Session
Email/password login, refresh, and logout.
Email + password login
Resolves the tenant from the email, calls Cognito `USER_PASSWORD_AUTH`, and then either (a) issues session cookies and returns the SPA redirect URL, or (b) returns a challenge envelope (`mfa_required`, `mfa_setup_required`, or `new_password_required`) to drive the next step.
Refresh Cognito access + ID tokens using the refresh cookie
Reads the `sw_refresh` and `sw_state` cookies, runs Cognito `REFRESH_TOKEN_AUTH` against the user's tenant pool, and writes the new access and ID tokens back into `sw_access` / `sw_id`.
Clear session cookies (POST)
Clears all `sw_*` cookies and returns the Microsoft logout URL the SPA should redirect to.
Clear session cookies and 302 to Microsoft logout
GET variant of logout — clears all `sw_*` cookies and 302-redirects the browser straight to Microsoft's logout endpoint with `post_logout_redirect_uri` set to `return_to`.
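
The GET logout above forwards a caller-supplied `return_to` to Microsoft as `post_logout_redirect_uri`; the added example below (not this service's own code) shows one way to constrain that value to an allow-list before building the 302 and expiring the `sw_*` cookies. The allowed origin, fallback URL, `common`-tenant logout URL, cookie attributes and function names are assumptions.

```javascript
// Added example: every name marked "assumed" is illustrative, not from the page.
const ALLOWED_RETURN_ORIGINS = new Set(["https://app.example.com"]); // assumed SPA origin
const DEFAULT_RETURN_TO = "https://app.example.com/"; // assumed fallback
// Assumed: Microsoft identity platform logout endpoint for the "common" tenant.
const MS_LOGOUT = "https://login.microsoftonline.com/common/oauth2/v2.0/logout";
const SESSION_COOKIES = ["sw_access", "sw_id", "sw_refresh", "sw_state"]; // named on the page

// Accept return_to only if it is an absolute https URL on an allow-listed origin.
function safeReturnTo(returnTo) {
  // Reject non-strings, control characters and backslashes outright.
  if (typeof returnTo !== "string" || /[\u0000-\u001f\\]/.test(returnTo)) {
    return DEFAULT_RETURN_TO;
  }
  let url;
  try {
    url = new URL(returnTo); // no base: relative and scheme-relative values throw
  } catch {
    return DEFAULT_RETURN_TO;
  }
  // Userinfo ("https://app.example.com@other.host/") is never legitimate here.
  if (url.protocol !== "https:" || url.username || url.password) {
    return DEFAULT_RETURN_TO;
  }
  return ALLOWED_RETURN_ORIGINS.has(url.origin) ? url.href : DEFAULT_RETURN_TO;
}

// Build the 302 for GET logout: expire every sw_* cookie, then redirect.
function buildLogoutResponse(returnTo) {
  const location = new URL(MS_LOGOUT);
  location.searchParams.set("post_logout_redirect_uri", safeReturnTo(returnTo));
  return {
    status: 302,
    headers: {
      Location: location.href,
      "Cache-Control": "no-store",
      // Path and flags must match those used when the cookies were set (assumed).
      "Set-Cookie": SESSION_COOKIES.map(
        (name) => `${name}=; Path=/; Max-Age=0; HttpOnly; Secure; SameSite=Lax`
      ),
    },
  };
}
```

Microsoft also checks `post_logout_redirect_uri` against the redirect URIs registered for the application, so the allow-list here is a second layer rather than the only control.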