Fix auth session persistence with HttpOnly cookies and CSRF

backend/app/schemas/auth.py

@@ -38,8 +38,9 @@ class AuthSessionResponse(BaseModel):
 class AuthLoginResponse(AuthSessionResponse):
     """Represents one newly issued bearer token and associated user context."""
 
-    access_token: str
+    access_token: str | None = None
     token_type: str = "bearer"
+    csrf_token: str | None = None
 
 
 class AuthLogoutResponse(BaseModel):