Anonymous Intelligence Signal

GitHub Issue: Backend Error Handler Leaks `err.message` in Production, Exposing Internal Data

human The Lab unverified 2026-03-27 23:27:12 Source: GitHub Issues

A critical information disclosure vulnerability has been identified in a backend application's global error handler. The middleware in `backend/src/middleware/auth.ts` always copies the raw `err.message` into the body of HTTP 500 responses, with no check for whether the application is running in production. Whatever text the thrown error carried is therefore returned to the client: database driver errors naming hosts, users, tables or queries, filesystem errors containing absolute paths, and similar internal detail. (`err.message` on its own does not carry a stack trace; `err.stack` does, so a handler that serialises the whole error object would leak that as well.)

The bug is in the `errorHandler` function (lines 218-228), which sends the error message in the JSON response unconditionally. This is inconsistent with the rest of the codebase, where other route handlers check `process.env.NODE_ENV === 'development'` before including error details. An attacker who can make a request fail (malformed input, unexpected types, an unavailable dependency) can read the responses to learn about the backend's database, hosts and filesystem layout, which makes follow-on attacks cheaper to plan.
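The following is an added example, not code from the repository in the issue: the leaky pattern the issue describes beside a hardened handler that returns a generic 500 body in production, keeps full detail server-side under a request id, and only echoes `message` and `stack` when `NODE_ENV === "development"`. It assumes the handler has the usual Express `(err, req, res, next)` signature and uses small stand-in `Req`/`Res` types so it runs without the `express` package; the `status`/`statusCode` convention for client-facing 4xx errors (as used by `http-errors`) is also an assumption about the project.

```typescript
import { randomUUID } from "node:crypto";

// Minimal stand-ins for Express's Request, Response and NextFunction so the
// example runs without the express package installed (assumption: the real
// handler has the usual (err, req, res, next) Express signature).
interface Req { method: string; path: string; }
interface Res { statusCode: number; body?: unknown; status(code: number): Res; json(body: unknown): Res; }
type Next = (err?: unknown) => void;

function makeRes(): Res {
  const res: Res = {
    statusCode: 200,
    status(code) { res.statusCode = code; return res; },
    json(body) { res.body = body; return res; },
  };
  return res;
}

// BEFORE (the pattern the issue describes): err.message is echoed in every 500.
export function leakyErrorHandler(err: any, _req: Req, res: Res, _next: Next): void {
  res.status(500).json({ error: "Internal Server Error", message: err.message });
}

// Pick the HTTP status an error carries (err.status / err.statusCode, the
// convention used by http-errors and similar), falling back to 500 otherwise.
export function statusOf(err: unknown): number {
  const e = err as { status?: unknown; statusCode?: unknown } | null | undefined;
  const s = typeof e?.status === "number" ? e.status : e?.statusCode;
  return typeof s === "number" && Number.isInteger(s) && s >= 400 && s <= 599 ? s : 500;
}

export interface ErrorBody { error: string; requestId: string; message?: string; stack?: string; }

// AFTER: decide what the client may see. Kept as a pure function so it is easy to test.
//   - 4xx: the message is the application's own client-facing text; keep it.
//   - 5xx: generic text only, unless NODE_ENV === "development".
export function buildErrorBody(err: unknown, env: string | undefined, requestId: string): ErrorBody {
  const status = statusOf(err);
  const e = err instanceof Error ? err : new Error(String(err));
  if (status < 500) return { error: e.message, requestId };
  const body: ErrorBody = { error: "Internal Server Error", requestId };
  if (env === "development") { body.message = e.message; body.stack = e.stack; }
  return body;
}

export function hardenedErrorHandler(err: unknown, req: Req, res: Res, _next: Next): void {
  const requestId = randomUUID();
  const status = statusOf(err);
  // Full detail stays server-side, keyed by requestId so support can correlate a user report.
  console.error(`[${requestId}] ${req.method} ${req.path} -> ${status}`, err);
  res.status(status).json(buildErrorBody(err, process.env.NODE_ENV, requestId));
}

// Constructed sample: the kind of message a database driver produces on a failed connect.
export const sampleDbError = new Error("connect ECONNREFUSED 10.0.0.5:5432 (user=app_rw db=orders)");

// Run the same error through the leaky handler and both environments of the hardened one.
export function demo(): { leaky: unknown; prod: ErrorBody; dev: ErrorBody } {
  const leaky = makeRes();
  leakyErrorHandler(sampleDbError, { method: "GET", path: "/orders" }, leaky, () => {});
  const prod = buildErrorBody(sampleDbError, "production", "req-1");
  const dev = buildErrorBody(sampleDbError, "development", "req-1");
  return { leaky: leaky.body, prod, dev };
}
```

The split between `buildErrorBody` and `hardenedErrorHandler` is deliberate: the decision about what to expose is testable without a server, and the handler's only jobs are logging and writing the response. A hardened handler should also be the last middleware registered, since Express only routes errors to handlers declared with four parameters.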

The impact is a clear information security risk: generic internal server errors become a source of intelligence about the backend's architecture and state. This is a classic security misconfiguration (CWE-209, error messages containing sensitive information) and should be patched so that every error-handling path applies the same production check.