fix: Remove API Tokens from User APIs (#4985)

mealie/routes/users/api_tokens.py

@@ -5,14 +5,20 @@ from fastapi import HTTPException, status
 from mealie.core.security import create_access_token
 from mealie.routes._base import BaseUserController, controller
 from mealie.routes._base.routers import UserAPIRouter
-from mealie.schema.user import CreateToken, DeleteTokenResponse, LongLiveTokenIn, LongLiveTokenInDB, LongLiveTokenOut
+from mealie.schema.user import (
+    CreateToken,
+    DeleteTokenResponse,
+    LongLiveTokenCreateResponse,
+    LongLiveTokenIn,
+    LongLiveTokenInDB,
+)
 
 router = UserAPIRouter(prefix="/users", tags=["Users: Tokens"])
 
 
 @controller(router)
 class UserApiTokensController(BaseUserController):
-    @router.post("/api-tokens", status_code=status.HTTP_201_CREATED, response_model=LongLiveTokenOut)
+    @router.post("/api-tokens", status_code=status.HTTP_201_CREATED, response_model=LongLiveTokenCreateResponse)
     def create_api_token(
         self,
         token_params: LongLiveTokenIn,

mealie/schema/user/__init__.py

@@ -10,6 +10,7 @@ from .user import (
     GroupInDB,
     GroupPagination,
     GroupSummary,
+    LongLiveTokenCreateResponse,
     LongLiveTokenIn,
     LongLiveTokenInDB,
     LongLiveTokenOut,
@@ -57,6 +58,7 @@ __all__ = [
     "GroupInDB",
     "GroupPagination",
     "GroupSummary",
+    "LongLiveTokenCreateResponse",
     "LongLiveTokenIn",
     "LongLiveTokenInDB",
     "LongLiveTokenOut",

mealie/schema/user/user.py

@@ -31,7 +31,6 @@ class LongLiveTokenIn(MealieModel):
 
 
 class LongLiveTokenOut(MealieModel):
-    token: str
     name: str
     id: int
     created_at: datetime | None = None
@@ -42,6 +41,12 @@ class LongLiveTokenOut(MealieModel):
         return [joinedload(LongLiveToken.user)]
 
 
+class LongLiveTokenCreateResponse(LongLiveTokenOut):
+    """Should ONLY be used when creating a new token, as the token field is sensitive"""
+
+    token: str
+
+
 class CreateToken(LongLiveTokenIn):
     user_id: UUID4
     token: str