
Yes, agree, thanks! The white paper is here: https://docs.google.com/document/d/1T0SEj5WrymfyzNDD8rNGKQ2O... Need to add it to the landing page.


SHA-256 is not suited to derive key material from weak input data, you should use PBKDF2 or another key derivation function for that. The authentication method also seems pretty wonky, that's not how to do zero-knowledge password verification, you should look at methods like PAKE for that. As usual, just don't roll your own crypto if you don't know what you're doing.


Thanks for the feedback! The hash is actually used to derive an actual key using PBKDF2 -- the library used is https://cryptojs.gitbook.io/docs/

Also, I'm interested if you see an attack vector on the authentication method. One thing to note is that even if an attacker can authenticate successfully, they still have no access to the user's private data without brute-forcing the master password.



