Afolabi In your application, user password is sent as plaintext in POST request.
Check my screen record : https://cl.ly/444751656e49
... they are hashed before sending to server ...
You're not hashing the password before it is reach to the server. You can hash the password in your backend (server) but it doesn't mean it is safely hashed because you have plaintext version of it when it is sent to server for first time. You can log this plaintext password and can use it to reach user's private key. The screen record is proof of that.
I assuming you're using PHP
// you have plaintext version of password and getting it by POST request from the user
$password = $_POST['password'];
// think we have an abstract logPassword function which is saving given data into a file
// $password is plaintext password of the user from POST request
// we're sending $password into this function and tadaaa you have user's password now you can use it to decrypt
// now you can claim you're hashing the password for 1000000000000000 times
// but it doesnt matter because you have plaintext version of it when it is reach to the server
$very_secure_version_password = hashPasswordFor100000000Times($password);
I hope this simple example will help you understand that there is no security you claim.