From e1edcf20543481adb3476e6c9b3e3dc71054caa4 Mon Sep 17 00:00:00 2001
From: tylrx404
Date: Tue, 23 Jun 2026 23:54:53 +0530
Subject: [PATCH] fix: hash passwords using bcrypt for secure authentication

---
 server.js | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/server.js b/server.js
index 13aab53..92d1211 100644
--- a/server.js
+++ b/server.js
@@ -1,6 +1,7 @@
 require('dotenv').config();
 const express = require('express');
 const cors = require('cors');
+const bcrypt = require('bcrypt');
 const { db, initDb } = require('./database');
 const { GoogleGenAI } = require('@google/genai');
 const path = require('path');
@@ -555,7 +556,7 @@ Text: "${text}"
 // ================= AUTH =================
 // SIGNUP
-app.post('/api/auth/signup', (req, res) => {
+app.post('/api/auth/signup', async(req, res) => {
   const { email, password } = req.body;
   if (!email || !password) {
@@ -566,10 +567,11 @@ app.post('/api/auth/signup', (req, res) => {
   const id = 'user_' + Date.now();
+  const hashedPassword = await bcrypt.hash(password, 10);
   db.run(
     `INSERT INTO users (id, email, password) VALUES (?, ?, ?)`,
-    [id, email, password],
+    [id, email, hashedPassword],
     function(err) {
       if (err) {
@@ -594,7 +596,7 @@ app.post('/api/auth/signup', (req, res) => {
 });
 // LOGIN
-app.post('/api/auth/login', (req, res) => {
+app.post('/api/auth/login',async (req, res) => {
   const { email, password } = req.body;
   if (!email || !password) {
@@ -606,7 +608,7 @@ app.post('/api/auth/login', (req, res) => {
   db.get(
     `SELECT * FROM users WHERE email = ?`,
     [email],
-    (err, user) => {
+    async (err, user) => {
       if (err) {
         return res.status(500).json({
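Review bot: `const hashedPassword = await bcrypt.hash(password, 10);` is awaited with no try/catch; if the call rejects (for example because `password` arrived in the JSON body as a number or an object, which the `!password` guard above it does not exclude), the handler never sends a response and the rejection is unhandled — Express 4 does not catch errors from async handlers, and Node's default unhandled-rejection behaviour terminates the process (the Express and Node versions are not visible here). Wrap the hash in a try/catch that answers with a generic 500 and tighten the guard to `typeof email !== 'string' || typeof password !== 'string'` so only strings reach bcrypt. Note also that bcrypt only uses the first 72 bytes of its input, so a documented or enforced maximum password length belongs next to this call. The signup handler's body continues outside this hunk.
```javascript
  const id = 'user_' + Date.now();
  let hashedPassword;
  try {
    hashedPassword = await bcrypt.hash(password, 10);
  } catch (err) {
    // Do not leak the exception detail to the client.
    return res.status(500).json({ error: 'Internal server error' });
  }
  // … unchanged: db.run INSERT using hashedPassword …
```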
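Review bot: Turning the sqlite callback into `async (err, user) => {` means any rejected `await` inside it (the `bcrypt.compare` in the following hunk) becomes an unhandled promise rejection: sqlite3 does not await its callbacks and Express cannot see inside them, so the client gets no response and the process may terminate. Wrap the body after the `if (err)` check in `try { /* compare + respond */ } catch (e) { return res.status(500).json({ error: 'Internal server error' }); }`. Separately, the continuation returns 401 before `bcrypt.compare` is ever called when no user row exists, so a request for an unknown email completes noticeably faster than one for a registered email, which lets an attacker enumerate accounts; running the compare against a precomputed dummy hash in the not-found branch evens out the timing. Rows written before this commit still hold plaintext passwords and will stop authenticating once `bcrypt.compare` is the only check, so a migration or forced reset for pre-existing accounts is needed. The callback body continues past this hunk.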
@@ -614,12 +616,21 @@ app.post('/api/auth/login', (req, res) => {
         });
       }
-      if (!user || user.password !== password) {
+      if (!user) {
         return res.status(401).json({
           error: 'Invalid email or password'
         });
       }
+      const isValid = await bcrypt.compare(
+        password,
+        user.password
+      );
+      if (!isValid) {
+        return res.status(401).json({
+          error: 'Invalid email or password'
+        });
+      }
       res.json({
         success: true,
         email: user.email