An AI coding assistant generated this Node.js endpoint. You're reviewing the PR. What's the most severe issue?
app.post("/login", async (req, res) => {
const { email, password } = req.body;
const user = await db.query(
`SELECT * FROM users WHERE email = '${email}'`
);
if (user && await bcrypt.compare(password, user.password_hash)) {
const token = jwt.sign({ id: user.id }, "secret123");
return res.json({ token });
}
res.status(401).json({ error: "Invalid credentials" });
});