From 71a7fdb76fc1dfdb4cdad4165f0d650efc0ef0ee Mon Sep 17 00:00:00 2001
From: pptx704
Date: Tue, 24 Mar 2026 14:41:01 +0600
Subject: [PATCH] Fix user search to trigger on 3 characters without requiring @

The anti-enumeration guard required @ in the email prefix, causing the typeahead to silently return nothing until the user typed @. Replace with a minimum 3-character length check to match the frontend trigger condition.
---
 internal/api/handlers_users.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/internal/api/handlers_users.go b/internal/api/handlers_users.go
index 8beaee9..549e213 100644
--- a/internal/api/handlers_users.go
+++ b/internal/api/handlers_users.go
@@ -18,13 +18,13 @@ func newUsersHandler(svc *service.TeamService) *usersHandler {
 // Search handles GET /v1/users/search?email=
 // Returns up to 10 users whose email starts with the given prefix.
-// The prefix must contain "@" to scope searches and prevent broad enumeration.
+// The prefix must be at least 3 characters long.
 func (h *usersHandler) Search(w http.ResponseWriter, r *http.Request) {
 auth.MustFromContext(r.Context()) // ensure authenticated
 prefix := strings.TrimSpace(r.URL.Query().Get("email"))
- if !strings.Contains(prefix, "@") {
- writeError(w, http.StatusBadRequest, "invalid_request", "email prefix must contain '@'")
+ if len(prefix) < 3 {
+ writeError(w, http.StatusBadRequest, "invalid_request", "email prefix must be at least 3 characters")
 return
 }
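Review bot: The new `len(prefix) < 3` guard in Search no longer bounds enumeration the way the removed `@` check did, since any authenticated caller can now retrieve addresses from a three-character prefix, and the rewritten doc comment drops the enumeration rationale without naming a replacement control. The value returned by `auth.MustFromContext(r.Context())` is discarded in the visible lines, so unless the rest of Search (its body continues outside the hunk) scopes results to the caller's team, or a rate limit sits in front of this route, one of those should be added alongside this change. I would also keep the trade-off in the comment, for example `// A 3-character minimum does not prevent enumeration; this endpoint relies on authentication plus <rate limit / team scoping: confirm which>.` Separately, `len` counts bytes, so a single multi-byte character already satisfies the check; `utf8.RuneCountInString(prefix) < 3` (from `unicode/utf8`) would match the "3 characters" wording of the error message.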