itsi 0.1.20 → 0.2.3

data/gems/server/lib/itsi/standard_headers.rb

@@ -1,86 +1,86 @@
 module Itsi
   module StandardHeaders
     ALL = [
-      ACCEPT = "accept",
-      ACCEPT_CHARSET = "accept-charset",
-      ACCEPT_ENCODING = "accept-encoding",
-      ACCEPT_LANGUAGE = "accept-language",
-      ACCEPT_RANGES = "accept-ranges",
-      ACCESS_CONTROL_ALLOW_CREDENTIALS = "access-control-allow-credentials",
-      ACCESS_CONTROL_ALLOW_HEADERS = "access-control-allow-headers",
-      ACCESS_CONTROL_ALLOW_METHODS = "access-control-allow-methods",
-      ACCESS_CONTROL_ALLOW_ORIGIN = "access-control-allow-origin",
-      ACCESS_CONTROL_EXPOSE_HEADERS = "access-control-expose-headers",
-      ACCESS_CONTROL_MAX_AGE = "access-control-max-age",
-      ACCESS_CONTROL_REQUEST_HEADERS = "access-control-request-headers",
-      ACCESS_CONTROL_REQUEST_METHOD = "access-control-request-method",
-      AGE = "age",
-      ALLOW = "allow",
-      ALT_SVC = "alt-svc",
-      AUTHORIZATION = "authorization",
-      CACHE_CONTROL = "cache-control",
-      CACHE_STATUS = "cache-status",
-      CDN_CACHE_CONTROL = "cdn-cache-control",
-      CONNECTION = "connection",
-      CONTENT_DISPOSITION = "content-disposition",
-      CONTENT_ENCODING = "content-encoding",
-      CONTENT_LANGUAGE = "content-language",
-      CONTENT_LENGTH = "content-length",
-      CONTENT_LOCATION = "content-location",
-      CONTENT_RANGE = "content-range",
-      CONTENT_SECURITY_POLICY_REPORT_ONLY = "content-security-policy-report-only",
-      CONTENT_TYPE = "content-type",
-      COOKIE = "cookie",
-      DNT = "dnt",
-      DATE = "date",
-      ETAG = "etag",
-      EXPECT = "expect",
-      EXPIRES = "expires",
-      FORWARDED = "forwarded",
-      FROM = "from",
-      HOST = "host",
-      IF_MATCH = "if-match",
-      IF_MODIFIED_SINCE = "if-modified-since",
-      IF_NONE_MATCH = "if-none-match",
-      IF_RANGE = "if-range",
-      IF_UNMODIFIED_SINCE = "if-unmodified-since",
-      LAST_MODIFIED = "last-modified",
-      LINK = "link",
-      LOCATION = "location",
-      MAX_FORWARDS = "max-forwards",
-      ORIGIN = "origin",
-      PRAGMA = "pragma",
-      PROXY_AUTHENTICATE = "proxy-authenticate",
-      PROXY_AUTHORIZATION = "proxy-authorization",
-      PUBLIC_KEY_PINS = "public-key-pins",
-      PUBLIC_KEY_PINS_REPORT_ONLY = "public-key-pins-report-only",
-      RANGE = "range",
-      REFERER = "referer",
-      REFERRER_POLICY = "referrer-policy",
-      REFRESH = "refresh",
-      RETRY_AFTER = "retry-after",
-      SEC_WEBSOCKET_ACCEPT = "sec-websocket-accept",
-      SEC_WEBSOCKET_EXTENSIONS = "sec-websocket-extensions",
-      SEC_WEBSOCKET_KEY = "sec-websocket-key",
-      SEC_WEBSOCKET_PROTOCOL = "sec-websocket-protocol",
-      SEC_WEBSOCKET_VERSION = "sec-websocket-version",
-      SERVER = "server",
-      SET_COOKIE = "set-cookie",
-      STRICT_TRANSPORT_SECURITY = "strict-transport-security",
-      TE = "te",
-      TRAILER = "trailer",
-      TRANSFER_ENCODING = "transfer-encoding",
-      USER_AGENT = "user-agent",
-      UPGRADE = "upgrade",
-      UPGRADE_INSECURE_REQUESTS = "upgrade-insecure-requests",
-      VARY = "vary",
-      VIA = "via",
-      WARNING = "warning",
-      WWW_AUTHENTICATE = "www-authenticate",
-      X_CONTENT_TYPE_OPTIONS = "x-content-type-options",
-      X_DNS_PREFETCH_CONTROL = "x-dns-prefetch-control",
-      X_FRAME_OPTIONS = "x-frame-options",
-      X_XSS_PROTECTION = "x-xss-protection",
+      ACCEPT = "accept".freeze,
+      ACCEPT_CHARSET = "accept-charset".freeze,
+      ACCEPT_ENCODING = "accept-encoding".freeze,
+      ACCEPT_LANGUAGE = "accept-language".freeze,
+      ACCEPT_RANGES = "accept-ranges".freeze,
+      ACCESS_CONTROL_ALLOW_CREDENTIALS = "access-control-allow-credentials".freeze,
+      ACCESS_CONTROL_ALLOW_HEADERS = "access-control-allow-headers".freeze,
+      ACCESS_CONTROL_ALLOW_METHODS = "access-control-allow-methods".freeze,
+      ACCESS_CONTROL_ALLOW_ORIGIN = "access-control-allow-origin".freeze,
+      ACCESS_CONTROL_EXPOSE_HEADERS = "access-control-expose-headers".freeze,
+      ACCESS_CONTROL_MAX_AGE = "access-control-max-age".freeze,
+      ACCESS_CONTROL_REQUEST_HEADERS = "access-control-request-headers".freeze,
+      ACCESS_CONTROL_REQUEST_METHOD = "access-control-request-method".freeze,
+      AGE = "age".freeze,
+      ALLOW = "allow".freeze,
+      ALT_SVC = "alt-svc".freeze,
+      AUTHORIZATION = "authorization".freeze,
+      CACHE_CONTROL = "cache-control".freeze,
+      CACHE_STATUS = "cache-status".freeze,
+      CDN_CACHE_CONTROL = "cdn-cache-control".freeze,
+      CONNECTION = "connection".freeze,
+      CONTENT_DISPOSITION = "content-disposition".freeze,
+      CONTENT_ENCODING = "content-encoding".freeze,
+      CONTENT_LANGUAGE = "content-language".freeze,
+      CONTENT_LENGTH = "content-length".freeze,
+      CONTENT_LOCATION = "content-location".freeze,
+      CONTENT_RANGE = "content-range".freeze,
+      CONTENT_SECURITY_POLICY_REPORT_ONLY = "content-security-policy-report-only".freeze,
+      CONTENT_TYPE = "content-type".freeze,
+      COOKIE = "cookie".freeze,
+      DNT = "dnt".freeze,
+      DATE = "date".freeze,
+      ETAG = "etag".freeze,
+      EXPECT = "expect".freeze,
+      EXPIRES = "expires".freeze,
+      FORWARDED = "forwarded".freeze,
+      FROM = "from".freeze,
+      HOST = "host".freeze,
+      IF_MATCH = "if-match".freeze,
+      IF_MODIFIED_SINCE = "if-modified-since".freeze,
+      IF_NONE_MATCH = "if-none-match".freeze,
+      IF_RANGE = "if-range".freeze,
+      IF_UNMODIFIED_SINCE = "if-unmodified-since".freeze,
+      LAST_MODIFIED = "last-modified".freeze,
+      LINK = "link".freeze,
+      LOCATION = "location".freeze,
+      MAX_FORWARDS = "max-forwards".freeze,
+      ORIGIN = "origin".freeze,
+      PRAGMA = "pragma".freeze,
+      PROXY_AUTHENTICATE = "proxy-authenticate".freeze,
+      PROXY_AUTHORIZATION = "proxy-authorization".freeze,
+      PUBLIC_KEY_PINS = "public-key-pins".freeze,
+      PUBLIC_KEY_PINS_REPORT_ONLY = "public-key-pins-report-only".freeze,
+      RANGE = "range".freeze,
+      REFERER = "referer".freeze,
+      REFERRER_POLICY = "referrer-policy".freeze,
+      REFRESH = "refresh".freeze,
+      RETRY_AFTER = "retry-after".freeze,
+      SEC_WEBSOCKET_ACCEPT = "sec-websocket-accept".freeze,
+      SEC_WEBSOCKET_EXTENSIONS = "sec-websocket-extensions".freeze,
+      SEC_WEBSOCKET_KEY = "sec-websocket-key".freeze,
+      SEC_WEBSOCKET_PROTOCOL = "sec-websocket-protocol".freeze,
+      SEC_WEBSOCKET_VERSION = "sec-websocket-version".freeze,
+      SERVER = "server".freeze,
+      SET_COOKIE = "set-cookie".freeze,
+      STRICT_TRANSPORT_SECURITY = "strict-transport-security".freeze,
+      TE = "te".freeze,
+      TRAILER = "trailer".freeze,
+      TRANSFER_ENCODING = "transfer-encoding".freeze,
+      USER_AGENT = "user-agent".freeze,
+      UPGRADE = "upgrade".freeze,
+      UPGRADE_INSECURE_REQUESTS = "upgrade-insecure-requests".freeze,
+      VARY = "vary".freeze,
+      VIA = "via".freeze,
+      WARNING = "warning".freeze,
+      WWW_AUTHENTICATE = "www-authenticate".freeze,
+      X_CONTENT_TYPE_OPTIONS = "x-content-type-options".freeze,
+      X_DNS_PREFETCH_CONTROL = "x-dns-prefetch-control".freeze,
+      X_FRAME_OPTIONS = "x-frame-options".freeze,
+      X_XSS_PROTECTION = "x-xss-protection".freeze
     ]
   end
 end

data/gems/server/lib/ruby_lsp/itsi/addon.rb

@@ -100,24 +100,26 @@ module RubyLsp
         end
 
         ::Itsi::Server::Config::Middleware.subclasses.each do |middleware|
-          completion_item = Interface::CompletionItem.new(
-            label: middleware.middleware_name,
-            kind: Constant::CompletionItemKind::METHOD,
-            label_details: Interface::CompletionItemLabelDetails.new(
-              detail: middleware.detail,
-              description: middleware.documentation
-            ),
-            documentation: Interface::MarkupContent.new(
-              kind: Constant::MarkupKind::MARKDOWN,
-              value: middleware.documentation
-            ),
-            insert_text: middleware.insert_text,
-            insert_text_format: Constant::InsertTextFormat::SNIPPET,
-            data: {
-              delegateCompletion: true
-            }
-          )
-          @response_builder << completion_item
+          Array(middleware.insert_text).zip(Array(middleware.detail)).each do |insert_text, detail|
+            completion_item = Interface::CompletionItem.new(
+              label: middleware.middleware_name,
+              kind: Constant::CompletionItemKind::METHOD,
+              label_details: Interface::CompletionItemLabelDetails.new(
+                detail: detail,
+                description: middleware.documentation
+              ),
+              documentation: Interface::MarkupContent.new(
+                kind: Constant::MarkupKind::MARKDOWN,
+                value: middleware.documentation
+              ),
+              insert_text: insert_text,
+              insert_text_format: Constant::InsertTextFormat::SNIPPET,
+              data: {
+                delegateCompletion: true
+              }
+            )
+            @response_builder << completion_item
+          end
         end
       end
 

data/gems/server/test/helpers/test_helper.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 ENV["ITSI_LOG"] = "off"
 
 require "minitest/reporters"
@@ -8,17 +9,22 @@ require "socket"
 require "net/http"
 require "minitest/autorun"
 
-
 Minitest::Reporters.use! Minitest::Reporters::SpecReporter.new
 
-def free_bind(protocol)
-  server = TCPServer.new("0.0.0.0", 0)
-  port = server.addr[1]
-  server.close
-  "#{protocol}://0.0.0.0:#{port}"
+def free_bind(protocol = "http", unix_socket: false)
+  if unix_socket
+    socket_path = "/tmp/itsi_socket_#{Process.pid}_#{rand(1000)}.sock"
+    UNIXServer.new(socket_path).close
+    protocol == "https" ? "tls://#{socket_path}" : "unix://#{socket_path}"
+  else
+    server = TCPServer.new("0.0.0.0", 0)
+    port = server.addr[1]
+    server.close
+    "#{protocol}://0.0.0.0:#{port}"
+  end
 end
 
-def server(app: nil, protocol: "http", bind: free_bind(protocol), itsi_rb: nil, &blk)
+def server(app: nil, protocol: "http", bind: free_bind(protocol), itsi_rb: nil, cleanup: true, timeout: 5, &blk)
   itsi_rb ||= lambda do
     # Inline Itsi.rb
     bind bind
@@ -31,17 +37,32 @@ def server(app: nil, protocol: "http", bind: free_bind(protocol), itsi_rb: nil,
   cli_params = {}
   cli_params[:binds] = [bind] if bind
 
+  sync = Queue.new
+  cli_params[:hooks] ||= {}
+  cli_params[:hooks]["after_start"] = lambda do
+    sync.push(true)
+  end
+
   Itsi::Server.start_in_background_thread(cli_params, &itsi_rb)
+
+  sync.pop
   uri = URI(bind)
+  # Timeout.timeout(timeout) do
   RequestContext.new(uri, self).instance_exec(uri, &blk)
+  # end
 rescue StandardError => e
   puts e
-  puts e.message
-  puts e.backtrace.join("\n")
+  # puts e.message
+  # puts e.backtrace.join("\n")
+  raise
 ensure
-  Itsi::Server.stop_background_thread
+  Itsi::Server.stop_background_threads if cleanup
 end
 
+require "net/http"
+require "net_http_unix"
+require "uri"
+
 class RequestContext
   def initialize(uri, binding)
     @uri = uri
@@ -52,39 +73,79 @@ class RequestContext
     @binding.send(method_name, *args, &block)
   end
 
-  def post(path, data)
-    Net::HTTP.post(@uri+path, data)
+  def post(path, data = "", headers = {})
+    client.post(uri_for(path), data, headers)
   end
 
-  def get(path)
-    Net::HTTP.get(@uri+path)
+  def get(path, headers = {})
+    request = Net::HTTP::Get.new(uri_for(path))
+    headers.each { |k, v| request[k] = v }
+    client.request(request).body
   end
 
-  def get_resp(path)
-    Net::HTTP.get_response(@uri+path)
+  def get_resp(path, headers = {})
+    request = Net::HTTP::Get.new(uri_for(path))
+    headers.each { |k, v| request[k] = v }
+    client.request(request)
   end
 
   def head(path)
-    Net::HTTP.start(@uri.host, @uri.port) {|http|
-      http.head(path)
-    }
+    request = Net::HTTP::Head.new(uri_for(path))
+    client.request(request)
   end
 
-  def options(path)
-    Net::HTTP.start(@uri.host, @uri.port) {|http|
-      http.options(path)
-    }
+  def options(path, headers = {})
+    request = Net::HTTP::Options.new(uri_for(path))
+    headers.each { |k, v| request[k] = v }
+    client.request(request)
+  end
+
+  def put(path, data = "", headers = {})
+    request = Net::HTTP::Put.new(uri_for(path))
+    request.body = data
+    headers.each { |k, v| request[k] = v }
+    client.request(request)
   end
 
-  def put(path, data)
-    Net::HTTP.put(@uri+path, data)
+  def delete(path, headers = {})
+    request = Net::HTTP::Delete.new(uri_for(path))
+    headers.each { |k, v| request[k] = v }
+    client.request(request)
   end
 
-  def delete(path)
-    Net::HTTP.delete(@uri+path)
+  def patch(path, data = "", headers = {})
+    request = Net::HTTP::Patch.new(uri_for(path))
+    request.body = data
+    client.request(request)
+  end
+
+  private
+
+  def client
+    opts = {
+      read_timeout: 1,
+      open_timeout: 1
+    }
+    if @uri.scheme == "unix"
+      NetX::HTTPUnix.new(
+        @uri.to_s,
+        **opts
+      )
+    else
+      Net::HTTP.start(
+        @uri.host,
+        @uri.port,
+        use_ssl: @uri.scheme == "https",
+        **opts
+      )
+    end
   end
 
-  def patch(path, data)
-    Net::HTTP.patch(@uri+path, data)
+  def uri_for(path)
+    if @uri.scheme == "unix"
+      URI::HTTP.build(path: path, host: "localhost")
+    else
+      URI.join(@uri.to_s, path)
+    end
   end
 end

data/gems/server/test/middleware/allow_list.rb

@@ -0,0 +1,128 @@
+# test_allow_list.rb
+require_relative "../helpers/test_helper"
+
+class TestAllowList < Minitest::Test
+  # 1. Single‐pattern: only localhost is allowed
+  def test_single_pattern_allows_and_denies
+    server(
+      itsi_rb: lambda do
+        allow_list allowed_patterns: ["^127\\.0\\.0\\.1$"]
+        get("/foo") { |r| r.ok "allowed" }
+      end
+    ) do
+      # Our test client always comes from 127.0.0.1
+      res1 = get_resp("/foo")
+      assert_equal "200", res1.code
+      assert_equal "allowed", res1.body
+
+      # If we change the pattern so it no longer matches, 127.0.0.1 is now forbidden
+      server(
+        itsi_rb: lambda do
+          allow_list allowed_patterns: ["^10\\.0\\."]
+          get("/foo") { |r| r.ok "never" }
+        end
+      ) do
+        res2 = get_resp("/foo")
+        assert_equal "403", res2.code
+      end
+    end
+  end
+
+  # 2. Multiple‐pattern: localhost or 192.168.x.x
+  def test_multiple_patterns
+    server(
+      itsi_rb: lambda do
+        allow_list allowed_patterns: ["^127\\.0\\.0\\.1$", "^192\\.168\\."]
+        get("/ping") { |r| r.ok "pong" }
+      end
+    ) do
+      # localhost matches first pattern
+      res1 = get_resp("/ping")
+      assert_equal "200", res1.code
+      assert_equal "pong", res1.body
+
+      # If we restrict to only 192.168.*, localhost becomes forbidden
+      server(
+        itsi_rb: lambda do
+          allow_list allowed_patterns: ["^192\\.168\\."]
+          get("/ping") { |r| r.ok "never" }
+        end
+      ) do
+        res2 = get_resp("/ping")
+        assert_equal "403", res2.code
+      end
+    end
+  end
+
+  # 3. Custom error_response
+  def test_custom_error_response
+    server(
+      itsi_rb: lambda do
+        allow_list \
+          allowed_patterns: ["^192\\.168\\."],  # localhost no longer matches
+          error_response: {
+            code: 403,
+            plaintext: { inline: "No access" },
+            default: "plaintext"
+          }
+        get("/x") { |r| r.ok "never" }
+      end
+    ) do
+      res = get_resp("/x")
+      assert_equal "403", res.code
+      assert_equal "No access", res.body
+    end
+  end
+
+  # 4. Trusted proxies: extract client IP from header if proxy is trusted
+   def test_trusted_proxy_allows_based_on_header
+     server(
+       itsi_rb: lambda do
+         allow_list \
+           allowed_patterns: ["^203\\.0\\.113\\.7$"],  # only allow this client IP
+           trusted_proxies: {
+             "127.0.0.1" => { header: { name: "X-Forwarded-For" } }
+           }
+         get("/trusted") { |r| r.ok "trusted" }
+       end
+     ) do
+       res = get_resp("/trusted", { "X-Forwarded-For" => "203.0.113.7" })
+       assert_equal "200", res.code
+       assert_equal "trusted", res.body
+     end
+   end
+
+   def test_trusted_proxy_denies_if_forwarded_ip_does_not_match
+     server(
+       itsi_rb: lambda do
+         allow_list \
+           allowed_patterns: ["^203\\.0\\.113\\.7$"],  # only allow this
+           trusted_proxies: {
+             "127.0.0.1" => { header: { name: "X-Forwarded-For" } }
+           }
+         get("/trusted") { |r| r.ok "nope" }
+       end
+     ) do
+       # Send a forwarded IP that doesn't match the allow list
+       res = get_resp("/trusted", { "X-Forwarded-For" => "192.0.2.55" })
+       assert_equal "403", res.code
+     end
+   end
+
+   def test_untrusted_proxy_ignores_forwarded_ip
+     server(
+       itsi_rb: lambda do
+         allow_list \
+           allowed_patterns: ["^203\\.0\\.113\\.7$"],  # client IP matches, but header is ignored
+           trusted_proxies: {
+             "10.0.0.1" => { header: { name: "X-Forwarded-For" } } # current proxy (127.0.0.1) is not trusted
+           }
+         get("/trusted") { |r| r.ok "never" }
+       end
+     ) do
+       res = get_resp("/trusted", { "X-Forwarded-For" => "203.0.113.7" })
+       # Since proxy is untrusted, header is ignored, and 127.0.0.1 is checked (not allowed)
+       assert_equal "403", res.code
+     end
+   end
+end

data/gems/server/test/middleware/auth_api_key.rb

@@ -0,0 +1,141 @@
+require_relative "../helpers/test_helper"
+
+class TestAuthApiKey < Minitest::Test
+
+  # 1. Anonymous inline keys: valid secret in Authorization header
+  def test_anonymous_inline_success
+    server(
+      itsi_rb: lambda do
+        auth_api_key valid_keys: [
+          Itsi.create_password_hash("supersecret", "sha256")
+        ]
+        get("/foo") {|r| r.ok "ok" }
+      end
+    ) do
+      res = get_resp("/foo", { "Authorization" => "Bearer supersecret" })
+
+      assert_equal "200", res.code
+      assert_equal "ok", res.body
+    end
+  end
+
+  # 2. Anonymous inline: missing token → 401
+  def test_anonymous_inline_missing
+    server(
+      itsi_rb: lambda do
+        auth_api_key valid_keys: [Itsi.create_password_hash("supersecret", "sha256")]
+        get("/foo") {|r| r.ok "never" }
+      end
+    ) do
+      res = get_resp("/foo")
+      assert_equal "401", res.code
+    end
+  end
+
+  # 3. Identified inline keys: need both ID header and Bearer token
+  def test_identified_inline_success
+    key_id = "Key-1"
+    server(
+      itsi_rb: lambda do
+        auth_api_key valid_keys: { "#{key_id}" => Itsi.create_password_hash("supersecret", "sha256") }
+        get("/bar") {|r| r.ok "bar OK" }
+      end
+    ) do
+      headers = {
+        "X-Api-Key-Id" => key_id,
+        "Authorization" => "Bearer supersecret"
+      }
+      res = get_resp("/bar", headers)
+      assert_equal "200", res.code
+      assert_equal "bar OK", res.body
+    end
+  end
+
+  # 4. Identified inline: wrong ID → 401
+  def test_identified_inline_wrong_id
+    key_id = "Key-1"
+    server(
+      itsi_rb: lambda do
+        auth_api_key valid_keys: { "#{key_id}" => Itsi.create_password_hash("supersecret", "sha256") }
+        get("/bar") {|r| r.ok "never" }
+      end
+    ) do
+      headers = { "X-Api-Key-Id" => "bad", "Authorization" => "Bearer supersecret" }
+      res = get_resp("/bar", headers)
+      assert_equal "401", res.code
+    end
+  end
+
+  # 5. Custom token_source/query param
+  def test_custom_token_source_query
+    server(
+      itsi_rb: lambda do
+        auth_api_key \
+          valid_keys: [Itsi.create_password_hash("supersecret", "sha256")],
+          token_source: { query: "api_key" }
+        get("/q") {|r| r.ok "qok" }
+      end
+    ) do
+      res = get_resp("/q?api_key=supersecret")
+      assert_equal "200", res.code
+      assert_equal "qok", res.body
+    end
+  end
+
+  # 6. Custom key_id_source/query param
+  def test_custom_key_id_source_query
+    server(
+      itsi_rb: lambda do
+        auth_api_key \
+          valid_keys: { "#{@id1}" => Itsi.create_password_hash("supersecret", "sha256") },
+          key_id_source: { query: "kid" }
+        get("/q") {|r| r.ok "qok" }
+      end
+    ) do
+      res = get_resp("/q?kid=#{@id1}", { "Authorization" => "Bearer supersecret" })
+      assert_equal "200", res.code
+      assert_equal "qok", res.body
+    end
+  end
+
+  # 7. Custom error_response override
+  def test_custom_error_response
+    server(
+      itsi_rb: lambda do
+        auth_api_key \
+          valid_keys: [Itsi.create_password_hash("supersecret", "sha256") ],
+          error_response: { code: 403,
+                            plaintext: { inline: "nope" },
+                            default: "plaintext" }
+        get("/x") {|r| r.ok "never" }
+      end
+    ) do
+      res = get_resp("/x")
+      assert_equal "403", res.code
+      assert_equal "nope", res.body
+    end
+  end
+
+  # 8. Scoped to a location path
+  def test_scoped_to_location
+    server(
+      itsi_rb: lambda do
+        location "/admin/*" do
+          auth_api_key valid_keys: [Itsi.create_password_hash("supersecret", "sha256") ]
+        end
+        get("/admin/secret") {|r| r.ok "adm ok" }
+        get("/public") {|r| r.ok "pub ok" }
+      end
+    ) do
+      # Unprotected
+      r1 = get_resp("/public")
+      assert_equal "200", r1.code
+      # Protected
+      r2 = get_resp("/admin/secret")
+      assert_equal "401", r2.code
+      # Then with key
+      r3 = get_resp("/admin/secret", { "Authorization" => "Bearer supersecret" })
+      assert_equal "200", r3.code
+    end
+  end
+end