Issue
The starter template currently saves passwords in plaintext and authenticates by matching raw values in the database. This is unsafe even for a template and should be switched to hashed passwords.
Why
- Plaintext passwords are insecure if anyone uses this template as-is.
- Login should verify with a hash, not raw text.
- JWT payload currently includes the full user object (including password).
Fix
- Use Argon2id and hash passwords on signup.
- On login: find the user by email and check the submitted password against the stored hash with argon2.verify().
- Never include the password in API responses or JWT payloads.