pub async fn login(db: &Db, email: &str, password: &str) -> Result<String>Expand description
Verify credentials and create a session. Returns the session token to set in the cookie. A deliberately vague error on failure — we don’t want to leak whether the email was valid.