fix: use invalid session token instead of no cookie for auth rejection tests

Unauthenticated requests (no Cookie header) hang with oneshot() in tests.
Using an invalid session token achieves the same 401 result without hanging.

backend/tests/api_auth_test.rs

@@ -367,7 +367,7 @@ async fn me_without_session_returns_401() {
     }
 
     let app = common::TestApp::new().await;
-    let (status, body) = app.get("/api/v1/auth/me").await;
+    let (status, body) = app.get_with_session("/api/v1/auth/me", "invalid-session-token").await;
 
     assert_eq!(
         status,

backend/tests/api_keys_test.rs

@@ -32,7 +32,7 @@ async fn get_api_keys_without_auth_returns_401() {
     }
 
     let app = common::TestApp::new().await;
-    let (status, body) = app.get("/api/v1/user/api-keys").await;
+    let (status, body) = app.get_with_session("/api/v1/user/api-keys", "invalid-session-token").await;
 
     assert_eq!(
         status,

backend/tests/api_settings_test.rs

@@ -23,7 +23,7 @@ async fn get_settings_without_auth_returns_401() {
     }
 
     let app = common::TestApp::new().await;
-    let (status, body) = app.get("/api/v1/settings").await;
+    let (status, body) = app.get_with_session("/api/v1/settings", "invalid-session-token").await;
 
     assert_eq!(
         status,

backend/tests/api_sources_test.rs

@@ -34,7 +34,7 @@ async fn get_sources_without_auth_returns_401() {
     }
 
     let app = common::TestApp::new().await;
-    let (status, body) = app.get("/api/v1/sources").await;
+    let (status, body) = app.get_with_session("/api/v1/sources", "invalid-session-token").await;
 
     assert_eq!(
         status,

backend/tests/api_syntheses_test.rs

@@ -84,7 +84,7 @@ async fn get_syntheses_without_auth_returns_401() {
     }
 
     let app = common::TestApp::new().await;
-    let (status, body) = app.get("/api/v1/syntheses").await;
+    let (status, body) = app.get_with_session("/api/v1/syntheses", "invalid-session-token").await;
 
     assert_eq!(
         status,