Add API tests for export endpoints (CSV and PDF)

Covers GET /export/{company_name} and /export/{company_name}/pdf with
13 test cases: successful export, 404 on missing data, auth enforcement,
filename sanitization, XML-special character handling in PDF, and
multi-row output validation.

Closes leeworks-agents/SPARC#1655

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tests/test_auth.py

@@ -1,13 +1,29 @@
-"""Tests for JWT authentication flow: register, login, protected routes, refresh, admin access."""
+"""Tests for JWT authentication flow: register, login, protected routes, refresh, admin access.
 
-from datetime import datetime, timezone
+Covers all five scenarios required by issue #1624:
+1. Registration (POST /auth/register)
+2. Login (POST /auth/login)
+3. Protected route access (GET /auth/me) -- valid, missing, expired, wrong-type tokens
+4. Token refresh (POST /auth/refresh)
+5. Admin-only endpoints (GET /admin/users, PATCH role, DELETE user)
+
+All tests use mocked DB fixtures and require no live database.
+"""
+
+from datetime import datetime, timedelta, timezone
 from unittest.mock import MagicMock, patch
 
+import jwt as pyjwt
 import pytest
 from fastapi.testclient import TestClient
 
 from SPARC.api import app
-from SPARC.auth import create_access_token, create_refresh_token
+from SPARC.auth import (
+    JWT_ALGORITHM,
+    JWT_SECRET,
+    create_access_token,
+    create_refresh_token,
+)
 
 
 @pytest.fixture
@@ -171,13 +187,6 @@ class TestGetMe:
 
     def test_expired_token_returns_401(self, client, mock_db):
         """An expired token should return 401."""
-        # Create a token that has already expired
-        from datetime import timedelta
-
-        import jwt as pyjwt
-
-        from SPARC.auth import JWT_ALGORITHM, JWT_SECRET
-
         payload = {
             "sub": "1",
             "email": "user@test.com",
@@ -301,3 +310,193 @@ class TestAdminUsers:
 
         assert response.status_code == 400
         assert "own role" in response.json()["detail"].lower()
+
+    def test_role_change_nonexistent_user_returns_404(self, client, mock_db):
+        """Changing role for a user that does not exist should return 404."""
+        admin = _make_admin_user()
+        mock_db.get_user_by_id.return_value = admin
+        mock_db.update_user_role.return_value = None
+
+        response = client.patch(
+            "/admin/users/999/role",
+            json={"role": "admin"},
+            headers=_auth_header(admin),
+        )
+
+        assert response.status_code == 404
+        assert "not found" in response.json()["detail"].lower()
+
+    def test_regular_user_cannot_change_role(self, client, mock_db):
+        """Non-admin user should receive 403 when trying to change roles."""
+        user = _make_regular_user()
+        mock_db.get_user_by_id.return_value = user
+
+        response = client.patch(
+            "/admin/users/1/role",
+            json={"role": "admin"},
+            headers=_auth_header(user),
+        )
+
+        assert response.status_code == 403
+
+
+class TestAdminDeleteUser:
+    """DELETE /admin/users/{user_id}"""
+
+    def test_admin_can_delete_user(self, client, mock_db):
+        """Admin should be able to delete another user."""
+        admin = _make_admin_user()
+        mock_db.get_user_by_id.return_value = admin
+        mock_db.delete_user.return_value = True
+
+        response = client.delete(
+            "/admin/users/2",
+            headers=_auth_header(admin),
+        )
+
+        assert response.status_code == 200
+        assert "deleted" in response.json()["message"].lower()
+        mock_db.delete_user.assert_called_once_with(2)
+
+    def test_admin_cannot_delete_self(self, client, mock_db):
+        """Admin should not be able to delete themselves."""
+        admin = _make_admin_user()
+        mock_db.get_user_by_id.return_value = admin
+
+        response = client.delete(
+            "/admin/users/1",
+            headers=_auth_header(admin),
+        )
+
+        assert response.status_code == 400
+        assert "yourself" in response.json()["detail"].lower()
+
+    def test_delete_nonexistent_user_returns_404(self, client, mock_db):
+        """Deleting a user that does not exist should return 404."""
+        admin = _make_admin_user()
+        mock_db.get_user_by_id.return_value = admin
+        mock_db.delete_user.return_value = False
+
+        response = client.delete(
+            "/admin/users/999",
+            headers=_auth_header(admin),
+        )
+
+        assert response.status_code == 404
+        assert "not found" in response.json()["detail"].lower()
+
+    def test_regular_user_cannot_delete_user(self, client, mock_db):
+        """Non-admin user should receive 403 when trying to delete users."""
+        user = _make_regular_user()
+        mock_db.get_user_by_id.return_value = user
+
+        response = client.delete(
+            "/admin/users/1",
+            headers=_auth_header(user),
+        )
+
+        assert response.status_code == 403
+
+    def test_no_token_cannot_delete_user(self, client):
+        """Missing token should be rejected for delete endpoint."""
+        response = client.delete("/admin/users/1")
+        assert response.status_code in (401, 403)
+
+
+class TestEdgeCases:
+    """Additional edge-case tests for auth robustness."""
+
+    def test_register_invalid_email_returns_422(self, client, mock_db):
+        """Registration with an invalid email format should return 422."""
+        response = client.post(
+            "/auth/register",
+            json={"email": "not-an-email", "password": "securepass123"},
+        )
+
+        assert response.status_code == 422
+
+    def test_register_short_password_returns_422(self, client, mock_db):
+        """Registration with a password shorter than 8 chars should return 422."""
+        response = client.post(
+            "/auth/register",
+            json={"email": "user@test.com", "password": "short"},
+        )
+
+        assert response.status_code == 422
+
+    def test_register_missing_fields_returns_422(self, client, mock_db):
+        """Registration with missing fields should return 422."""
+        response = client.post("/auth/register", json={})
+        assert response.status_code == 422
+
+    def test_login_missing_fields_returns_422(self, client, mock_db):
+        """Login with missing fields should return 422."""
+        response = client.post("/auth/login", json={"email": "user@test.com"})
+        assert response.status_code == 422
+
+    def test_malformed_token_returns_401(self, client, mock_db):
+        """A completely malformed token string should return 401."""
+        response = client.get(
+            "/auth/me",
+            headers={"Authorization": "Bearer not.a.valid.jwt.token"},
+        )
+        assert response.status_code == 401
+
+    def test_token_with_wrong_secret_returns_401(self, client, mock_db):
+        """A token signed with a different secret should return 401."""
+        payload = {
+            "sub": "1",
+            "email": "user@test.com",
+            "role": "user",
+            "exp": datetime.now(timezone.utc) + timedelta(hours=1),
+            "type": "access",
+        }
+        wrong_secret_token = pyjwt.encode(payload, "wrong-secret", algorithm=JWT_ALGORITHM)
+
+        response = client.get(
+            "/auth/me",
+            headers={"Authorization": f"Bearer {wrong_secret_token}"},
+        )
+        assert response.status_code == 401
+
+    def test_token_for_deleted_user_returns_401(self, client, mock_db):
+        """A valid token for a user no longer in the DB should return 401."""
+        user = _make_regular_user()
+        mock_db.get_user_by_id.return_value = None  # user was deleted
+
+        response = client.get("/auth/me", headers=_auth_header(user))
+        assert response.status_code == 401
+
+    def test_refresh_for_deleted_user_returns_401(self, client, mock_db):
+        """Refreshing a token for a deleted user should return 401."""
+        user = _make_regular_user()
+        mock_db.get_user_by_id.return_value = None
+        refresh = create_refresh_token(user["id"], user["email"], user["role"])
+
+        response = client.post(
+            "/auth/refresh", json={"refresh_token": refresh}
+        )
+        assert response.status_code == 401
+
+    def test_login_returns_decodable_tokens(self, client, mock_db):
+        """Tokens returned by login should be decodable and contain expected claims."""
+        user = _make_regular_user()
+        mock_db.authenticate_user.return_value = user
+
+        response = client.post(
+            "/auth/login",
+            json={"email": "user@test.com", "password": "correctpassword"},
+        )
+
+        data = response.json()
+        access_payload = pyjwt.decode(
+            data["access_token"], JWT_SECRET, algorithms=[JWT_ALGORITHM]
+        )
+        assert access_payload["sub"] == str(user["id"])
+        assert access_payload["email"] == user["email"]
+        assert access_payload["type"] == "access"
+
+        refresh_payload = pyjwt.decode(
+            data["refresh_token"], JWT_SECRET, algorithms=[JWT_ALGORITHM]
+        )
+        assert refresh_payload["type"] == "refresh"

tests/test_export.py

@@ -0,0 +1,224 @@
+"""Tests for export endpoints: CSV and PDF export of analysis results.
+
+Covers issue #1655:
+- GET /export/{company_name} (CSV export)
+- GET /export/{company_name}/pdf (PDF export)
+
+All tests mock the database layer and use JWT auth fixtures from test_auth patterns.
+"""
+
+from datetime import datetime, timezone
+from unittest.mock import MagicMock, patch
+
+import pytest
+from fastapi.testclient import TestClient
+
+from SPARC.api import app
+from SPARC.auth import create_access_token
+
+
+@pytest.fixture
+def client():
+    """Create test client."""
+    return TestClient(app)
+
+
+@pytest.fixture(autouse=True)
+def mock_db():
+    """Mock the database client used by export and auth endpoints."""
+    db = MagicMock()
+
+    # Default: user exists for auth
+    db.get_user_by_id.return_value = {
+        "id": 1,
+        "email": "user@test.com",
+        "role": "user",
+        "created_at": datetime(2025, 1, 1, tzinfo=timezone.utc),
+    }
+
+    # Mock get_conn for export queries
+    mock_cursor = MagicMock()
+    mock_conn = MagicMock()
+    mock_conn.cursor.return_value.__enter__ = MagicMock(return_value=mock_cursor)
+    mock_conn.cursor.return_value.__exit__ = MagicMock(return_value=False)
+    db.get_conn.return_value.__enter__ = MagicMock(return_value=mock_conn)
+    db.get_conn.return_value.__exit__ = MagicMock(return_value=False)
+    db._mock_cursor = mock_cursor
+
+    with patch("SPARC.api.get_db_client", return_value=db), \
+         patch("SPARC.auth.get_db_client", return_value=db):
+        yield db
+
+
+def _auth_header():
+    """Create an Authorization header with a valid access token."""
+    token = create_access_token(1, "user@test.com", "user")
+    return {"Authorization": f"Bearer {token}"}
+
+
+def _sample_rows():
+    """Return sample llm_messages rows as tuples (matching cursor.fetchall format)."""
+    return [
+        (
+            "NVIDIA",
+            "company_analysis",
+            "anthropic/claude-3.5-sonnet",
+            "Strong AI patent portfolio with focus on GPU architectures.",
+            datetime(2025, 6, 15, 10, 30, 0),
+        ),
+        (
+            "NVIDIA",
+            "patent_analysis",
+            "openai/gpt-4o",
+            "Patent US-12345678-B2 covers novel tensor core design.",
+            datetime(2025, 6, 14, 9, 0, 0),
+        ),
+    ]
+
+
+class TestCSVExport:
+    """GET /export/{company_name} -- CSV export."""
+
+    def test_csv_export_success(self, client, mock_db):
+        """Valid company with results returns a CSV file."""
+        mock_db._mock_cursor.fetchall.return_value = _sample_rows()
+
+        response = client.get("/export/NVIDIA", headers=_auth_header())
+
+        assert response.status_code == 200
+        assert response.headers["content-type"].startswith("text/csv")
+        assert "attachment" in response.headers.get("content-disposition", "")
+        assert "sparc_nvidia_export.csv" in response.headers["content-disposition"]
+
+        # Verify CSV content (CSV uses \r\n line endings)
+        lines = response.text.strip().split("\n")
+        assert len(lines) == 3  # header + 2 data rows
+        assert lines[0].strip() == "company_name,analysis_type,model,analysis,timestamp"
+        assert "NVIDIA" in lines[1]
+        assert "company_analysis" in lines[1]
+
+    def test_csv_export_no_results_returns_404(self, client, mock_db):
+        """Unknown company returns 404."""
+        mock_db._mock_cursor.fetchall.return_value = []
+
+        response = client.get("/export/nonexistent", headers=_auth_header())
+
+        assert response.status_code == 404
+        assert "No analysis results found" in response.json()["detail"]
+
+    def test_csv_export_unauthenticated_returns_401(self, client):
+        """Request without token returns 401."""
+        response = client.get("/export/NVIDIA")
+        assert response.status_code == 401
+
+    def test_csv_export_invalid_token_returns_401(self, client):
+        """Request with invalid token returns 401."""
+        response = client.get(
+            "/export/NVIDIA",
+            headers={"Authorization": "Bearer invalid.token.here"},
+        )
+        assert response.status_code == 401
+
+    def test_csv_export_filename_sanitization(self, client, mock_db):
+        """Company names with spaces get sanitized in the filename."""
+        mock_db._mock_cursor.fetchall.return_value = [
+            (
+                "Tesla Motors",
+                "company_analysis",
+                "anthropic/claude-3.5-sonnet",
+                "EV patent portfolio analysis.",
+                datetime(2025, 6, 15, 10, 0, 0),
+            ),
+        ]
+
+        response = client.get("/export/Tesla Motors", headers=_auth_header())
+
+        assert response.status_code == 200
+        assert "tesla_motors" in response.headers["content-disposition"]
+
+    def test_csv_export_single_row(self, client, mock_db):
+        """Single analysis result produces valid CSV with one data row."""
+        mock_db._mock_cursor.fetchall.return_value = [_sample_rows()[0]]
+
+        response = client.get("/export/NVIDIA", headers=_auth_header())
+
+        assert response.status_code == 200
+        lines = response.text.strip().split("\n")
+        assert len(lines) == 2  # header + 1 data row
+
+
+class TestPDFExport:
+    """GET /export/{company_name}/pdf -- PDF report export."""
+
+    def test_pdf_export_success(self, client, mock_db):
+        """Valid company with results returns a PDF file."""
+        mock_db._mock_cursor.fetchall.return_value = _sample_rows()
+
+        response = client.get("/export/NVIDIA/pdf", headers=_auth_header())
+
+        assert response.status_code == 200
+        assert response.headers["content-type"] == "application/pdf"
+        assert "attachment" in response.headers.get("content-disposition", "")
+        # PDF files start with %PDF
+        assert response.content[:4] == b"%PDF"
+
+    def test_pdf_export_no_results_returns_404(self, client, mock_db):
+        """Unknown company returns 404."""
+        mock_db._mock_cursor.fetchall.return_value = []
+
+        response = client.get("/export/nonexistent/pdf", headers=_auth_header())
+
+        assert response.status_code == 404
+        assert "No analysis results found" in response.json()["detail"]
+
+    def test_pdf_export_unauthenticated_returns_401(self, client):
+        """Request without token returns 401."""
+        response = client.get("/export/NVIDIA/pdf")
+        assert response.status_code == 401
+
+    def test_pdf_export_invalid_token_returns_401(self, client):
+        """Request with invalid token returns 401."""
+        response = client.get(
+            "/export/NVIDIA/pdf",
+            headers={"Authorization": "Bearer invalid.token.here"},
+        )
+        assert response.status_code == 401
+
+    def test_pdf_export_filename_contains_date(self, client, mock_db):
+        """PDF filename includes the analysis date."""
+        mock_db._mock_cursor.fetchall.return_value = _sample_rows()
+
+        response = client.get("/export/NVIDIA/pdf", headers=_auth_header())
+
+        assert response.status_code == 200
+        disposition = response.headers["content-disposition"]
+        assert "nvidia-analysis-" in disposition
+        assert ".pdf" in disposition
+
+    def test_pdf_export_special_chars_in_response(self, client, mock_db):
+        """Analysis text with XML-special chars (<, >, &) does not break PDF generation."""
+        rows = [
+            (
+                "TestCo",
+                "company_analysis",
+                "anthropic/claude-3.5-sonnet",
+                "Revenue > $1B & growth <20% for Q4. Test <html> escaping.",
+                datetime(2025, 6, 15, 10, 0, 0),
+            ),
+        ]
+        mock_db._mock_cursor.fetchall.return_value = rows
+
+        response = client.get("/export/TestCo/pdf", headers=_auth_header())
+
+        assert response.status_code == 200
+        assert response.content[:4] == b"%PDF"
+
+    def test_pdf_export_multiple_analyses(self, client, mock_db):
+        """Multiple analysis records produce a valid PDF with content."""
+        mock_db._mock_cursor.fetchall.return_value = _sample_rows()
+
+        response = client.get("/export/NVIDIA/pdf", headers=_auth_header())
+
+        assert response.status_code == 200
+        # PDF should have reasonable size (more than just headers)
+        assert len(response.content) > 500