fix(auth): enforce POST body credentials and generic auth errors

index.js

@@ -75,9 +75,8 @@ const { signup, login, logout, resetPassword } = require('./auth/authEmail.js');
  *       400:
  *         description: Bad request.
  */
-// SECURITY PLAN (point #2):
-// Make signup/login POST-only once clients are aligned.
-app.route('/signup').get(signup).post(signup);
+// SECURITY FIX (#2): POST-only signup to avoid query-string credential leakage.
+app.post('/signup', signup);
 /**
  * @swagger
  * /login:
@@ -110,7 +109,8 @@ app.route('/signup').get(signup).post(signup);
  *       401:
  *         description: Invalid credentials.
  */
-app.route('/login').get(login).post(login);
+// SECURITY FIX (#2): POST-only login to avoid query-string credential leakage.
+app.post('/login', login);
 /**
  * @swagger
  * /logout: