Setup doesn't completely follow instructions as frontend is served by Render instead of Express. This is to avoid committing the build (dist dir) to git. This setup does however require CORS setup as well as having to pass backend's URL as env variable to frontend.
The approach I initially chose contradicts the note at the bottom of this task stating that frontend shouldn't be directly deployed. I can't come up with a reason why the embedded frontend approach would be better over separate deployments. However, in order to comply with the task, I changed the approach at this task and embedded the frontend's build in Git.
The instructions note that password restrictions shouldn't be handled by Mongoose validation, but in my approach it's possible as hashing is done in the pre-save hook.
All endpoints that modify the database require authentication.