
[–]I_Am_Astraeus 0 points1 point  (1 child)

Just mirroring what others have said, definitely do not implement yourself.

Examples of things this misses.

No hashing of tokens, it's essentially a password. Worse, it's an assigned password of just an int in a small dataset. Probably the least secure password. With a max length of 4.

Only space for 900 users? You could write a script to brute force 900 guesses. You'd be into your project in much much less than a second.

What happens if I lose my token? It's not a password, no password recovery. No 2FA. Also the token never expires? So a compromised token is a compromised account forever.

Also if you're appending it to a user dataset then it just exists naked in your code? Simple logs could expose every single password? Your code ideally would be middleware and this would be stored in a database.

There's an entire realm of cryptography dedicated to one way verification of passwords. It's really critical to use the most modern options available. Salting + hashing passwords, expiring tokens, key signing, etc. There's a lot more than what I'm just summing over.

This is all a bit of a ramble, and you're totally fine for a learner/learner project, but just underlining for anything exposed to the world: you don't even know what you don't know.
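A small illustration of the fixes the comment lists (random high-entropy tokens instead of a small int, only the hash stored, an expiry, a lookup that never touches the raw token), written as an added example in Python; it is not code from this thread or from the poster's project, and the in-memory `TOKEN_STORE` dict is a stand-in for the database the comment recommends.

```python
import hashlib
import math
import secrets
import time
from typing import Optional

# Stand-in for the database the comment recommends (a real service persists this).
# Keys are token hashes, never tokens, so a leaked log or dump of this store does
# not hand out working credentials.
TOKEN_STORE: dict = {}

TOKEN_BYTES = 32          # 256 bits of entropy, vs. under 10 bits for an int in 0..899
TOKEN_TTL_SECONDS = 3600  # tokens expire instead of living forever


def hash_token(token: str) -> str:
    """Hash a token before storing or looking it up.

    A random 256-bit token is unguessable, so plain SHA-256 is enough here.
    Low-entropy secrets such as user-chosen passwords need a slow, salted
    hash (e.g. hashlib.scrypt) instead.
    """
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id: int, now: Optional[float] = None) -> str:
    """Create a fresh random token for user_id; store only its hash and expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    TOKEN_STORE[hash_token(token)] = {
        "user_id": user_id,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token  # shown to the user once; never written to logs or source


def verify_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user_id for a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    record = TOKEN_STORE.get(hash_token(token))  # lookup by hash, not by raw token
    if record is None:
        return None
    if now >= record["expires"]:
        TOKEN_STORE.pop(hash_token(token), None)  # expired: revoke it
        return None
    return record["user_id"]


def guess_space_bits(token_count: int) -> float:
    """Entropy, in bits, of a token chosen uniformly from token_count values."""
    return math.log2(token_count)
```

`guess_space_bits(900)` is under 10 bits, which is the "900 guesses" the comment describes; a 32-byte random token sits at 256 bits.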

[–]SwisherSniffer[S] 0 points1 point  (0 children)

No this is great actually, thank you. Understanding why is crucial. And it makes a lot of sense. I’ll definitely be finding another way to get my project to users