From 14c68187f55dbb02afcb3b693cfcc41acfe87be5 Mon Sep 17 00:00:00 2001
From: Petru Paler <petru@paler.net>
Date: Thu, 1 Jan 2026 07:59:40 +0000
Subject: [PATCH] fix: resolve Starlette cookie deprecation warnings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Set cookies on client instance instead of passing per-request to avoid
the deprecation warning about ambiguous cookie persistence behavior.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 tests/test_user_defaults_integration.py | 4 ++--
 tests/test_web_app.py                   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/test_user_defaults_integration.py b/tests/test_user_defaults_integration.py
index 57019a7..7d737b0 100644
--- a/tests/test_user_defaults_integration.py
+++ b/tests/test_user_defaults_integration.py
@@ -94,6 +94,7 @@ class TestFeedUserDefaults:
     ):
         """Successful feed-given saves user defaults."""
         csrf_token = "test-csrf-token"
+        client.cookies.set("csrf_token", csrf_token)
         response = client.post(
             "/actions/feed-given",
             data={
@@ -105,7 +106,6 @@ class TestFeedUserDefaults:
                 "X-Oidc-Username": "ppetru",
                 **make_csrf_headers(csrf_token),
             },
-            cookies={"csrf_token": csrf_token},
         )
         assert response.status_code == 200
 
@@ -148,6 +148,7 @@ class TestFeedUserDefaults:
     ):
         """Unknown users are rejected by auth middleware."""
         csrf_token = "test-csrf-token"
+        client.cookies.set("csrf_token", csrf_token)
         response = client.post(
             "/actions/feed-given",
             data={
@@ -159,7 +160,6 @@ class TestFeedUserDefaults:
                 "X-Oidc-Username": "unknown_user",
                 **make_csrf_headers(csrf_token),
             },
-            cookies={"csrf_token": csrf_token},
         )
         # Unknown user is rejected by auth middleware
         assert response.status_code == 401
diff --git a/tests/test_web_app.py b/tests/test_web_app.py
index 5d37d07..be64ae1 100644
--- a/tests/test_web_app.py
+++ b/tests/test_web_app.py
@@ -127,6 +127,7 @@ class TestAppWithTestClient:
     def test_csrf_with_valid_tokens_succeeds(self, client):
         """POST with matching CSRF tokens proceeds."""
         csrf_token = "test-csrf-token-123"
+        client.cookies.set("csrf_token", csrf_token)
         resp = client.post(
             "/",
             headers={
@@ -134,7 +135,6 @@ class TestAppWithTestClient:
                 "X-CSRF-Token": csrf_token,
                 "Origin": "http://testserver",
             },
-            cookies={"csrf_token": csrf_token},
         )
         # Should get through CSRF check (200 or 405 if method not allowed)
         # The key is it shouldn't be 403 CSRF error