we may need a token route #2
Description
i think that we're asking our users route do 'to do too much'
i could be wrong but basically i'm building the auth into users and set-cookie there and that means either we tweak users route to also have get methods or we build a token route as well... hmmmmm