Fix integration tests authentication for CI environments

- Make integration_client fixture session-scoped (single login per test run)
- Add configurable credentials via ORCHARD_TEST_USERNAME/PASSWORD env vars
- Fail fast with clear error message if authentication fails
- Add cookie verification after login
- Remove silent failure mode that hid auth issues

CHANGELOG.md

@@ -81,6 +81,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Improved pod naming: Orchard pods now named `orchard-{env}-server-*` for clarity (#51)
 
 ### Fixed
+- Fixed integration tests auth: session-scoped client, configurable credentials via env vars, fail-fast on auth errors
 - Fixed Content-Disposition header encoding for non-ASCII filenames using RFC 5987 (#38)
 - Fixed deploy jobs running even when tests or security scans fail (changed rules from `when: always` to `when: on_success`) (#63)
 - Fixed python_tests job not using internal PyPI proxy (#63)

backend/tests/conftest.py

@@ -181,29 +181,44 @@ def test_app():
 # =============================================================================
 
 
-@pytest.fixture
+@pytest.fixture(scope="session")
 def integration_client():
     """
     Create an authenticated test client for integration tests.
 
-    Uses the real database and MinIO from docker-compose.local.yml.
-    Authenticates as admin for write operations.
+    Uses the real database and MinIO from docker-compose.local.yml or deployed environment.
+    Authenticates as admin for write operations. Session-scoped to reuse login across tests.
+
+    Environment variables:
+        ORCHARD_TEST_URL: Base URL of the Orchard server (default: http://localhost:8080)
+        ORCHARD_TEST_USERNAME: Admin username for authentication (default: admin)
+        ORCHARD_TEST_PASSWORD: Admin password for authentication (default: changeme123)
     """
-    from httpx import Client
+    import httpx
 
-    # Connect to the running orchard-server container
+    # Connect to the running orchard-server container or deployed environment
     base_url = os.environ.get("ORCHARD_TEST_URL", "http://localhost:8080")
+    username = os.environ.get("ORCHARD_TEST_USERNAME", "admin")
+    password = os.environ.get("ORCHARD_TEST_PASSWORD", "changeme123")
 
-    with Client(base_url=base_url, timeout=30.0) as client:
+    with httpx.Client(base_url=base_url, timeout=30.0) as client:
         # Login as admin to enable write operations
         login_response = client.post(
             "/api/v1/auth/login",
-            json={"username": "admin", "password": "changeme123"},
+            json={"username": username, "password": password},
         )
-        # If login fails, tests will fail - that's expected if auth is broken
         if login_response.status_code != 200:
-            # Try to continue without auth for backward compatibility
-            pass
+            pytest.fail(
+                f"Authentication failed against {base_url}: {login_response.status_code} - {login_response.text}. "
+                f"Set ORCHARD_TEST_USERNAME and ORCHARD_TEST_PASSWORD environment variables if using non-default credentials."
+            )
+
+        # Verify cookie was set
+        if not client.cookies:
+            pytest.fail(
+                f"Login succeeded but no session cookie was set. Response headers: {login_response.headers}"
+            )
+
         yield client