| author | ojacobson <ojacobson@noreply.codeberg.org> | 2025-08-26 04:32:42 +0200 |
|---|---|---|
| committer | ojacobson <ojacobson@noreply.codeberg.org> | 2025-08-26 04:32:42 +0200 |
| commit | 25914826e0f256789d943cd25375b2444130ce01 (patch) | |
| tree | 44ce77c5af10f2b90308ab31e9b383975ebfd280 /src/setup | |
| parent | 53944ef14af4d37c08464cb1bb9f3a8f09277194 (diff) | |
| parent | f6a79204c2ce9a15d7909c1c389417e0b7351cad (diff) | |
Remove unused response bodies from a number of API endpoints.
This removes the response body from the following methods:
* `POST /api/setup`
* `POST /api/auth/login`
* `POST /api/invite/:id`
* `POST /api/password`
The bodies returned from these methods were something of a rough guess as to what might be useful. Actual client development has shown that we don't use _any_ of the data from any of these API responses, so let's not tie ourselves to future compatibility by continuing to send them. We can add a body to a bodyless method a _lot_ more easily than we can change the body of a method that already returns one, after all.
These changes are not backwards compatible for clients which care about the existing bodies. To my knowledge, there are no such clients; the included client definitely doesn't care.
## Internals
Not only does this change stop returning bodies at the API surface, but it also stops retrieving and returning values used internally to construct those responses, simplifying the code a bit in the process.
One side effect of this is that tests that need to log in a user now need to manually verify the returned token secret, to convert it back into a user, whereas the previous versions returned both a token secret and a user during password login. I don't love the increase in the size of the tests, but I think it's the right tradeoff (and this change is code net-negative anyways).
Merges no-content into main.
Diffstat (limited to 'src/setup')
| -rw-r--r-- | src/setup/app.rs | 11 | ||||
| -rw-r--r-- | src/setup/handlers/setup/mod.rs | 10 | ||||
| -rw-r--r-- | src/setup/handlers/setup/test.rs | 19 |
3 files changed, 19 insertions, 21 deletions
diff --git a/src/setup/app.rs b/src/setup/app.rs
index 1210175..1856519 100644
--- a/src/setup/app.rs
+++ b/src/setup/app.rs
@@ -7,10 +7,7 @@ use crate::{
 name::Name,
 password::Password,
 token::{Secret, repo::Provider as _},
- user::{
- User,
- create::{self, Create},
- },
+ user::create::{self, Create},
 };
 pub struct Setup<'a> {
@@ -28,7 +25,7 @@ impl<'a> Setup<'a> {
 name: &Name,
 password: &Password,
 created_at: &DateTime,
- ) -> Result<(User, Secret), Error> {
+ ) -> Result<Secret, Error> {
 let create = Create::begin(name, password, created_at);
 let validated = create.validate()?;
@@ -42,9 +39,9 @@ impl<'a> Setup<'a> {
 let secret = tx.tokens().issue(stored.user(), created_at).await?;
 tx.commit().await?;
- let user = stored.publish(self.events);
+ stored.publish(self.events);
- Ok((user.as_created(), secret))
+ Ok(secret)
 }
 pub async fn completed(&self) -> Result<bool, sqlx::Error> {
diff --git a/src/setup/handlers/setup/mod.rs b/src/setup/handlers/setup/mod.rs
index 9e31282..fe24798 100644
--- a/src/setup/handlers/setup/mod.rs
+++ b/src/setup/handlers/setup/mod.rs
@@ -5,8 +5,8 @@ use axum::{
 };
 use crate::{
- app::App, clock::RequestedAt, error::Internal, name::Name, password::Password, setup::app,
- token::extract::IdentityCookie, user::User,
+ app::App, clock::RequestedAt, empty::Empty, error::Internal, name::Name, password::Password,
+ setup::app, token::extract::IdentityCookie,
 };
 #[cfg(test)]
@@ -17,14 +17,14 @@ pub async fn handler(
 RequestedAt(setup_at): RequestedAt,
 identity: IdentityCookie,
 Json(request): Json<Request>,
-) -> Result<(IdentityCookie, Json<User>), Error> {
- let (user, secret) = app
+) -> Result<(IdentityCookie, Empty), Error> {
+ let secret = app
 .setup()
 .initial(&request.name, &request.password, &setup_at)
 .await
 .map_err(Error)?;
 let identity = identity.set(secret);
- Ok((identity, Json(user)))
+ Ok((identity, Empty))
 }
 #[derive(serde::Deserialize)]
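Review bot: In the third `src/setup/app.rs` hunk, `stored.publish(self.events);` now drops whatever `publish` returns, and nothing on the line says the call is kept for its side effect or that it presumably has to stay after `tx.commit().await?`. A short comment would record that, for example `// Publish only after the commit succeeds; the created user is no longer handed back to the caller.` With the `Secret` now the sole return value of `initial`, its doc comment could also state that the value is the login token for the new user and is meant for the identity cookie, not for logs. The body of `initial` starts and ends outside this hunk, so a doc comment may already exist there.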
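Review bot: In the second `src/setup/handlers/setup/mod.rs` hunk, the only thing a successful call to `handler` now gives the client is the identity cookie, and the visible lines carry no doc comment recording that contract. Suggest `/// Performs initial setup and sets the identity cookie; the response carries no body.` above `pub async fn handler(`. The signature begins outside the hunk, so check whether a doc comment is already present before adding one.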
diff --git a/src/setup/handlers/setup/test.rs b/src/setup/handlers/setup/test.rs
index 8243ac3..4a37690 100644
--- a/src/setup/handlers/setup/test.rs
+++ b/src/setup/handlers/setup/test.rs
@@ -1,6 +1,6 @@
 use axum::extract::{Json, State};
-use crate::{setup::app, test::fixtures};
+use crate::{empty::Empty, setup::app, test::fixtures};
 #[tokio::test]
 async fn fresh_instance() {
@@ -15,15 +15,11 @@ async fn fresh_instance() {
 name: name.clone(),
 password: password.clone(),
 };
- let (identity, Json(response)) =
+ let (identity, Empty) =
 super::handler(State(app.clone()), fixtures::now(), identity, Json(request))
 .await
 .expect("setup in a fresh app succeeds");
- // Verify the response
-
- assert_eq!(name, response.name);
-
 // Verify that the issued token is valid
 let secret = identity
@@ -34,16 +30,21 @@ async fn fresh_instance() {
 .validate(&secret, &fixtures::now())
 .await
 .expect("newly-issued identity cookie is valid");
- assert_eq!(response, login);
+ assert_eq!(name, login.name);
 // Verify that the given credentials can log in
- let (login, _) = app
+ let secret = app
 .tokens()
 .login(&name, &password, &fixtures::now())
 .await
 .expect("credentials given on signup are valid");
- assert_eq!(response, login);
+ let (_, login) = app
+ .tokens()
+ .validate(&secret, &fixtures::now())
+ .await
+ .expect("validating a newly-issued token secret succeeds");
+ assert_eq!(name, login.name);
 }
 #[tokio::test] |
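Review bot: In the last `test.rs` hunk, both checks now compare only `name` with `login.name`, where the removed assertions compared the whole user value, so the test no longer shows that the setup cookie and the password login resolve to the same account. Keeping the first validated user under its own name (say `setup_login`) and adding `assert_eq!(setup_login, login);` after the second `validate` would restore that. This assumes the value `validate` returns still implements `PartialEq` and `Debug`, as the removed `assert_eq!(response, login)` implies. The first `validate` call starts outside the hunk.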
