Build a simple private realtime chat portal using Next.js/React + Supabase
Budget: $100.0 (fixed price)
⭐ 5.00 (1)
ARE
next.js, react-js
I need a simple browser-based private chat portal for my tutoring company, called Excelia Lesson Room.
This is not WhatsApp, Chatwoot, a chatbot, or a public community platform. It is a secure private communication room for a parent, student, tutor and Excelia admin.
My budget for the first working MVP is approximately $100. I need a clean, functional and secure basic version, not a complex platform or fancy design.
Preferred technology stack
Next.js or React
Supabase Postgres database
Supabase Auth
Supabase Realtime for live messages
Supabase Row Level Security (RLS)
Vercel or similar hosting
The project must be deployed to my own Supabase, Vercel and GitHub accounts. You may be added as a collaborator, but I must retain ownership of all accounts, source code, database access and keys.
Main idea
I need to create one private “Lesson Room” for each student.
Example:
Excelia Lesson Room – Liam R. – Physics
Each room can contain up to four people:
Parent
Student
Tutor
Excelia Admin
All authorised members can communicate in the same live text chat.
Users must only see fixed display names chosen by admin, for example:
Liam’s Parent
Liam
Physics Tutor
Excelia Admin
They must never see each other’s:
Phone numbers
Email addresses
Surnames, unless admin chooses to display them
Social-media accounts
Profile pages
External contact details
There must be:
No user directory
No direct/private messages outside the room
No public profiles
No ability for parents, students or tutors to invite others
No public room links
Access system: permanent private links, not normal logins
Parents and students have complained in the past about too many passwords, logins and verification codes.
I do not want a normal login page for parents, students or tutors.
I want each participant to have their own permanent private access link.
For example:
One private parent link
One private student link
One private tutor link
Example format:
portal.exceliatutors.com/access/very-long-private-token
I will copy and send each link privately through WhatsApp or email.
Required behaviour
The same private link must work on multiple devices and browsers.
A parent should be able to open their link on a phone, laptop, tablet or another browser.
The private link must not expire automatically.
When someone opens their link, they should enter automatically as their assigned role.
They should be taken directly to the correct Lesson Room.
They should not need to type a password.
They should not need to enter an email address.
They should not need to create an account.
They should not need an OTP or one-time code.
On the same device, they should remain signed in and be able to return through a clean bookmarked portal/room URL.
On a new device, they can simply use the same private link again.
After the private link is validated, redirect to a clean room URL so the private token is not visible in the final browser address bar.
The actual room URL itself must not grant access. Someone copying or guessing a room URL must be denied unless they have valid access.
Important security requirement for permanent links
I understand that a permanent private link acts like a password: anyone it is shared with could access that participant’s role.
For this reason, the admin must be able to revoke or replace a link immediately.
Requirements:
Each link must use a long, cryptographically secure random token.
Store only a secure hash of the token in the database, never the original plain token.
Validate the token server-side only.
Do not expose private keys, service-role keys or secrets in the frontend.
Do not use Supabase anonymous authentication.
Do not use standard expiring Supabase Magic Links as the permanent participant links.
Each participant must have a persistent internal user identity linked to their assigned role and room memberships.
Once the access token is validated, create a normal authenticated session for that browser/device.
Supabase RLS must control data access using the authenticated participant identity and room membership.
Admin must be able to:
Generate a private permanent link for each participant.
Copy the link easily.
Revoke a link immediately.
Generate a replacement link immediately.
Ensure that a replacement link makes the previous link stop working.
Remove a participant from a room.
Ensure that removing a participant blocks their existing sessions on all devices.
Close a room when tuition ends.
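The token lifecycle described above (random token, hash-only storage, server-side validation, revoke and replace), written as an added example rather than code from the brief. It uses an in-memory array as a stand-in for the token table; the table and column names are assumed.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "crypto";

// Constructed in-memory stand-in for a `private_access_tokens` table (assumed name).
interface AccessTokenRow {
  participantId: string;
  tokenHash: string; // hex SHA-256 of the raw token; the raw token is never stored
  revokedAt: number | null;
}
const tokenTable: AccessTokenRow[] = [];

// Tokens are 256-bit random values, so an unsalted SHA-256 is enough: a leaked
// table cannot be turned back into working links.
function hashToken(rawToken: string): string {
  return createHash("sha256").update(rawToken).digest("hex");
}

// Revoke every active token for a participant; returns how many were revoked.
function revokeAccessTokens(participantId: string): number {
  let revoked = 0;
  for (const row of tokenTable) {
    if (row.participantId === participantId && row.revokedAt === null) {
      row.revokedAt = Date.now();
      revoked++;
    }
  }
  return revoked;
}

// Issue a link token: 32 random bytes as a 43-char URL-safe string. The old token
// is revoked first, so a replacement link disables the previous one.
function issueAccessToken(participantId: string): string {
  revokeAccessTokens(participantId);
  const rawToken = randomBytes(32).toString("base64url");
  tokenTable.push({ participantId, tokenHash: hashToken(rawToken), revokedAt: null });
  return rawToken; // shown once to the admin for /access/<token>; never persisted
}

// Server-side validation of the token from /access/<token>. Returns the participant
// id to open a session for, or null; revoked rows never match; constant-time compare.
function validateAccessToken(rawToken: string): string | null {
  const candidate = Buffer.from(hashToken(rawToken), "hex");
  for (const row of tokenTable) {
    if (row.revokedAt !== null) continue;
    const stored = Buffer.from(row.tokenHash, "hex");
    if (stored.length === candidate.length && timingSafeEqual(stored, candidate)) {
      return row.participantId;
    }
  }
  return null;
}
```

In the real project the lookup would be a query by hash against a unique index rather than a scan, and the returned participant id is what the server then turns into an authenticated session before redirecting to the clean room URL.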
Roles and permissions
Parent
Can only access their own assigned Lesson Room.
Can read and send messages in that room.
Cannot see other parents, students, tutors or rooms.
Cannot invite anyone.
Cannot see contact details.
Student
Can only access their own assigned Lesson Room.
Can read and send messages in that room.
Cannot invite anyone.
Cannot see contact details.
Tutor
Can only access rooms specifically assigned to them.
Can read and send messages in those rooms.
Cannot access any other tutor’s rooms.
Cannot invite anyone.
Cannot see parent/student contact details.
Admin
Uses a normal secure admin login.
Can see all rooms and all messages.
Can create rooms.
Can add/remove users.
Can generate, revoke and replace private links.
Can close rooms.
Can set the display names shown in each room.
Chat requirements
Realtime text chat.
Messages appear instantly without refreshing the page.
Every message has a timestamp.
Mobile-friendly layout.
Simple clean design suitable for parents.
Fixed display names beside messages.
Users can only see messages from rooms they are members of.
Admin can see all messages.
Basic unread/read status if possible.
No file uploads, images, videos, voice notes or document sharing are needed for this first version.
Basic contact-detail protection
The system must hide all contact details by default.
Please also add basic message checking to block or warn users when they try to send obvious:
Phone numbers
Email addresses
Website links
Social-media handles
A simple message is enough, for example:
For privacy and safeguarding, direct contact details cannot be shared in Excelia Lesson Room.
I understand this cannot be perfect, because someone could spell out information differently. I only need a reasonable basic safeguard for the MVP.
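A basic screening function for the four categories listed above, added here as an example (not part of the brief). The patterns and the 9-digit phone threshold are assumptions chosen so that dates, times and page numbers pass; as the brief says, this catches obvious cases only.

```typescript
// Shown to the sender when a message is blocked (wording from the brief).
const BLOCK_NOTICE =
  "For privacy and safeguarding, direct contact details cannot be shared in Excelia Lesson Room.";

// One detector per category the brief lists. Deliberately simple: they catch
// obvious contact details, not deliberately obfuscated ones.
const CONTACT_PATTERNS: Array<{ kind: string; pattern: RegExp }> = [
  { kind: "email", pattern: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g },
  { kind: "website", pattern: /\b(?:https?:\/\/|www\.)\S+|\b[\w-]+\.(?:com|co\.uk|net|org|io)\b/gi },
  { kind: "handle", pattern: /(^|[^\w.])@\w{3,}/g }, // "@name" not preceded by an email local part
  { kind: "phone", pattern: /\+?\d[\d\s().-]{6,}\d/g },
];

// Only treat a digit run as a phone number if it holds at least 9 digits (assumed
// threshold), so "2024-01-15", "14:30" or "page 12" still go through.
const MIN_PHONE_DIGITS = 9;

interface ScreenResult {
  allowed: boolean;
  reasons: string[]; // categories found, e.g. ["phone"]
  notice: string | null;
}

// Run server-side before the message is inserted, so it cannot be skipped by editing
// the page. Returns whether the message may be sent and which categories tripped.
function screenMessage(text: string): ScreenResult {
  const reasons: string[] = [];
  for (const { kind, pattern } of CONTACT_PATTERNS) {
    const matches = text.match(pattern) || [];
    for (const m of matches) {
      if (kind === "phone" && m.replace(/\D/g, "").length < MIN_PHONE_DIGITS) continue;
      if (reasons.indexOf(kind) === -1) reasons.push(kind);
    }
  }
  return reasons.length === 0
    ? { allowed: true, reasons: [], notice: null }
    : { allowed: false, reasons, notice: BLOCK_NOTICE };
}
```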
Email notifications for new messages
Please add simple email notifications.
Each participant’s email address can be stored internally for notifications, but it must never be visible to other users.
When a person sends a message:
Check whether the other participant(s) are currently active in that specific Lesson Room.
If a recipient is not active, send them an email notification.
Use a simple presence or last-seen system to decide whether they are online.
Do not send an email if the recipient is actively viewing that room.
Use a cooldown so the same recipient receives no more than one email per room every 15 minutes while they have unread messages.
Mark messages as read when the user opens the room.
The email should contain:
Lesson Room name
Sender display name
A simple message such as: “You have a new message in your Excelia Lesson Room.”
A button/link leading to that recipient’s permanent private access link
Do not include the full chat message content in the email.
Use my existing email provider/API if possible. If you need to use another transactional email service, explain clearly what it is and whether there is any ongoing cost.
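The notification decision above (presence check, 15-minute per-room cooldown, read marking) as an added example, not code from the brief. It assumes presence is a periodic "last seen in this room" heartbeat from the open room page with a 60-second active window, and uses an in-memory map in place of the presence and read-status tables; the names are assumptions.

```typescript
// A recipient counts as active if their last heartbeat for this room is recent
// (60 s is an assumed value); at most one email per recipient per room per 15 min.
const ACTIVE_WINDOW_MS = 60 * 1000;
const EMAIL_COOLDOWN_MS = 15 * 60 * 1000;

interface RecipientState {
  lastSeenAt: number | null;    // last presence heartbeat for this room, ms since epoch
  lastEmailedAt: number | null; // last notification email for this room
  unread: number;
}

// Constructed in-memory stand-in for the presence and read_status tables (assumed
// names), keyed by "roomId/participantId".
const recipientState = new Map<string, RecipientState>();

function stateFor(roomId: string, participantId: string): RecipientState {
  const key = roomId + "/" + participantId;
  if (!recipientState.has(key)) recipientState.set(key, { lastSeenAt: null, lastEmailedAt: null, unread: 0 });
  return recipientState.get(key)!;
}

// Sent periodically by the room page while a participant has it open.
function heartbeat(roomId: string, participantId: string, now: number): void {
  stateFor(roomId, participantId).lastSeenAt = now;
}

// Called when a participant opens the room: all messages there become read.
function markRoomRead(roomId: string, participantId: string, now: number): void {
  const s = stateFor(roomId, participantId);
  s.unread = 0;
  s.lastSeenAt = now; // opening the room also counts as presence
}

// Called after senderId's message is stored. Every other member gets an unread
// increment; only members who are neither active nor in cooldown get an email.
// Returns the participant ids to email; the email body never carries the message.
function recipientsToEmail(roomId: string, senderId: string, members: string[], now: number): string[] {
  const toEmail: string[] = [];
  for (const id of members) {
    if (id === senderId) continue;
    const s = stateFor(roomId, id);
    s.unread++;
    const active = s.lastSeenAt !== null && now - s.lastSeenAt < ACTIVE_WINDOW_MS;
    const inCooldown = s.lastEmailedAt !== null && now - s.lastEmailedAt < EMAIL_COOLDOWN_MS;
    if (active || inCooldown) continue;
    s.lastEmailedAt = now;
    toEmail.push(id);
  }
  return toEmail;
}
```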
Admin dashboard requirements
The admin dashboard can be basic and functional.
I need to be able to:
Create a new Lesson Room.
Add a student/room title.
Add one parent, one student and one tutor.
Add their internal email addresses for notification purposes.
Set the display name shown to each person.
Generate and copy each person’s permanent private link.
View all rooms.
Open and read all messages.
Remove a person from a room.
Revoke or replace their permanent private link.
Close/archive a room.
Database and security requirements
Supabase Row Level Security must be enabled and correctly configured.
Security must be enforced at database level, not simply hidden in the frontend.
A parent must not be able to access another parent’s messages by:
Changing the room URL
Guessing a room ID
Editing browser requests
Opening developer tools
Copying another room URL
A tutor must not be able to access rooms they are not assigned to.
RLS should enforce access for rooms, memberships and messages.
Please provide the database schema and the RLS policies used. The tables will probably include something like:
Profiles/users
Rooms
Room members
Messages
Private access tokens
Read status
Presence or last-seen status
The service-role key and other secrets must never be exposed in browser code.
Out of scope for this first version
Please do not add these features in the first MVP:
File uploads
Images or video messages
Video calls
Voice messages
Payments
Calendar booking
WhatsApp integration
Chatwoot integration
Mobile app
Public chatrooms
Public sign-up
Direct messages
Complex analytics
Fancy design
Complex notification settings
Delivery requirements
Fully working project deployed to my own Supabase and Vercel accounts.
Complete source code pushed to my GitHub repository.
Basic responsive Excelia-branded design.
Database schema included.
RLS policies included and explained briefly.
Simple instructions showing me how to:
Create a room
Add parent/student/tutor
Generate private links
Revoke a link
Create a replacement link
Remove a participant
Close a room
Test rooms/accounts so I can verify parent, student, tutor and admin permissions.
Acceptance tests before delivery
Before approval, I will test the following:
A parent can open their permanent private link on phone, laptop and another browser.
The parent enters without a password, email entry or OTP code.
The parent only sees their own room.
A bookmarked clean room URL works again on the same device.
Copying a room URL into another browser without access does not work.
Changing a room ID in the URL does not reveal another room.
A tutor only sees rooms assigned to them.
Admin can see all rooms.
Removing someone from a room blocks their access immediately.
Replacing an access link makes the old link unusable.
Phone numbers and email addresses are never visible to participants.
Messages appear live without refresh.
Offline users receive one email notification, not many repeated emails.
Messages are marked read when the recipient opens the room.
Please include this in your reply
Do not send a generic response.
Please explain clearly:
How you will implement permanent multi-device private access links.
How you will prevent copied room URLs from granting access.
How you will use Supabase Auth and RLS to stop one parent reading another parent’s room.
How you will revoke a participant link and terminate access on existing devices.
How you will send email notifications only when a recipient is not active.
Examples of previous work involving Supabase, protected dashboards, role-based permissions, secure links or realtime chat.