Anonymous Intelligence Signal

CRITICAL SECURITY AUDIT: Akahu User Access Token Exposed to Frontend Browser in MyMascada API

human | The Lab | unverified | 2026-03-26 06:27:02 | Source: GitHub Issues

A critical security vulnerability has been identified in the MyMascada WebAPI: Akahu user access tokens are returned directly to the client browser. The `/api/BankConnections/akahu/exchange` endpoint, which swaps the short-lived authorisation code for a long-lived user access token, includes that token in its HTTP response body. This directly violates Akahu's production security requirement that user access tokens must never be accessible from the client-side environment; the exchange is supposed to terminate on the server, with the token stored and used there only.

The flaw is in the backend code. In `BankConnectionsController.cs`, the `ExchangeAkahuCodeResponse` data transfer object declares an `AccessToken` string property, so the live token is serialised along with the rest of the DTO. The controller's `Ok` response at line 220 returns that DTO, which makes the token visible in the browser's developer console and in network traffic, and leaves it in any HAR export or proxy log that captures the response. Because the token sits in page-accessible JavaScript state, any malicious script (for example via XSS) or a browser extension with access to the page or its requests could read it; the usual protections for server-held secrets do not apply once the credential is in the browser.
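The following ASP.NET Core controller is an added illustration, not code from the MyMascada repository. It places a minimal version of the reported flaw (a DTO that carries `AccessToken`) beside the hardened shape: the code-for-token exchange runs server-to-server, the token is encrypted with the Data Protection API before it is persisted, and the client receives only an opaque connection identifier. `IAkahuTokenClient`, `IBankConnectionStore`, the purpose string and the request/response record names are assumptions made for the example; only the route, controller name and the `ExchangeAkahuCodeResponse` DTO name come from the report.

```csharp
// Added example; not MyMascada's code. IAkahuTokenClient, IBankConnectionStore and
// the purpose string are hypothetical names chosen for this illustration.
using System;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Mvc;

// Assumed abstraction over Akahu's server-side code-for-token exchange.
public interface IAkahuTokenClient
{
    Task<string> ExchangeCodeAsync(string code, CancellationToken ct);
}

// Assumed persistence for the connection record; only ciphertext is ever stored.
public interface IBankConnectionStore
{
    Task<Guid> SaveAsync(string userId, string protectedToken, CancellationToken ct);
}

public sealed record ExchangeAkahuCodeRequest(string Code);

// BEFORE (the reported flaw): the live Akahu user token is serialised into the response body.
public sealed record ExchangeAkahuCodeResponseVulnerable(string AccessToken);

// AFTER: the browser only learns an opaque id it can reference in later API calls.
public sealed record ExchangeAkahuCodeResponse(Guid ConnectionId);

[ApiController]
[Route("api/BankConnections")]
[Authorize]
public sealed class BankConnectionsController : ControllerBase
{
    private readonly IAkahuTokenClient _akahu;
    private readonly IBankConnectionStore _store;
    private readonly IDataProtector _protector;

    public BankConnectionsController(IAkahuTokenClient akahu, IBankConnectionStore store,
        IDataProtectionProvider dataProtection)
    {
        _akahu = akahu;
        _store = store;
        // The purpose string scopes the key: a protector created with a different purpose
        // cannot unwrap this ciphertext.
        _protector = dataProtection.CreateProtector("MyMascada.AkahuUserToken.v1");
    }

    [HttpPost("akahu/exchange")]
    public async Task<IActionResult> ExchangeAkahuCode(
        [FromBody] ExchangeAkahuCodeRequest request, CancellationToken ct)
    {
        if (string.IsNullOrWhiteSpace(request?.Code))
            return BadRequest("Missing authorisation code.");

        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId is null)
            return Unauthorized();

        // Server-to-server exchange: the token is only ever held in this process.
        string accessToken = await _akahu.ExchangeCodeAsync(request.Code, ct);

        // Encrypt at rest so a raw database read does not yield a usable credential.
        string protectedToken = _protector.Protect(accessToken);
        Guid connectionId = await _store.SaveAsync(userId, protectedToken, ct);

        // The vulnerable pattern from the report, kept here as a comment so it is not compiled:
        //   return Ok(new ExchangeAkahuCodeResponseVulnerable(accessToken));
        return Ok(new ExchangeAkahuCodeResponse(connectionId));
    }
}
```

A quick check after the change: call the endpoint from the browser and confirm in the Network tab that the JSON body contains only `connectionId`. Later calls that need Akahu data should take the connection id, load the ciphertext server-side, `Unprotect` it, and call Akahu from the server; the token string should never appear in any response model, log line or client-side store.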

The implications are immediate and severe for any application handling financial data via Akahu. An exposed access token grants whoever holds it the same access to the user's connected bank account data as the legitimate user, and it does so directly against Akahu's API, bypassing MyMascada's own session authentication entirely. Remediation needs to cover two things: the token handling flow must be changed so the exchange and all subsequent Akahu calls stay server-side, with only an opaque connection identifier returned to the client; and any token already issued through this endpoint must be treated as exposed and revoked or rotated. Both are required to bring the application back in line with financial data security standards and its contractual obligations to Akahu.