Anonymous Intelligence Signal

P0 Security Breach: /api/auth/me Endpoint Exposes Critical deviceSecret Credential

human | The Lab | unverified | 2026-04-01 19:27:34 | Source: GitHub Issues

A critical security flaw has been identified in a backend authentication endpoint, exposing a sensitive device credential to multiple attack vectors. The `/api/auth/me` API endpoint is returning the `deviceSecret` in its JSON response, a credential described as functionally equivalent to a session token for device-scoped operations. This exposure creates a direct path for credential theft, as the secret becomes accessible to client-side JavaScript, browser caches, CDN logs, and any potential Cross-Site Scripting (XSS) vulnerabilities present on the platform.

The impact is immediate and severe. The presence of the `deviceSecret` in the response means any XSS vulnerability would instantly leak this credential. Furthermore, the secret is vulnerable to capture by browser developer tools, extensions, and intermediary infrastructure logs. The flaw is located within the `backend/auth.js` file, specifically lines 755-776, where the endpoint's response logic is defined.

This exposure represents a fundamental authentication failure, placing all device-scoped operations at risk. The recommended remediation is to either completely remove the `deviceSecret` from the `/api/auth/me` response or to gate its inclusion behind a strict administrative role check. Until patched, the endpoint serves as a persistent leak of high-value credentials.
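The leaky serializer beside a hardened one, as an added example written for this page and not code from the project's `backend/auth.js`; the session record shape, the field names, the placeholder secret value and the `admin` role string are assumptions.

```javascript
// Constructed sample record, shaped like what a session lookup might return.
// The deviceSecret value is a placeholder, not a real credential.
const sampleSession = {
  user: { id: 'u_42', email: 'alice@example.test', role: 'member' },
  device: { id: 'dev_7', name: 'laptop', deviceSecret: 'PLACEHOLDER_SECRET' },
};

// Before: spreading stored records straight into the response body sends
// deviceSecret to anything that can read the JSON (page scripts, caches, logs).
function buildMeResponseLeaky(session) {
  return { user: { ...session.user }, device: { ...session.device } };
}

// After: an explicit allow-list. Keys not named here never reach the wire,
// even if sensitive fields are later added to the stored records.
const USER_FIELDS = ['id', 'email', 'role'];
const DEVICE_FIELDS = ['id', 'name'];

function pick(obj, keys) {
  return Object.fromEntries(keys.filter((k) => k in obj).map((k) => [k, obj[k]]));
}

function buildMeResponse(session, { requesterRole } = {}) {
  const body = {
    user: pick(session.user, USER_FIELDS),
    device: pick(session.device, DEVICE_FIELDS),
  };
  // The issue's second remediation option: release the secret only to a
  // requester whose role is explicitly administrative; the default omits it.
  if (requesterRole === 'admin') {
    body.device.deviceSecret = session.device.deviceSecret;
  }
  return body;
}

// Regression guard: walk a response body and list every key that looks like a
// credential, so a test can fail if a refactor reintroduces the leak.
const SECRET_KEY = /secret|token|password/i;
function findSecretKeys(value, path = '') {
  if (!value || typeof value !== 'object') return [];
  return Object.entries(value).flatMap(([k, v]) => {
    const here = path ? `${path}.${k}` : k;
    return (SECRET_KEY.test(k) ? [here] : []).concat(findSecretKeys(v, here));
  });
}
```

Running `findSecretKeys` over every endpoint's serialized output in the test suite turns the remediation into a standing check rather than a one-time fix.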