fix: Replace in-memory auth with bcrypt, SQLite persistence, and JWT. #947

Open
Mayur-e wants to merge 1 commit into Charushi06:main from Mayur-e:fix/auth-bcrypt-sqlite-jwt

Mayur-e commented May 29, 2026

Related Issue

Closes #914

Summary

The auth system was storing passwords as plaintext in a runtime object (const users = {}), which meant all accounts were lost on every restart and passwords were never hashed. This PR migrates auth to the existing SQLite database using bcrypt for password hashing and JWT for login tokens.

Also fixes a SyntaxError caused by a duplicate const calendarDownloadBtn declaration in app.js that was preventing the frontend from loading.

Changes Made

  • database.js — Added users table with id, email, password_hash, created_at
  • server.js — Removed const users = {}; passwords hashed with bcrypt (10 rounds) on signup; login verified with bcrypt.compare(); successful login returns a signed JWT (7d expiry); startup warning added if JWT_SECRET is missing
  • .env.example — Added JWT_SECRET with a note on how to generate one
  • package.json / package-lock.json — Added missing bcrypt and jsonwebtoken dependencies
  • js/app.js — Removed duplicate const calendarDownloadBtn at line 89 that caused a module-level SyntaxError, crashing all frontend JS

Testing

Tested locally with node server.js against http://localhost:3000.

1. Signup returns 201 and account is created

2. Password stored as bcrypt hash in SQLite — not plaintext

3. Login returns a signed JWT token

4. Account survives server restart — login works after node server.js is stopped and restarted

Screenshots

See Testing section above.

Checklist

  • Code follows project style
  • Tested locally
  • No unrelated changes included
  • Documentation updated (if applicable)
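
Added example, not code from this PR or from the project: the token half of the flow described above (signed token with a 7d expiry, plus handling of a missing JWT_SECRET), written with Node's built-in crypto in place of the jsonwebtoken package so it runs with no dependencies. The function names, the 32-character minimum, and throwing instead of warning at startup are assumptions of this example.

```javascript
// Added example (not from the PR). Node built-ins only.
const nodeCrypto = require('node:crypto');

const SEVEN_DAYS = 7 * 24 * 60 * 60; // seconds; the PR's 7d expiry
const MIN_SECRET_LENGTH = 32;        // assumption, not a value from the PR

const b64url = (value) => Buffer.from(value).toString('base64url');
const mac = (data, secret) =>
  nodeCrypto.createHmac('sha256', secret).update(data).digest().toString('base64url');

// Fail closed: throw at startup rather than only warning when the secret is unusable.
function loadSecret(env) {
  const secret = env.JWT_SECRET;
  if (typeof secret !== 'string' || secret.length < MIN_SECRET_LENGTH) {
    throw new Error('JWT_SECRET is missing or too short');
  }
  return secret;
}

function signToken(claims, secret, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ ...claims, iat: now, exp: now + SEVEN_DAYS }));
  return `${header}.${payload}.${mac(`${header}.${payload}`, secret)}`;
}

// Returns the claims, or null for a malformed, forged, wrong-algorithm or expired token.
function verifyToken(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [header, payload, signature] = parts;
  const expected = Buffer.from(mac(`${header}.${payload}`, secret));
  const given = Buffer.from(signature);
  // Constant-time comparison; the length check keeps timingSafeEqual from throwing.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) return null;
  try {
    const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
    if (alg !== 'HS256') return null; // pin the algorithm; never trust the header's choice
    const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
    return typeof claims.exp === 'number' && claims.exp > now ? claims : null;
  } catch {
    return null;
  }
}
```

With the jsonwebtoken package, the equivalent of the algorithm pin is passing an explicit algorithms list to jwt.verify().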

Development

Successfully merging this pull request may close these issues.

bug: Auth System Stores Passwords in Plaintext in Memory — All Accounts Lost on Restart