Refactor: Add MFA check and improve error handling

2025-12-21 15:51:13 -05:00 · 2025-10-17 18:50:32 +00:00
parent 86cdfeba31
commit 6623074679
1 changed files with 34 additions and 6 deletions
--- a/src/hooks/moderation/useModerationQueueManager.ts
+++ b/src/hooks/moderation/useModerationQueueManager.ts
@@ -263,6 +263,22 @@ export function useModerationQueueManager(config: ModerationQueueManagerConfig):

      setActionLoading(item.id);

+      // Check MFA (AAL2) requirement before moderation action
+      const { data: { session } } = await supabase.auth.getSession();
+      
+      // Access AAL from session metadata
+      const aal = session?.user?.app_metadata?.aal || session?.user?.user_metadata?.aal;
+
+      if (aal !== 'aal2') {
+        toast({
+          title: "MFA Verification Required",
+          description: "You must complete multi-factor authentication to perform moderation actions.",
+          variant: "destructive",
+        });
+        setActionLoading(null);
+        return;
+      }
+
      // Optimistic update
      const shouldRemove =
        (filters.statusFilter === "pending" || filters.statusFilter === "flagged") &&
@@ -389,7 +405,7 @@ export function useModerationQueueManager(config: ModerationQueueManagerConfig):
      await queueQuery.refetch();
      } catch (error) {
        const errorMsg = getErrorMessage(error);
-        console.error("Error moderating content:", errorMsg);
+        console.error("Error moderating content:", errorMsg, error);

        // Revert optimistic update
        setItems((prev) => {
@@ -401,11 +417,23 @@ export function useModerationQueueManager(config: ModerationQueueManagerConfig):
          }
        });

-        toast({
-          title: "Error",
-          description: errorMsg || `Failed to ${action} content`,
-          variant: "destructive",
-        });
+        // Check for RLS/permission errors
+        if (errorMsg.includes('row-level security') || 
+            errorMsg.includes('permission denied') ||
+            errorMsg.includes('policy') ||
+            errorMsg.includes('violates row-level security')) {
+          toast({
+            title: "Permission Denied",
+            description: "You don't have permission to perform this action. MFA verification may be required.",
+            variant: "destructive",
+          });
+        } else {
+          toast({
+            title: "Error",
+            description: errorMsg || `Failed to ${action} content`,
+            variant: "destructive",
+          });
+        }
      } finally {
        setActionLoading(null);
      }