Add webhook integration tests covering retry logic and Slack/Discord payloads

22 test cases covering:
- Slack/Discord URL detection
- Generic vs Slack payload formatting
- Exponential backoff retry logic with network/timeout error handling
- Multi-URL dispatch with format auto-detection
- notify_job_completed() and notify_alert() helpers

Closes leeworks-agents/SPARC#1657

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tests/test_auth.py

@@ -1,13 +1,29 @@
-"""Tests for JWT authentication flow: register, login, protected routes, refresh, admin access."""
+"""Tests for JWT authentication flow: register, login, protected routes, refresh, admin access.
 
-from datetime import datetime, timezone
+Covers all five scenarios required by issue #1624:
+1. Registration (POST /auth/register)
+2. Login (POST /auth/login)
+3. Protected route access (GET /auth/me) -- valid, missing, expired, wrong-type tokens
+4. Token refresh (POST /auth/refresh)
+5. Admin-only endpoints (GET /admin/users, PATCH role, DELETE user)
+
+All tests use mocked DB fixtures and require no live database.
+"""
+
+from datetime import datetime, timedelta, timezone
 from unittest.mock import MagicMock, patch
 
+import jwt as pyjwt
 import pytest
 from fastapi.testclient import TestClient
 
 from SPARC.api import app
-from SPARC.auth import create_access_token, create_refresh_token
+from SPARC.auth import (
+    JWT_ALGORITHM,
+    JWT_SECRET,
+    create_access_token,
+    create_refresh_token,
+)
 
 
 @pytest.fixture
@@ -171,13 +187,6 @@ class TestGetMe:
 
     def test_expired_token_returns_401(self, client, mock_db):
         """An expired token should return 401."""
-        # Create a token that has already expired
-        from datetime import timedelta
-
-        import jwt as pyjwt
-
-        from SPARC.auth import JWT_ALGORITHM, JWT_SECRET
-
         payload = {
             "sub": "1",
             "email": "user@test.com",
@@ -301,3 +310,193 @@ class TestAdminUsers:
 
         assert response.status_code == 400
         assert "own role" in response.json()["detail"].lower()
+
+    def test_role_change_nonexistent_user_returns_404(self, client, mock_db):
+        """Changing role for a user that does not exist should return 404."""
+        admin = _make_admin_user()
+        mock_db.get_user_by_id.return_value = admin
+        mock_db.update_user_role.return_value = None
+
+        response = client.patch(
+            "/admin/users/999/role",
+            json={"role": "admin"},
+            headers=_auth_header(admin),
+        )
+
+        assert response.status_code == 404
+        assert "not found" in response.json()["detail"].lower()
+
+    def test_regular_user_cannot_change_role(self, client, mock_db):
+        """Non-admin user should receive 403 when trying to change roles."""
+        user = _make_regular_user()
+        mock_db.get_user_by_id.return_value = user
+
+        response = client.patch(
+            "/admin/users/1/role",
+            json={"role": "admin"},
+            headers=_auth_header(user),
+        )
+
+        assert response.status_code == 403
+
+
+class TestAdminDeleteUser:
+    """DELETE /admin/users/{user_id}"""
+
+    def test_admin_can_delete_user(self, client, mock_db):
+        """Admin should be able to delete another user."""
+        admin = _make_admin_user()
+        mock_db.get_user_by_id.return_value = admin
+        mock_db.delete_user.return_value = True
+
+        response = client.delete(
+            "/admin/users/2",
+            headers=_auth_header(admin),
+        )
+
+        assert response.status_code == 200
+        assert "deleted" in response.json()["message"].lower()
+        mock_db.delete_user.assert_called_once_with(2)
+
+    def test_admin_cannot_delete_self(self, client, mock_db):
+        """Admin should not be able to delete themselves."""
+        admin = _make_admin_user()
+        mock_db.get_user_by_id.return_value = admin
+
+        response = client.delete(
+            "/admin/users/1",
+            headers=_auth_header(admin),
+        )
+
+        assert response.status_code == 400
+        assert "yourself" in response.json()["detail"].lower()
+
+    def test_delete_nonexistent_user_returns_404(self, client, mock_db):
+        """Deleting a user that does not exist should return 404."""
+        admin = _make_admin_user()
+        mock_db.get_user_by_id.return_value = admin
+        mock_db.delete_user.return_value = False
+
+        response = client.delete(
+            "/admin/users/999",
+            headers=_auth_header(admin),
+        )
+
+        assert response.status_code == 404
+        assert "not found" in response.json()["detail"].lower()
+
+    def test_regular_user_cannot_delete_user(self, client, mock_db):
+        """Non-admin user should receive 403 when trying to delete users."""
+        user = _make_regular_user()
+        mock_db.get_user_by_id.return_value = user
+
+        response = client.delete(
+            "/admin/users/1",
+            headers=_auth_header(user),
+        )
+
+        assert response.status_code == 403
+
+    def test_no_token_cannot_delete_user(self, client):
+        """Missing token should be rejected for delete endpoint."""
+        response = client.delete("/admin/users/1")
+        assert response.status_code in (401, 403)
+
+
+class TestEdgeCases:
+    """Additional edge-case tests for auth robustness."""
+
+    def test_register_invalid_email_returns_422(self, client, mock_db):
+        """Registration with an invalid email format should return 422."""
+        response = client.post(
+            "/auth/register",
+            json={"email": "not-an-email", "password": "securepass123"},
+        )
+
+        assert response.status_code == 422
+
+    def test_register_short_password_returns_422(self, client, mock_db):
+        """Registration with a password shorter than 8 chars should return 422."""
+        response = client.post(
+            "/auth/register",
+            json={"email": "user@test.com", "password": "short"},
+        )
+
+        assert response.status_code == 422
+
+    def test_register_missing_fields_returns_422(self, client, mock_db):
+        """Registration with missing fields should return 422."""
+        response = client.post("/auth/register", json={})
+        assert response.status_code == 422
+
+    def test_login_missing_fields_returns_422(self, client, mock_db):
+        """Login with missing fields should return 422."""
+        response = client.post("/auth/login", json={"email": "user@test.com"})
+        assert response.status_code == 422
+
+    def test_malformed_token_returns_401(self, client, mock_db):
+        """A completely malformed token string should return 401."""
+        response = client.get(
+            "/auth/me",
+            headers={"Authorization": "Bearer not.a.valid.jwt.token"},
+        )
+        assert response.status_code == 401
+
+    def test_token_with_wrong_secret_returns_401(self, client, mock_db):
+        """A token signed with a different secret should return 401."""
+        payload = {
+            "sub": "1",
+            "email": "user@test.com",
+            "role": "user",
+            "exp": datetime.now(timezone.utc) + timedelta(hours=1),
+            "type": "access",
+        }
+        wrong_secret_token = pyjwt.encode(payload, "wrong-secret", algorithm=JWT_ALGORITHM)
+
+        response = client.get(
+            "/auth/me",
+            headers={"Authorization": f"Bearer {wrong_secret_token}"},
+        )
+        assert response.status_code == 401
+
+    def test_token_for_deleted_user_returns_401(self, client, mock_db):
+        """A valid token for a user no longer in the DB should return 401."""
+        user = _make_regular_user()
+        mock_db.get_user_by_id.return_value = None  # user was deleted
+
+        response = client.get("/auth/me", headers=_auth_header(user))
+        assert response.status_code == 401
+
+    def test_refresh_for_deleted_user_returns_401(self, client, mock_db):
+        """Refreshing a token for a deleted user should return 401."""
+        user = _make_regular_user()
+        mock_db.get_user_by_id.return_value = None
+        refresh = create_refresh_token(user["id"], user["email"], user["role"])
+
+        response = client.post(
+            "/auth/refresh", json={"refresh_token": refresh}
+        )
+        assert response.status_code == 401
+
+    def test_login_returns_decodable_tokens(self, client, mock_db):
+        """Tokens returned by login should be decodable and contain expected claims."""
+        user = _make_regular_user()
+        mock_db.authenticate_user.return_value = user
+
+        response = client.post(
+            "/auth/login",
+            json={"email": "user@test.com", "password": "correctpassword"},
+        )
+
+        data = response.json()
+        access_payload = pyjwt.decode(
+            data["access_token"], JWT_SECRET, algorithms=[JWT_ALGORITHM]
+        )
+        assert access_payload["sub"] == str(user["id"])
+        assert access_payload["email"] == user["email"]
+        assert access_payload["type"] == "access"
+
+        refresh_payload = pyjwt.decode(
+            data["refresh_token"], JWT_SECRET, algorithms=[JWT_ALGORITHM]
+        )
+        assert refresh_payload["type"] == "refresh"

tests/test_webhooks.py

@@ -0,0 +1,280 @@
+"""Tests for webhook notification system: retry logic and Slack/Discord payload format.
+
+Covers issue #1657:
+- Retry logic with exponential backoff in _send_with_retry
+- Slack/Discord payload formatting in _build_payload
+- Generic HTTP POST payload formatting
+- notify() dispatching to multiple URLs
+- notify_job_completed() and notify_alert() convenience helpers
+"""
+
+from datetime import datetime
+from unittest.mock import MagicMock, patch, call
+
+import pytest
+import requests
+
+from SPARC.webhooks import (
+    MAX_RETRIES,
+    _build_payload,
+    _is_slack_url,
+    _send_with_retry,
+    notify,
+    notify_alert,
+    notify_job_completed,
+)
+
+
+class TestIsSlackUrl:
+    """Tests for Slack/Discord URL detection."""
+
+    def test_slack_webhook_url(self):
+        assert _is_slack_url("https://hooks.slack.com/services/T00/B00/xxx") is True
+
+    def test_discord_webhook_url(self):
+        assert _is_slack_url("https://discord.com/api/webhooks/123/abc") is True
+
+    def test_generic_url(self):
+        assert _is_slack_url("https://example.com/webhook") is False
+
+    def test_empty_url(self):
+        assert _is_slack_url("") is False
+
+
+class TestBuildPayload:
+    """Tests for payload construction."""
+
+    def test_generic_payload_structure(self):
+        """Generic payload includes event type, timestamp, and data."""
+        payload = _build_payload("job_completed", {"job_id": "abc123"})
+
+        assert payload["event"] == "job_completed"
+        assert payload["job_id"] == "abc123"
+        assert "timestamp" in payload
+        # Timestamp should be ISO format ending with Z
+        assert payload["timestamp"].endswith("Z")
+
+    def test_slack_payload_wraps_in_text(self):
+        """Slack payload wraps content in a 'text' field."""
+        payload = _build_payload("patent_alert", {"company_name": "NVIDIA"}, slack=True)
+
+        assert "text" in payload
+        assert "patent_alert" in payload["text"]
+        assert "NVIDIA" in payload["text"]
+        # Slack payload should NOT have the event/timestamp at top level
+        assert "event" not in payload
+        assert "timestamp" not in payload
+
+    def test_generic_payload_does_not_have_text_field(self):
+        """Non-Slack payload does not wrap in text."""
+        payload = _build_payload("job_completed", {"status": "done"})
+
+        assert "text" not in payload
+        assert payload["status"] == "done"
+
+    def test_slack_payload_contains_bold_header(self):
+        """Slack payload starts with bold event header using Slack markdown."""
+        payload = _build_payload("job_completed", {"count": 5}, slack=True)
+
+        assert payload["text"].startswith("*[SPARC] job_completed*")
+
+    def test_payload_merges_all_data_keys(self):
+        """All data keys are included in the generic payload."""
+        data = {"key1": "val1", "key2": 42, "key3": True}
+        payload = _build_payload("test_event", data)
+
+        assert payload["key1"] == "val1"
+        assert payload["key2"] == 42
+        assert payload["key3"] is True
+
+
+class TestSendWithRetry:
+    """Tests for retry logic in _send_with_retry."""
+
+    @patch("SPARC.webhooks.time.sleep")
+    @patch("SPARC.webhooks.requests.post")
+    def test_success_on_first_attempt(self, mock_post, mock_sleep):
+        """Successful delivery on first attempt, no retries."""
+        mock_post.return_value = MagicMock(status_code=200)
+
+        result = _send_with_retry("https://example.com/hook", {"event": "test"})
+
+        assert result is True
+        mock_post.assert_called_once()
+        mock_sleep.assert_not_called()
+
+    @patch("SPARC.webhooks.time.sleep")
+    @patch("SPARC.webhooks.requests.post")
+    def test_success_on_second_attempt(self, mock_post, mock_sleep):
+        """Fails first, succeeds on retry."""
+        mock_post.side_effect = [
+            MagicMock(status_code=500),
+            MagicMock(status_code=200),
+        ]
+
+        result = _send_with_retry("https://example.com/hook", {"event": "test"})
+
+        assert result is True
+        assert mock_post.call_count == 2
+        mock_sleep.assert_called_once()
+
+    @patch("SPARC.webhooks.time.sleep")
+    @patch("SPARC.webhooks.requests.post")
+    def test_all_retries_exhausted(self, mock_post, mock_sleep):
+        """Returns False after all retries fail."""
+        mock_post.return_value = MagicMock(status_code=500)
+
+        result = _send_with_retry("https://example.com/hook", {"event": "test"})
+
+        assert result is False
+        assert mock_post.call_count == MAX_RETRIES
+        assert mock_sleep.call_count == MAX_RETRIES - 1
+
+    @patch("SPARC.webhooks.time.sleep")
+    @patch("SPARC.webhooks.requests.post")
+    def test_exponential_backoff_timing(self, mock_post, mock_sleep):
+        """Backoff wait times follow exponential pattern (2^attempt)."""
+        mock_post.return_value = MagicMock(status_code=500)
+
+        _send_with_retry("https://example.com/hook", {"event": "test"})
+
+        # With BACKOFF_BASE=2: attempt 1 -> sleep(2), attempt 2 -> sleep(4)
+        expected_waits = [call(2 ** i) for i in range(1, MAX_RETRIES)]
+        assert mock_sleep.call_args_list == expected_waits
+
+    @patch("SPARC.webhooks.time.sleep")
+    @patch("SPARC.webhooks.requests.post")
+    def test_network_error_triggers_retry(self, mock_post, mock_sleep):
+        """Network exceptions trigger retry, not immediate failure."""
+        mock_post.side_effect = [
+            requests.ConnectionError("Connection refused"),
+            MagicMock(status_code=200),
+        ]
+
+        result = _send_with_retry("https://example.com/hook", {"event": "test"})
+
+        assert result is True
+        assert mock_post.call_count == 2
+
+    @patch("SPARC.webhooks.time.sleep")
+    @patch("SPARC.webhooks.requests.post")
+    def test_timeout_error_triggers_retry(self, mock_post, mock_sleep):
+        """Timeout exceptions trigger retry."""
+        mock_post.side_effect = [
+            requests.Timeout("Request timed out"),
+            MagicMock(status_code=200),
+        ]
+
+        result = _send_with_retry("https://example.com/hook", {"event": "test"})
+
+        assert result is True
+        assert mock_post.call_count == 2
+
+    @patch("SPARC.webhooks.time.sleep")
+    @patch("SPARC.webhooks.requests.post")
+    def test_2xx_status_codes_accepted(self, mock_post, mock_sleep):
+        """Any 2xx status code is treated as success."""
+        mock_post.return_value = MagicMock(status_code=204)
+
+        result = _send_with_retry("https://example.com/hook", {"event": "test"})
+
+        assert result is True
+        mock_post.assert_called_once()
+
+    @patch("SPARC.webhooks.time.sleep")
+    @patch("SPARC.webhooks.requests.post")
+    def test_posts_json_payload(self, mock_post, mock_sleep):
+        """Payload is sent as JSON with correct timeout."""
+        mock_post.return_value = MagicMock(status_code=200)
+        payload = {"event": "test", "data": "value"}
+
+        _send_with_retry("https://example.com/hook", payload)
+
+        mock_post.assert_called_once_with(
+            "https://example.com/hook", json=payload, timeout=10
+        )
+
+
+class TestNotify:
+    """Tests for the notify() dispatcher."""
+
+    @patch("SPARC.webhooks._send_with_retry")
+    @patch("SPARC.webhooks.WEBHOOK_URLS", ["https://example.com/hook1", "https://example.com/hook2"])
+    def test_dispatches_to_all_urls(self, mock_send):
+        """notify() sends to every configured webhook URL."""
+        mock_send.return_value = True
+
+        notify("job_completed", {"job_id": "test123"})
+
+        assert mock_send.call_count == 2
+
+    @patch("SPARC.webhooks._send_with_retry")
+    @patch("SPARC.webhooks.WEBHOOK_URLS", [])
+    def test_no_urls_configured_returns_immediately(self, mock_send):
+        """No-op when no webhook URLs are configured."""
+        notify("job_completed", {"job_id": "test123"})
+
+        mock_send.assert_not_called()
+
+    @patch("SPARC.webhooks._send_with_retry")
+    @patch("SPARC.webhooks.WEBHOOK_URLS", [
+        "https://hooks.slack.com/services/T00/B00/xxx",
+        "https://example.com/generic",
+    ])
+    def test_slack_url_gets_slack_payload(self, mock_send):
+        """Slack URLs receive Slack-formatted payloads, others get generic."""
+        mock_send.return_value = True
+
+        notify("test_event", {"key": "val"})
+
+        # First call (Slack URL) should have "text" key
+        slack_payload = mock_send.call_args_list[0][0][1]
+        assert "text" in slack_payload
+
+        # Second call (generic URL) should have "event" key
+        generic_payload = mock_send.call_args_list[1][0][1]
+        assert "event" in generic_payload
+        assert generic_payload["event"] == "test_event"
+
+
+class TestNotifyJobCompleted:
+    """Tests for notify_job_completed() convenience function."""
+
+    @patch("SPARC.webhooks.notify")
+    def test_sends_correct_event_and_data(self, mock_notify):
+        """Job completion sends proper event type and summary."""
+        notify_job_completed(
+            job_id="batch-001",
+            status="completed",
+            total_companies=10,
+            successful=8,
+            failed=2,
+        )
+
+        mock_notify.assert_called_once()
+        event, data = mock_notify.call_args[0]
+        assert event == "job_completed"
+        assert data["job_id"] == "batch-001"
+        assert data["successful"] == 8
+        assert data["failed"] == 2
+        assert "8/10" in data["summary"]
+
+
+class TestNotifyAlert:
+    """Tests for notify_alert() convenience function."""
+
+    @patch("SPARC.webhooks.notify")
+    def test_sends_correct_event_and_data(self, mock_notify):
+        """Alert notification sends patent_alert event type."""
+        notify_alert(
+            company_name="NVIDIA",
+            alert_type="patent_count_change",
+            message="Patent count increased by 30%",
+        )
+
+        mock_notify.assert_called_once()
+        event, data = mock_notify.call_args[0]
+        assert event == "patent_alert"
+        assert data["company_name"] == "NVIDIA"
+        assert data["alert_type"] == "patent_count_change"
+        assert "30%" in data["message"]