test: update all tests to include CSRF tokens

tests/test_auth_routes/test_last_credential_guard.py

@@ -4,6 +4,7 @@ from datetime import UTC, datetime
 from argon2 import PasswordHasher
 from httpx import AsyncClient
 
+from tests.conftest import get_csrf_token
 from porchlight.authn.password import PasswordService
 from porchlight.models import PasswordCredential, User, WebAuthnCredential
 
@@ -20,10 +21,11 @@ async def _create_user_and_login(client: AsyncClient) -> str:
     svc = PasswordService(hasher=PasswordHasher(time_cost=1, memory_cost=8192))
     await cred_repo.create_password(PasswordCredential(user_id=user.userid, password_hash=svc.hash("testpass")))
 
+    token = await get_csrf_token(client)
     await client.post(
         "/login/password",
         data={"username": "alice", "password": "testpass"},
-        headers={"HX-Request": "true"},
+        headers={"HX-Request": "true", "X-CSRF-Token": token},
     )
     return user.userid
 
@@ -32,9 +34,10 @@ async def test_cannot_delete_last_password_credential(client: AsyncClient) -> No
     """User has only a password — cannot delete it."""
     await _create_user_and_login(client)
 
+    token = await get_csrf_token(client)
     res = await client.delete(
         "/manage/credentials/password",
-        headers={"HX-Request": "true"},
+        headers={"HX-Request": "true", "X-CSRF-Token": token},
     )
     assert res.status_code == 200
     assert 'role="alert"' in res.text
@@ -57,9 +60,10 @@ async def test_cannot_delete_last_webauthn_credential(client: AsyncClient) -> No
     await cred_repo.delete_password(userid)
 
     cred_id_b64 = urlsafe_b64encode(b"cred1").decode().rstrip("=")
+    token = await get_csrf_token(client)
     res = await client.delete(
         f"/manage/credentials/webauthn/{cred_id_b64}",
-        headers={"HX-Request": "true"},
+        headers={"HX-Request": "true", "X-CSRF-Token": token},
     )
     assert res.status_code == 200
     assert 'role="alert"' in res.text