Stop sending `{}` to the `/api/auth/login` endpoint when the login form hasn't been touched.

Steps to reproduce:

**Note**: You will need to watch the traffic in a DOM inspector; this has no user-observable symptoms because there's presently no error reporting for the login form.

1. In a new private tab, visit the `/login` page of a Pilcrow instance.
2. **Without touching the username or password fields**, click `sign in`.

The client _should_ send a request to `/api/auth/login` with the following payload:

```json
{
  "name": "",
  "password": ""
}
```

However, it instead sends an empty payload, leading to a 422 Unprocessable Content response as the request is missing required fields. Subsequent requests, or any request after the user enters data in the input fields, are correctly serialized.

Merges login-form-nulls into main.

2 files changed, 9 insertions, 2 deletions

diff --git a/ui/lib/components/LogIn.svelte b/ui/lib/components/LogIn.svelte
index c49ea3b..b491583 100644
--- a/ui/lib/components/LogIn.svelte
+++ b/ui/lib/components/LogIn.svelte
@@ -1,8 +1,8 @@
 <script>
   let { legend = 'sign in', logIn = async (username, password) => {} } = $props();
 
-  let username = $state();
-  let password = $state();
+  let username = $state('');
+  let password = $state('');
   let disabled = $state(false);
 
   async function onsubmit(event) {
diff --git a/ui/tests/lib/components/LogIn.svelte.test.js b/ui/tests/lib/components/LogIn.svelte.test.js
index 00abb5c..0835870 100644
--- a/ui/tests/lib/components/LogIn.svelte.test.js
+++ b/ui/tests/lib/components/LogIn.svelte.test.js
@@ -31,4 +31,11 @@ describe('LogIn', async () => {
       'my very creative and long password',
     );
   });
+
+  it('sends empty strings before being populated', async () => {
+    const signIn = screen.getByRole('button');
+    await user.click(signIn);
+
+    expect(mocks.logIn).toHaveBeenCalledExactlyOnceWith('', '');
+  });
 });