feat: Implement flexible hackathon retrieval by ID or slug and update API routes to use it, while restricting hackathon deletion to company owners or admins.

Author: akshay0611

app/api/hackathons/[id]/route.ts

@@ -16,14 +16,14 @@ export async function GET(request: NextRequest, { params }: RouteContext) {
   try {
     const { id } = await params
     const hackathon = await hackathonsService.getHackathonBySlug(id)
-    
+
     if (!hackathon) {
       return NextResponse.json(
         { error: 'Hackathon not found' },
         { status: 404 }
       )
     }
-    
+
     return NextResponse.json(hackathon)
   } catch (error) {
     console.error('Error in GET /api/hackathons/[id]:', error)
@@ -39,7 +39,7 @@ export async function PUT(request: NextRequest, { params }: RouteContext) {
   try {
     const { id } = await params
     const hackathonData = await request.json()
-    
+
     // Check authentication
     const supabase = await createClient()
     const { data: { user } } = await supabase.auth.getUser()
@@ -52,8 +52,8 @@ export async function PUT(request: NextRequest, { params }: RouteContext) {
     }
 
     // Get the existing hackathon to check company_id
-    const existingHackathon = await hackathonsService.getHackathonBySlug(id)
-    
+    const existingHackathon = await hackathonsService.getHackathonByIdOrSlug(id)
+
     if (!existingHackathon) {
       return NextResponse.json(
         { error: 'Hackathon not found' },
@@ -69,7 +69,7 @@ export async function PUT(request: NextRequest, { params }: RouteContext) {
       .select('is_admin')
       .eq('id', user.id)
       .single()
-    
+
     if (profile?.is_admin) {
       isAuthorized = true
     }
@@ -83,7 +83,7 @@ export async function PUT(request: NextRequest, { params }: RouteContext) {
         .eq('user_id', user.id)
         .eq('status', 'active')
         .single()
-      
+
       if (membership) {
         isAuthorized = true
       }
@@ -95,9 +95,9 @@ export async function PUT(request: NextRequest, { params }: RouteContext) {
         { status: 401 }
       )
     }
-    
+
     const hackathon = await hackathonsService.updateHackathon(id, hackathonData, user.id)
-    
+
     return NextResponse.json({ hackathon })
   } catch (error) {
     console.error('Error in PUT /api/hackathons/[id]:', error)
@@ -112,9 +112,9 @@ export async function PUT(request: NextRequest, { params }: RouteContext) {
 export async function DELETE(_request: NextRequest, { params }: RouteContext) {
   try {
     const { id } = await params
-    
+
     console.log('🗑️ DELETE request for hackathon:', id)
-    
+
     // Check authentication
     const supabase = await createClient()
     const { data: { user }, error: authError } = await supabase.auth.getUser()
@@ -130,8 +130,8 @@ export async function DELETE(_request: NextRequest, { params }: RouteContext) {
     console.log('✅ User authenticated:', user.id)
 
     // Get the existing hackathon to check company_id
-    const existingHackathon = await hackathonsService.getHackathonBySlug(id)
-    
+    const existingHackathon = await hackathonsService.getHackathonByIdOrSlug(id)
+
     if (!existingHackathon) {
       console.error('❌ Hackathon not found:', id)
       return NextResponse.json(
@@ -150,13 +150,13 @@ export async function DELETE(_request: NextRequest, { params }: RouteContext) {
       .select('is_admin')
       .eq('id', user.id)
       .single()
-    
+
     if (profile?.is_admin) {
       isAuthorized = true
       console.log('✅ User is admin')
     }
 
-    // If not admin, check if user is a member of the company
+    // If not admin, check if user is a company owner or admin (not editor/viewer)
     if (!isAuthorized && existingHackathon.company_id) {
       const { data: membership } = await supabase
         .from('company_members')
@@ -165,28 +165,30 @@ export async function DELETE(_request: NextRequest, { params }: RouteContext) {
         .eq('user_id', user.id)
         .eq('status', 'active')
         .single()
-      
-      if (membership) {
+
+      if (membership && ['owner', 'admin'].includes(membership.role)) {
         isAuthorized = true
-        console.log('✅ User is company member with role:', membership.role)
+        console.log('✅ User is company owner/admin with role:', membership.role)
+      } else if (membership) {
+        console.log('❌ User has insufficient role:', membership.role)
       }
     }
 
     if (!isAuthorized) {
       console.error('❌ User not authorized to delete hackathon')
       return NextResponse.json(
-        { error: 'Unauthorized: You must be a company member or admin to delete this hackathon' },
+        { error: 'Insufficient permissions: Owner or Admin role required to delete hackathons' },
         { status: 403 }
       )
     }
-    
+
     console.log('🗑️ Attempting to delete hackathon...')
     await hackathonsService.deleteHackathon(id)
     console.log('✅ Hackathon deleted successfully')
-    
-    return NextResponse.json({ 
+
+    return NextResponse.json({
       success: true,
-      message: 'Hackathon deleted successfully' 
+      message: 'Hackathon deleted successfully'
     })
   } catch (error) {
     console.error('❌ Error in DELETE /api/hackathons/[id]:', error)

lib/services/hackathons.ts

@@ -141,6 +141,39 @@ class HackathonsService {
     return hackathon
   }
 
+  async getHackathonByIdOrSlug(idOrSlug: string): Promise<Hackathon | null> {
+    const cacheKey = `hackathon:${idOrSlug}`
+    const cached = getCachedData(cacheKey)
+    if (cached) {
+      return cached as Hackathon
+    }
+
+    const supabase = await createClient()
+
+    // Check if idOrSlug is a number (ID) or string (slug)
+    const isNumeric = /^\d+$/.test(idOrSlug)
+
+    const { data: hackathon, error } = await supabase
+      .from('hackathons')
+      .select(`
+        *,
+        company:companies(*)
+      `)
+      .eq(isNumeric ? 'id' : 'slug', isNumeric ? parseInt(idOrSlug) : idOrSlug)
+      .single()
+
+    if (error) {
+      if (error.code === 'PGRST116') {
+        return null // Hackathon not found
+      }
+      console.error('Error fetching hackathon:', error)
+      throw new Error('Failed to fetch hackathon')
+    }
+
+    setCachedData(cacheKey, hackathon)
+    return hackathon
+  }
+
   async getFeaturedHackathons(limit: number = 5) {
     const cacheKey = `featured_hackathons:${limit}`
     const cached = getCachedData(cacheKey)
@@ -213,14 +246,14 @@ class HackathonsService {
   }
 
   async updateHackathon(
-    slug: string,
+    idOrSlug: string,
     hackathonData: Partial<Omit<Hackathon, 'id' | 'created_at' | 'updated_at'>>,
     userId?: string
   ): Promise<Hackathon> {
     const supabase = await createClient()
 
-    // Get existing hackathon first
-    const existingHackathon = await this.getHackathonBySlug(slug)
+    // Get existing hackathon first (handles both ID and slug)
+    const existingHackathon = await this.getHackathonByIdOrSlug(idOrSlug)
     if (!existingHackathon) {
       throw new Error('Hackathon not found')
     }
@@ -245,7 +278,7 @@ class HackathonsService {
     const { data: hackathon, error } = await supabase
       .from('hackathons')
       .update(updatePayload)
-      .eq('slug', slug)
+      .eq('id', existingHackathon.id)
       .select(`
         *,
         company:companies(*)
@@ -322,15 +355,21 @@ class HackathonsService {
     return hackathon
   }
 
-  async deleteHackathon(slug: string) {
+  async deleteHackathon(idOrSlug: string) {
     const supabase = await createClient()
 
-    console.log('🗑️ Deleting hackathon with slug:', slug)
+    console.log('🗑️ Deleting hackathon with ID or slug:', idOrSlug)
+
+    // Get existing hackathon first to get the ID
+    const existingHackathon = await this.getHackathonByIdOrSlug(idOrSlug)
+    if (!existingHackathon) {
+      throw new Error('Hackathon not found')
+    }
 
     const { data, error } = await supabase
       .from('hackathons')
       .delete()
-      .eq('slug', slug)
+      .eq('id', existingHackathon.id)
       .select()
 
     if (error) {