📝 Issue Description:
The current login system is not validating user credentials properly. A user can:
Login without ever signing up, meaning there's no check to confirm if the user exists in the database.
Login with any password, even if it’s different from the original one used during signup — the system does not verify or store passwords correctly.
This makes authentication unreliable and insecure, allowing anyone to gain access with any credentials.
✅ Expected Fix:
Implement a check to ensure that only registered users can log in. The login route should first verify if the user exists in the database.
Passwords must be securely stored during signup and then verified during login.
If a user attempts to log in with incorrect credentials (email or password), the system should return a proper error response (401 Unauthorized).
Add validation to both signup and login inputs.
🔐 Why It Matters:
Without proper checks:
Anyone can create unauthorized access.
There’s no guarantee that login credentials are accurate or secure.
It opens up serious security risks and data integrity issues.
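A reference implementation of the fix requested above, added here as an example and not taken from this repository: signup stores only a salted PBKDF2 hash, login first looks the user up and then verifies the password with a constant-time comparison, both routes validate their input, and any unknown email or wrong password gets the same 401 "invalid credentials" response so the error does not reveal which part was wrong. The in-memory `USERS` dict, the `(status, body)` return shape and the email/password rules are assumptions standing in for the project's database and web framework.

```python
import hashlib
import hmac
import os
import re

# Constructed in-memory user store standing in for the project's database.
# Assumption: the real app persists a per-user salt and hash, never the password.
USERS = {}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MIN_PASSWORD_LENGTH = 8
# OWASP's current recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_LENGTH = 16


def validate_credentials(email, password):
    """Return an error message, or None if the input is acceptable."""
    if not isinstance(email, str) or not isinstance(password, str):
        return "email and password must be strings"
    if not EMAIL_RE.match(email.strip()):
        return "invalid email"
    if len(password) < MIN_PASSWORD_LENGTH:
        return "password must be at least %d characters" % MIN_PASSWORD_LENGTH
    return None


def hash_password(password, salt=None):
    """Derive a key from the password; a fresh random salt is used if none is given."""
    if salt is None:
        salt = os.urandom(SALT_LENGTH)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def signup(email, password):
    """Register a user. Returns (http_status, json_body)."""
    err = validate_credentials(email, password)
    if err:
        return 400, {"error": err}
    email = email.strip().lower()
    if email in USERS:
        return 409, {"error": "user already exists"}
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "hash": digest}  # plaintext is never stored
    return 201, {"message": "user created"}


def login(email, password):
    """Authenticate a user. Returns (http_status, json_body)."""
    err = validate_credentials(email, password)
    if err:
        return 400, {"error": err}
    email = email.strip().lower()
    record = USERS.get(email)
    if record is None:
        # Unknown user: still run the KDF so the response time does not
        # reveal whether the email exists, then fail with the same message.
        hash_password(password, salt=b"\x00" * SALT_LENGTH)
        return 401, {"error": "invalid credentials"}
    _, candidate = hash_password(password, salt=record["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(candidate, record["hash"]):
        return 401, {"error": "invalid credentials"}
    return 200, {"message": "login successful"}


if __name__ == "__main__":
    print(login("alice@example.com", "correct horse battery"))   # 401: not signed up yet
    print(signup("alice@example.com", "correct horse battery"))  # 201
    print(login("alice@example.com", "correct horse battery"))   # 200
    print(login("alice@example.com", "wrong password!"))         # 401
```

The unknown-user branch deliberately returns the same status and message as a wrong password; returning 404 for a missing email would let an attacker enumerate registered accounts.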