From ed8308bb7b48baea45a87584f528e152f34916e3 Mon Sep 17 00:00:00 2001
From: Aditya Kadam <adityack477@gmail.com>
Date: Thu, 21 May 2026 21:02:26 +0530
Subject: [PATCH 1/2] fix(auth): sanitize login response to exclude password
 hash

---
 backend/models/User.js | 8 ++++++++
 backend/routes/auth.js | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/backend/models/User.js b/backend/models/User.js
index eb506ed5..be084301 100644
--- a/backend/models/User.js
+++ b/backend/models/User.js
@@ -31,4 +31,12 @@ UserSchema.methods.comparePassword = async function (enteredPassword) {
   return bcrypt.compare(enteredPassword, this.password);
 };
 
+UserSchema.methods.toSafeObject = function () {
+  return {
+    id: this._id,
+    username: this.username,
+    email: this.email,
+  };
+};
+
 module.exports = mongoose.model("User", UserSchema);
\ No newline at end of file
diff --git a/backend/routes/auth.js b/backend/routes/auth.js
index 7c2cda78..af16162e 100644
--- a/backend/routes/auth.js
+++ b/backend/routes/auth.js
@@ -32,7 +32,7 @@ router.post("/signup", validateRequest(signupSchema), async (req, res) => {
 
 // Login route
 router.post("/login", validateRequest(loginSchema), passport.authenticate('local'), (req, res) => {
-    res.status(200).json( { message: 'Login successful', user: req.user } );
+    + res.status(200).json({ message: 'Login successful', user: req.user.toSafeObject() });
 });
 
 // Logout route

From 3f601cf41bac3c7add3ed00229c0d9c20776b1e8 Mon Sep 17 00:00:00 2001
From: Aditya Kadam <adityack477@gmail.com>
Date: Thu, 21 May 2026 21:12:10 +0530
Subject: [PATCH 2/2] fix(auth): error fix

---
 backend/routes/auth.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/routes/auth.js b/backend/routes/auth.js
index af16162e..d6162b73 100644
--- a/backend/routes/auth.js
+++ b/backend/routes/auth.js
@@ -32,7 +32,7 @@ router.post("/signup", validateRequest(signupSchema), async (req, res) => {
 
 // Login route
 router.post("/login", validateRequest(loginSchema), passport.authenticate('local'), (req, res) => {
-    + res.status(200).json({ message: 'Login successful', user: req.user.toSafeObject() });
+    res.status(200).json({ message: 'Login successful', user: req.user.toSafeObject() });
 });
 
 // Logout route