📝 Description

Fix critical security vulnerability in CreateConversationModal that exposed admin API to client-side code. Replaced dangerous supabase.auth.admin.listUsers() call with secure Profiles table query that respects RLS policies. Also added null-safety guards to ResetPasswordPage to prevent crashes when Supabase is unavailable.

🎯 Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 💥 Breaking change (fix or feature that would cause existing functionality to change)
• 📚 Documentation update
• 🎨 UI/UX improvement
• ⚡ Performance improvement
• ♿ Accessibility improvement
• 🔧 Refactoring

🔗 Related Issues

Closes #181

📋 Changes Made

• Replaced supabase.auth.admin.listUsers() with secure Profiles table query in CreateConversationModal
• Added backend availability guards to prevent null pointer crashes
• Added RLS-compliant user fetching for conversation creation
• Protected ResetPasswordPage from demo mode/missing env crashes
• Added proper error messaging for unavailable backend scenarios

🧪 Testing

• Unit tests added/updated
• Tested on desktop
• Tested on mobile
• Manual testing completed

Testing Steps:

1. Verify conversation creation modal loads users from Profiles table
2. Test with demo mode enabled (VITE_DEMO_MODE=true)
3. Test password reset page with and without Supabase configuration

🎨 Screenshots/Demo

N/A - Security fix (no visual changes)

📦 Dependencies

• No new dependencies
• New dependencies added (list below)
  • dependency-name@version

✅ Checklist

Code Quality

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• My changes generate no new warnings
• I ran npm run lint and fixed all issues

Testing & Functionality

• I have tested my changes thoroughly
• New and existing tests pass locally with my changes
• I have added tests that prove my fix is effective or my feature works

Documentation

• I have updated the documentation accordingly
• I have updated the README if needed
• I have added/updated inline comments where necessary

Git & Commits

• My commits have clear, descriptive messages
• My branch is up to date with the base branch
• I have not included unnecessary commits

Breaking Changes

• This PR does not introduce breaking changes
• I have documented any breaking changes clearly

📝 Additional Context

Security Issue Details

CRITICAL VULNERABILITY (Fixed):

• CreateConversationModal was using supabase.auth.admin.listUsers() on the client side
• Admin API requires service role key (secret), not anon key
• Exposed all user data without proper authorization
• Violated principle of least privilege

Security Fix Applied:

• ✅ Replaced admin API with RLS-protected Profiles table query
• ✅ Only exposes necessary user info (id, full_name, avatar_url)
• ✅ Respects database security policies
• ✅ Works correctly in demo mode and misconfigured environments

Additional Improvements:

• Added null-safety checks throughout both components
• Graceful error handling for missing backend configuration
• User-friendly error messages for unavailable features

🔍 Reviewer Notes

Please review:

1. Verify the Profiles table query properly respects RLS policies
2. Confirm backend availability checks are consistent across components
3. Test behavior in demo mode and with missing environment variables

🚀 Deployment Notes

Required Database Table:
Ensure the Profiles table exists with proper RLS policies (see database-schema-messaging.sql):

CREATE TABLE Profiles (
  id UUID REFERENCES auth.users(id) ON DELETE CASCADE NOT NULL PRIMARY KEY,
  full_name TEXT,
  avatar_url TEXT,
  ...
);