Token creation/decoding/blacklisting was split across auth.py and deps.py, causing a circular import. Consolidate make_token, decode_token, and blacklist_token in deps.py; auth.py now imports from there.

Also switches /login to accept JSON body (username+pin) instead of form-encoded, and returns a proper user object in the response.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>