId: userId },
      select: { id: true, carbetId: true, status: true, provider: true, startedAt: true },
    }),
  ]);

  await recordAudit({
    scope: "public.profile",
    event: "data.export",
    target: userId,
    actorEmail: session.user.email ?? null,
    details: {},
  });

  const filename = `karbe-mes-donnees-${new Date().toISOString().slice(0, 10)}.json`;
  return new NextResponse(
    JSON.stringify(
      {
        exportedAt: new Date().toISOString(),
        rgpdNotice:
          "Conformément à l'article 20 du RGPD. Pour exercer vos autres droits, contactez contact@karbe.cosmolan.fr.",
        user,
        bookings,
        reviews,
        carbets,
        subscriptions,
      },
      null,
      2,
    ),
    {
      status: 200,
      headers: {
        "Content-Type": "application/json; charset=utf-8",
        "Content-Disposition": `attachment; filename="${filename}"`,
      },
    },
  );
}