Improve security by auditing service role key usage in edge functions

Audit and document the usage of service role keys in multiple Supabase edge functions (cancel-email-change, process-selective-approval, seed-test-data) to ensure secure and scoped access.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: fe5b902e-beda-40fc-bf87-a3c4ab300e3a
Replit-Commit-Checkpoint-Type: intermediate_checkpoint
This commit is contained in:
pac7
2025-10-08 12:56:58 +00:00
parent 852adc51d6
commit aee512b8a1
4 changed files with 24 additions and 2 deletions


@@ -22,8 +22,14 @@ Deno.serve(async (req) => {
// Extract the JWT token from the Authorization header
const token = authHeader.replace('Bearer ', '');
// Create admin client with service role key (no user token in global headers)
// This ensures all DB operations run with full admin privileges
// SECURITY: Service Role Key Usage
// ---------------------------------
// This function uses the service role key to bypass RLS and access auth.users table.
// This is required because:
// 1. The cancel_user_email_change() database function has SECURITY DEFINER privileges
// 2. It needs to modify auth.users table which is not accessible with regular user tokens
// 3. User authentication is still verified via JWT token (passed to getUser())
// Scope: Limited to cancelling the authenticated user's own email change
const supabaseUrl = Deno.env.get('SUPABASE_URL');
const supabaseServiceKey = Deno.env.get('SUPABASE_SERVICE_ROLE_KEY');
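Review bot: Point 1 of the justification undercuts itself. A SECURITY DEFINER function already executes with its owner's privileges, so if cancel_user_email_change() is SECURITY DEFINER, an RPC call made with the caller's own JWT should reach auth.users without the service role key; either the function is not actually SECURITY DEFINER (then the comment is wrong) or the service role key is not required for this call (then the audit should say why it is kept rather than dropped). The line "This ensures all DB operations run with full admin privileges" also sits directly above "Scope: Limited to cancelling the authenticated user's own email change"; that scope only holds if the user id returned by getUser() is what gets passed to the function, not an id taken from the request body, so the comment should name where that binding happens. Finally, Deno.env.get() returns undefined for an unset variable, so a guard that fails closed when SUPABASE_URL or SUPABASE_SERVICE_ROLE_KEY is missing belongs before the admin client is constructed.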