rebreak-monorepo/backend/server/api/devices/[id]/request-release.post.ts

import { requestDeviceRelease } from "../../../db/devices";

/**
 * POST /api/devices/:id/request-release
 *
 * Original-User markiert sein eigenes Device für Freigabe.
 * Freigabe wird aktiv nach 24h (Cooldown schützt gegen impulsiven Release im Drang-Window).
 *
 * Auth: eingeloggter User, ownership-check via userId im DB-Query.
 */
export default defineEventHandler(async (event) => {
  const user = await requireUser(event, { skipDeviceCheck: true });
  const id = getRouterParam(event, "id");

  if (!id) {
    throw createError({ statusCode: 400, data: { error: "MISSING_ID" } });
  }

  const updated = await requestDeviceRelease(user.id, id);

  if (!updated) {
    // Device nicht gefunden, gehört nicht dem User, oder hat kein boundToPlan
    throw createError({
      statusCode: 404,
      data: { error: "DEVICE_NOT_FOUND_OR_NOT_BOUND" },
    });
  }

  const releaseAt = new Date(Date.now() + 24 * 60 * 60 * 1000);

  return {
    success: true,
    releaseAt: releaseAt.toISOString(),
  };
});