fix(server): trim username whitespace on login like register does

register() strips leading/trailing whitespace from the username before
storing it; login() was not, so a user who typed " alice " at login
would get a 401 even though their account existed as "alice". Now both
handlers trim consistently.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

solitaire_server/src/auth.rs

@@ -173,10 +173,11 @@ pub async fn login(
     State(pool): State<SqlitePool>,
     Json(body): Json<AuthRequest>,
 ) -> Result<Json<AuthResponse>, AppError> {
+    let username = body.username.trim().to_string();
     let row = sqlx::query_as!(
         UserRow,
         "SELECT id, password_hash FROM users WHERE username = ?",
-        body.username
+        username
     )
     .fetch_optional(&pool)
     .await?;

solitaire_server/tests/server_tests.rs

@@ -873,3 +873,26 @@ async fn opt_out_hides_then_opt_in_restores() {
         "re-opted-in user must appear again"
     );
 }
+
+/// Login with leading/trailing whitespace in the username still succeeds.
+#[tokio::test]
+async fn login_trims_whitespace_from_username() {
+    set_jwt_secret();
+    let app = build_test_router(test_pool().await);
+
+    let _ = register_user(app.clone(), "trimtest", "password1!").await;
+
+    // Login with surrounding whitespace — should still authenticate.
+    let resp = post_json(
+        app,
+        "/api/auth/login",
+        serde_json::json!({ "username": "  trimtest  ", "password": "password1!" }),
+    )
+    .await;
+
+    assert_eq!(
+        resp.status(),
+        StatusCode::OK,
+        "login with whitespace-padded username must succeed"
+    );
+}