feat(sponsor-ads): security fixes, UX improvements, and code quality enhancements (#424)

* fix(admin): reset pagination when sponsor ads filters change

* fix(security): add admin role verification to sponsor-ads endpoints

* refactor(types): use correct type assertion for sponsor ad status checks

* fix(api): handle malformed JSON gracefully in reject endpoint

* fix(api): hide internal config details in checkout error messages

* fix(a11y): add aria-label to sponsor badge when text is hidden

* fix(a11y): add Escape key handler and dialog role to reject modal

* fix(i18n): translate hard-coded strings in sponsor filters

* fix(i18n): add FILTERS and CLEAR_ALL translations to all locales

* fix(sponsor-ads): fix type errors and remove duplicate auth checks in admin routes

Author: ariefgp

app/api/admin/sponsor-ads/[id]/approve/route.ts

@@ -46,20 +46,13 @@ export async function POST(
 	try {
 		const session = await auth();
 
-		if (!session?.user?.id) {
+		if (!session?.user?.isAdmin || !session.user.id) {
 			return NextResponse.json(
-				{ success: false, error: "Unauthorized" },
+				{ success: false, error: "Unauthorized. Admin access required." },
 				{ status: 401 }
 			);
 		}
 
-		if (!session.user.isAdmin) {
-			return NextResponse.json(
-				{ success: false, error: "Forbidden" },
-				{ status: 403 }
-			);
-		}
-
 		const { id } = await params;
 
 		// Parse request body for forceApprove flag

app/api/admin/sponsor-ads/[id]/cancel/route.ts

@@ -61,20 +61,13 @@ export async function POST(
 	try {
 		const session = await auth();
 
-		if (!session?.user?.id) {
+		if (!session?.user?.isAdmin) {
 			return NextResponse.json(
-				{ success: false, error: "Unauthorized" },
+				{ success: false, error: "Unauthorized. Admin access required." },
 				{ status: 401 }
 			);
 		}
 
-		if (!session.user.isAdmin) {
-			return NextResponse.json(
-				{ success: false, error: "Forbidden" },
-				{ status: 403 }
-			);
-		}
-
 		const { id } = await params;
 		const body = await request.json().catch(() => ({}));
 

app/api/admin/sponsor-ads/[id]/reject/route.ts

@@ -65,22 +65,15 @@ export async function POST(
 	try {
 		const session = await auth();
 
-		if (!session?.user?.id) {
+		if (!session?.user?.isAdmin || !session.user.id) {
 			return NextResponse.json(
-				{ success: false, error: "Unauthorized" },
+				{ success: false, error: "Unauthorized. Admin access required." },
 				{ status: 401 }
 			);
 		}
 
-		if (!session.user.isAdmin) {
-			return NextResponse.json(
-				{ success: false, error: "Forbidden" },
-				{ status: 403 }
-			);
-		}
-
 		const { id } = await params;
-		const body = await request.json();
+		const body = await request.json().catch(() => ({}));
 
 		// Validate request body
 		const validationResult = rejectSponsorAdSchema.safeParse({

app/api/admin/sponsor-ads/[id]/route.ts

@@ -34,20 +34,13 @@ export async function GET(
 	try {
 		const session = await auth();
 
-		if (!session?.user?.id) {
+		if (!session?.user?.isAdmin) {
 			return NextResponse.json(
-				{ success: false, error: "Unauthorized" },
+				{ success: false, error: "Unauthorized. Admin access required." },
 				{ status: 401 }
 			);
 		}
 
-		if (!session.user.isAdmin) {
-			return NextResponse.json(
-				{ success: false, error: "Forbidden" },
-				{ status: 403 }
-			);
-		}
-
 		const { id } = await params;
 		const sponsorAd = await sponsorAdService.getSponsorAdWithUser(id);
 
@@ -103,20 +96,13 @@ export async function DELETE(
 	try {
 		const session = await auth();
 
-		if (!session?.user?.id) {
+		if (!session?.user?.isAdmin) {
 			return NextResponse.json(
-				{ success: false, error: "Unauthorized" },
+				{ success: false, error: "Unauthorized. Admin access required." },
 				{ status: 401 }
 			);
 		}
 
-		if (!session.user.isAdmin) {
-			return NextResponse.json(
-				{ success: false, error: "Forbidden" },
-				{ status: 403 }
-			);
-		}
-
 		const { id } = await params;
 
 		await sponsorAdService.deleteSponsorAd(id);

app/api/admin/sponsor-ads/route.ts

@@ -63,20 +63,13 @@ export async function GET(request: NextRequest) {
 	try {
 		const session = await auth();
 
-		if (!session?.user?.id) {
+		if (!session?.user?.isAdmin) {
 			return NextResponse.json(
-				{ success: false, error: "Unauthorized" },
+				{ success: false, error: "Unauthorized. Admin access required." },
 				{ status: 401 }
 			);
 		}
 
-		if (!session.user.isAdmin) {
-			return NextResponse.json(
-				{ success: false, error: "Forbidden" },
-				{ status: 403 }
-			);
-		}
-
 		const { searchParams } = new URL(request.url);
 
 		// Validate pagination parameters

app/api/sponsor-ads/checkout/route.ts

@@ -119,10 +119,11 @@ export async function POST(request: NextRequest) {
 		const priceId = getPriceId(sponsorAd.interval, ACTIVE_PAYMENT_PROVIDER);
 
 		if (!priceId) {
+			console.error(`Price not configured for ${sponsorAd.interval} interval with ${ACTIVE_PAYMENT_PROVIDER} provider`);
 			return NextResponse.json(
 				{
 					success: false,
-					error: `Price not configured for ${sponsorAd.interval} interval with ${ACTIVE_PAYMENT_PROVIDER} provider`
+					error: "Payment configuration is incomplete. Please contact support."
 				},
 				{ status: 400 }
 			);
@@ -167,8 +168,9 @@ export async function POST(request: NextRequest) {
 				break;
 
 			default:
+				console.error(`Unsupported payment provider: ${ACTIVE_PAYMENT_PROVIDER}`);
 				return NextResponse.json(
-					{ success: false, error: `Unsupported payment provider: ${ACTIVE_PAYMENT_PROVIDER}` },
+					{ success: false, error: "Payment configuration is incomplete. Please contact support." },
 					{ status: 400 }
 				);
 		}

components/admin/sponsorships/reject-modal.tsx

@@ -1,3 +1,4 @@
+import { useEffect } from 'react';
 import { Button, Textarea } from '@heroui/react';
 import { XCircle } from 'lucide-react';
 import { useTranslations } from 'next-intl';
@@ -34,13 +35,30 @@ export function RejectModal({
 }: RejectModalProps) {
 	const t = useTranslations('admin.SPONSORSHIPS');
 
+	// Handle Escape key to close modal
+	useEffect(() => {
+		const handleEscape = (e: KeyboardEvent) => {
+			if (e.key === 'Escape' && !isSubmitting) {
+				onClose();
+			}
+		};
+
+		if (isOpen) {
+			document.addEventListener('keydown', handleEscape);
+		}
+
+		return () => {
+			document.removeEventListener('keydown', handleEscape);
+		};
+	}, [isOpen, isSubmitting, onClose]);
+
 	if (!isOpen) return null;
 
 	const isReasonValid = rejectionReason.length >= 10;
 
 	return (
 		<div className={MODAL_OVERLAY}>
-			<div className={MODAL_CONTAINER}>
+			<div className={MODAL_CONTAINER} role="dialog" aria-modal="true">
 				{/* Header */}
 				<div className={MODAL_HEADER}>
 					<div className="flex items-center space-x-3">

components/admin/sponsorships/sponsor-filters.tsx

@@ -57,7 +57,7 @@ export function SponsorFilters({
 					<div className="flex items-center justify-between">
 						<div className="flex items-center space-x-2">
 							<Filter className="w-5 h-5 text-gray-400" />
-							<span className="font-medium text-gray-900 dark:text-white">Filters</span>
+							<span className="font-medium text-gray-900 dark:text-white">{t('FILTERS')}</span>
 							{activeFilterCount > 0 && (
 								<span className="px-2 py-0.5 text-xs font-medium bg-theme-primary text-white rounded-full">
 									{activeFilterCount}
@@ -72,7 +72,7 @@ export function SponsorFilters({
 								onPress={onClearFilters}
 								startContent={<X className="w-4 h-4" />}
 							>
-								Clear All
+								{t('CLEAR_ALL')}
 							</Button>
 						)}
 					</div>

components/sponsor-ads/sponsor-badge.tsx

@@ -44,6 +44,7 @@ export function SponsorBadge({
 					sizeClasses[size],
 					className
 				)}
+				aria-label={!showText ? label : undefined}
 			>
 				{showIcon && <Megaphone className={cn(iconSizes[size])} />}
 				{showText && <span className="font-medium">{label}</span>}
@@ -59,6 +60,7 @@ export function SponsorBadge({
 					sizeClasses[size],
 					className
 				)}
+				aria-label={!showText ? label : undefined}
 			>
 				{showIcon && <Megaphone className={cn(iconSizes[size])} />}
 				{showText && <span className="font-medium">{label}</span>}
@@ -75,6 +77,7 @@ export function SponsorBadge({
 				sizeClasses[size],
 				className
 			)}
+			aria-label={!showText ? label : undefined}
 		>
 			{showIcon && <Megaphone className={cn(iconSizes[size], 'mr-1')} />}
 			{showText && label}

hooks/use-admin-sponsor-ads.ts

@@ -209,6 +209,32 @@ export function useAdminSponsorAds(
 	const [sortBy, setSortBy] = useState<SponsorAdSortBy>(initialSortBy);
 	const [sortOrder, setSortOrder] = useState<"asc" | "desc">(initialSortOrder);
 
+	// Wrapped filter setters that reset pagination
+	const handleSetStatusFilter = useCallback((status: SponsorAdStatus | undefined) => {
+		setStatusFilter(status);
+		setCurrentPage(1);
+	}, []);
+
+	const handleSetIntervalFilter = useCallback((interval: SponsorAdIntervalType | undefined) => {
+		setIntervalFilter(interval);
+		setCurrentPage(1);
+	}, []);
+
+	const handleSetSearchTerm = useCallback((term: string) => {
+		setSearchTerm(term);
+		setCurrentPage(1);
+	}, []);
+
+	const handleSetSortBy = useCallback((newSortBy: SponsorAdSortBy) => {
+		setSortBy(newSortBy);
+		setCurrentPage(1);
+	}, []);
+
+	const handleSetSortOrder = useCallback((order: "asc" | "desc") => {
+		setSortOrder(order);
+		setCurrentPage(1);
+	}, []);
+
 	// Query client for cache management
 	const queryClient = useQueryClient();
 
@@ -382,11 +408,11 @@ export function useAdminSponsorAds(
 		deleteSponsorAd: handleDelete,
 
 		// Filter actions
-		setStatusFilter,
-		setIntervalFilter,
-		setSearchTerm,
-		setSortBy,
-		setSortOrder,
+		setStatusFilter: handleSetStatusFilter,
+		setIntervalFilter: handleSetIntervalFilter,
+		setSearchTerm: handleSetSearchTerm,
+		setSortBy: handleSetSortBy,
+		setSortOrder: handleSetSortOrder,
 		setCurrentPage,
 
 		// Utility