flipper 0.16.0 → 1.4.0

data/spec/flipper/cloud/dsl_spec.rb

@@ -0,0 +1,90 @@
+require 'flipper/cloud/configuration'
+require 'flipper/cloud/dsl'
+require 'flipper/adapters/operation_logger'
+require 'flipper/adapters/instrumented'
+
+RSpec.describe Flipper::Cloud::DSL do
+  it 'delegates everything to flipper instance' do
+    # stub the initial sync of http to local
+    stub_request(:get, /flippercloud\.io/).to_return(status: 200, body: "{}")
+
+    cloud_configuration = Flipper::Cloud::Configuration.new({
+      token: "asdf",
+      sync_secret: "tasty",
+    })
+    dsl = described_class.new(cloud_configuration)
+    expect(dsl.features).to eq(Set.new)
+    expect(dsl.enabled?(:foo)).to be(false)
+  end
+
+  it 'delegates sync to cloud configuration' do
+    stub = stub_request(:get, "https://www.flippercloud.io/adapter/features?exclude_gate_names=true").
+      with({
+        headers: {
+          'flipper-cloud-token'=>'asdf',
+        },
+      }).to_return(status: 200, body: '{"features": {}}', headers: {})
+    cloud_configuration = Flipper::Cloud::Configuration.new({
+      token: "asdf",
+      sync_secret: "tasty",
+    })
+    dsl = described_class.new(cloud_configuration)
+    dsl.sync
+    expect(stub).to have_been_requested.at_least_once
+  end
+
+  it 'delegates sync_secret to cloud configuration' do
+    # stub the initial sync of http to local
+    stub_request(:get, /flippercloud\.io/).to_return(status: 200, body: "{}")
+
+    cloud_configuration = Flipper::Cloud::Configuration.new({
+      token: "asdf",
+      sync_secret: "tasty",
+    })
+    dsl = described_class.new(cloud_configuration)
+    expect(dsl.sync_secret).to eq("tasty")
+  end
+
+  context "when sync_method is webhook" do
+    let(:local_adapter) do
+      Flipper::Adapters::OperationLogger.new Flipper::Adapters::Memory.new
+    end
+
+    let(:cloud_configuration) do
+      Flipper::Cloud::Configuration.new({
+        token: "asdf",
+        sync_secret: "tasty",
+        local_adapter: local_adapter
+      })
+    end
+
+    subject do
+      # stub the initial sync of http to local
+      stub_request(:get, /flippercloud\.io/).to_return(status: 200, body: "{}")
+      described_class.new(cloud_configuration)
+    end
+
+    it "sends reads to local adapter" do
+      subject.features
+      subject.enabled?(:foo)
+      expect(local_adapter.count(:features)).to be(2)
+      expect(local_adapter.count(:get)).to be(1)
+    end
+
+    it "sends writes to cloud and local" do
+      add_stub = stub_request(:post, "https://www.flippercloud.io/adapter/features").
+        with({headers: {'flipper-cloud-token'=>'asdf'}}).
+        to_return(status: 200, body: '{}')
+      enable_stub = stub_request(:post, "https://www.flippercloud.io/adapter/features/foo/boolean").
+        with(headers: {'flipper-cloud-token'=>'asdf'}).
+        to_return(status: 200, body: '{}')
+
+      subject.enable(:foo)
+
+      expect(local_adapter.count(:add)).to be(1)
+      expect(local_adapter.count(:enable)).to be(1)
+      expect(add_stub).to have_been_requested
+      expect(enable_stub).to have_been_requested
+    end
+  end
+end

data/spec/flipper/cloud/message_verifier_spec.rb

@@ -0,0 +1,104 @@
+require 'flipper/cloud/message_verifier'
+
+RSpec.describe Flipper::Cloud::MessageVerifier do
+  let(:payload) { "some payload" }
+  let(:secret) { "secret" }
+  let(:timestamp) { Time.now }
+
+  describe "#generate" do
+    it "generates signature that can be verified" do
+      message_verifier = Flipper::Cloud::MessageVerifier.new(secret: secret)
+      signature = message_verifier.generate(payload, timestamp)
+      header = generate_header(timestamp: timestamp, signature: signature)
+      expect(message_verifier.verify(payload, header)).to be(true)
+    end
+  end
+
+  describe "#header" do
+    it "generates a header in valid format" do
+      version = "v1"
+      message_verifier = Flipper::Cloud::MessageVerifier.new(secret: secret, version: version)
+      signature = message_verifier.generate(payload, timestamp)
+      header = message_verifier.header(signature, timestamp)
+      expect(header).to eq("t=#{timestamp.to_i},#{version}=#{signature}")
+    end
+  end
+
+  describe ".header" do
+    it "generates a header in valid format" do
+      version = "v1"
+      message_verifier = Flipper::Cloud::MessageVerifier.new(secret: secret, version: version)
+      signature = message_verifier.generate(payload, timestamp)
+
+      header = Flipper::Cloud::MessageVerifier.header(signature, timestamp, version)
+      expect(header).to eq("t=#{timestamp.to_i},#{version}=#{signature}")
+    end
+  end
+
+  describe "#verify" do
+    it "raises a InvalidSignature when the header does not have the expected format" do
+      header = "i'm not even a real signature header"
+      expect {
+        message_verifier = Flipper::Cloud::MessageVerifier.new(secret: "secret")
+        message_verifier.verify(payload, header)
+      }.to raise_error(Flipper::Cloud::MessageVerifier::InvalidSignature, "Unable to extract timestamp and signatures from header")
+    end
+
+    it "raises a InvalidSignature when there are no signatures with the expected version" do
+      header = generate_header(version: "v0")
+      expect {
+        message_verifier = Flipper::Cloud::MessageVerifier.new(secret: "secret")
+        message_verifier.verify(payload, header)
+      }.to raise_error(Flipper::Cloud::MessageVerifier::InvalidSignature, /No signatures found with expected version/)
+    end
+
+    it "raises a InvalidSignature when there are no valid signatures for the payload" do
+      header = generate_header(signature: "bad_signature")
+      expect {
+        message_verifier = Flipper::Cloud::MessageVerifier.new(secret: "secret")
+        message_verifier.verify(payload, header)
+      }.to raise_error(Flipper::Cloud::MessageVerifier::InvalidSignature, "No signatures found matching the expected signature for payload")
+    end
+
+    it "raises a InvalidSignature when the timestamp is not within the tolerance" do
+      header = generate_header(timestamp: Time.now - 15)
+      expect {
+        message_verifier = Flipper::Cloud::MessageVerifier.new(secret: secret)
+        message_verifier.verify(payload, header, tolerance: 10)
+      }.to raise_error(Flipper::Cloud::MessageVerifier::InvalidSignature, /Timestamp outside the tolerance zone/)
+    end
+
+    it "returns true when the header contains a valid signature and the timestamp is within the tolerance" do
+      header = generate_header
+      message_verifier = Flipper::Cloud::MessageVerifier.new(secret: "secret")
+      expect(message_verifier.verify(payload, header, tolerance: 10)).to be(true)
+    end
+
+    it "returns true when the header contains at least one valid signature" do
+      header = generate_header + ",v1=bad_signature"
+      message_verifier = Flipper::Cloud::MessageVerifier.new(secret: secret)
+      expect(message_verifier.verify(payload, header, tolerance: 10)).to be(true)
+    end
+
+    it "returns true when the header contains a valid signature and the timestamp is off but no tolerance is provided" do
+      header = generate_header(timestamp: Time.at(12_345))
+      message_verifier = Flipper::Cloud::MessageVerifier.new(secret: secret)
+      expect(message_verifier.verify(payload, header)).to be(true)
+    end
+  end
+
+  private
+
+  def generate_header(options = {})
+    options[:secret] ||= secret
+    options[:version] ||= "v1"
+
+    message_verifier = Flipper::Cloud::MessageVerifier.new(secret: options[:secret], version: options[:version])
+
+    options[:timestamp] ||= timestamp
+    options[:payload] ||= payload
+    options[:signature] ||= message_verifier.generate(options[:payload], options[:timestamp])
+
+    Flipper::Cloud::MessageVerifier.header(options[:signature], options[:timestamp], options[:version])
+  end
+end

data/spec/flipper/cloud/middleware_spec.rb

@@ -0,0 +1,307 @@
+require 'securerandom'
+require 'flipper/cloud'
+require 'flipper/cloud/middleware'
+require 'flipper/adapters/operation_logger'
+
+RSpec.describe Flipper::Cloud::Middleware do
+  let(:flipper) {
+    Flipper::Cloud.new(token: "regular") do |config|
+      config.local_adapter = Flipper::Adapters::OperationLogger.new(Flipper::Adapters::Memory.new)
+      config.sync_secret = "regular_tasty"
+    end
+  }
+
+  let(:env_flipper) {
+    Flipper::Cloud.new(token: "env") do |config|
+      config.local_adapter = Flipper::Adapters::OperationLogger.new(Flipper::Adapters::Memory.new)
+      config.sync_secret = "env_tasty"
+    end
+  }
+
+  let(:app) { Flipper::Cloud.app(flipper) }
+  let(:response_body) { JSON.generate({features: {}}) }
+  let(:request_body) {
+    JSON.generate({
+      "environment_id" => 1,
+      "webhook_id" => 1,
+      "delivery_id" => SecureRandom.uuid,
+      "action" => "sync",
+    })
+  }
+  let(:timestamp) { Time.now }
+  let(:signature) {
+    Flipper::Cloud::MessageVerifier.new(secret: flipper.sync_secret).generate(request_body, timestamp)
+  }
+  let(:signature_header_value) {
+    Flipper::Cloud::MessageVerifier.new(secret: "").header(signature, timestamp)
+  }
+
+  context 'when initializing middleware with flipper instance' do
+    let(:app) { Flipper::Cloud.app(flipper) }
+
+    it 'uses instance to sync' do
+      Flipper.register(:admins) { |*args| false }
+      Flipper.register(:staff) { |*args| false }
+      Flipper.register(:basic) { |*args| false }
+      Flipper.register(:plus) { |*args| false }
+      Flipper.register(:premium) { |*args| false }
+
+      stub = stub_request_for_token('regular')
+      env = {
+        "HTTP_FLIPPER_CLOUD_SIGNATURE" => signature_header_value,
+      }
+      post '/', request_body, env
+
+      expect(last_response.status).to eq(200)
+      expect(JSON.parse(last_response.body)).to eq({
+        "groups" => [
+          {"name" => "admins"},
+          {"name" => "staff"},
+          {"name" => "basic"},
+          {"name" => "plus"},
+          {"name" => "premium"},
+        ],
+      })
+      expect(stub).to have_been_made.at_least_once
+    end
+  end
+
+  context 'when signature is invalid' do
+    let(:app) { Flipper::Cloud.app(flipper) }
+    let(:signature) {
+      Flipper::Cloud::MessageVerifier.new(secret: "nope").generate(request_body, timestamp)
+    }
+
+    it 'does not perform webhook sync' do
+      webhook_regular_stub = stub_request_for_token('regular', from_webhook: true)
+      poll_regular_stub = stub_request_for_token('regular', from_webhook: false)
+      env = {
+        "HTTP_FLIPPER_CLOUD_SIGNATURE" => signature_header_value,
+      }
+      post '/', request_body, env
+
+      expect(last_response.status).to eq(400)
+      expect(poll_regular_stub).to have_been_requested.at_least_once
+      expect(webhook_regular_stub).not_to have_been_requested
+    end
+  end
+
+  context "when flipper cloud responds with 402" do
+    let(:app) { Flipper::Cloud.app(flipper) }
+
+    it "results in 402" do
+      Flipper.register(:admins) { |*args| false }
+      Flipper.register(:staff) { |*args| false }
+      Flipper.register(:basic) { |*args| false }
+      Flipper.register(:plus) { |*args| false }
+      Flipper.register(:premium) { |*args| false }
+
+      stub = stub_request_for_token('regular', status: 402)
+      env = {
+        "HTTP_FLIPPER_CLOUD_SIGNATURE" => signature_header_value,
+      }
+      post '/', request_body, env
+
+      expect(last_response.status).to eq(402)
+      expect(last_response.headers["flipper-cloud-response-error-class"]).to eq("Flipper::Adapters::Http::Error")
+      expect(last_response.headers["flipper-cloud-response-error-message"]).to include("Failed with status: 402")
+      expect(stub).to have_been_made.at_least_once
+    end
+  end
+
+  context "when flipper cloud responds with non-402 and non-2xx code" do
+    let(:app) { Flipper::Cloud.app(flipper) }
+
+    it "results in 500" do
+      Flipper.register(:admins) { |*args| false }
+      Flipper.register(:staff) { |*args| false }
+      Flipper.register(:basic) { |*args| false }
+      Flipper.register(:plus) { |*args| false }
+      Flipper.register(:premium) { |*args| false }
+
+      stub = stub_request_for_token('regular', status: 503)
+      env = {
+        "HTTP_FLIPPER_CLOUD_SIGNATURE" => signature_header_value,
+      }
+      post '/', request_body, env
+
+      expect(last_response.status).to eq(500)
+      expect(last_response.headers["flipper-cloud-response-error-class"]).to eq("Flipper::Adapters::Http::Error")
+      expect(last_response.headers["flipper-cloud-response-error-message"]).to include("Failed with status: 503")
+      expect(stub).to have_been_made.at_least_once
+    end
+  end
+
+  context "when flipper cloud responds with timeout" do
+    let(:app) { Flipper::Cloud.app(flipper) }
+
+    it "results in 500" do
+      Flipper.register(:admins) { |*args| false }
+      Flipper.register(:staff) { |*args| false }
+      Flipper.register(:basic) { |*args| false }
+      Flipper.register(:plus) { |*args| false }
+      Flipper.register(:premium) { |*args| false }
+
+      stub = stub_request_for_token('regular', status: :timeout)
+      env = {
+        "HTTP_FLIPPER_CLOUD_SIGNATURE" => signature_header_value,
+      }
+      post '/', request_body, env
+
+      expect(last_response.status).to eq(500)
+      expect(last_response.headers["flipper-cloud-response-error-class"]).to eq("Net::OpenTimeout")
+      expect(last_response.headers["flipper-cloud-response-error-message"]).to eq("execution expired")
+      expect(stub).to have_been_made.at_least_once
+    end
+  end
+
+  context 'when initialized with flipper instance and flipper instance in env' do
+    let(:app) { Flipper::Cloud.app(flipper) }
+    let(:signature) {
+      Flipper::Cloud::MessageVerifier.new(secret: env_flipper.sync_secret).generate(request_body, timestamp)
+    }
+
+    it 'uses env instance to sync' do
+      regular_stub = stub_request_for_token('regular')
+      env_stub = stub_request_for_token('env')
+      env = {
+        "HTTP_FLIPPER_CLOUD_SIGNATURE" => signature_header_value,
+        'flipper' => env_flipper,
+      }
+      post '/', request_body, env
+
+      expect(last_response.status).to eq(200)
+      expect(regular_stub).to have_been_made.at_least_once
+      expect(env_stub).to have_been_made.at_least_once
+    end
+  end
+
+  context 'when initialized without flipper instance but flipper instance in env' do
+    let(:app) { Flipper::Cloud.app }
+    let(:signature) {
+      Flipper::Cloud::MessageVerifier.new(secret: env_flipper.sync_secret).generate(request_body, timestamp)
+    }
+
+    it 'uses env instance to sync' do
+      stub = stub_request_for_token('env')
+      env = {
+        "HTTP_FLIPPER_CLOUD_SIGNATURE" => signature_header_value,
+        'flipper' => env_flipper,
+      }
+      post '/', request_body, env
+
+      expect(last_response.status).to eq(200)
+      expect(stub).to have_been_made.at_least_once
+    end
+  end
+
+  context 'when initialized with env_key' do
+    let(:app) { Flipper::Cloud.app(flipper, env_key: 'flipper_cloud') }
+    let(:signature) {
+      Flipper::Cloud::MessageVerifier.new(secret: env_flipper.sync_secret).generate(request_body, timestamp)
+    }
+
+    it 'uses provided env key instead of default' do
+      regular_poll_stub = stub_request_for_token('regular')
+      env_poll_stub = stub_request_for_token('env')
+      env_webhook_stub = stub_request_for_token('env', from_webhook: true)
+      env = {
+        "HTTP_FLIPPER_CLOUD_SIGNATURE" => signature_header_value,
+        'flipper' => flipper,
+        'flipper_cloud' => env_flipper,
+      }
+      post '/', request_body, env
+
+      expect(last_response.status).to eq(200)
+      expect(regular_poll_stub).to have_been_made.at_least_once
+      expect(env_poll_stub).to have_been_made.at_least_once
+      expect(env_webhook_stub).not_to have_been_requested
+    end
+  end
+
+  context 'when initializing lazily with a block' do
+    let(:app) { Flipper::Cloud.app(-> { flipper }) }
+
+    it 'works' do
+      stub = stub_request_for_token('regular')
+      env = {
+        "HTTP_FLIPPER_CLOUD_SIGNATURE" => signature_header_value,
+      }
+      post '/', request_body, env
+
+      expect(last_response.status).to eq(200)
+      expect(stub).to have_been_made.at_least_once
+    end
+  end
+
+  context 'when using older /webhooks path' do
+    let(:app) { Flipper::Cloud.app(flipper) }
+
+    it 'uses instance to sync' do
+      Flipper.register(:admins) { |*args| false }
+      Flipper.register(:staff) { |*args| false }
+      Flipper.register(:basic) { |*args| false }
+      Flipper.register(:plus) { |*args| false }
+      Flipper.register(:premium) { |*args| false }
+
+      stub = stub_request_for_token('regular')
+      env = {
+        "HTTP_FLIPPER_CLOUD_SIGNATURE" => signature_header_value,
+      }
+      post '/webhooks', request_body, env
+
+      expect(last_response.status).to eq(200)
+      expect(JSON.parse(last_response.body)).to eq({
+        "groups" => [
+          {"name" => "admins"},
+          {"name" => "staff"},
+          {"name" => "basic"},
+          {"name" => "plus"},
+          {"name" => "premium"},
+        ],
+      })
+      expect(stub).to have_been_made.at_least_once
+    end
+  end
+
+  describe 'Request method unsupported' do
+    it 'skips middleware' do
+      stub_request(:get, /flippercloud\.io/).to_return(status: 200, body: "{}")
+      get '/'
+      expect(last_response.status).to eq(404)
+      expect(last_response.content_type).to eq("application/json")
+      expect(last_response.body).to eq("{}")
+    end
+  end
+
+  describe 'Inspecting the built Rack app' do
+    it 'returns a String' do
+      stub_request(:get, /flippercloud\.io/).to_return(status: 200, body: "{}")
+      expect(Flipper::Cloud.app(flipper).inspect).to eq("Flipper::Cloud")
+    end
+  end
+
+  private
+
+  def stub_request_for_token(token, status: 200, from_webhook: false)
+    if from_webhook
+      # Match URL with both exclude_gate_names=true and _cb=integer
+      url_pattern = %r{https://www\.flippercloud\.io/adapter/features\?.*exclude_gate_names=true.*&_cb=\d+}
+    else
+      # Match URL with just exclude_gate_names=true
+      url_pattern = %r{https://www\.flippercloud\.io/adapter/features\?.*exclude_gate_names=true}
+    end
+
+    stub = stub_request(:get, url_pattern).
+      with({
+        headers: {
+          'flipper-cloud-token' => token,
+        },
+      })
+    if status == :timeout
+      stub.to_timeout
+    else
+      stub.to_return(status: status, body: response_body)
+    end
+  end
+end

data/spec/flipper/cloud/migrate_spec.rb

@@ -0,0 +1,160 @@
+require "flipper/cloud/migrate"
+require "flipper/typecast"
+require "webmock/rspec"
+
+RSpec.describe Flipper::Cloud, ".migrate" do
+  let(:flipper) { Flipper.new(Flipper::Adapters::Memory.new) }
+
+  before do
+    flipper.enable :search
+    flipper.disable :analytics
+    flipper.enable_percentage_of_actors :checkout, 50
+  end
+
+  around do |example|
+    original = ENV["FLIPPER_CLOUD_URL"]
+    ENV["FLIPPER_CLOUD_URL"] = "http://localhost:5555"
+    example.run
+  ensure
+    ENV["FLIPPER_CLOUD_URL"] = original
+  end
+
+  def decompress_request_body
+    raw = WebMock::RequestRegistry.instance.requested_signatures.hash.keys.last.body
+    JSON.parse(Flipper::Typecast.from_gzip(raw))
+  end
+
+  describe ".migrate" do
+    it "returns a MigrateResult with code and url on success" do
+      stub_request(:post, "http://localhost:5555/api/migrate")
+        .to_return(status: 200, body: '{"url":"http://localhost:5555/cloud/setup/abc123"}', headers: {"Content-Type" => "application/json"})
+
+      result = Flipper::Cloud.migrate(flipper)
+
+      expect(result).to be_a(Flipper::Cloud::MigrateResult)
+      expect(result.code).to eq(200)
+      expect(result.url).to eq("http://localhost:5555/cloud/setup/abc123")
+    end
+
+    it "sends export data and metadata in the request body" do
+      stub = stub_request(:post, "http://localhost:5555/api/migrate")
+        .to_return(status: 200, body: '{"url":"http://localhost:5555/cloud/setup/abc123"}')
+
+      Flipper::Cloud.migrate(flipper, app_name: "MyApp")
+
+      expect(stub).to have_been_requested
+      body = decompress_request_body
+      expect(body["metadata"]["app_name"]).to eq("MyApp")
+      expect(body["export"]["version"]).to eq(1)
+      expect(body["export"]["features"]).to have_key("search")
+    end
+
+    it "sends gzip-compressed request body" do
+      stub = stub_request(:post, "http://localhost:5555/api/migrate")
+        .with(headers: {"content-encoding" => "gzip"})
+        .to_return(status: 200, body: '{"url":"http://localhost:5555/cloud/setup/abc"}')
+
+      Flipper::Cloud.migrate(flipper)
+
+      expect(stub).to have_been_requested
+      body = decompress_request_body
+      expect(body["export"]["features"]).to have_key("search")
+    end
+
+    it "handles error responses" do
+      stub_request(:post, "http://localhost:5555/api/migrate")
+        .to_return(status: 500, body: '{"error":"Internal Server Error"}')
+
+      result = Flipper::Cloud.migrate(flipper)
+
+      expect(result.code).to eq(500)
+      expect(result.url).to be_nil
+    end
+
+    it "includes error message from response body" do
+      stub_request(:post, "http://localhost:5555/api/migrate")
+        .to_return(status: 422, body: '{"error":"Invalid export format"}')
+
+      result = Flipper::Cloud.migrate(flipper)
+
+      expect(result.code).to eq(422)
+      expect(result.message).to eq("Invalid export format")
+    end
+
+    it "uses FLIPPER_CLOUD_URL environment variable" do
+      stub = stub_request(:post, "http://localhost:5555/api/migrate")
+        .to_return(status: 200, body: '{"url":"http://localhost:5555/cloud/setup/abc"}')
+
+      Flipper::Cloud.migrate(flipper)
+
+      expect(stub).to have_been_requested
+    end
+
+    it "sends content-type and accept headers" do
+      stub = stub_request(:post, "http://localhost:5555/api/migrate")
+        .with(headers: {
+          "content-type" => "application/json",
+          "accept" => "application/json",
+        })
+        .to_return(status: 200, body: '{"url":"http://localhost:5555/cloud/setup/abc"}')
+
+      Flipper::Cloud.migrate(flipper)
+
+      expect(stub).to have_been_requested
+    end
+  end
+
+  describe ".push" do
+    it "returns a MigrateResult with code on success" do
+      stub_request(:post, "http://localhost:5555/adapter/import")
+        .to_return(status: 204, body: "")
+
+      result = Flipper::Cloud.push("test-token", flipper)
+
+      expect(result).to be_a(Flipper::Cloud::MigrateResult)
+      expect(result.code).to eq(204)
+    end
+
+    it "sends the token as a header" do
+      stub = stub_request(:post, "http://localhost:5555/adapter/import")
+        .with(headers: {"flipper-cloud-token" => "test-token"})
+        .to_return(status: 204, body: "")
+
+      Flipper::Cloud.push("test-token", flipper)
+
+      expect(stub).to have_been_requested
+    end
+
+    it "sends gzip-compressed export contents as the body" do
+      stub = stub_request(:post, "http://localhost:5555/adapter/import")
+        .with(headers: {"content-encoding" => "gzip"})
+        .to_return(status: 204, body: "")
+
+      Flipper::Cloud.push("test-token", flipper)
+
+      expect(stub).to have_been_requested
+      body = decompress_request_body
+      expect(body["version"]).to eq(1)
+      expect(body["features"]).to have_key("search")
+    end
+
+    it "handles error responses" do
+      stub_request(:post, "http://localhost:5555/adapter/import")
+        .to_return(status: 401, body: '{"error":"Unauthorized"}')
+
+      result = Flipper::Cloud.push("bad-token", flipper)
+
+      expect(result.code).to eq(401)
+    end
+
+    it "includes error message from response body" do
+      stub_request(:post, "http://localhost:5555/adapter/import")
+        .to_return(status: 401, body: '{"error":"Invalid token"}')
+
+      result = Flipper::Cloud.push("bad-token", flipper)
+
+      expect(result.code).to eq(401)
+      expect(result.message).to eq("Invalid token")
+    end
+  end
+end