import { NextResponse } from "next/server";
import { getServerSession } from "next-auth";
import { authOptions } from "@/lib/auth";
import prisma from "@/lib/prisma";

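/**
 * Route handler: returns the leave balances (each joined with its leave
 * type, ordered by type name) for one user and one calendar year.
 *
 * Query parameters:
 *   - `userId` (optional): whose balances to read; defaults to the caller.
 *   - `year`   (optional): calendar year; defaults to the current year.
 *
 * Authorization: a caller may always read their own balances. Reading
 * another user's balances requires an elevated role. The check is an
 * allow-list (ADMIN / MANAGER) rather than "role is not EMPLOYEE", so a
 * session whose role is missing, null or an unexpected value fails closed
 * instead of open.
 * NOTE(review): only "EMPLOYEE" is visible as a role value in this file;
 * ADMIN/MANAGER are taken from the original "unless admin/manager"
 * comment — confirm against the Prisma schema / auth config.
 *
 * Responses: 200 with the balance array; 400 when `year` does not parse to
 * an integer; 401 without a usable session; 403 when reading another user's
 * data without an elevated role; 500 on any other failure (the error is
 * logged server-side, never echoed to the client).
 */
export async function GET(req: Request) {
  try {
    const session = await getServerSession(authOptions);
    // `session.user` / `session.user.id` can be absent depending on the
    // next-auth session callbacks; treat that as "no session" so the
    // ownership comparison below is never made against `undefined`.
    if (!session?.user?.id) {
      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
    }
    const callerId = session.user.id;

    const { searchParams } = new URL(req.url);
    // Empty or missing `userId` falls back to the caller (same as before).
    const userId = searchParams.get("userId") || callerId;

    // Validate `year` explicitly: parseInt("abc") is NaN, and a NaN filter
    // value would otherwise surface as a Prisma error (500) instead of a 400.
    const year = Number.parseInt(
      searchParams.get("year") || String(new Date().getFullYear()),
      10,
    );
    if (!Number.isInteger(year)) {
      return NextResponse.json({ error: "Invalid year" }, { status: 400 });
    }

    // Only allow viewing own balance unless admin/manager.
    // Allow-list the elevated roles so any other (or missing) role is denied.
    const role = session.user.role;
    const isElevated = role === "ADMIN" || role === "MANAGER";
    if (userId !== callerId && !isElevated) {
      return NextResponse.json({ error: "Unauthorized" }, { status: 403 });
    }

    const balances = await prisma.leaveBalance.findMany({
      where: { userId, year },
      include: { leaveType: true },
      orderBy: { leaveType: { name: "asc" } },
    });

    return NextResponse.json(balances);
  } catch (error) {
    // Log with context for operators; keep the client response generic so
    // no database/ORM details leak.
    console.error("leaveBalance GET failed", error);
    return NextResponse.json({ error: "Failed to fetch balances" }, { status: 500 });
  }
}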
