Background
As discussed in PR #18, the access_token field currently lives in the generic UserResponseDto class, but it's an authentication-session concern that doesn't belong in a general user response DTO.
Problem
Any endpoint that returns UserResponseDto without performing authentication (e.g., profile fetch, user listing) will have access_token: undefined at runtime while the type declares it as string. This also widens the attack surface by potentially serializing tokens in unexpected contexts.
Proposed Solution
Create a dedicated AuthResponseDto that extends UserResponseDto and adds the access_token field. Update authentication endpoints to return this specialized DTO instead.
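The following is an added example, not code from PR #18 or the project: it contrasts the current shape (a token field declared as `string` on the generic DTO that non-auth endpoints never assign) with the proposed `AuthResponseDto` that extends `UserResponseDto`, and includes the check a test suite can run against every non-auth endpoint to confirm no `access_token` key reaches the serialized body. The `id`/`email` fields, the `UserRecord` type and the sample values are assumptions for illustration.

```typescript
// Added example (not the project's code). Field names other than access_token
// and the UserRecord shape are assumptions.

// Current shape the issue objects to: the type promises a string, but a profile
// or listing endpoint never assigns it, so the runtime value is undefined.
class LegacyUserResponseDto {
  readonly id: string;
  readonly email: string;
  access_token!: string; // declared, never set outside authentication
  constructor(id: string, email: string) {
    this.id = id;
    this.email = email;
  }
}

// Proposed shape: the generic DTO carries no session concern at all.
class UserResponseDto {
  readonly id: string;
  readonly email: string;
  constructor(id: string, email: string) {
    this.id = id;
    this.email = email;
  }
}

// Authentication responses extend the generic DTO and are the only place
// a token can appear.
class AuthResponseDto extends UserResponseDto {
  readonly access_token: string;
  constructor(id: string, email: string, accessToken: string) {
    super(id, email);
    this.access_token = accessToken;
  }
}

// Stand-in for a persisted user row (assumed shape).
interface UserRecord {
  id: string;
  email: string;
}

// What the type system lets a caller write against the legacy DTO: the
// annotation says string, but on a profile response the value is undefined.
function legacyTokenLength(dto: LegacyUserResponseDto): number | undefined {
  return typeof dto.access_token === "undefined" ? undefined : dto.access_token.length;
}

// Profile / listing endpoint mapping: no token involved.
function toUserResponse(user: UserRecord): UserResponseDto {
  return new UserResponseDto(user.id, user.email);
}

// Login endpoint mapping: the only path that attaches a session token.
function toAuthResponse(user: UserRecord, accessToken: string): AuthResponseDto {
  return new AuthResponseDto(user.id, user.email, accessToken);
}

// Simulates the JSON serialization step of an HTTP response body.
function serialize(dto: UserResponseDto): Record<string, unknown> {
  return JSON.parse(JSON.stringify(dto)) as Record<string, unknown>;
}

// Check for non-auth endpoints: the body must not carry an access_token key,
// whether populated or undefined.
function carriesToken(body: Record<string, unknown>): boolean {
  return Object.prototype.hasOwnProperty.call(body, "access_token");
}

// Constructed sample input, not real data.
const sampleUser: UserRecord = { id: "u-1", email: "user@example.test" };

// Usage: profile bodies never carry the key; auth bodies always do.
const profileBody = serialize(toUserResponse(sampleUser));
const authBody = serialize(toAuthResponse(sampleUser, "token-constructed"));
console.log("profile carries token:", carriesToken(profileBody)); // false
console.log("auth carries token:", carriesToken(authBody)); // true
```

Because `AuthResponseDto` is a subtype of `UserResponseDto`, any shared helper that accepts the generic DTO still accepts the auth DTO, while a handler typed to return `UserResponseDto` can no longer claim a `string` token it never set.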
References