- Add secure: true to cookies.set() in login and signup actions
- Add tests verifying JSESSIONID is forwarded to browser on successful
login and signup

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Add response object to mockSuccess() in login and signup tests so
response.headers.get() no longer throws
- Validate ?redirect= param: must start with / and not // to prevent
redirecting users to external domains

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

POSTs to /v1/auth/login, validates email/password server-side,
redirects to ?redirect param or /planner on success.
Returns generic error on bad credentials to prevent enumeration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
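
The `?redirect=` check described in the commit messages above, as an added example that is not the project's own code. The names `safeRedirect`, `FALLBACK` and `BASE` are hypothetical, and the example goes beyond the stated rule (starts with `/`, not `//`) by also rejecting backslashes and control characters and by confirming the resolved URL stays on a placeholder origin.

```javascript
// Added example; safeRedirect, FALLBACK and BASE are hypothetical names.
const FALLBACK = '/planner';      // default target named in the commit message
const BASE = 'http://localhost';  // placeholder origin, used only for parsing

function safeRedirect(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return FALLBACK;

  // Rule stated in the commit: must start with "/" and not "//".
  if (!raw.startsWith('/') || raw.startsWith('//')) return FALLBACK;

  // Beyond the stated rule: URL parsers treat "\" as "/" and drop tabs and
  // newlines, so "/\host" or "/<TAB>/host" can still resolve off-site.
  if (/[\\\u0000-\u001f\u007f]/.test(raw)) return FALLBACK;

  // Defence in depth: resolve like a browser would and confirm same origin.
  let url;
  try {
    url = new URL(raw, BASE);
  } catch {
    return FALLBACK;
  }
  if (url.origin !== BASE) return FALLBACK;

  // Return only the local part, never a scheme or host.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs (not taken from the project's tests).
const samples = [
  '/trips/42?tab=notes',
  '//other.example/x',
  'https://other.example/',
  '/\\other.example',
  '/\t/other.example',
  '',
];

function checkSamples() {
  return samples.map((s) => [s, safeRedirect(s)]);
}

console.log(checkSamples());
```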