refactor(api): deduplicate HTTP test helpers and allow session cookie access (#9977)

These refactorizations were made in [PR #9175][1] to accommodate a few
new variants of authentication method and body content. On request from
reviewers, this PR extracts it as a smaller refactorization to review in
isolation.

### Purpose

This extracts a shared `httpRequest` base function from `httpGet` and
`httpPost`, which will be used in PR #9175 for new helper functions
`httpGetCsrf` (hiding all optional parameters except the CSRF token),
`httpPostCsrf` (same) and `httpPostCsrfAuth` (hiding basic auth
parameters). A `getSessionCookie` function is also extracted from
`hasSessionCookie` and will be used to test that concurrent WebAuthn
authentications result in separate sessions (indicated by different
session cookies).

lib/api/api_test.go

@@ -492,13 +492,18 @@ func testHTTPRequest(t *testing.T, baseURL string, tc httpTestCase, apikey strin
 	}
 }
 
-func hasSessionCookie(cookies []*http.Cookie) bool {
+func getSessionCookie(cookies []*http.Cookie) (*http.Cookie, bool) {
 	for _, cookie := range cookies {
 		if cookie.MaxAge >= 0 && strings.HasPrefix(cookie.Name, "sessionid") {
-			return true
+			return cookie, true
 		}
 	}
-	return false
+	return nil, false
+}
+
+func hasSessionCookie(cookies []*http.Cookie) bool {
+	_, ok := getSessionCookie(cookies)
+	return ok
 }
 
 func hasDeleteSessionCookie(cookies []*http.Cookie) bool {
@@ -510,11 +515,19 @@ func hasDeleteSessionCookie(cookies []*http.Cookie) bool {
 	return false
 }
 
-func httpGet(url string, basicAuthUsername string, basicAuthPassword string, xapikeyHeader string, authorizationBearer string, cookies []*http.Cookie, t *testing.T) *http.Response {
-	req, err := http.NewRequest("GET", url, nil)
-	for _, cookie := range cookies {
-		req.AddCookie(cookie)
+func httpRequest(method string, url string, body any, basicAuthUsername, basicAuthPassword, xapikeyHeader, authorizationBearer, csrfTokenName, csrfTokenValue string, cookies []*http.Cookie, t *testing.T) *http.Response {
+	t.Helper()
+
+	var bodyReader io.Reader = nil
+	if body != nil {
+		bodyBytes, err := json.Marshal(body)
+		if err != nil {
+			t.Fatal(err)
+		}
+		bodyReader = bytes.NewReader(bodyBytes)
 	}
+
+	req, err := http.NewRequest(method, url, bodyReader)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -531,30 +544,16 @@ func httpGet(url string, basicAuthUsername string, basicAuthPassword string, xap
 		req.Header.Set("Authorization", "Bearer "+authorizationBearer)
 	}
 
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	return resp
-}
-
-func httpPost(url string, body map[string]string, cookies []*http.Cookie, t *testing.T) *http.Response {
-	bodyBytes, err := json.Marshal(body)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	req, err := http.NewRequest("POST", url, bytes.NewReader(bodyBytes))
-	if err != nil {
-		t.Fatal(err)
+	if csrfTokenName != "" && csrfTokenValue != "" {
+		req.Header.Set("X-"+csrfTokenName, csrfTokenValue)
 	}
 
 	for _, cookie := range cookies {
 		req.AddCookie(cookie)
 	}
 
-	resp, err := http.DefaultClient.Do(req)
+	client := http.Client{Timeout: 15 * time.Second}
+	resp, err := client.Do(req)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -562,18 +561,31 @@ func httpPost(url string, body map[string]string, cookies []*http.Cookie, t *tes
 	return resp
 }
 
+func httpGet(url string, basicAuthUsername, basicAuthPassword, xapikeyHeader, authorizationBearer string, cookies []*http.Cookie, t *testing.T) *http.Response {
+	t.Helper()
+	return httpRequest(http.MethodGet, url, nil, basicAuthUsername, basicAuthPassword, xapikeyHeader, authorizationBearer, "", "", cookies, t)
+}
+
+func httpPost(url string, body map[string]string, cookies []*http.Cookie, t *testing.T) *http.Response {
+	t.Helper()
+	return httpRequest(http.MethodPost, url, body, "", "", "", "", "", "", cookies, t)
+}
+
 func TestHTTPLogin(t *testing.T) {
 	t.Parallel()
 
 	httpGetBasicAuth := func(url string, username string, password string) *http.Response {
+		t.Helper()
 		return httpGet(url, username, password, "", "", nil, t)
 	}
 
 	httpGetXapikey := func(url string, xapikeyHeader string) *http.Response {
+		t.Helper()
 		return httpGet(url, "", "", xapikeyHeader, "", nil, t)
 	}
 
 	httpGetAuthorizationBearer := func(url string, bearer string) *http.Response {
+		t.Helper()
 		return httpGet(url, "", "", "", bearer, nil, t)
 	}
 
@@ -761,10 +773,12 @@ func TestHtmlFormLogin(t *testing.T) {
 	resourceUrl404 := baseURL + "/any-path/that/does/nooooooot/match-any/noauth-pattern"
 
 	performLogin := func(username string, password string) *http.Response {
+		t.Helper()
 		return httpPost(loginUrl, map[string]string{"username": username, "password": password}, nil, t)
 	}
 
 	performResourceRequest := func(url string, cookies []*http.Cookie) *http.Response {
+		t.Helper()
 		return httpGet(url, "", "", "", "", cookies, t)
 	}