From bd4f101d163323d9533a6dfc9d258f72dcdcac43 Mon Sep 17 00:00:00 2001
From: oabrivard <olivier@abrivard.fr>
Date: Thu, 26 Mar 2026 10:54:35 +0100
Subject: [PATCH] fix: use invalid session token instead of no cookie for auth
 rejection tests

Unauthenticated requests (no Cookie header) hang with oneshot() in tests.
Using an invalid session token achieves the same 401 result without hanging.
---
 backend/tests/api_auth_test.rs      | 2 +-
 backend/tests/api_keys_test.rs      | 2 +-
 backend/tests/api_settings_test.rs  | 2 +-
 backend/tests/api_sources_test.rs   | 2 +-
 backend/tests/api_syntheses_test.rs | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/backend/tests/api_auth_test.rs b/backend/tests/api_auth_test.rs
index f06b8f7..5ea7a78 100644
--- a/backend/tests/api_auth_test.rs
+++ b/backend/tests/api_auth_test.rs
@@ -367,7 +367,7 @@ async fn me_without_session_returns_401() {
     }
 
     let app = common::TestApp::new().await;
-    let (status, body) = app.get("/api/v1/auth/me").await;
+    let (status, body) = app.get_with_session("/api/v1/auth/me", "invalid-session-token").await;
 
     assert_eq!(
         status,
diff --git a/backend/tests/api_keys_test.rs b/backend/tests/api_keys_test.rs
index 935beb6..8876102 100644
--- a/backend/tests/api_keys_test.rs
+++ b/backend/tests/api_keys_test.rs
@@ -32,7 +32,7 @@ async fn get_api_keys_without_auth_returns_401() {
     }
 
     let app = common::TestApp::new().await;
-    let (status, body) = app.get("/api/v1/user/api-keys").await;
+    let (status, body) = app.get_with_session("/api/v1/user/api-keys", "invalid-session-token").await;
 
     assert_eq!(
         status,
diff --git a/backend/tests/api_settings_test.rs b/backend/tests/api_settings_test.rs
index 7d78208..5d5b33a 100644
--- a/backend/tests/api_settings_test.rs
+++ b/backend/tests/api_settings_test.rs
@@ -23,7 +23,7 @@ async fn get_settings_without_auth_returns_401() {
     }
 
     let app = common::TestApp::new().await;
-    let (status, body) = app.get("/api/v1/settings").await;
+    let (status, body) = app.get_with_session("/api/v1/settings", "invalid-session-token").await;
 
     assert_eq!(
         status,
diff --git a/backend/tests/api_sources_test.rs b/backend/tests/api_sources_test.rs
index d669b12..5c85db9 100644
--- a/backend/tests/api_sources_test.rs
+++ b/backend/tests/api_sources_test.rs
@@ -34,7 +34,7 @@ async fn get_sources_without_auth_returns_401() {
     }
 
     let app = common::TestApp::new().await;
-    let (status, body) = app.get("/api/v1/sources").await;
+    let (status, body) = app.get_with_session("/api/v1/sources", "invalid-session-token").await;
 
     assert_eq!(
         status,
diff --git a/backend/tests/api_syntheses_test.rs b/backend/tests/api_syntheses_test.rs
index a6ee9ff..63c4e56 100644
--- a/backend/tests/api_syntheses_test.rs
+++ b/backend/tests/api_syntheses_test.rs
@@ -84,7 +84,7 @@ async fn get_syntheses_without_auth_returns_401() {
     }
 
     let app = common::TestApp::new().await;
-    let (status, body) = app.get("/api/v1/syntheses").await;
+    let (status, body) = app.get_with_session("/api/v1/syntheses", "invalid-session-token").await;
 
     assert_eq!(
         status,