fix(auth): send form-encoded body with camelCase fields on login

[Valyrian-Code]

Fix Login Failure Caused by Incorrect Token Request Format

Fixes #198

This change resolves the login failure originally reported in #198. Two issues combined to cause the 400 Bad Request response from POST /tokens:

1. sendRequest always sent Content-Type: application/json, while the /tokens endpoint requires application/x-www-form-urlencoded (as defined in the OpenAPI specification at /repo/api/v2/openapi).
2. auth.js used snake_case field names (token_name, token_scope, token_expire), but the TokenRequest schema defines the corresponding fields in camelCase (tokenName, tokenScope, tokenExpire).

Changes

• Added an isFormEncoded option to sendRequest

  • Sets the correct Content-Type
  • Encodes request bodies using URLSearchParams

• Updated fetchTokenApi to:

  • Pass isFormEncoded: true
  • Use camelCase field names matching the API schema

• Updated auth.test.js to reflect the corrected request payload

• Added test coverage for the isFormEncoded code path in sendRequest.test.js

How to Test

1. Start the development environment:

   docker compose -f docker-compose.dev.yml up

2. Open:

   http://localhost:3000
   

3. Log in using:

   • Username: fossy
   • Password: fossy

Expected Result

Successful login and redirect to the browse page.

Before this fix, every login attempt failed with:

400 Bad Request: Not all required parameters sent.

Closes #198.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds support for application/x-www-form-urlencoded request bodies in sendRequest, and updates the auth token API to use form-encoded parameters with camelCase keys.

Changes:

• Added isFormEncoded option to sendRequest that sets appropriate content-type header and URL-encodes the body.
• Updated fetchTokenApi to use isFormEncoded: true and renamed token body fields from snake_case to camelCase.
• Added corresponding test coverage for the new form-encoded path and updated the auth test expectations.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
src/api/sendRequest.js	Implements the isFormEncoded branch for headers and body serialization.
src/api/sendRequest.test.js	Adds a test verifying form-encoded body and headers.
src/api/auth.js	Switches token request to form-encoded and renames body keys to camelCase.
src/api/auth.test.js	Updates test to assert the new camelCase body keys.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Valyrian-Code]

~ cc @deo002

Could you please review this when you have a moment?
Thank you.

[github-actions]

This pull request has conflicts, please rebase to resolve those before we can evaluate the pull request.

[Valyrian-Code]

Rebased onto the latest main to resolve the merge conflicts.

Note on the current state of main: src/api/auth.js already uses the camelCase fields (tokenName/tokenScope/tokenExpire) and sets an isFormUrlEncoded: true flag — but src/api/sendRequest.js never reads that flag, so the request body is still JSON.stringify'd and POST /tokens still returns 400. This PR completes that fix by actually implementing form-encoding in sendRequest (sets content-type: application/x-www-form-urlencoded and serializes the body with URLSearchParams), wired via an isFormEncoded option, with body-encoding precedence documented (multipart > form-encoded > JSON).

Verified against the live v2 OpenAPI spec (/repo/api/v2/openapi): the TokenRequest schema uses camelCase and the endpoint requires application/x-www-form-urlencoded — snake_case/JSON returns 400 "Not all required parameters sent", the form-encoded camelCase body returns a valid JWT.

Happy to rename the option to isFormUrlEncoded to match the existing (currently unused) flag in auth.js if maintainers prefer that naming.