
Fix user login: seed script for sample_mflix passwords #5

Status: Open. devin-ai-integration[bot] wants to merge 2 commits into main from devin/1777990196-fix-user-passwords


Conversation

devin-ai-integration[bot] (Contributor) commented May 5, 2026

Summary

The sample_mflix.users collection had bcrypt-hashed passwords from MongoDB's sample dataset with unknown plaintext values, making login impossible.

Fix:

  1. Updated buildScripts/seedPasswords.js to generate a unique random 16-character password per user using crypto.randomBytes() (CSPRNG), hash it with bcrypt (12 rounds), and store only the hash in the database
  2. The seed script outputs credentials in CSV format to stdout (email,name,password) — redirect to a file to save them
  3. Updated README.md with:
    • Password seeding instructions (step 3 in Getting Started)
    • Login credentials section explaining how to find passwords in the CSV output
    • Full Password Hashing Methodology section documenting: algorithm choice (bcrypt), cost factor (12 rounds), salt generation, CSPRNG usage, and why bcrypt is preferred over SHA-256/MD5
  4. Already ran the seed script against the remote database — all 186 users now have unique random passwords

Review & Testing Checklist for Human

  • Run `MONGODB_URI=... npx babel-node buildScripts/seedPasswords.js > credentials.csv` to generate fresh passwords
  • Open credentials.csv and pick a user — log in at /login with their email and password
  • Review the Password Hashing Methodology section in README.md for accuracy
  • Verify the seed script is idempotent (run it again, old passwords stop working, new ones work)

Notes

  • Passwords are 16 characters from base64-encoded crypto.randomBytes(12) — high entropy
  • bcrypt cost factor of 12 provides strong brute-force resistance (~250ms per hash on modern hardware)
  • The seed script uses console.log for CSV data (stdout) and console.error for status messages (stderr), so > credentials.csv captures only the credentials

Link to Devin session: https://app.devin.ai/sessions/0d833d4d3ece4b3eb062814e69f69c0d
Requested by: @abalaster

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
devin-ai-integration[bot] (Contributor, Author) commented

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


…odology

Co-Authored-By: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
devin-ai-integration[bot] (Contributor, Author) commented

Test Results: Random Password Seeding & Login

Tested by: Devin — ran the app locally against the remote MongoDB Atlas database, tested login flow end-to-end with unique random passwords from credentials.csv.


Test 1: Login with correct random password — PASSED
  • Email: sean_bean@gameofthron.es, Password: from credentials.csv
  • URL changed to /profile, page shows "Name: Ned Stark"
  [Screenshots: login form; Ned Stark profile after login]
Test 2: Old shared password "password" rejected — PASSED
  • Email: sean_bean@gameofthron.es, Password: password
  • Red "Invalid email or password" error displayed, stays on /login
Test 3: Another user's password rejected (proves uniqueness) — PASSED
  • Email: mark_addy@gameofthron.es with Ned Stark's password → rejected
  • Same email with Robert Baratheon's own password → accepted, profile shows "Name: Robert Baratheon"
  [Screenshots: wrong password rejected; Robert Baratheon profile after login]

Summary: All 3 tests passed. Each user has a unique random password. Old shared password rejected. Bcrypt (12 rounds) working correctly.

