
bug: the login password may leak in the response #4932

Open
sneko opened this issue Jul 26, 2024 · 0 comments
sneko commented Jul 26, 2024

Steps To Reproduce

curl 'https://design.penpot.app/api/rpc/command/login-with-password' \
  -H 'accept: application/transit+json,text/event-stream,*/*' \
  -H 'content-type: application/transit+json' \
  --data-raw '{"~:email":"aaaaaa","~:password":"coucou"}'

Expected behavior

If the email has an incorrect format, I think the password should be removed from the answer.

The risk surface is tiny because a user cannot submit in the UI without a valid email format, but my use case is using your API, and having logs in case of errors (network error...).

Actual behavior

Response is:

{
  '~:type': '~:validation',
  '~:code': '~:params-validation',
  '~:explain': 'Schema: \n'  
    '[:map\n'  
    ' {:title "login-with-password"}\n'  
    ' [:email :app.common.schema/email]\n'  
    ' [:password [:app.common.schema/word-string {:max 500}]]\n'  
    ' [:invitation-token {:optional true} [:app.common.schema/word-string {:max 6000}]]]\n'  
    '\n'  
    'Errors:\n'  
    '[{:path [:email 0], :in [:email], :schema :app.common.schema/email, :value nil}]\n'  
    '\n'  
    'Value:\n'  
    '{:email nil, :password "coucou"}\n'  
    '\n'
}

Screenshots or video

No response

Desktop (please complete the following information)

No response

Smartphone (please complete the following information)

No response

Environment (please complete the following information)

No response

Frontend Stack Trace

No response

Backend Stack Trace

No response

Additional context

No response

@sneko sneko added the bug label Jul 26, 2024
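The report above asks that a submitted password not be echoed back inside the `~:explain` text of a validation error, since that text ends up in client-side logs. The following is an added example, not Penpot's own code (the backend is Clojure; this is written in Python), showing a redaction pass that a client can run over such a payload before logging it, or that a server could apply before returning it. The sample payload is constructed from the response quoted in the issue, and the key list (`SENSITIVE_KEYS`) and function names are assumptions for this example.

```python
import json
import re
from typing import Any

# Keys whose values must never be echoed in an error response or a log line.
# Assumed list for this example; extend it to match the schema in use.
SENSITIVE_KEYS = {"password", "invitation-token", "token", "secret"}
REDACTED = "[REDACTED]"

# Constructed sample, modelled on the validation error quoted in the issue.
SAMPLE_RESPONSE = {
    "~:type": "~:validation",
    "~:code": "~:params-validation",
    "~:explain": (
        "Schema: \n"
        "[:map\n"
        ' {:title "login-with-password"}\n'
        " [:email :app.common.schema/email]\n"
        " [:password [:app.common.schema/word-string {:max 500}]]]\n"
        "\n"
        "Errors:\n"
        "[{:path [:email 0], :in [:email], :schema :app.common.schema/email, :value nil}]\n"
        "\n"
        "Value:\n"
        '{:email nil, :password "coucou"}\n'
        "\n"
    ),
}


def _bare_key(key: str) -> str:
    """Strip the transit '~:' keyword prefix so '~:password' matches 'password'."""
    return key[2:] if key.startswith("~:") else key


def redact_edn_text(text: str, keys=SENSITIVE_KEYS) -> str:
    """Redact `:key "value"` pairs inside EDN-style text such as the Value: section.

    Only quoted string values are touched, so schema lines like
    `[:password [:app.common.schema/word-string ...]]` are left intact.
    """
    names = "|".join(re.escape(k) for k in sorted(keys))
    pattern = re.compile(r'(:(?:' + names + r')\s+)"(?:[^"\\]|\\.)*"')
    return pattern.sub(lambda m: f'{m.group(1)}"{REDACTED}"', text)


def redact_sensitive(value: Any, keys=SENSITIVE_KEYS) -> Any:
    """Recursively redact sensitive keys in a decoded payload.

    Structured values under a sensitive key are replaced outright; every string
    is additionally scrubbed because the explain text embeds the echoed value.
    """
    if isinstance(value, dict):
        out = {}
        for k, v in value.items():
            if isinstance(k, str) and _bare_key(k) in keys:
                out[k] = REDACTED
            else:
                out[k] = redact_sensitive(v, keys)
        return out
    if isinstance(value, list):
        return [redact_sensitive(v, keys) for v in value]
    if isinstance(value, str):
        return redact_edn_text(value, keys)
    return value


def leaks_secret(payload: Any, secret: str) -> bool:
    """True if the serialized payload still contains the submitted secret verbatim.

    Useful as a regression check on error responses: feed it the credential you
    sent and assert that it is absent from whatever you are about to log.
    """
    return secret in json.dumps(payload)


if __name__ == "__main__":
    print("leaks before:", leaks_secret(SAMPLE_RESPONSE, "coucou"))
    clean = redact_sensitive(SAMPLE_RESPONSE)
    print("leaks after: ", leaks_secret(clean, "coucou"))
    print(clean["~:explain"])
```

On the server side the simplest fix is to apply the same idea to the value map before it is formatted into the explanation; on the client side, running `redact_sensitive` over the decoded error before it reaches a log sink removes the credential even when the server has not changed.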