Thanks for sharing your thoughts on Authentication, but please don't roll your own Authentication/Authorization; instead use battle-proven solutions from the community.
Why, you may ask?
Because these are very security-sensitive things that can easily go wrong, like you have just done here in your solution.
What did I do wrong?
Well, to start with, you should NEVER return the user data like the password hash; this is a terribly bad thing to do from any perspective you may look at it from, plus returning the _id is also not advisable.
Some other things are not quite ok as well, but I'll leave that as an exercise for you to figure out. To help you with that I recommend that you read the OWASP API Security Top 10, and afterwards I hope that you will see that you are incurring some of the top 10 security risks.
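As an added illustration of the point about returning the password hash and _id (example code, not from the comment above or the post it replies to; the user document shape and values are constructed), this contrasts the leaky pattern with a deny-list fix and an allow-list fix, and shows why the allow-list is the one that keeps holding when new fields are added:

```javascript
// Constructed sample of what a MongoDB-backed login handler typically has
// in hand after a successful credential check (not from the original post).
const storedUser = {
  _id: "64f1c0ffee0000000000abcd",            // constructed placeholder id
  email: "alice@example.com",
  displayName: "Alice",
  passwordHash: "$2b$12$CONSTRUCTED.PLACEHOLDER.HASH",
  passwordResetToken: "CONSTRUCTED-RESET-TOKEN",
  createdAt: "2024-01-01T00:00:00Z",
};

// The problematic pattern the comment describes: the whole document goes
// back to the client, hash, internal id, reset token and all.
function leakyResponse(user) {
  return { ...user };
}

// Deny-list attempt: strips the fields the author knows about today, but
// any sensitive field added later (here the reset token) still leaks.
function denyListResponse(user) {
  const { passwordHash, _id, ...rest } = user;
  return rest;
}

// Allow-list: the response is built only from fields explicitly meant to be
// public, so a new sensitive column never reaches the wire by default.
const PUBLIC_USER_FIELDS = ["email", "displayName", "createdAt"];

function publicUserResponse(user) {
  const out = {};
  for (const field of PUBLIC_USER_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(user, field)) out[field] = user[field];
  }
  return out;
}

// Check usable in a unit test or CI gate: which fields that must never be
// exposed are present in a response body?
const NEVER_EXPOSE = ["passwordHash", "password", "passwordResetToken", "_id"];

function leaksSensitiveFields(body) {
  return NEVER_EXPOSE.filter((f) => Object.prototype.hasOwnProperty.call(body, f));
}
```

Running `leaksSensitiveFields` over each response makes the difference concrete: the raw document leaks three fields, the deny-list still leaks the reset token, and the allow-list leaks nothing.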