Security: Insecure PIN Hashing (Unsalted SHA-256) #20

@windoze95

File: app/api/auth.py
Lines: 19-20 (in _hash_pin)

Description:
The authentication PIN is currently hashed using a fast, unsalted SHA-256 algorithm:

import hashlib

# Vulnerable: one deterministic SHA-256 over the raw PIN, no salt, no work factor.
def _hash_pin(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()

Since users are likely using 4-6 digit numeric PINs, this can be trivially broken using precomputed rainbow tables or brute-force dictionaries in milliseconds.

Impact:
If the SQLite database is leaked or accessed by an unauthorized entity, they can reverse all user PINs instantaneously.

Suggested Fix:
Migrate to a standard key derivation function such as bcrypt or argon2 using a library like passlib or Python's native hashlib.scrypt/hashlib.pbkdf2_hmac with a secure random salt.

# Example using passlib (pip install passlib bcrypt)
from passlib.context import CryptContext

# bcrypt generates a fresh random salt per hash and embeds it, together with the
# cost factor, in the returned string; "deprecated='auto'" lets the context flag
# hashes made under older schemes for re-hashing.
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")

def _hash_pin(pin: str) -> str:
    return pwd_context.hash(pin)

def _verify_pin(pin: str, stored_hash: str) -> bool:
    return pwd_context.verify(pin, stored_hash)
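The following is an added, stand-alone example and not code from the project or from the issue author. It demonstrates the two halves of the report with only the Python standard library: an exhaustive search that recovers a numeric PIN from an unsalted SHA-256 digest, and a salted `hashlib.scrypt` replacement with constant-time verification plus a login-time upgrade path for rows that still hold the legacy 64-hex-character digest. The scrypt parameters, the `scrypt$n$r$p$salt$hash` storage format and the function names are assumptions made for this example. One caveat the issue does not spell out: a 4-6 digit PIN space is only about 1.1 million guesses, so a slow KDF raises the attacker's cost per guess but cannot make a leaked table safe on its own; pair it with server-side rate limiting or a secret pepper kept outside the database.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


# Legacy scheme as reported in app/api/auth.py: fast, unsalted SHA-256.
def hash_pin_sha256(pin: str) -> str:
    return hashlib.sha256(pin.encode()).hexdigest()


def crack_sha256_pin(digest: str, min_digits: int = 4, max_digits: int = 6) -> Optional[str]:
    """Recover a numeric PIN from an unsalted SHA-256 digest by exhaustive search.

    Worst case is 10**4 + 10**5 + 10**6 SHA-256 calls. Because there is no salt,
    the same pass (or a precomputed table) serves every row in a leaked database.
    """
    for length in range(min_digits, max_digits + 1):
        for n in range(10 ** length):
            candidate = str(n).zfill(length)
            if hash_pin_sha256(candidate) == digest:
                return candidate
    return None


# Hardened scheme: stdlib scrypt with a random 16-byte salt per record.
# Parameters are an assumption for this example (N=2**14, r=8 -> ~16 MiB); tune per deployment.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DK_LEN = 2 ** 14, 8, 1, 32


def hash_pin_scrypt(pin: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'scrypt$N$r$p$salt_hex$dk_hex' string (format assumed here)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(pin.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_pin(pin: str, stored: str) -> bool:
    """Re-derive with the parameters embedded in the stored string; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    dk = hashlib.scrypt(
        pin.encode(), salt=bytes.fromhex(salt_hex), n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def is_legacy_hash(stored: str) -> bool:
    # Old _hash_pin output: exactly 64 hex characters and no scheme prefix.
    return "$" not in stored and len(stored) == 64 and all(c in "0123456789abcdef" for c in stored)


def check_and_upgrade(pin: str, stored: str) -> Tuple[bool, str]:
    """Verify against either format. On a successful legacy login, return a fresh
    scrypt hash for the caller to write back, so the table migrates as users log in."""
    if is_legacy_hash(stored):
        ok = hmac.compare_digest(hash_pin_sha256(pin), stored)
        return ok, (hash_pin_scrypt(pin) if ok else stored)
    return verify_pin(pin, stored), stored


if __name__ == "__main__":
    # Constructed sample: a 4-digit PIN hashed the legacy way, then recovered.
    leaked = hash_pin_sha256("0427")
    print("legacy digest", leaked, "->", crack_sha256_pin(leaked))
    ok, replacement = check_and_upgrade("0427", leaked)
    print("login ok:", ok, "| upgraded record:", replacement[:40], "...")
```

Run it directly to see the legacy digest cracked and the record rewritten in the scrypt format; `check_and_upgrade` is the piece to call from the login handler, persisting the returned string whenever it differs from what was read.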
