When i POST auth/login with correct user name and password it returns http status 200 with header ‘Set-Cookie: CAKEPHP=ephvljg3afl4bju5d6n7m59fpj; path=/; HttpOnly’ and not expected csrfToken. To get csrfToken i should call auth/checkSession and this is not documented in https://help.passbolt.com/tech/auth schema description.
I think that this is bug and Login POST as a result should return CAKEPHP and csrfToken.
Also it is not clear what to do when token is near expiration end. What should be token renewal procedure?