Bug
The REST API docs and OpenAPI spec describe POST /api/auth/login as returning tokens under session.access_token / session.refresh_token, but the route currently returns access_token and refresh_token at the top level.
This makes a client following the published docs read the wrong path and then send an invalid bearer token to authenticated endpoints.
Reproduction
- Call POST /api/auth/login with valid credentials.
- Compare the response shape with /docs/api or /api/openapi.json.
- The implementation returns top-level token fields, while the docs/spec still show a nested session object.
Expected
The docs and OpenAPI schema should match the current route response shape.
I have a small PR ready that updates the docs/spec and adds a route test assertion for the top-level token fields.
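
A contract check that surfaces this kind of drift, as an added example (not the project's code or the PR mentioned above). The schema fragment, the response body, the token values and the function names are constructed for illustration; only the field names come from the report.

```python
"""Contract check: documented login response schema vs. actual response body."""

# Constructed fragment of the documented 200 response schema (nested session
# object, as the issue describes). Other fields in the real spec are not shown.
DOCUMENTED_SCHEMA = {
    "type": "object",
    "properties": {
        "session": {
            "type": "object",
            "properties": {
                "access_token": {"type": "string"},
                "refresh_token": {"type": "string"},
            },
        },
    },
}

# Constructed response body in the shape the route actually returns.
ACTUAL_BODY = {"access_token": "PLACEHOLDER_ACCESS", "refresh_token": "PLACEHOLDER_REFRESH"}


def schema_paths(schema, prefix=""):
    """Return dotted paths of every leaf property in a JSON-schema object."""
    props = schema.get("properties")
    if not props:
        return {prefix} if prefix else set()
    paths = set()
    for name, sub in props.items():
        paths |= schema_paths(sub, f"{prefix}.{name}" if prefix else name)
    return paths


def body_paths(body, prefix=""):
    """Return dotted paths of every leaf value in a decoded JSON body."""
    if not isinstance(body, dict) or not body:
        return {prefix} if prefix else set()
    paths = set()
    for name, value in body.items():
        paths |= body_paths(value, f"{prefix}.{name}" if prefix else name)
    return paths


def contract_drift(schema, body):
    """Return (documented paths missing from body, body paths not documented)."""
    documented, returned = schema_paths(schema), body_paths(body)
    return sorted(documented - returned), sorted(returned - documented)


if __name__ == "__main__":
    missing, undocumented = contract_drift(DOCUMENTED_SCHEMA, ACTUAL_BODY)
    print("documented but not returned:", missing)
    print("returned but not documented:", undocumented)
```

Run against the real spec and a live login response in CI, a non-empty result on either side fails the build before a client ends up sending a token read from the wrong path.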