From 2b29938a64d507b35084abe5f1e40d8153e5455e Mon Sep 17 00:00:00 2001
From: Dmitrii Iurco <dmitrii.iurco@gmail.com>
Date: Sat, 6 Jun 2026 05:05:08 -0400
Subject: [PATCH] fix: set CSRF token in PicAPIClient after login

POST requests from PicAPIClient were failing with 403 (CSRF token missing)
because the login response csrf_token was not being applied to subsequent
request headers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 tests/e2e/helpers/api_client.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tests/e2e/helpers/api_client.py b/tests/e2e/helpers/api_client.py
index d7d31ef..fc28108 100644
--- a/tests/e2e/helpers/api_client.py
+++ b/tests/e2e/helpers/api_client.py
@@ -10,7 +10,11 @@ class PicAPIClient:
     def login(self, username: str, password: str) -> dict:
         r = self.s.post(f"{self.base}/api/auth/login", json={'username': username, 'password': password})
         r.raise_for_status()
-        return r.json()
+        data = r.json()
+        csrf = data.get('csrf_token', '')
+        if csrf:
+            self.s.headers['X-CSRF-Token'] = csrf
+        return data
 
     def logout(self):
         self.s.post(f"{self.base}/api/auth/logout")