Add flag to hide email and phone columns in auth users

[joshenlim]

Context

Adds a flag in enabled features to toggle showing of email and phone columns in auth users page. Should also cover the column dropdown (which toggles visibility of the columns) -> email and phone options should be hidden if flag is off

To test

• Verify this behaviour locally
• Verify that staging preview is status quo

[supabase]

This pull request has been ignored for the connected project xguihxuzqibwxjnimxev because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.

---

Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
design-system	Ready	Preview	Comment	Oct 1, 2025 4:30pm
docs	Ready	Preview	Comment	Oct 1, 2025 4:30pm
studio-self-hosted	Ready	Preview	Comment	Oct 1, 2025 4:30pm
studio-staging	Ready	Preview	Comment	Oct 1, 2025 4:30pm
ui-library	Ready	Preview	Comment	Oct 1, 2025 4:30pm
zone-www-dot-com	Ready	Preview	Comment	Oct 1, 2025 4:30pm

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
cms	Ignored			Oct 1, 2025 4:30pm
studio	Ignored			Oct 1, 2025 4:30pm

[snyk-io]

⛔ Snyk checks have failed. 2 issues have been found so far.

Icon	Severity	Issues
	Critical	0
	High	0
	Medium	2
	Low	0

⛔ code/snyk check is complete. 2 issues have been found. (View Details)

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[snyk-io]

  DOM-based Cross-site Scripting (XSS)

Unsanitized input from a React useState value flows into a script 'src' attribute, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

Line 279 | CWE-79 | Priority score 650 | Learn more about this vulnerability

Data flow: 25 steps

Step 1

supabase/apps/studio/components/interfaces/Auth/Users/UsersV2.tsx

Line 111 in 94f3b32

const [filterKeywords, setFilterKeywords] = useState('')

Step 2 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L151

Step 3 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L148

Step 4 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L147

Step 5 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L136

Step 6 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L137

Step 7 - 12 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L181

Step 13 - 15 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L282

Step 16 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L279

Step 17 apps/studio/components/interfaces/Auth/Users/Users.utils.tsx#L252

Step 18 apps/studio/components/interfaces/Auth/Users/Users.utils.tsx#L253

Step 19 - 20 apps/studio/components/interfaces/Auth/Users/Users.utils.tsx#L288

Step 21 - 23 apps/studio/components/interfaces/Auth/Users/Users.utils.tsx#L351

Step 24 - 25

supabase/apps/studio/components/interfaces/Auth/Users/Users.utils.tsx

Line 364 in 94f3b32

src={icon}

[joshenlim]

seems like red herring

[charislam]

flows into a script 'src' attribute

it does what

[snyk-io]

  DOM-based Cross-site Scripting (XSS)

Unsanitized input from a React useState value flows into a script 'src' attribute, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

Line 429 | CWE-79 | Priority score 650 | Learn more about this vulnerability

Data flow: 25 steps

Step 1

supabase/apps/studio/components/interfaces/Auth/Users/UsersV2.tsx

Line 111 in 94f3b32

const [filterKeywords, setFilterKeywords] = useState('')

Step 2 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L151

Step 3 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L148

Step 4 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L147

Step 5 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L136

Step 6 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L137

Step 7 - 12 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L181

Step 13 - 15 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L432

Step 16 apps/studio/components/interfaces/Auth/Users/UsersV2.tsx#L429

Step 17 apps/studio/components/interfaces/Auth/Users/Users.utils.tsx#L252

Step 18 apps/studio/components/interfaces/Auth/Users/Users.utils.tsx#L253

Step 19 - 20 apps/studio/components/interfaces/Auth/Users/Users.utils.tsx#L288

Step 21 - 23 apps/studio/components/interfaces/Auth/Users/Users.utils.tsx#L351

Step 24 - 25

supabase/apps/studio/components/interfaces/Auth/Users/Users.utils.tsx

Line 364 in 94f3b32

src={icon}

[joshenlim]

seems like red herring but let me know if im overlooking something

[coveralls]

coverage: 69.874%. remained the same
when pulling b8a68e5 on chore/hide-email-phone-columns-in-auth-users
into 3f0c689 on master.

[github-actions]

Studio E2E Results

• Total: 1
• Passed: 1
• Failed: 0
• Skipped: 0
• Timed out: 0
• Interrupted: 0
• Flaky: 0
• Duration: 2.6s

Artifacts: https://github.com/supabase/supabase/actions/runs/18168684940

Last updated: Wednesday 1, October, 2025 16:41:11 (UTC)

[charislam]

Tested as described.

Pushed small commit to add new flag to required flags.

[charislam]

flows into a script 'src' attribute

it does what