[Bug]: login endpoint returns HTTP 200 for invalid credentials instead of HTTP 401 #279

Description

@anshul23102

Bug Summary

In backend/controllers/auth.controller.js, the login function returns res.json({ loginStatus: false, Error: 'Invalid Credentials' }) with the default HTTP 200 status code when authentication fails:

if (!match) {
    return res.json({ loginStatus: false, Error: 'Invalid Credentials' });
}

This is an HTTP anti-pattern. Security middleware, CDN caches, analytics tools, and client-side interceptors that inspect status codes will treat a failed login as a successful (200 OK) request.

Steps to Reproduce

  1. Send POST /api/auth/login with a valid email and an incorrect password.
  2. Inspect the HTTP response status code.
  3. Observe 200 OK instead of 401 Unauthorized.

Expected Behavior

Authentication failures should return HTTP 401:

return res.status(401).json({ loginStatus: false, Error: 'Invalid Credentials' });

The same fix applies to the user-not-found branch above it.

Actual Behavior

Failed login returns 200 OK with a JSON body indicating failure. Security tools that monitor for unauthorized access patterns cannot detect brute-force attempts based on HTTP status codes alone.

Environment

  • Backend: Node.js / Express
  • File: backend/controllers/auth.controller.js, function: login

Additional Context

Expected NSOC points: NSOC'26 level1 (beginner - incorrect HTTP status code with security implications)

Suggested labels: bug, NSOC'26, level1

Checklist:

  • Searched existing issues - not a duplicate
  • Read CONTRIBUTING.md and project rules
  • No AI/Claude mentions
  • No em dashes or double hyphens
  • Repository verified as NSOC

Metadata

Labels

NSOC'26 (Issues for the NSOC 2026 program)
