fix(security): remove JWT role extraction without signature, add OTP replay protection, fix user enumeration

backend/auth/login.php

@@ -54,14 +54,12 @@ if ($count > 0) {
         ]);
         // jsonError("Incorrect password.");
     }
-} else {
-    // The user does not exist
-    echo json_encode([
-            "status" => "Failure",
-            "data" => "User does not exist."
-        ]);
-    // jsonError("User does not exist.");
-}
-$conn->close();
+    } else {
+        echo json_encode([
+                "status" => "Failure",
+                "data" => "Invalid credentials."
+            ]);
+    }
+$con = null;
 
 ?>