Green phase: AuthController handles login (authenticate + create session + set cookie), logout (delete session + clear cookie), and me (return user from request attribute).
Green phase: AuthenticateUser validates credentials, throws BadRequestException for empty fields, UnauthorizedException for unknown email or wrong password.
