encoach_frontend/src/pages/api/permissions/[id].ts

// Next.js API route support: https://nextjs.org/docs/api-routes/introduction
import type { NextApiRequest, NextApiResponse } from "next";
import client from "@/lib/mongodb";
import { withIronSessionApiRoute } from "iron-session/next";
import { sessionOptions } from "@/lib/session";
import { getPermissionDoc } from "@/utils/permissions.be";

const db = client.db(process.env.MONGODB_DB);

export default withIronSessionApiRoute(handler, sessionOptions);

async function handler(req: NextApiRequest, res: NextApiResponse) {
	if (req.method === "PATCH") return patch(req, res);
	if (req.method === "GET") return get(req, res);
}

async function get(req: NextApiRequest, res: NextApiResponse) {
	if (!req.session.user) {
		res.status(401).json({ ok: false });
		return;
	}

	const { id } = req.query as { id: string };

	const permissionDoc = await getPermissionDoc(id);
	return res.status(200).json({ allowed: permissionDoc.users.includes(req.session.user.id) });
}

async function patch(req: NextApiRequest, res: NextApiResponse) {
	if (!req.session.user) {
		res.status(401).json({ ok: false });
		return;
	}

	const { id } = req.query as { id: string };
	const { users } = req.body;

	try {
		await db.collection("permissions").updateOne(
			{ id: id },
			{ $set: {...users, id: id} },
			{ upsert: true }
		);

		return res.status(200).json({ ok: true });
	} catch (err) {
		console.error(err);
		return res.status(500).json({ ok: false });
	}
}