Fix security

backend/app/schemas/user.py

@@ -29,30 +29,30 @@ class UserUpdate(BaseModel):
 
 
 class UserPublic(UserBase):
+    """Public user info visible to other users - minimal data"""
     id: int
-    login: str
     avatar_url: str | None = None
     role: str = "user"
-    telegram_id: int | None = None
-    telegram_username: str | None = None
-    telegram_first_name: str | None = None
-    telegram_last_name: str | None = None
-    telegram_avatar_url: str | None = None
+    telegram_avatar_url: str | None = None  # Only TG avatar is public
     created_at: datetime
 
     class Config:
         from_attributes = True
 
 
-class UserWithTelegram(UserPublic):
+class UserPrivate(UserPublic):
+    """Full user info visible only to the user themselves"""
+    login: str
     telegram_id: int | None = None
     telegram_username: str | None = None
+    telegram_first_name: str | None = None
+    telegram_last_name: str | None = None
 
 
 class TokenResponse(BaseModel):
     access_token: str
     token_type: str = "bearer"
-    user: UserPublic
+    user: UserPrivate
 
 
 class TelegramLink(BaseModel):