pgjssg/postgres · PR #987
fix: SQL injection in user lookup
pending [TEST] 5 comments by @JaneDeveloper
🧪 This is a synthetic test review. Approving comments will NOT post to GitHub — it just confirms the pipeline works end-to-end.
📄 db/user-queries.js
line 28 (RIGHT)
**[CRITICAL] SQL injection vulnerability**

User input `req.params.id` is concatenated directly into the SQL query. This allows attackers to manipulate query logic or exfiltrate data. Use parameterized queries.

```js
// Fix: use $1 parameter
const result = await pool.query('SELECT * FROM users WHERE id = $1', [req.params.id]);
```
line 45 (RIGHT)
**[HIGH] Password stored in plain text**

The `password` column is compared using `===` against plain text. Use bcrypt to hash passwords before storage and comparison.
line 58 (RIGHT)
**[MEDIUM] Missing rate limiting on auth endpoint**

This endpoint has no rate limit. An attacker can brute-force credentials without restriction. Add per-IP rate limiting (e.g., 5 attempts/minute).
line 71 (RIGHT)
**[LOW] Session token has no expiry**

Sessions are created without an expiration time. Tokens may remain valid indefinitely if the user does not log out. Set `expiresIn` on the JWT.
line 83 (RIGHT)
**[MEDIUM] CORS allows all origins**

`Access-Control-Allow-Origin: *` is overly permissive for an authenticated endpoint. Restrict to known origins only.