Fix security

2025-12-18 17:15:21 +07:00
parent 57bad3b4a8
commit 33f49f4e47
17 changed files with 181 additions and 49 deletions
--- a/backend/app/schemas/init.py
+++ b/backend/app/schemas/init.py
@@ -3,7 +3,7 @@ from app.schemas.user import (
    UserLogin,
    UserUpdate,
    UserPublic,
-    UserWithTelegram,
+    UserPrivate,
    TokenResponse,
    TelegramLink,
    PasswordChange,
@@ -88,7 +88,7 @@ __all__ = [
    "UserLogin",
    "UserUpdate",
    "UserPublic",
-    "UserWithTelegram",
+    "UserPrivate",
    "TokenResponse",
    "TelegramLink",
    "PasswordChange",
--- a/backend/app/schemas/user.py
+++ b/backend/app/schemas/user.py
@@ -29,30 +29,30 @@ class UserUpdate(BaseModel):


 class UserPublic(UserBase):
+    """Public user info visible to other users - minimal data"""
    id: int
-    login: str
    avatar_url: str | None = None
    role: str = "user"
-    telegram_id: int | None = None
-    telegram_username: str | None = None
-    telegram_first_name: str | None = None
-    telegram_last_name: str | None = None
-    telegram_avatar_url: str | None = None
+    telegram_avatar_url: str | None = None  # Only TG avatar is public
    created_at: datetime

    class Config:
        from_attributes = True


-class UserWithTelegram(UserPublic):
+class UserPrivate(UserPublic):
+    """Full user info visible only to the user themselves"""
+    login: str
    telegram_id: int | None = None
    telegram_username: str | None = None
+    telegram_first_name: str | None = None
+    telegram_last_name: str | None = None


 class TokenResponse(BaseModel):
    access_token: str
    token_type: str = "bearer"
-    user: UserPublic
+    user: UserPrivate


 class TelegramLink(BaseModel):