# Module: Azaion.Common.Requests.LoginRequest

## Purpose
Request DTO for the `/login` endpoint.

> **Cycle 2 (2026-05-14) note** — the `/login` response shape changed (AZ-531 added refresh tokens; AZ-534 added the MFA two-step branch), but the **request** body is unchanged. The new response DTOs live in companion files: see `common_requests_login_response.md` (`LoginResponse`, `RefreshTokenRequest`) and `common_requests_mfa_requests.md` (`MfaRequiredResponse`, `MfaLoginRequest`). The `Token` legacy single-token response is preserved via `LoginResponse.Token` for backward compatibility.

## Public Interface

| Property | Type | Description |
|----------|------|-------------|
| `Email` | `string` | User's email address |
| `Password` | `string` | User's plaintext password |

## Internal Logic
None — pure data class. No FluentValidation validator defined for this request.

## Dependencies
None.

## Consumers
- `Program.cs` `/login` endpoint — receives as request body; the response is either `LoginResponse` (no MFA) or `MfaRequiredResponse` (MFA enabled)
- `UserService.ValidateUser` — accepts as parameter; throws lockout/rate-limit/wrong-password/disabled exceptions per AZ-537 + AZ-536

## Data Models
None.

## Configuration
None.

## External Integrations
None.

## Security
Carries plaintext password; must only be transmitted over HTTPS.

## Tests
None.