fix 181: Admin API Exposed in Client Code

[Karelaking]

📝 Description

Fix critical security vulnerability in CreateConversationModal that exposed admin API to client-side code. Replaced dangerous supabase.auth.admin.listUsers() call with secure Profiles table query that respects RLS policies. Also added null-safety guards to ResetPasswordPage to prevent crashes when Supabase is unavailable.

🎯 Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to change)
• 📚 Documentation update
• 🎨 UI/UX improvement
• ⚡ Performance improvement
• ♿ Accessibility improvement
• 🔧 Refactoring

🔗 Related Issues

Closes #181

📋 Changes Made

• Replaced supabase.auth.admin.listUsers() with secure Profiles table query in CreateConversationModal
• Added backend availability guards to prevent null pointer crashes
• Added RLS-compliant user fetching for conversation creation
• Protected ResetPasswordPage from demo mode/missing env crashes
• Added proper error messaging for unavailable backend scenarios

🧪 Testing

• Unit tests added/updated
• Tested on desktop
• Tested on mobile
• Manual testing completed

Testing Steps:

1. Verify conversation creation modal loads users from Profiles table
2. Test with demo mode enabled (VITE_DEMO_MODE=true)
3. Test password reset page with and without Supabase configuration

🎨 Screenshots/Demo

N/A - Security fix (no visual changes)

📦 Dependencies

• No new dependencies
• New dependencies added (list below)
  • dependency-name@version

✅ Checklist

Code Quality

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• My changes generate no new warnings
• I ran npm run lint and fixed all issues

Testing & Functionality

• I have tested my changes thoroughly
• New and existing tests pass locally with my changes
• I have added tests that prove my fix is effective or my feature works

Documentation

• I have updated the documentation accordingly
• I have updated the README if needed
• I have added/updated inline comments where necessary

Git & Commits

• My commits have clear, descriptive messages
• My branch is up to date with the base branch
• I have not included unnecessary commits

Breaking Changes

• This PR does not introduce breaking changes
• I have documented any breaking changes clearly

📝 Additional Context

Security Issue Details

CRITICAL VULNERABILITY (Fixed):

• CreateConversationModal was using supabase.auth.admin.listUsers() on the client side
• Admin API requires service role key (secret), not anon key
• Exposed all user data without proper authorization
• Violated principle of least privilege

Security Fix Applied:

• ✅ Replaced admin API with RLS-protected Profiles table query
• ✅ Only exposes necessary user info (id, full_name, avatar_url)
• ✅ Respects database security policies
• ✅ Works correctly in demo mode and misconfigured environments

Additional Improvements:

• Added null-safety checks throughout both components
• Graceful error handling for missing backend configuration
• User-friendly error messages for unavailable features

🔍 Reviewer Notes

Please review:

1. Verify the Profiles table query properly respects RLS policies
2. Confirm backend availability checks are consistent across components
3. Test behavior in demo mode and with missing environment variables

🚀 Deployment Notes

Required Database Table:
Ensure the Profiles table exists with proper RLS policies (see database-schema-messaging.sql):

CREATE TABLE Profiles (
  id UUID REFERENCES auth.users(id) ON DELETE CASCADE NOT NULL PRIMARY KEY,
  full_name TEXT,
  avatar_url TEXT,
  ...
);

[vercel]

@Karelaking is attempting to deploy a commit to the Divya Tiwari's projects Team on Vercel.

A member of the Team first needs to authorize it.

[netlify]

✅ Deploy Preview for tiwaridivya25-devconnect ready!

Name	Link
🔨 Latest commit	bd14c03
🔍 Latest deploy log	https://app.netlify.com/projects/tiwaridivya25-devconnect/deploys/697b12924eb5230008ad211f
😎 Deploy Preview	https://deploy-preview-198--tiwaridivya25-devconnect.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[github-actions]

Thanks for creating a PR for your Issue! ☺️

We'll review it as soon as possible.
In the meantime, please double-check the file changes and ensure that all commits are accurate.

If there are any unresolved review comments, feel free to resolve them. 🙌🏼

[Copilot]

Pull request overview

Fixes a client-side security issue by removing use of Supabase Admin API calls from CreateConversationModal and replacing them with a non-admin query intended to respect database RLS, plus some small safety/formatting tweaks.

Changes:

• Replaced supabase.auth.admin.listUsers() with a Profiles table query for user selection.
• Added a backend-availability guard before attempting to fetch users.
• Mapped profile rows into the component’s local User shape and tightened formatting.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Profiles are mapped with email: '' for privacy, but the component later searches and renders user.email as if it’s meaningful. This makes email search ineffective and can yield blank UI output. Consider either (1) removing email-based filtering/rendering when email is empty, or (2) adding a non-sensitive, non-empty identifier (e.g., username) to the fetched profile fields and using that instead.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.