
Remove hardcoded authentication bypass#1

Open

Copilot wants to merge 3 commits into main from copilot/remove-hardcoded-authentication

Conversation


Copilot AI commented Feb 4, 2026

The login function contained a hardcoded credential bypass (admin/cert123) that allowed unauthorized access regardless of the stored user credentials.

Changes

  • login.js: Removed if(username == "admin" && password == "cert123") bypass logic. All authentication now validates against bcrypt-hashed credentials from environment.

  • README.md: Removed default credential references. Added setup instructions and security notes on password hashing and .env management.

Before:

// login.js before the fix: the hardcoded admin/cert123 check returns true
// before bcrypt is ever consulted, so the stored hash is irrelevant for that pair
const bcrypt = require('bcrypt');

async function login(username, password, hash) {
    if(username == "admin" && password == "cert123") {
        return true;
    } else {
        const match = await bcrypt.compare(password, hash);
        // ...
    }
}

After:

// login.js after the fix: every attempt goes through bcrypt.compare against the
// stored hash; there is no longer any path that returns true without a match
const bcrypt = require('bcrypt');

async function login(username, password, hash) {
    const match = await bcrypt.compare(password, hash);
    if (!match) {
        return false;
    }
    return true;
}

Original prompt

Problem:

The login.js file contains a hardcoded username (admin) and password (cert123) which is a potential security vulnerability. This allows unauthorized access if these credentials are not updated or removed during production.

if (username == 'admin' && password == 'cert123') {
  return true;
}

Resolution:

  1. Remove this hardcoded authentication bypass logic from login.js.
  2. Rely solely on the users' credentials managed securely (via a hash stored in the dotenv file).
  3. Update the README if necessary to remove references to the default username and password, ensuring users are aware of best practices for managing their credentials.
  4. Modify server.js and any related files if needed to ensure consistent behavior after removing this logic.

This pull request was created from Copilot chat.



Copilot AI and others added 2 commits February 4, 2026 16:13
…ctices

Co-authored-by: sei-vsarvepalli <19911912+sei-vsarvepalli@users.noreply.github.com>
Co-authored-by: sei-vsarvepalli <19911912+sei-vsarvepalli@users.noreply.github.com>
@sei-vsarvepalli sei-vsarvepalli marked this pull request as ready for review February 4, 2026 16:14
Copilot AI changed the title [WIP] Remove hardcoded username and password from login.js Remove hardcoded authentication bypass Feb 4, 2026
Copilot AI requested a review from sei-vsarvepalli February 4, 2026 16:15