mirror of
https://github.com/renee-png/acmcc.git
synced 2026-06-21 01:40:01 +00:00
145 lines
5.2 KiB
TypeScript
145 lines
5.2 KiB
TypeScript
import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.45.0'
|
|
|
|
const corsHeaders = {
|
|
'Access-Control-Allow-Origin': '*',
|
|
'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
|
|
}
|
|
|
|
const PUBLIC_BASE_URL = 'https://avria.cloud'
|
|
|
|
Deno.serve(async (req) => {
|
|
if (req.method === 'OPTIONS') return new Response('ok', { headers: corsHeaders })
|
|
|
|
try {
|
|
const { vendor_id } = await req.json()
|
|
if (!vendor_id) {
|
|
return new Response(JSON.stringify({ error: 'vendor_id required' }), {
|
|
status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
})
|
|
}
|
|
|
|
const supabaseUrl = Deno.env.get('SUPABASE_URL')!
|
|
const serviceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY')!
|
|
const anonKey = Deno.env.get('SUPABASE_ANON_KEY')!
|
|
const authHeader = req.headers.get('Authorization') || ''
|
|
|
|
// Auth client to validate caller
|
|
const authClient = createClient(supabaseUrl, anonKey, {
|
|
global: { headers: { Authorization: authHeader } },
|
|
})
|
|
const { data: userRes } = await authClient.auth.getUser()
|
|
if (!userRes?.user) {
|
|
return new Response(JSON.stringify({ error: 'Unauthorized' }), {
|
|
status: 401, headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
})
|
|
}
|
|
const userId = userRes.user.id
|
|
|
|
const admin = createClient(supabaseUrl, serviceKey)
|
|
|
|
// Verify caller is admin or manager
|
|
const { data: roleRows } = await admin
|
|
.from('user_roles').select('role').eq('user_id', userId)
|
|
const roles = (roleRows || []).map((r: any) => r.role)
|
|
if (!roles.includes('admin') && !roles.includes('manager')) {
|
|
return new Response(JSON.stringify({ error: 'Forbidden' }), {
|
|
status: 403, headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
})
|
|
}
|
|
|
|
// Load vendor
|
|
const { data: vendor, error: vErr } = await admin
|
|
.from('vendors').select('id, name, email').eq('id', vendor_id).single()
|
|
if (vErr || !vendor) {
|
|
return new Response(JSON.stringify({ error: 'Vendor not found' }), {
|
|
status: 404, headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
})
|
|
}
|
|
if (!vendor.email) {
|
|
return new Response(JSON.stringify({ error: 'Vendor has no email on file' }), {
|
|
status: 400, headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
})
|
|
}
|
|
|
|
// Get profile name for requester (best-effort)
|
|
const { data: profile } = await admin
|
|
.from('profiles').select('full_name').eq('user_id', userId).maybeSingle()
|
|
|
|
// Create request token
|
|
const { data: reqRow, error: reqErr } = await admin
|
|
.from('vendor_insurance_requests')
|
|
.insert({
|
|
vendor_id,
|
|
sent_to_email: vendor.email,
|
|
created_by: userId,
|
|
})
|
|
.select('id, token, expires_at')
|
|
.single()
|
|
if (reqErr || !reqRow) {
|
|
return new Response(JSON.stringify({ error: 'Failed to create request', detail: reqErr?.message }), {
|
|
status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
})
|
|
}
|
|
|
|
const link = `${PUBLIC_BASE_URL}/vendor-insurance/${reqRow.token}`
|
|
const expiresAt = new Date(reqRow.expires_at).toLocaleDateString('en-US', {
|
|
month: 'long', day: 'numeric', year: 'numeric',
|
|
})
|
|
|
|
// Send email via shared transactional sender using the caller's JWT.
|
|
// Some deployed environments still enforce gateway JWT verification even
|
|
// when local config says verify_jwt=false, so forwarding the staff session
|
|
// avoids the nested call being rejected before it reaches the sender.
|
|
let emailErr: any = null
|
|
try {
|
|
const emailRes = await fetch(`${supabaseUrl}/functions/v1/send-transactional-email`, {
|
|
method: 'POST',
|
|
headers: {
|
|
'apikey': anonKey,
|
|
...(authHeader ? { Authorization: authHeader } : {}),
|
|
'Content-Type': 'application/json',
|
|
},
|
|
body: JSON.stringify({
|
|
templateName: 'vendor-insurance-request',
|
|
recipientEmail: vendor.email,
|
|
idempotencyKey: `vendor-insurance-${reqRow.id}`,
|
|
templateData: {
|
|
vendorName: vendor.name,
|
|
requesterName: profile?.full_name || 'Avria Community Management',
|
|
link,
|
|
expiresAt,
|
|
},
|
|
}),
|
|
})
|
|
if (!emailRes.ok) {
|
|
const text = await emailRes.text()
|
|
emailErr = { message: `status ${emailRes.status}: ${text}` }
|
|
}
|
|
} catch (e) {
|
|
emailErr = e
|
|
}
|
|
|
|
if (emailErr) {
|
|
console.error('Email send failed:', emailErr)
|
|
return new Response(JSON.stringify({
|
|
ok: false,
|
|
request_id: reqRow.id,
|
|
link,
|
|
error: 'Email failed to send. Share the link manually.',
|
|
}), { status: 200, headers: { ...corsHeaders, 'Content-Type': 'application/json' } })
|
|
}
|
|
|
|
return new Response(JSON.stringify({
|
|
ok: true,
|
|
request_id: reqRow.id,
|
|
link,
|
|
sent_to: vendor.email,
|
|
}), { headers: { ...corsHeaders, 'Content-Type': 'application/json' } })
|
|
} catch (e) {
|
|
console.error('send-vendor-insurance-request error:', e)
|
|
return new Response(JSON.stringify({ error: String(e) }), {
|
|
status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' },
|
|
})
|
|
}
|
|
})
|