Fix/pii leak distributor dashboard #278

Open
Nareshkumawat-star wants to merge 11 commits into aditiraj2006:main from Nareshkumawat-star:fix/pii-leak-distributor-dashboard
@Nareshkumawat-star
Contributor

📌 Linked Issue

Closes #236


📝 Summary of Changes

  • Updated the GET /api/users/:id endpoint in server/routes.ts to optionally verify the requesting user's Firebase token.
  • Applied a privacy projection that completely removes the phone field for any user except the farmer themselves or an admin.
  • Masked the location (address) field to only expose the state/city or fallback to a hidden string for distributors, retailers, and unauthenticated users.

🔧 Type of Change

  • 🐛 Bug fix
  • ✨ New feature / enhancement
  • 🧹 Refactor / code cleanup
  • 📄 Documentation update
  • 🧪 Test addition or update
  • ⚙️ Configuration / tooling change

🧪 Testing Steps

  1. Logged in as a Distributor.
  2. Navigated to the "Received Products" or Dashboard views where transaction details are listed.
  3. Verified that the farmer's full contact information (phone and full address) is no longer visible in the application or API response.
  4. Logged in as the farmer who owns the product and verified that full details are still accessible for themselves.

Environment tested on:

  • OS: Windows
  • Browser (if applicable): Chrome / Edge
  • Node version: 20+

🎥 Demo


✅ Checklist

  • My code follows the project's coding style and conventions
  • I have tested my changes locally (npm install + npm run dev)
  • I have linked the relevant issue above
  • I have not introduced any new linting errors or warnings
  • I have updated documentation if needed
  • My branch is up to date with main

🌟 GSSoC Declaration

  • This PR is submitted under GSSoC 2026
  • I have read and followed the Contributing Guidelines
  • I have not plagiarised any content
  • This is my original work
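
The role-based projection described in the summary above, sketched as an added example (it is not code from this PR or from the repository). The type and function names, the hidden-location string, and the "street, city, state" address format are assumptions; the example builds the response from an allowlist of fields, which is a design choice of this sketch.

```typescript
// Added example; every name and the address format below are assumptions.
type UserRole = "farmer" | "distributor" | "retailer" | "admin";

interface StoredUser {
  id: string;
  name: string;
  role: UserRole;
  phone: string;
  location: string; // assumed format: "street, city, state"
}

// Identity taken from a verified token; null means no token or an invalid one.
// The role should come from the server's own record for that uid, not the request.
type ViewerIdentity = { id: string; role: UserRole } | null;

type ProjectedUser = Pick<StoredUser, "id" | "name" | "role" | "location"> & { phone?: string };

const HIDDEN_LOCATION = "Location hidden";

// Keep only the last two comma-separated parts (city, state). Fail closed:
// input that does not look like "street, city, state" is hidden entirely.
function maskLocation(location: string): string {
  const parts = location.split(",").map((p) => p.trim()).filter((p) => p.length > 0);
  return parts.length >= 3 ? parts.slice(-2).join(", ") : HIDDEN_LOCATION;
}

// Build the response from an allowlist of fields instead of deleting from a copy,
// so a field added to StoredUser later is not exposed by default.
function projectUser(target: StoredUser, viewer: ViewerIdentity): ProjectedUser {
  const isSelf = viewer !== null && viewer.id === target.id;
  const isAdmin = viewer !== null && viewer.role === "admin";
  const masked: ProjectedUser = {
    id: target.id,
    name: target.name,
    role: target.role,
    location: maskLocation(target.location),
  };
  if (isSelf || isAdmin) {
    return { ...masked, location: target.location, phone: target.phone };
  }
  return masked; // distributor, retailer, another farmer, or unauthenticated
}

// Constructed sample record, not real data.
const sampleFarmer: StoredUser = {
  id: "farmer-1", name: "Sample Farmer", role: "farmer",
  phone: "+91-0000000000",
  location: "Plot 12 Example Road, Jaipur, Rajasthan",
};
```
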

Test User and others added 10 commits June 5, 2026 20:24
- Convert useAuth.ts (plain hook) to useAuth.tsx with AuthProvider + AuthContext
  so all components share a single Firebase auth listener and auth state is
  never re-created on route changes
- Update getStoredLanguage() in useLanguage.tsx to fall back to
  navigator.language when no value is stored in localStorage, so first-time
  visitors get their browser language automatically
- Wrap App.tsx with AuthProvider (outermost) > LanguageProvider, ensuring
  the language context always reads from a stable auth state

Fixes the regression where switching to Hindi (or any non-English language)
was reset to English on every route navigation because LanguageProvider's
user?.language effect was firing from a freshly-initialised useAuth() call.
@github-actions github-actions Bot added the gssoc'26 Contribution for GirlScript Summer of Code 2026 label Jun 7, 2026
Development

Successfully merging this pull request may close these issues.

[Bug] Distributor dashboard shows farmer's private contact details without role check