test: update all tests to include CSRF tokens

This commit is contained in:
Johan Lundberg 2026-02-19 14:19:47 +01:00
parent 9e5773f52f
commit f648422227
No known key found for this signature in database
GPG key ID: A6C152738D03C7D1
12 changed files with 105 additions and 26 deletions


@ -6,6 +6,7 @@ from fido2.cose import ES256
from fido2.webauthn import Aaguid, AttestedCredentialData
from httpx import AsyncClient
from tests.conftest import get_csrf_token
from porchlight.models import User, WebAuthnCredential
RP_ID = "localhost"
@ -66,9 +67,11 @@ async def test_webauthn_login_begin_has_user_verification_preferred(client: Asyn
async def test_webauthn_login_complete_without_state_returns_400(client: AsyncClient) -> None:
"""Complete without prior begin should fail."""
token = await get_csrf_token(client)
res = await client.post(
"/login/webauthn/complete",
json={"id": "fake", "rawId": "fake", "type": "public-key", "response": {}},
headers={"X-CSRF-Token": token},
)
assert res.status_code == 400
@ -81,11 +84,13 @@ async def test_webauthn_login_complete_returns_json_redirect(client: AsyncClient
res1 = await client.get("/login/webauthn/begin")
assert res1.status_code == 200
token = await get_csrf_token(client)
# We can't easily complete the full assertion without browser interaction,
# but we verify the endpoint returns 400 JSON (not HTML) for bad assertions
res2 = await client.post(
"/login/webauthn/complete",
json={"id": "fake", "rawId": "fake", "type": "public-key", "response": {}},
headers={"X-CSRF-Token": token},
)
# Should fail verification but not crash — returns error HTML for now
assert res2.status_code in (200, 400)
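Review bot: The final assertion `assert res2.status_code in (200, 400)` still accepts a 200 for a fabricated assertion, so a regression in which the complete endpoint stops rejecting bad credentials would pass this test unnoticed; the new CSRF header only makes the request reach the handler, it does not tighten what the test checks. The comment on the second-to-last line ("returns error HTML for now") also contradicts the comment three lines above the post call ("returns 400 JSON (not HTML)"), so one of them is stale. If the 400-JSON behaviour is the intended contract, pin it: `assert res2.status_code == 400` and `assert res2.headers["content-type"].startswith("application/json")`, and drop the stale comment; if the endpoint genuinely still returns HTML, the comment at the post call should say so instead. Note that `test_webauthn_login_complete_returns_json_redirect` starts outside the hunk (its signature is only visible in the hunk header), and the test name promises a JSON redirect that nothing in the visible body asserts.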