test isses fixes

src/server/middleware/auth.py

@@ -12,9 +12,9 @@ a proper token revocation store.
 from __future__ import annotations
 
 import time
-from typing import Callable, Dict, Optional
+from typing import Callable, Dict
 
-from fastapi import HTTPException, Request, status
+from fastapi import Request, status
 from fastapi.responses import JSONResponse
 from starlette.middleware.base import BaseHTTPMiddleware
 from starlette.types import ASGIApp
@@ -76,7 +76,17 @@ class AuthMiddleware(BaseHTTPMiddleware):
                 # For public/auth endpoints let the dependency system handle
                 # optional auth and return None.
                 if path.startswith("/api/") and not path.startswith("/api/auth"):
-                    raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token")
+                    return JSONResponse(
+                        status_code=status.HTTP_401_UNAUTHORIZED,
+                        content={"detail": "Invalid token"}
+                    )
+        else:
+            # No authorization header: check if this is a protected endpoint
+            if path.startswith("/api/") and not path.startswith("/api/auth"):
+                return JSONResponse(
+                    status_code=status.HTTP_401_UNAUTHORIZED,
+                    content={"detail": "Missing authorization credentials"}
+                )
 
         return await call_next(request)