add description for login API

README.md

     **username** : must be email  
     **password** : 4-40 chars
 
-output
+output: always json
 
-```json
+```json5
 {
-  "login": true,
-  "Biukop-Session": "biukop session id",
-  "Biukop-Mid": "biukop machine id"
+  "login": true, //true = login ,false = failed.
+  "Biukop-Session": "3c88be7a-552a-474f-8e4b-92ff22fa0e1c", //session id, for each session
+  "Biukop-Mid": "a0acd59c-ffa5-439f-b415-7313b7cb1d34", //machine id, never change
+  "sessionExpire": 1646338110, //unix timestamp
+  "sessionExpireHuman": "Fri, 04 Mar 2022 07:08:30 +1100," // same as unix timestamp
 }
 ```
 
-1. /signup
-2. /logout
+1. **login**:  true/false indicate a successful login. but the session id and mid is the real auth mechanisms for subsequent http request.
+1. **Biukop-Session**: server side auth and user tracking. 
+1. **Biukop-Mid**: machine id, unique for identify this particular browser client. it should be saved to browser's local storage and comeback with every request.. 
+1. **sessionExpire**: when this session id will become expire. UnixStamp for easy comparison for client, the serverside value is the key to determin whether a session has expired.  
+1. **sessionExpireHuman**: for easy display and debug purpose make client's coding easy. 
+
+
+## 2. /signup
+User Sign up through email authentication,  a temporary code will be generated for the user to sign up for the first time. Not implemented yet.  
+
+## 3. /logout
+Client side clear the session ID and it will logout. Serverside will also clear the session when user logout. No data is kept for a dead or expired session. 
+
 3. /loans?skip=page= GET
 4. /loan/id   GET POST PUT DELETE
 5. /User/id   GET POST PUT DELETE