network.matrixhub

The current authentication system for the backend, as implemented in `backend/app/api/routes/auth.py`, uses in-memory storage with plain-text passwords for demo accounts and simple token generation. This is explicitly stated by the author as 'for demo purposes - replace with database in production' and is a critical vulnerability for actual production deployment without modification. The frontend uses `dangerouslySetInnerHTML` in `MessagesView.tsx` for JSON syntax highlighting; while the `highlightJSON` function appears controlled, `dangerouslySetInnerHTML` always carries an XSS risk if input is not meticulously sanitized. CORS configuration can default to `*` (all origins), which is insecure for production but configurable. On the positive side, the project uses SQLAlchemy ORM to prevent SQL injection, and the documentation clearly outlines security 'TODOs' for production, including password hashing (bcrypt) and JWT tokens.