Update tests to verify session middleware is actually applied

Changed auth callbacks from 'fn ($request) => true' to session
checks that verify hasSession() and isStarted(). This ensures
tests validate that session middleware is properly applied, not
just that auth callbacks are invoked.

Updated tests:
- authentication works when APP_URL matches request domain
- localhost requests work by default regardless of APP_URL
- 127.0.0.1 requests work by default regardless of APP_URL
- custom stateful domains override APP_URL behavior

Verified test fails (403) when session middleware not applied.

Author: arukompas

tests/Feature/Authorization/ApiAuthenticationTest.php

@@ -49,7 +49,14 @@
 test('authentication works when APP_URL matches request domain', function () {
     config(['app.url' => 'http://example.com']);
 
-    LogViewer::auth(fn ($request) => true);
+    // Auth callback that requires session to be started (proving session middleware was applied)
+    LogViewer::auth(function ($request) {
+        if (! $request->hasSession() || ! $request->session()->isStarted()) {
+            return false;
+        }
+
+        return true;
+    });
 
     $response = getJson('http://example.com/log-viewer/api/folders', [
         'referer' => 'http://example.com/',
@@ -164,7 +171,14 @@
 test('localhost requests work by default regardless of APP_URL', function () {
     config(['app.url' => 'http://production.com']);
 
-    LogViewer::auth(fn ($request) => true);
+    // Auth callback that requires session to be started (proving session middleware was applied)
+    LogViewer::auth(function ($request) {
+        if (! $request->hasSession() || ! $request->session()->isStarted()) {
+            return false;
+        }
+
+        return true;
+    });
 
     // Localhost is in the default stateful domains
     $response = getJson('http://localhost/log-viewer/api/folders', [
@@ -177,7 +191,14 @@
 test('127.0.0.1 requests work by default regardless of APP_URL', function () {
     config(['app.url' => 'http://production.com']);
 
-    LogViewer::auth(fn ($request) => true);
+    // Auth callback that requires session to be started (proving session middleware was applied)
+    LogViewer::auth(function ($request) {
+        if (! $request->hasSession() || ! $request->session()->isStarted()) {
+            return false;
+        }
+
+        return true;
+    });
 
     // 127.0.0.1 is in the default stateful domains
     $response = getJson('http://127.0.0.1/log-viewer/api/folders', [
@@ -193,7 +214,14 @@
         'log-viewer.api_stateful_domains' => ['custom-domain.com'],
     ]);
 
-    LogViewer::auth(fn ($request) => true);
+    // Auth callback that requires session to be started (proving session middleware was applied)
+    LogViewer::auth(function ($request) {
+        if (! $request->hasSession() || ! $request->session()->isStarted()) {
+            return false;
+        }
+
+        return true;
+    });
 
     // Custom domain should work
     $response = getJson('http://custom-domain.com/log-viewer/api/folders', [