[Security Alert] Requesting the image generation queue exposes users external node API tokens

### Custom Node Testing

- [x] I have tried disabling custom nodes and the issue persists (see [how to disable custom nodes](https://docs.comfy.org/troubleshooting/custom-node-issues#step-1%3A-test-with-all-custom-nodes-disabled) if you need help)

### Expected Behavior

Requesting the `/api/queue` endpoint should only return basic information about the pending image generation requests.

### Actual Behavior

It returns the users API key or JWT token if they are signed into ComfyUI's paid external node provider. This could result in monetary losses against publicly exposed ComfyUI instances, as a malicious actor could replay a legitimate users token against a paid node provider.

### Steps to Reproduce

1. Sign in to your comfyUI account
2. Generate an image that will take a significant amount of time to generate
3. Load http://comfyui-ip-address/api/queue in a new tab
4. Note that your API key or JWT token is exposed depending on how you signed in

### Debug Logs

```powershell
N/A
```

### Other

<img width="1551" height="471" alt="Image" src="https://github.com/user-attachments/assets/30ac75df-07e5-4cc0-8eae-aa00010c785b" />

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Security Alert] Requesting the image generation queue exposes users external node API tokens #10494

Custom Node Testing

Expected Behavior

Actual Behavior

Steps to Reproduce

Debug Logs

Other

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[Security Alert] Requesting the image generation queue exposes users external node API tokens #10494

Description

Custom Node Testing

Expected Behavior

Actual Behavior

Steps to Reproduce

Debug Logs

Other

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions