import { NextResponse } from "next/server";
import { cookies } from "next/headers";
import jwt from "jsonwebtoken";
import { db } from "@/lib/db";

/**
 * Key material handed to `jwt.verify()` for the session cookie.
 * NOTE(review): the cast only satisfies the type checker; when JWT_SECRET is
 * unset the value is `undefined` at runtime and the problem surfaces per
 * request inside `jwt.verify()` rather than at startup.
 */
const SECRET = process.env.JWT_SECRET as string;

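/** Claims this route reads from the verified JWT payload. */
interface SessionClaims {
  /** Identifier of the `users` row; always passed as a bound query parameter. */
  id: string | number;
  /** Compared strictly with `users.current_session_id` (single active session). */
  sessionId: unknown;
  /** Role used for scoping; values this file checks are 'brigadist' and 'leader'. */
  role: unknown;
}

/**
 * Narrows whatever `jwt.verify()` returned to the claims this route uses.
 *
 * @param payload - the verified payload (`jwt.verify` may yield a string or an object).
 * @returns the claims, or `null` when the payload is not an object or carries no
 *   string/number `id` — such a token cannot identify a user and is treated as unauthorized.
 */
function toSessionClaims(payload: unknown): SessionClaims | null {
  if (typeof payload !== "object" || payload === null) return null;
  const { id, sessionId, role } = payload as Record<string, unknown>;
  if (typeof id !== "string" && typeof id !== "number") return null;
  return { id, sessionId, role };
}

/**
 * GET handler: lists active `militants` visible to the authenticated caller.
 *
 * Authentication: the JWT in the `token` cookie is verified with `SECRET`, and its
 * `sessionId` claim must equal `users.current_session_id` for the same user, so only
 * the most recently recorded session is accepted.
 *
 * Query string: `scope` — `"mine"` restricts to rows the caller created; `"all"`
 * (for role 'leader') restricts to rows the caller leads or created.
 *
 * @param request - incoming request; only its URL (for `scope`) is read, the token comes from cookies.
 * @returns 401 when the cookie is missing, verification fails, the payload is unusable or the
 *   session does not match; 500 on any other failure; otherwise a JSON array of rows.
 */
export async function GET(request: Request) {
  try {
    const { searchParams } = new URL(request.url);
    const scope = searchParams.get("scope");

    const cookieStore = await cookies();
    const token = cookieStore.get("token")?.value;
    if (!token) return NextResponse.json({ error: "No autorizado" }, { status: 401 });

    // 1. Verify signature and validity window; jwt.verify throws on failure and the
    //    catch below maps that to 401 instead of a generic 500.
    //    NOTE(review): no `algorithms` option is pinned, so jsonwebtoken accepts any
    //    HS* algorithm for a string secret — pin it to the signer's algorithm once confirmed.
    const sessionUser = toSessionClaims(jwt.verify(token, SECRET));
    if (!sessionUser) return NextResponse.json({ error: "No autorizado" }, { status: 401 });
    const userId = sessionUser.id;

    // 2. Single-session check: the token stays valid only while its sessionId is the
    //    one currently stored for this user.
    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- db.query row shape is not typed here
    const [sessionRows]: any = await db.query(
      "SELECT current_session_id FROM users WHERE id = ?",
      [userId]
    );
    const sessionRow = sessionRows[0];
    // A token without a sessionId claim can never match a recorded session.
    // NOTE(review): the comparison is strict, so a number-vs-string mismatch between
    // the claim and the column would reject every request — confirm both share a type.
    if (
      !sessionRow ||
      sessionUser.sessionId == null ||
      sessionRow.current_session_id !== sessionUser.sessionId
    ) {
      return NextResponse.json({ error: "SESION_INVALIDA" }, { status: 401 });
    }

    // 3. Main listing. The caller's id is echoed back as current_user_id; every
    //    user-dependent value is bound as a parameter, never interpolated.
    let query = `
      SELECT 
        m.*, 
        u.role as user_role,
        ? as current_user_id
      FROM militants m
      LEFT JOIN users u ON m.id = u.militant_id
      WHERE m.status = 'active'
    `;
    const params: Array<string | number> = [userId];

    // Scoping rules, kept as originally written.
    // NOTE(review): a 'leader' with no `scope` (or any value other than 'mine'/'all'),
    // and every other role, receives the unfiltered list — confirm this is the
    // intended authorization model.
    if (scope === "mine" || sessionUser.role === 'brigadist') {
      query += " AND m.created_by = ?";
      params.push(userId);
    } else if (sessionUser.role === 'leader' && scope === 'all') {
      query += " AND (m.leader_id = ? OR m.created_by = ?)";
      params.push(userId, userId);
    }

    query += " ORDER BY m.created_at DESC";

    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- db.query row shape is not typed here
    const [rows]: any = await db.query(query, params);

    return NextResponse.json(rows);

  } catch (error: unknown) {
    // Verification failures (bad signature, expired, not yet valid) are an
    // authentication problem, not a server fault; only the error class is logged.
    if (error instanceof jwt.JsonWebTokenError) {
      console.warn("LIST_SCOPE_AUTH:", error.name);
      return NextResponse.json({ error: "No autorizado" }, { status: 401 });
    }
    console.error("LIST_SCOPE_ERROR:", error);
    return NextResponse.json({ error: "Error al obtener el listado" }, { status: 500 });
  }
}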