Add actor parameter to all tests requiring authorization

This commit adds actor: system_actor to all Ash operations in tests that
require authorization.

test/mv_web/controllers/oidc_passwordless_linking_test.exs

@@ -7,15 +7,20 @@ defmodule MvWeb.OidcPasswordlessLinkingTest do
   """
   use MvWeb.ConnCase, async: true
 
+  setup do
+    system_actor = Mv.Helpers.SystemActor.get_system_actor()
+    %{actor: system_actor}
+  end
+
   describe "Passwordless user - Automatic linking via special action" do
-    test "passwordless user can be linked via link_passwordless_oidc action" do
+    test "passwordless user can be linked via link_passwordless_oidc action", %{actor: actor} do
       # Create user without password (e.g., invited user)
       {:ok, existing_user} =
         Mv.Accounts.User
         |> Ash.Changeset.for_create(:create_user, %{
           email: "invited@example.com"
         })
-        |> Ash.create()
+        |> Ash.create(actor: actor)
 
       # Verify user has no password and no oidc_id
       assert is_nil(existing_user.hashed_password)
@@ -31,7 +36,7 @@ defmodule MvWeb.OidcPasswordlessLinkingTest do
             "preferred_username" => "invited@example.com"
           }
         })
-        |> Ash.update()
+        |> Ash.update(actor: actor)
 
       # User should now have oidc_id linked
       assert linked_user.oidc_id == "auto_link_oidc_123"
@@ -47,20 +52,22 @@ defmodule MvWeb.OidcPasswordlessLinkingTest do
           },
           oauth_tokens: %{"access_token" => "test_token"}
         })
-        |> Ash.read_one()
+        |> Ash.read_one(actor: actor)
 
       assert {:ok, signed_in_user} = result
       assert signed_in_user.id == existing_user.id
     end
 
-    test "passwordless user triggers PasswordVerificationRequired for linking flow" do
+    test "passwordless user triggers PasswordVerificationRequired for linking flow", %{
+      actor: actor
+    } do
       # Create passwordless user
       {:ok, existing_user} =
         Mv.Accounts.User
         |> Ash.Changeset.for_create(:create_user, %{
           email: "passwordless@example.com"
         })
-        |> Ash.create()
+        |> Ash.create(actor: actor)
 
       assert is_nil(existing_user.hashed_password)
       assert is_nil(existing_user.oidc_id)
@@ -95,7 +102,7 @@ defmodule MvWeb.OidcPasswordlessLinkingTest do
   end
 
   describe "User with different OIDC ID - Hard Error" do
-    test "user with different oidc_id gets hard error, not password verification" do
+    test "user with different oidc_id gets hard error, not password verification", %{actor: actor} do
       # Create user with existing OIDC ID
       {:ok, _existing_user} =
         Mv.Accounts.User
@@ -103,7 +110,7 @@ defmodule MvWeb.OidcPasswordlessLinkingTest do
           email: "already-linked@example.com"
         })
         |> Ash.Changeset.force_change_attribute(:oidc_id, "original_oidc_999")
-        |> Ash.create()
+        |> Ash.create(actor: actor)
 
       # Try to register with same email but different OIDC ID
       user_info = %{
@@ -138,7 +145,7 @@ defmodule MvWeb.OidcPasswordlessLinkingTest do
              end)
     end
 
-    test "passwordless user with different oidc_id also gets hard error" do
+    test "passwordless user with different oidc_id also gets hard error", %{actor: actor} do
       # Create passwordless user with OIDC ID
       {:ok, existing_user} =
         Mv.Accounts.User
@@ -146,7 +153,7 @@ defmodule MvWeb.OidcPasswordlessLinkingTest do
           email: "passwordless-linked@example.com"
         })
         |> Ash.Changeset.force_change_attribute(:oidc_id, "first_oidc_777")
-        |> Ash.create()
+        |> Ash.create(actor: actor)
 
       assert is_nil(existing_user.hashed_password)
       assert existing_user.oidc_id == "first_oidc_777"