update function login

tests/test_api_integration.py

@@ -26,6 +26,16 @@ def resolve_mission_id(api: requests.Session) -> str:
     return ids[0]
 
 
+def login_admin(api: requests.Session) -> None:
+    r = api.post(
+        f"{BASE}/api/auth/login",
+        json={"username": "Admin", "password": "admin"},
+        timeout=TIMEOUT,
+    )
+    assert r.status_code == 200, r.text
+    assert r.json().get("user", {}).get("username") == "Admin"
+
+
 @pytest.fixture(scope="module")
 def api():
     session = requests.Session()
@@ -41,6 +51,7 @@ def api():
         time.sleep(0.2)
     else:
         pytest.fail(f"Server not ready at {BASE}")
+    login_admin(session)
     return session
 
 
@@ -78,6 +89,38 @@ def test_health(api):
     assert r.json()["ok"] is True
 
 
+def test_auth_me(api):
+    r = api.get(f"{BASE}/api/auth/me", timeout=TIMEOUT)
+    assert r.status_code == 200
+    user = r.json().get("user", {})
+    assert user.get("username") == "Admin"
+    assert user.get("permissions", {}).get("missions") == "write"
+
+
+def test_auth_unauthorized_without_session():
+    session = requests.Session()
+    r = session.get(f"{BASE}/api/missions", timeout=TIMEOUT)
+    assert r.status_code == 401
+
+
+def test_auth_user_read_only_missions():
+    session = requests.Session()
+    login = session.post(
+        f"{BASE}/api/auth/login",
+        json={"username": "User", "password": "user"},
+        timeout=TIMEOUT,
+    )
+    assert login.status_code == 200
+    listed = session.get(f"{BASE}/api/missions", timeout=TIMEOUT)
+    assert listed.status_code == 200
+    created = session.post(
+        f"{BASE}/api/triggers",
+        json={"name": "deny-trigger", "coil_id": 1009, "mission_id": "testmission00001"},
+        timeout=TIMEOUT,
+    )
+    assert created.status_code == 403
+
+
 def test_missions_available(api, mission_id):
     r = api.get(f"{BASE}/api/missions", timeout=TIMEOUT)
     assert r.status_code == 200