Fix auth handling for empty login token responses

[dannolan]

Summary

• avoid logging the Apple ID password in verbose auth logs
• treat empty successful login responses as an auth-code requirement before 2FA
• return a clearer error if the response is still missing session fields after an auth code

Testing

• go generate ./... && go test ./...

---

Summary by cubic

Improves App Store login handling by treating empty 200 OK responses as an auth-code requirement, and returns a clear error if session fields are still missing after 2FA. Also removes raw password logging in verbose mode.

• Bug Fixes
  • Replace password value logging with passwordProvided boolean in cmd/auth.go.
  • In pkg/appstore, return ErrAuthCodeRequired when a 200 OK lacks session tokens before 2FA; after 2FA, return a clear “login response did not include an App Store session token” error.
  • Add tests for both pre- and post-2FA empty session token cases.

^{Written for commit 074d246. Summary will update on new commits.}

[cryzet]

Current response with these changes:

1:14PM DBG error="request failed: request failed: Post "": failed to make round trip: unsupported protocol scheme """
1:14PM ERR error="request failed: request failed: Post "": failed to make round trip: unsupported protocol scheme """ success=false