Those endpoints use extensive amount of user-provided properties
and will be frequently used by third party developers. With Node
15, unhandled promise rejections directly crash the server, as
such, it is safer to schema validate the request before processing
it.
This change also prepares the code paths for later change that adds
destination fallbacks.
Token is already sent by Set-Cookie. It is unneccessary and
insecure to include them in JSON response. Doing so also
introduce the token into Javascript VM which is not protected
as well as the httpOnly cookies.
