// admin-security.jsx — Security & Activity tab for the admin dashboard. // // Goal: at a glance Joe can spot anything weird — a signup spike (bot // attack), a flood of failed verifications, an admin action he didn't // take. All queries hit the anon-key client and rely on `is_admin()` // in RLS to gate access; nothing here uses the service-role key. const SecKPICard = ({ label, value, sub, valueColor, tone }) => (

{label}

{value}

{sub &&

{sub}

}

); const relTime = (iso) => { if (!iso) return '—'; const d = new Date(iso).getTime(); if (!Number.isFinite(d)) return '—'; const diff = Date.now() - d; const m = Math.floor(diff / 60000); if (m < 1) return 'just now'; if (m < 60) return m + 'm ago'; const h = Math.floor(m / 60); if (h < 24) return h + 'h ago'; const dd = Math.floor(h / 24); if (dd < 30) return dd + 'd ago'; return new Date(iso).toLocaleDateString(); }; const isoToday = () => new Date().toISOString().slice(0, 10); const isoNDaysAgo = (n) => new Date(Date.now() - n * 86400000).toISOString(); const AdminSecurity = () => { const [state, setState] = React.useState({ loading: true, profiles: [], audit: [], verifications: [], err: null }); const refresh = React.useCallback(async () => { setState(s => ({ ...s, loading: true, err: null })); try { // Recent profile rows (signups). RLS allows authenticated SELECT. const { data: profiles, error: pErr } = await window.supa .from('profiles') .select('id, full_name, role, created_at') .order('created_at', { ascending: false }) .limit(50); if (pErr) throw pErr; // Audit log (admin actions). RLS: is_admin() only. const { data: audit, error: aErr } = await window.supa .from('audit_log') .select('id, admin_email, action, table_name, row_id, fields_accessed, details, created_at') .order('created_at', { ascending: false }) .limit(50); // audit_log only exists if v26 has been applied; treat 404-style errors as empty const auditRows = aErr ? [] : (audit || []); // Verification status counts const { data: verRows, error: vErr } = await window.supa .from('instructor_verifications') .select('instructor_id, status, submitted_at, requested_at') .order('submitted_at', { ascending: false, nullsFirst: false }) .limit(50); const verifications = vErr ? [] : (verRows || []); setState({ loading: false, profiles: profiles || [], audit: auditRows, verifications, err: null }); } catch (e) { setState({ loading: false, profiles: [], audit: [], verifications: [], err: e.message || String(e) }); } }, []); React.useEffect(() => { refresh(); }, [refresh]); if (state.loading) { return

Loading security activity…

; } if (state.err) { return

Couldn't load activity: {state.err}

; } // ── Derived metrics ─────────────────────────────────────────────── const today = isoToday(); const week = isoNDaysAgo(7); const signupsToday = state.profiles.filter(p => (p.created_at || '').slice(0, 10) === today).length; const signups7d = state.profiles.filter(p => p.created_at && p.created_at >= week).length; // Anomaly heuristic: more than 20 signups today is unusual for a // small private marketplace — flag it as a possible bot attack. const signupSpike = signupsToday >= 20; const pendingVerifications = state.verifications.filter(v => v.status === 'submitted').length; const rejectedVerifications = state.verifications.filter(v => v.status === 'rejected').length; const adminActions7d = state.audit.filter(e => e.created_at >= week).length; // ── Render ──────────────────────────────────────────────────────── return (

{signupSpike && (

⚠ {signupsToday} signups today — that's unusual. Check the list below for bot patterns (sequential emails, throwaway domains, identical names). If it's a real campaign, ignore.

)}

↻ Reload } sub="data is cached until reload" />

{/* Two-column on wide, stacked on narrow */}

{/* Recent signups */}

Recent signups

Newest first. Look for batches of identical names / sequential emails.

{state.profiles.length === 0 && (

No signups yet.

)} {state.profiles.slice(0, 30).map(p => (

{p.full_name || '(no name)'}

{p.role || 'unknown role'} · {relTime(p.created_at)}

))}

{/* Recent audit log entries */}

Admin actions (audit log)

Every sensitive admin RPC writes here. If you see an action you didn't take, your admin email may be compromised.

{state.audit.length === 0 && (

No audit entries yet — these get written when admin actions run (decrypt verification, approve instructor, etc.).

)} {state.audit.map(e => (

{e.action} · {e.table_name}

{relTime(e.created_at)}

{e.admin_email || '(unknown admin)'} {Array.isArray(e.fields_accessed) && e.fields_accessed.length > 0 && ( <> · fields: {e.fields_accessed.join(', ')} )}

))}

What you can't see here (yet): failed login attempts, IP addresses, and rate-limit hits aren't persisted to the database — they live in Supabase Auth's internal logs and Vercel's function logs. Bookmark {' '} Supabase Auth → Audit Logs {' '}and{' '} Vercel Function Logs {' '}for those.

); }; Object.assign(window, { AdminSecurity });