Filter sensitive user data from login endpoint response (Issue #698)

Exclude password hash from the user object returned in login endpoint response. This prevents credential leaks where sensitive password hashes could be extracted and potentially subjected to offline attacks.

Changes:
- Extract user object and remove password field before returning
- Ensure login response contains only non-sensitive user properties
- Prevents password hash exposure in JSON responses

Fixes #698

Author: anshul23102

backend/routes/auth.js

@@ -32,7 +32,9 @@ router.post("/signup", validateRequest(signupSchema), async (req, res) => {
 
 // Login route
 router.post("/login", validateRequest(loginSchema), passport.authenticate('local'), (req, res) => {
-    res.status(200).json( { message: 'Login successful', user: req.user } );
+    const userObj = req.user.toObject ? req.user.toObject() : req.user;
+    const { password, ...safeUser } = userObj;
+    res.status(200).json( { message: 'Login successful', user: safeUser } );
 });
 
 // Logout route