npm - @open-mercato/core - Versions diffs - 0.4.8-develop-28cee031d6 → 0.4.8-develop-15259be22b - Mend

@open-mercato/core 0.4.8-develop-28cee031d6 → 0.4.8-develop-15259be22b

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (333) hide show

package/src/modules/customer_accounts/api/portal/logout.ts ADDED Viewed

@@ -0,0 +1,71 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { CustomerSessionService } from '@open-mercato/core/modules/customer_accounts/services/customerSessionService'
+export const metadata: { path?: string } = {}
+function readCookieFromHeader(header: string | null | undefined, name: string): string | undefined {
+  if (!header) return undefined
+  const parts = header.split(';')
+  for (const part of parts) {
+    const trimmed = part.trim()
+    if (trimmed.startsWith(`${name}=`)) {
+      return trimmed.slice(name.length + 1)
+    }
+  }
+  return undefined
+}
+export async function POST(req: Request) {
+  const cookieHeader = req.headers.get('cookie') || ''
+  const sessionToken = readCookieFromHeader(cookieHeader, 'customer_session_token')
+  if (sessionToken) {
+    try {
+      const decodedToken = decodeURIComponent(sessionToken)
+      const container = await createRequestContainer()
+      const customerSessionService = container.resolve('customerSessionService') as CustomerSessionService
+      const session = await customerSessionService.findByToken(decodedToken)
+      if (session) {
+        await customerSessionService.revokeSession(session.id)
+      }
+    } catch {
+      // Best effort — clear cookies regardless
+    }
+  }
+  const res = NextResponse.json({ ok: true })
+  res.cookies.set('customer_auth_token', '', {
+    httpOnly: true,
+    path: '/',
+    sameSite: 'lax',
+    secure: process.env.NODE_ENV === 'production',
+    maxAge: 0,
+  })
+  res.cookies.set('customer_session_token', '', {
+    httpOnly: true,
+    path: '/',
+    sameSite: 'lax',
+    secure: process.env.NODE_ENV === 'production',
+    maxAge: 0,
+  })
+  return res
+}
+const successSchema = z.object({ ok: z.literal(true) })
+const methodDoc: OpenApiMethodDoc = {
+  summary: 'Customer logout',
+  description: 'Revokes the current session and clears authentication cookies.',
+  tags: ['Customer Portal'],
+  responses: [{ status: 200, description: 'Logged out', schema: successSchema }],
+}
+export const openApi: OpenApiRouteDoc = {
+  summary: 'Customer logout',
+  methods: { POST: methodDoc },
+}

package/src/modules/customer_accounts/api/portal/notifications/[id]/dismiss.ts ADDED Viewed

@@ -0,0 +1,54 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'
+import { getCustomerAuthFromRequest } from '@open-mercato/core/modules/customer_accounts/lib/customerAuth'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { Notification } from '@open-mercato/core/modules/notifications/data/entities'
+export const metadata: { path?: string } = {}
+export async function PUT(req: Request, { params }: { params: { id: string } }) {
+  const auth = await getCustomerAuthFromRequest(req)
+  if (!auth) {
+    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })
+  }
+  const container = await createRequestContainer()
+  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager
+  const notification = await em.findOne(Notification, {
+    id: params.id,
+    recipientUserId: auth.sub,
+    tenantId: auth.tenantId,
+  })
+  if (!notification) {
+    return NextResponse.json({ ok: false, error: 'Notification not found' }, { status: 404 })
+  }
+  notification.status = 'dismissed'
+  notification.dismissedAt = new Date()
+  await em.flush()
+  return NextResponse.json({ ok: true })
+}
+const successSchema = z.object({ ok: z.literal(true) })
+const errorSchema = z.object({ ok: z.literal(false), error: z.string() })
+const methodDoc: OpenApiMethodDoc = {
+  summary: 'Dismiss notification',
+  description: 'Dismisses a single notification for the authenticated customer user.',
+  tags: ['Customer Portal'],
+  responses: [{ status: 200, description: 'Notification dismissed', schema: successSchema }],
+  errors: [
+    { status: 401, description: 'Not authenticated', schema: errorSchema },
+    { status: 404, description: 'Notification not found', schema: errorSchema },
+  ],
+}
+export const openApi: OpenApiRouteDoc = {
+  summary: 'Dismiss customer notification',
+  pathParams: z.object({ id: z.string().uuid() }),
+  methods: { PUT: methodDoc },
+}

package/src/modules/customer_accounts/api/portal/notifications/[id]/read.ts ADDED Viewed

@@ -0,0 +1,54 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'
+import { getCustomerAuthFromRequest } from '@open-mercato/core/modules/customer_accounts/lib/customerAuth'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { Notification } from '@open-mercato/core/modules/notifications/data/entities'
+export const metadata: { path?: string } = {}
+export async function PUT(req: Request, { params }: { params: { id: string } }) {
+  const auth = await getCustomerAuthFromRequest(req)
+  if (!auth) {
+    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })
+  }
+  const container = await createRequestContainer()
+  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager
+  const notification = await em.findOne(Notification, {
+    id: params.id,
+    recipientUserId: auth.sub,
+    tenantId: auth.tenantId,
+  })
+  if (!notification) {
+    return NextResponse.json({ ok: false, error: 'Notification not found' }, { status: 404 })
+  }
+  notification.status = 'read'
+  notification.readAt = new Date()
+  await em.flush()
+  return NextResponse.json({ ok: true })
+}
+const successSchema = z.object({ ok: z.literal(true) })
+const errorSchema = z.object({ ok: z.literal(false), error: z.string() })
+const methodDoc: OpenApiMethodDoc = {
+  summary: 'Mark notification as read',
+  description: 'Marks a single notification as read for the authenticated customer user.',
+  tags: ['Customer Portal'],
+  responses: [{ status: 200, description: 'Notification marked as read', schema: successSchema }],
+  errors: [
+    { status: 401, description: 'Not authenticated', schema: errorSchema },
+    { status: 404, description: 'Notification not found', schema: errorSchema },
+  ],
+}
+export const openApi: OpenApiRouteDoc = {
+  summary: 'Mark notification as read',
+  pathParams: z.object({ id: z.string().uuid() }),
+  methods: { PUT: methodDoc },
+}

package/src/modules/customer_accounts/api/portal/notifications/mark-all-read.ts ADDED Viewed

@@ -0,0 +1,49 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'
+import { getCustomerAuthFromRequest } from '@open-mercato/core/modules/customer_accounts/lib/customerAuth'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { Notification } from '@open-mercato/core/modules/notifications/data/entities'
+export const metadata: { path?: string } = {}
+export async function PUT(req: Request) {
+  const auth = await getCustomerAuthFromRequest(req)
+  if (!auth) {
+    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })
+  }
+  const container = await createRequestContainer()
+  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager
+  const now = new Date()
+  const count = await em.nativeUpdate(Notification, {
+    recipientUserId: auth.sub,
+    tenantId: auth.tenantId,
+    status: 'unread',
+  }, {
+    status: 'read',
+    readAt: now,
+  })
+  return NextResponse.json({ ok: true, count })
+}
+const successSchema = z.object({
+  ok: z.literal(true),
+  count: z.number(),
+})
+const errorSchema = z.object({ ok: z.literal(false), error: z.string() })
+const methodDoc: OpenApiMethodDoc = {
+  summary: 'Mark all notifications as read',
+  description: 'Marks all unread notifications as read for the authenticated customer user.',
+  tags: ['Customer Portal'],
+  responses: [{ status: 200, description: 'All notifications marked as read', schema: successSchema }],
+  errors: [{ status: 401, description: 'Not authenticated', schema: errorSchema }],
+}
+export const openApi: OpenApiRouteDoc = {
+  summary: 'Mark all customer notifications as read',
+  methods: { PUT: methodDoc },
+}

package/src/modules/customer_accounts/api/portal/notifications/unread-count.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'
+import { getCustomerAuthFromRequest } from '@open-mercato/core/modules/customer_accounts/lib/customerAuth'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { Notification } from '@open-mercato/core/modules/notifications/data/entities'
+export const metadata: { path?: string } = {}
+export async function GET(req: Request) {
+  const auth = await getCustomerAuthFromRequest(req)
+  if (!auth) {
+    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })
+  }
+  const container = await createRequestContainer()
+  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager
+  const unreadCount = await em.count(Notification, {
+    recipientUserId: auth.sub,
+    tenantId: auth.tenantId,
+    status: 'unread',
+  })
+  return NextResponse.json({ ok: true, unreadCount })
+}
+const successSchema = z.object({
+  ok: z.literal(true),
+  unreadCount: z.number(),
+})
+const errorSchema = z.object({ ok: z.literal(false), error: z.string() })
+const methodDoc: OpenApiMethodDoc = {
+  summary: 'Get unread notification count',
+  description: 'Returns the number of unread notifications for the authenticated customer user.',
+  tags: ['Customer Portal'],
+  responses: [{ status: 200, description: 'Unread count', schema: successSchema }],
+  errors: [{ status: 401, description: 'Not authenticated', schema: errorSchema }],
+}
+export const openApi: OpenApiRouteDoc = {
+  summary: 'Customer unread notification count',
+  methods: { GET: methodDoc },
+}

package/src/modules/customer_accounts/api/portal/notifications.ts ADDED Viewed

@@ -0,0 +1,115 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'
+import { getCustomerAuthFromRequest } from '@open-mercato/core/modules/customer_accounts/lib/customerAuth'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { Notification } from '@open-mercato/core/modules/notifications/data/entities'
+import { toNotificationDto } from '@open-mercato/core/modules/notifications/lib/notificationMapper'
+export const metadata: { path?: string } = {}
+export async function GET(req: Request) {
+  const auth = await getCustomerAuthFromRequest(req)
+  if (!auth) {
+    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })
+  }
+  const url = new URL(req.url)
+  const page = Math.max(1, parseInt(url.searchParams.get('page') || '1', 10) || 1)
+  const rawPageSize = parseInt(url.searchParams.get('pageSize') || '50', 10) || 50
+  const pageSize = Math.min(Math.max(1, rawPageSize), 100)
+  const status = url.searchParams.get('status') || undefined
+  const since = url.searchParams.get('since') || undefined
+  const container = await createRequestContainer()
+  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager
+  const where: Record<string, unknown> = {
+    recipientUserId: auth.sub,
+    tenantId: auth.tenantId,
+  }
+  if (status) {
+    where.status = status
+  } else {
+    where.status = { $ne: 'dismissed' }
+  }
+  if (since) {
+    const sinceDate = new Date(since)
+    if (!isNaN(sinceDate.getTime())) {
+      where.createdAt = { $gte: sinceDate }
+    }
+  }
+  const offset = (page - 1) * pageSize
+  const [items, total] = await Promise.all([
+    em.find(Notification, where, {
+      orderBy: { createdAt: 'DESC' },
+      limit: pageSize,
+      offset,
+    }),
+    em.count(Notification, where),
+  ])
+  return NextResponse.json({
+    ok: true,
+    items: items.map(toNotificationDto),
+    total,
+    page,
+    pageSize,
+  })
+}
+const notificationDtoSchema = z.object({
+  id: z.string().uuid(),
+  type: z.string(),
+  title: z.string(),
+  body: z.string().nullable().optional(),
+  titleKey: z.string().nullable().optional(),
+  bodyKey: z.string().nullable().optional(),
+  titleVariables: z.record(z.string(), z.string()).nullable().optional(),
+  bodyVariables: z.record(z.string(), z.string()).nullable().optional(),
+  icon: z.string().nullable().optional(),
+  severity: z.enum(['info', 'warning', 'success', 'error']),
+  status: z.enum(['unread', 'read', 'actioned', 'dismissed']),
+  actions: z.array(z.object({
+    id: z.string(),
+    label: z.string(),
+    labelKey: z.string().optional(),
+    variant: z.string().optional(),
+    icon: z.string().optional(),
+  })),
+  primaryActionId: z.string().optional(),
+  sourceModule: z.string().nullable().optional(),
+  sourceEntityType: z.string().nullable().optional(),
+  sourceEntityId: z.string().nullable().optional(),
+  linkHref: z.string().nullable().optional(),
+  createdAt: z.string().datetime(),
+  readAt: z.string().datetime().nullable(),
+  actionTaken: z.string().nullable().optional(),
+})
+const listResponseSchema = z.object({
+  ok: z.literal(true),
+  items: z.array(notificationDtoSchema),
+  total: z.number(),
+  page: z.number(),
+  pageSize: z.number(),
+})
+const errorSchema = z.object({ ok: z.literal(false), error: z.string() })
+const methodDoc: OpenApiMethodDoc = {
+  summary: 'List customer notifications',
+  description: 'Returns paginated notifications for the authenticated customer user. Dismissed notifications are excluded by default unless ?status=dismissed is specified.',
+  tags: ['Customer Portal'],
+  responses: [{ status: 200, description: 'Notification list', schema: listResponseSchema }],
+  errors: [{ status: 401, description: 'Not authenticated', schema: errorSchema }],
+}
+export const openApi: OpenApiRouteDoc = {
+  summary: 'Customer notifications',
+  methods: { GET: methodDoc },
+}

package/src/modules/customer_accounts/api/portal/password-change.ts ADDED Viewed

@@ -0,0 +1,65 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'
+import { getCustomerAuthFromRequest } from '@open-mercato/core/modules/customer_accounts/lib/customerAuth'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { CustomerUserService } from '@open-mercato/core/modules/customer_accounts/services/customerUserService'
+import { passwordChangeSchema } from '@open-mercato/core/modules/customer_accounts/data/validators'
+export const metadata: { path?: string } = {}
+export async function POST(req: Request) {
+  const auth = await getCustomerAuthFromRequest(req)
+  if (!auth) {
+    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })
+  }
+  let body: unknown
+  try {
+    body = await req.json()
+  } catch {
+    return NextResponse.json({ ok: false, error: 'Invalid request body' }, { status: 400 })
+  }
+  const parsed = passwordChangeSchema.safeParse(body)
+  if (!parsed.success) {
+    return NextResponse.json({ ok: false, error: 'Validation failed' }, { status: 400 })
+  }
+  const container = await createRequestContainer()
+  const customerUserService = container.resolve('customerUserService') as CustomerUserService
+  const user = await customerUserService.findById(auth.sub, auth.tenantId)
+  if (!user) {
+    return NextResponse.json({ ok: false, error: 'User not found' }, { status: 404 })
+  }
+  const currentValid = await customerUserService.verifyPassword(user, parsed.data.currentPassword)
+  if (!currentValid) {
+    return NextResponse.json({ ok: false, error: 'Current password is incorrect' }, { status: 400 })
+  }
+  await customerUserService.updatePassword(user, parsed.data.newPassword)
+  return NextResponse.json({ ok: true })
+}
+const successSchema = z.object({ ok: z.literal(true) })
+const errorSchema = z.object({ ok: z.literal(false), error: z.string() })
+const methodDoc: OpenApiMethodDoc = {
+  summary: 'Change customer password',
+  description: 'Changes the authenticated customer user password after verifying the current password.',
+  tags: ['Customer Portal'],
+  requestBody: { schema: passwordChangeSchema },
+  responses: [{ status: 200, description: 'Password changed', schema: successSchema }],
+  errors: [
+    { status: 400, description: 'Current password incorrect or validation failed', schema: errorSchema },
+    { status: 401, description: 'Not authenticated', schema: errorSchema },
+  ],
+}
+export const openApi: OpenApiRouteDoc = {
+  summary: 'Change customer password',
+  methods: { POST: methodDoc },
+}

package/src/modules/customer_accounts/api/portal/profile.ts ADDED Viewed

@@ -0,0 +1,151 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'
+import { getCustomerAuthFromRequest, requireCustomerFeature } from '@open-mercato/core/modules/customer_accounts/lib/customerAuth'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { CustomerUserService } from '@open-mercato/core/modules/customer_accounts/services/customerUserService'
+import { CustomerRbacService } from '@open-mercato/core/modules/customer_accounts/services/customerRbacService'
+import { CustomerUserRole } from '@open-mercato/core/modules/customer_accounts/data/entities'
+import { profileUpdateSchema } from '@open-mercato/core/modules/customer_accounts/data/validators'
+export const metadata: { path?: string } = {}
+export async function GET(req: Request) {
+  const auth = await getCustomerAuthFromRequest(req)
+  if (!auth) {
+    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })
+  }
+  const container = await createRequestContainer()
+  const customerUserService = container.resolve('customerUserService') as CustomerUserService
+  const customerRbacService = container.resolve('customerRbacService') as CustomerRbacService
+  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager
+  const user = await customerUserService.findById(auth.sub, auth.tenantId)
+  if (!user) {
+    return NextResponse.json({ ok: false, error: 'User not found' }, { status: 404 })
+  }
+  const acl = await customerRbacService.loadAcl(user.id, { tenantId: user.tenantId, organizationId: user.organizationId })
+  const userRoles = await em.find(CustomerUserRole, {
+    user: user.id as any,
+    deletedAt: null,
+  }, { populate: ['role'] })
+  const roles = userRoles.map((ur) => ({
+    id: (ur.role as any).id,
+    name: (ur.role as any).name,
+    slug: (ur.role as any).slug,
+  }))
+  return NextResponse.json({
+    ok: true,
+    user: {
+      id: user.id,
+      email: user.email,
+      displayName: user.displayName,
+      emailVerified: !!user.emailVerifiedAt,
+      customerEntityId: user.customerEntityId,
+      personEntityId: user.personEntityId,
+      isActive: user.isActive,
+      lastLoginAt: user.lastLoginAt,
+      createdAt: user.createdAt,
+    },
+    roles,
+    resolvedFeatures: acl.features,
+    isPortalAdmin: acl.isPortalAdmin,
+  })
+}
+export async function PUT(req: Request) {
+  const auth = await getCustomerAuthFromRequest(req)
+  if (!auth) {
+    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })
+  }
+  try {
+    requireCustomerFeature(auth, ['portal.account.manage'])
+  } catch (response) {
+    return response as NextResponse
+  }
+  let body: unknown
+  try {
+    body = await req.json()
+  } catch {
+    return NextResponse.json({ ok: false, error: 'Invalid request body' }, { status: 400 })
+  }
+  const parsed = profileUpdateSchema.safeParse(body)
+  if (!parsed.success) {
+    return NextResponse.json({ ok: false, error: 'Validation failed' }, { status: 400 })
+  }
+  const container = await createRequestContainer()
+  const customerUserService = container.resolve('customerUserService') as CustomerUserService
+  const user = await customerUserService.findById(auth.sub, auth.tenantId)
+  if (!user) {
+    return NextResponse.json({ ok: false, error: 'User not found' }, { status: 404 })
+  }
+  await customerUserService.updateProfile(user, parsed.data)
+  return NextResponse.json({
+    ok: true,
+    user: {
+      id: user.id,
+      email: user.email,
+      displayName: user.displayName,
+    },
+  })
+}
+const profileSchema = z.object({
+  ok: z.literal(true),
+  user: z.object({
+    id: z.string().uuid(),
+    email: z.string(),
+    displayName: z.string(),
+    emailVerified: z.boolean(),
+    customerEntityId: z.string().uuid().nullable(),
+    personEntityId: z.string().uuid().nullable(),
+    isActive: z.boolean(),
+    lastLoginAt: z.string().datetime().nullable(),
+    createdAt: z.string().datetime(),
+  }),
+  roles: z.array(z.object({ id: z.string().uuid(), name: z.string(), slug: z.string() })),
+  resolvedFeatures: z.array(z.string()),
+  isPortalAdmin: z.boolean(),
+})
+const putSuccessSchema = z.object({
+  ok: z.literal(true),
+  user: z.object({ id: z.string().uuid(), email: z.string(), displayName: z.string() }),
+})
+const errorSchema = z.object({ ok: z.literal(false), error: z.string() })
+const getMethodDoc: OpenApiMethodDoc = {
+  summary: 'Get customer profile',
+  description: 'Returns the authenticated customer user profile with roles and permissions.',
+  tags: ['Customer Portal'],
+  responses: [{ status: 200, description: 'Profile data', schema: profileSchema }],
+  errors: [{ status: 401, description: 'Not authenticated', schema: errorSchema }],
+}
+const putMethodDoc: OpenApiMethodDoc = {
+  summary: 'Update customer profile',
+  description: 'Updates the authenticated customer user profile.',
+  tags: ['Customer Portal'],
+  requestBody: { schema: profileUpdateSchema },
+  responses: [{ status: 200, description: 'Profile updated', schema: putSuccessSchema }],
+  errors: [
+    { status: 401, description: 'Not authenticated', schema: errorSchema },
+    { status: 403, description: 'Insufficient permissions', schema: errorSchema },
+  ],
+}
+export const openApi: OpenApiRouteDoc = {
+  summary: 'Customer profile',
+  methods: { GET: getMethodDoc, PUT: putMethodDoc },
+}

package/src/modules/customer_accounts/api/portal/sessions/[id].ts ADDED Viewed

@@ -0,0 +1,70 @@
+import { NextResponse } from 'next/server'
+import { z } from 'zod'
+import type { OpenApiRouteDoc, OpenApiMethodDoc } from '@open-mercato/shared/lib/openapi'
+import { getCustomerAuthFromRequest, readCookieFromHeader } from '@open-mercato/core/modules/customer_accounts/lib/customerAuth'
+import { createRequestContainer } from '@open-mercato/shared/lib/di/container'
+import { CustomerSessionService } from '@open-mercato/core/modules/customer_accounts/services/customerSessionService'
+import { CustomerUserSession } from '@open-mercato/core/modules/customer_accounts/data/entities'
+import { hashToken } from '@open-mercato/core/modules/customer_accounts/lib/tokenGenerator'
+export const metadata: { path?: string } = {}
+export async function DELETE(req: Request, { params }: { params: { id: string } }) {
+  const auth = await getCustomerAuthFromRequest(req)
+  if (!auth) {
+    return NextResponse.json({ ok: false, error: 'Authentication required' }, { status: 401 })
+  }
+  const sessionId = params.id
+  const container = await createRequestContainer()
+  const em = container.resolve('em') as import('@mikro-orm/postgresql').EntityManager
+  const customerSessionService = container.resolve('customerSessionService') as CustomerSessionService
+  // Verify session belongs to this user
+  const session = await em.findOne(CustomerUserSession, {
+    id: sessionId,
+    user: auth.sub as any,
+    deletedAt: null,
+  })
+  if (!session) {
+    return NextResponse.json({ ok: false, error: 'Session not found' }, { status: 404 })
+  }
+  // Prevent revoking current session
+  const cookieHeader = req.headers.get('cookie') || ''
+  const sessionToken = readCookieFromHeader(cookieHeader, 'customer_session_token')
+  if (sessionToken) {
+    try {
+      const currentHash = hashToken(decodeURIComponent(sessionToken))
+      if (session.tokenHash === currentHash) {
+        return NextResponse.json({ ok: false, error: 'Cannot revoke current session. Use logout instead.' }, { status: 400 })
+      }
+    } catch {
+      // Malformed cookie value — proceed with revocation since we can't confirm it's the current session
+    }
+  }
+  await customerSessionService.revokeSession(sessionId)
+  return NextResponse.json({ ok: true })
+}
+const successSchema = z.object({ ok: z.literal(true) })
+const errorSchema = z.object({ ok: z.literal(false), error: z.string() })
+const methodDoc: OpenApiMethodDoc = {
+  summary: 'Revoke a customer session',
+  description: 'Revokes a specific session (not the current one).',
+  tags: ['Customer Portal'],
+  responses: [{ status: 200, description: 'Session revoked', schema: successSchema }],
+  errors: [
+    { status: 400, description: 'Cannot revoke current session', schema: errorSchema },
+    { status: 401, description: 'Not authenticated', schema: errorSchema },
+    { status: 404, description: 'Session not found', schema: errorSchema },
+  ],
+}
+export const openApi: OpenApiRouteDoc = {
+  summary: 'Revoke customer session',
+  pathParams: z.object({ id: z.string().uuid() }),
+  methods: { DELETE: methodDoc },
+}