Exposed Sensitive User Data in `handle_get_user`

[dr3394]

The handle_get_user endpoint returns a list of users with their corresponding tokens. This exposes sensitive information (tokens) to anyone who accesses the endpoint.

Limit the data returned by this endpoint. Do not expose tokens or other sensitive information. Only return user IDs or non-sensitive data.

[esamnyu]

Thank you @dr3394 for identifying this critical security vulnerability. You're absolutely correct that exposing user tokens through the handle_get_user endpoint is a serious security risk. We've addressed this issue with the following changes:

1. We've modified the handle_get_user function to return only non-sensitive user data.
2. The endpoint now returns a dictionary containing only user IDs, without any associated tokens or other sensitive information.

Here's the updated handle_get_user function:

@app.route("/users", methods=["GET"])
def handle_get_user():
    # Create a new dictionary with only non-sensitive user data
    safe_user_data = {user_id: {"id": user_id} for user_id in users.keys()}
    return Response(json.dumps(safe_user_data), status=200, mimetype="application/json")