// Remove a workspace member. Proxies DELETE /tenants/:slug/users/:userId;
// platform-api tears down the mailbox, OCIS account and (if it was their last
// workspace) the SSO identity. Enforces tenant membership + blocks self-removal.

import { getUserSession } from 'nuxt-oidc-auth/runtime/server/utils/session.js'

export default defineEventHandler(async (event) => {
  const session = await getUserSession(event).catch(() => null)
  const accessToken = (session as { accessToken?: string } | null)?.accessToken
  if (!accessToken) {
    throw createError({ statusCode: 401, statusMessage: 'Not signed in' })
  }
  const slug = getRouterParam(event, 'slug')
  const userId = getRouterParam(event, 'userId')
  const base = process.env.PLATFORM_API_INTERNAL_URL ?? 'http://platform-api:3001'
  await $fetch(`${base}/tenants/${slug}/users/${userId}`, {
    method: 'DELETE',
    headers: { Authorization: `Bearer ${accessToken}` },
  })
  return { ok: true }
})