a login form mapped to GET /login. probably two forms on one page. The first would ask for a username, and on submission I'll send the user a magic link. The second would be for pasting a code in as an alternative to using the magic link. email/slack/etc. would send both.
submitting the first form doesn't need to change the page - instead it can just display a message like "If you entered a valid username, then that user has been sent login instructions." Form submission can be behind-the-scenes. Perhaps reasonable to make this a POST /login that returns a jsend structure, and you just display the message or error? (maybe other niceties like "resend" if you haven't received it, or a timeout to clear the message or highlight the "resend" if not logged in after some period of time?)
submitting the second form would also be a POST /login but the field would be access_code instead of username (or something along those lines). This would navigate away from the login form, so it's a straight POST (nothing behind the scenes). This allows me to redirect the user to where they originally tried to go if the login screen was interstitial.
the main application should have a logout action (GET from /logout that will end the session and bring up the login screen again)
I'll need a list of resources/paths that need to be accessible without authentication. Could be specified by path (/styles/* for example) or just an exhaustive list (/vue.js, etc.).
the second post will write a token as a permanent cookie that can be used in future sessions? until the /logout API is called, which would delete the cookie
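One way to implement the unauthenticated-path list and the "redirect to where they originally tried to go" step from the notes above, as an added example that is not part of the original notes. The rule list, the function names and the `returnTo` parameter are assumptions; the path is normalized before matching so that `/styles/../admin` cannot pass as `/styles/*`, and only a local path is remembered for the post-login redirect.

```javascript
// Added example: the rule list and all names here are assumptions, not from the notes.
const PUBLIC_RULES = ["/login", "/vue.js", "/styles/*"]; // constructed sample list

// Decode and collapse a request path before it is compared with any rule.
function normalizePath(rawPath) {
  let path = rawPath.split("?")[0].split("#")[0];
  try {
    path = decodeURIComponent(path);
  } catch (e) {
    return null; // malformed percent-encoding: never public
  }
  // Conservative: reject backslashes, NULs and anything still encoded after one decode.
  if (!path.startsWith("/") || /[\\\0%]/.test(path)) return null;
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue; // drops "//" and "/./"
    if (seg === "..") {
      if (out.length === 0) return null; // climbs above the root
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return "/" + out.join("/");
}

function isPublicPath(rawPath, rules = PUBLIC_RULES) {
  const path = normalizePath(rawPath);
  if (path === null) return false;
  return rules.some((rule) =>
    rule.endsWith("/*")
      ? path.startsWith(rule.slice(0, -1)) // "/styles/*" matches only below "/styles/"
      : path === rule // exhaustive-list entry: exact match only
  );
}

// Serve the request, or send the user to the login form as an interstitial.
function gate(rawPath, hasSession) {
  if (hasSession || isPublicPath(rawPath)) return { action: "allow" };
  const path = normalizePath(rawPath);
  // The normalized path always starts with a single "/", so the redirect stays on this site.
  const returnTo = path === null ? "/" : path;
  return { action: "login", location: "/login?returnTo=" + encodeURIComponent(returnTo) };
}
```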