[Bug] DEBUG log statements at INFO/ERROR level left in production code, one leaks auth tokens

[rohansx]

Bug

15 log statements prefixed with "DEBUG:" are left at INFO, WARNING, and ERROR log levels in production code:

• app/modules/users/user_service.py — 8 instances (lines 123, 128, 132, 135, 155, 160, 163, 166)
• app/modules/auth/auth_service.py — 7 instances (lines 80, 81, 82, 87, 95, 104, 122)

Security concern

Line 104 in auth_service.py logs the first 20 characters of the Firebase auth token at INFO level:

logging.info("DEBUG: Verifying Firebase token: %s...", credential.credentials[:20])

This leaks credential data into log files and log aggregators.

Impact

• Credential leakage: Partial auth tokens written to logs at INFO level
• Log noise: 15 debug statements pollute production logs since they run at INFO/WARNING/ERROR level instead of DEBUG
• PII exposure: User emails logged at INFO level in user_service.py

Expected behavior

These debug statements should be removed entirely. The auth flow and user lookups are standard operations that don't need verbose logging in production.

[arnavp27]

Hi, I've removed the 15 DEBUG: log statements mentioned in the issue across user_service.py and auth_service.py (including the token leak on line 104).

While fixing those, I searched the rest of the codebase and found 3 more instances of the exact same bug in app/modules/conversations/conversation/conversation_service.py:

Line 621: logger.info(f"DEBUG: store_message called with message.attachment_ids: {message.attachment_ids}")
Line 1282: logger.info(f"DEBUG: Retrieved attachment {attachment_id}: type=..., mime_type=...")
Line 1302: logger.info(f"DEBUG: Skipping attachment {attachment_id} - not an image or attachment not found")
Same pattern — debug content logged at INFO level, bypassing log level filtering in production.

Should I remove these as well in the same PR, or would you prefer I just raise the PR with the fix for what's described in the issue?