import { NextResponse } from "next/server";
import { getSessionUser } from "@/lib/session";
import { getInvoiceByNumberForOrg } from "@/lib/db";

/** Builds the `{ error }` JSON body every non-2xx response of this route uses. */
function errorResponse(message: string, status: number): NextResponse {
  return NextResponse.json({ error: message }, { status });
}

/**
 * GET /api/billing/invoices/[invoiceNumber]
 *
 * Returns the invoice detail for the number in the path, scoped to the
 * calling user's organization. The number is the human-readable
 * YYYY-NNNNN value printed on the PDF, not an internal row id.
 *
 * Tenant isolation lives in the query itself: `getInvoiceByNumberForOrg`
 * is always called with the session user's orgId, so an invoice number
 * that belongs to another org is indistinguishable from one that does not
 * exist — both produce the same 404 body. No post-hoc orgId comparison is
 * done in the handler, so there is nothing here to forget.
 *
 * @param _request - Unused; the lookup key comes from the route params.
 * @param context - Next.js route context whose `params` resolves to the
 *   dynamic segment `{ invoiceNumber }`.
 * @returns 401 when there is no session user, 404 when the org-scoped
 *   lookup yields nothing, otherwise 200 with the detail object as JSON.
 */
export async function GET(
  _request: Request,
  context: { params: Promise<{ invoiceNumber: string }> }
): Promise<NextResponse> {
  const sessionUser = await getSessionUser();
  if (!sessionUser) {
    return errorResponse("Unauthorized", 401);
  }

  // The path segment is forwarded to the DB helper unmodified; this assumes
  // the helper binds it as a query parameter rather than interpolating it —
  // confirm in @/lib/db. Likewise relies on sessionUser.orgId always being
  // present for an authenticated user — confirm against the session type.
  const { invoiceNumber } = await context.params;
  const invoice = await getInvoiceByNumberForOrg(invoiceNumber, sessionUser.orgId);

  return invoice ? NextResponse.json(invoice) : errorResponse("Not found", 404);
}