feat: do not allow user_id_only login for admins (#2904)

tests/api/test_admin_api.py

@@ -1,6 +1,6 @@
 import pytest
+from httpx import AsyncClient
 
-from lnbits.core.models import User
 from lnbits.settings import Settings
 
 
@@ -11,19 +11,25 @@ async def test_admin_get_settings_permission_denied(client, from_user):
 
 
 @pytest.mark.anyio
-async def test_admin_get_settings(client, superuser):
-    response = await client.get(f"/admin/api/v1/settings?usr={superuser.id}")
+async def test_admin_get_settings(client: AsyncClient, superuser_token: str):
+    response = await client.get(
+        "/admin/api/v1/settings",
+        headers={"Authorization": f"Bearer {superuser_token}"},
+    )
     assert response.status_code == 200
     result = response.json()
     assert "super_user" not in result
 
 
 @pytest.mark.anyio
-async def test_admin_update_settings(client, superuser: User, settings: Settings):
+async def test_admin_update_settings(
+    client: AsyncClient, superuser_token: str, settings: Settings
+):
     new_site_title = "UPDATED SITETITLE"
     response = await client.put(
-        f"/admin/api/v1/settings?usr={superuser.id}",
+        "/admin/api/v1/settings",
         json={"lnbits_site_title": new_site_title},
+        headers={"Authorization": f"Bearer {superuser_token}"},
     )
     assert response.status_code == 200
     result = response.json()
@@ -33,9 +39,13 @@ async def test_admin_update_settings(client, superuser: User, settings: Settings
 
 
 @pytest.mark.anyio
-async def test_admin_update_noneditable_settings(client, superuser):
+async def test_admin_update_noneditable_settings(
+    client: AsyncClient,
+    superuser_token: str,
+):
     response = await client.put(
-        f"/admin/api/v1/settings?usr={superuser.id}",
+        "/admin/api/v1/settings",
         json={"super_user": "UPDATED"},
+        headers={"Authorization": f"Bearer {superuser_token}"},
     )
     assert response.status_code == 400