Edit in JSFiddle

// Example request: https://mynodejsurl.com/myusername?pass=mypassword123
// sends back the user information if the hashed query parameter for `pass` (password) is the right one for the user
  // sends back object with database information as well as a field called `correctPassword` which is either true or false
  app.get("/:user", (req, res) => {
    collection.find({ user: req.params.user }).toArray((err, docs) => {
      if (err) {
        res.send({ response: "An error occured in getting the user info." });
      } else {
        if (docs.length > 0) { // if there were matches (there are users with that username)
          // get the first users password (each user should have a unique username)
          let hashedPassword = docs[0].pass;
          // get the salt
          const salt = docs[0].salt;

          // if there was no password sent in the query of the url (after the `?` in the req url)
          if (!req.query.pass) {
            res.send("There was no password associated with the GET req.");

          // The password sent in the GET req.
          // Enclose in template to make sure it is a string (so if a password is a number, it treats it as a string).
          // Prepend the salt to the sent passcode.
          const hashedQueryPassword = hash(`${salt}${req.query.pass}`); 

          // if the password that was sent with the get request matches the user's password
          if (hashedPassword === hashedQueryPassword) {
            // send back the user's information
            res.send({ ...docs[0] });
          } else {
            // otherwise, the password was wrong. Send back a generic error message.
            res.send("There was an error with either the username or passcode.");
        } else {
          res.send("There were no users with that name found. ");