[Security] API Exposes Raw User Tokens in JSON Response - Credential Leak #687

@anshul23102

Description

The authentication endpoint returns raw user tokens in the JSON response body without any sanitization. API clients store this response, exposing tokens in browser developer tools, logs, and potentially in application monitoring systems.

Steps to Reproduce

  1. POST /api/auth/login with valid credentials
  2. Response includes: { "token": "raw_jwt_value_here", "user": {...} }
  3. Token is visible in browser Network tab, localStorage, and logs
  4. Attackers with access to logs can extract tokens

Environment Information

  • Endpoint: POST /api/auth/login
  • Framework: Express.js
  • Response format: JSON
  • Application version: Current main branch

Expected Behavior

Tokens should be sent only in httpOnly, Secure cookies, not in the JSON response. Or, if they must be included, use a secure token-exchange pattern (authorization code flow).

Actual Behavior

File: backend/routes/auth.js (or similar)
Login endpoint returns full token in plaintext JSON.

Code Reference

File: backend/routes/auth.js
Missing: Use httpOnly cookie instead of response body token

Additional Context

Returning tokens in JSON response bodies violates security best practices. Fix by:

  1. Send token in httpOnly cookie only
  2. Do not return token in response body
  3. Use Secure flag for HTTPS
  4. Set SameSite=Strict
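
The following is an added example, not code from this repository, showing the leaky response shape beside the hardened one and a check a test suite can run against either. It is framework-agnostic plain JavaScript; the cookie name `auth_token`, the `Max-Age` default and the allow-listed user fields are assumptions. In Express the hardened header corresponds to `res.cookie(name, token, { httpOnly: true, secure: true, sameSite: "strict", maxAge: ms })`, with `maxAge` in milliseconds.

```javascript
// Vulnerable shape (what the issue describes): the token travels in the JSON body.
function leakyLoginResponse(token, user) {
  return { setCookie: null, body: { token, user } };
}

// Hardened shape: the token goes only into a Set-Cookie header carrying the
// attributes the issue asks for; the body carries non-secret data only.
// Cookie name "auth_token" and the Max-Age default are assumptions.
function hardenedLoginResponse(token, user, opts = {}) {
  const { cookieName = "auth_token", maxAgeSeconds = 3600 } = opts;
  const attrs = [
    `${cookieName}=${encodeURIComponent(token)}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",        // not readable via document.cookie
    "Secure",          // only sent over HTTPS
    "SameSite=Strict", // not sent on cross-site requests
  ];
  // Never echo the token: build the body from an allow-list of user fields.
  const { id, name, email } = user;
  return { setCookie: attrs.join("; "), body: { user: { id, name, email } } };
}

// Parse a Set-Cookie header into name, value and a map of attributes
// (lower-cased keys; flag attributes such as HttpOnly become `true`).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const out = { name: pair.slice(0, eq), value: decodeURIComponent(pair.slice(eq + 1)), attrs: {} };
  for (const part of rest) {
    const i = part.indexOf("=");
    if (i === -1) out.attrs[part.toLowerCase()] = true;
    else out.attrs[part.slice(0, i).toLowerCase()] = part.slice(i + 1);
  }
  return out;
}

// Defender check: true if the secret appears anywhere in the serialised body.
function bodyLeaksToken(body, token) {
  return JSON.stringify(body).includes(token);
}

// Regression check: body must not contain the token and the cookie must carry
// HttpOnly, Secure and SameSite=Strict, as the issue's fix list requires.
function responseIsSafe(resp, token) {
  if (!resp.setCookie || bodyLeaksToken(resp.body, token)) return false;
  const { attrs } = parseSetCookie(resp.setCookie);
  return attrs.httponly === true && attrs.secure === true &&
    String(attrs.samesite || "").toLowerCase() === "strict";
}
```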

GSSoC Points Estimate: Level 2 (Security/Credential Leak)

Suggested Labels

  • gssoc:approved

  • type:bug

  • severity:high

  • area:security

  • Searched existing issues, not a duplicate

  • Read CONTRIBUTING.md guidelines

  • Read README and understand project scope

  • Provided clear reproduction steps

  • Provided environment information

  • Described expected vs. actual clearly
