Description
The CreateConversationModal component uses supabase.auth.admin.listUsers() directly in client-side code. This is critically dangerous because:
- Admin API requires service role key (secret), not anon key
- Exposes all user data without authorization
- Violates principle of least privilege
- Creates massive security vulnerability
Affected Code
File: src/components/CreateConversationModal.tsx
Line: 43
```tsx
useEffect(() => {
  const fetchUsers = async () => {
    try {
      const { data, error } = await supabase.auth.admin.listUsers(); // ⚠️ DANGEROUS
      if (error) throw error;
      // Filter out current user
      const filteredUsers = data.users.filter(u => u.id !== currentUser?.id);
      setUsers(filteredUsers as User[]);
    } catch (error) {
      console.error('Failed to fetch users:', error);
    }
  };
  fetchUsers();
}, [currentUser]);
```
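The safe shape of this lookup is a server-side handler: the service role key never leaves the server, the caller has to present a valid session before anything is listed, and only a minimal projection (id plus a display name) is returned instead of the full admin user records. The following is an added example, not code from this project; the `AdminClient` interface is a hypothetical stand-in for the Supabase SDK (real deployments would back it with `createClient(url, SERVICE_ROLE_KEY).auth.admin.listUsers()` and `auth.getUser(jwt)`) so the handler can run offline against a constructed in-memory client.

```typescript
// Added example (not the project's code): server-side replacement for calling
// supabase.auth.admin.listUsers() from the browser. The browser only ever holds
// the caller's own session token and receives a minimal, non-sensitive projection.

interface AdminUser {
  id: string;
  email?: string;
  phone?: string;            // sensitive: never forwarded to the browser
  banned_until?: string;     // sensitive: never forwarded to the browser
  user_metadata?: Record<string, unknown>;
}

// Hypothetical stand-in for the Supabase admin/auth API surface used here.
interface AdminClient {
  listUsers(): Promise<{ data: { users: AdminUser[] }; error: Error | null }>;
  getUser(jwt: string): Promise<{ data: { user: { id: string } | null }; error: Error | null }>;
}

interface PublicUser {
  id: string;
  displayName: string;
}

type HandlerResult = { status: number; body: PublicUser[] | { error: string } };

// Project an admin record down to the two fields a conversation picker needs.
function toPublicUser(u: AdminUser): PublicUser {
  const meta = u.user_metadata ?? {};
  const fromMeta = typeof meta.display_name === "string" ? meta.display_name : "";
  const fromEmail = (u.email ?? "").split("@")[0];
  return { id: u.id, displayName: fromMeta || fromEmail || "unknown" };
}

// Server-side handler: authenticate the caller, then list users with the
// service-role client and strip the caller and all sensitive fields.
async function listUsersForCaller(admin: AdminClient, authorization: string | undefined): Promise<HandlerResult> {
  const token = authorization?.startsWith("Bearer ") ? authorization.slice("Bearer ".length) : undefined;
  if (!token) return { status: 401, body: { error: "missing bearer token" } };

  const { data: caller, error: authErr } = await admin.getUser(token);
  if (authErr || !caller.user) return { status: 401, body: { error: "invalid session" } };
  const callerId = caller.user.id;

  const { data, error } = await admin.listUsers();
  if (error) return { status: 500, body: { error: "upstream failure" } };

  const users = data.users.filter(u => u.id !== callerId).map(toPublicUser);
  return { status: 200, body: users };
}

// Constructed in-memory client so the handler can be exercised without Supabase.
function makeFakeAdmin(): AdminClient {
  const users: AdminUser[] = [
    { id: "u1", email: "alice@example.test", phone: "+15550001", user_metadata: { display_name: "Alice" } },
    { id: "u2", email: "bob@example.test", banned_until: "2099-01-01T00:00:00Z" },
  ];
  const sessions: Record<string, string> = { "token-alice": "u1", "token-bob": "u2" };
  return {
    async listUsers() { return { data: { users }, error: null }; },
    async getUser(jwt) {
      const id = sessions[jwt];
      return { data: { user: id ? { id } : null }, error: id ? null : new Error("bad jwt") };
    },
  };
}
```

The browser component then fetches this endpoint with the user's own session token in the `Authorization` header and renders the returned `PublicUser[]`; the anon key is sufficient for that, and a rejected or missing token yields a 401 rather than a user list. An equivalent design is a `profiles` table guarded by row-level security policies that the anon-key client can read directly, which avoids the admin API entirely.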