It looks like your login route never validates that the password matched; it appears to simply find a match for the user email that was entered, meaning anyone who knows a valid user email would be able to log in as that user regardless of what password they provide?
Oh yes. While writing this article I forgot to mention the password match and password verification in the login route. Thanks for pointing it out.
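The flaw raised in this thread next to a corrected check, as an added example that is not code from the article or its author. All names here (`users`, `hashPassword`, `loginEmailOnly`, `loginVerified`) are hypothetical, the in-memory `Map` stands in for the database, and scrypt from Node's built-in `crypto` module is an assumed choice of password hash.

```javascript
// Added example: every name below is hypothetical, not taken from the article.
const crypto = require('node:crypto');

// Derive a salted scrypt hash; store "salt:hash", never the plaintext password.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  const hash = crypto.scryptSync(password, salt, 32);
  return `${salt.toString('hex')}:${hash.toString('hex')}`;
}

// Constructed sample user store standing in for the database.
const users = new Map([
  ['alice@example.com', { email: 'alice@example.com', passwordHash: hashPassword('correct horse') }],
]);

// Flawed pattern described in the comment: an email match alone counts as a login.
function loginEmailOnly(email, _password) {
  const user = users.get(email);
  return user ? { ok: true, email: user.email } : { ok: false };
}

// Fixed dummy hash so an unknown email costs the same work as a known one.
const DUMMY_HASH = hashPassword('dummy-password-not-used');

// Recompute the hash with the stored salt and compare in constant time.
function verifyPassword(password, stored) {
  const [saltHex, hashHex] = stored.split(':');
  const expected = Buffer.from(hashHex, 'hex');
  const actual = crypto.scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length);
  return crypto.timingSafeEqual(actual, expected);
}

// Corrected pattern: succeed only when the user exists AND the password verifies.
function loginVerified(email, password) {
  if (typeof email !== 'string' || typeof password !== 'string') return { ok: false };
  const user = users.get(email);
  const matches = verifyPassword(password, user ? user.passwordHash : DUMMY_HASH);
  // Same failure result for "no such user" and "wrong password".
  return user && matches ? { ok: true, email: user.email } : { ok: false };
}
```

Returning the same failure object for an unknown email and a wrong password keeps the route from confirming which emails are registered.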