stitches 3.8.1 → 4.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ac1389298b9ccff356bb73c3e925501265eddb4d68932ac7bc6e41ab35535353
-  data.tar.gz: c800e4a091a67181e065cb0d42c45a7a730b710ce4a83fb513b6606ea7e6e47d
+  metadata.gz: 1224843bf19c711e4058e54025f2507fe4dd0085fb5afdd57d5d383bf8d1b03e
+  data.tar.gz: 8f2c1f7f053d711e6419b8e19c23cc123ce7164513b7cb3978091d081612001a
 SHA512:
-  metadata.gz: 439faf8691f51448dad6b45b35c77a63e5b31075181a55e6fe03ec1381bfe91841cc2a73172390d6e32b5f1f38f7fd3ea069b15c98d8086f4fd21b1c0842b241
-  data.tar.gz: 8c435dc519da97c5cc3aec267dffcb0ffb96e2479b98c14ac44217b5dd4de50afdd818c18063f7d126e7cb56a97f197bd592235591fe9e982243f12314b633d0
+  metadata.gz: f16b168bf89994f06816661fb0dda066c248a3c55a22bdeebebf32d4a0e784368b41a460f25a84c9e0c4a694b37d372a24cf739171191925f31df7df7a562be6
+  data.tar.gz: 053d0ae0e44945437218bc87206038029065b0ff8b6f8321bbad8b878024bddb16432b0f23136286e6019805a716d541a37a2d5382479b9216a9cde0104bf5d9

data/.circleci/config.yml

@@ -3,9 +3,33 @@
 ---
 version: 2
 jobs:
+  generate-and-push-docs:
+    docker:
+    - image: circleci/ruby:2.7.2
+      auth:
+        username: "$DOCKERHUB_USERNAME"
+        password: "$DOCKERHUB_PASSWORD"
+    steps:
+    - checkout
+    - run: bundle config stitchfix01.jfrog.io $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN
+    - run: bundle install --full-index
+    - run:
+        name: Generate documentation
+        command: ' if [[ $(bundle exec rake -T docs:generate:custom) ]]; then echo
+          "Generating docs using rake task docs:generate:custom" ; bundle exec rake
+          docs:generate:custom ; elif [[ $(bundle exec rake -T docs:generate) ]];
+          then echo "Generating docs using rake task docs:generate" ; bundle exec
+          rake docs:generate ; else echo "Skipping doc generation" ; exit 0 ; fi '
+    - run:
+        name: Push documentation to Unwritten
+        command: if [[ $(bundle exec rake -T docs:push) ]]; then bundle exec rake
+          docs:push; fi
   release:
     docker:
-    - image: circleci/ruby:2.6.4
+    - image: circleci/ruby:2.7.2
+      auth:
+        username: "$DOCKERHUB_USERNAME"
+        password: "$DOCKERHUB_PASSWORD"
     steps:
     - checkout
     - run: bundle config stitchfix01.jfrog.io $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN
@@ -17,14 +41,22 @@ jobs:
     - run:
         name: Build/release gem to artifactory
         command: bundle exec rake push_artifactory
-  ruby-2.6.4-rails-6.0:
+  ruby-2.7.2-rails-6.0:
     docker:
-    - image: circleci/ruby:2.6.4
+    - image: circleci/ruby:2.7.2
+      auth:
+        username: "$DOCKERHUB_USERNAME"
+        password: "$DOCKERHUB_PASSWORD"
       environment:
         BUNDLE_GEMFILE: Gemfile.rails-6.0
     working_directory: "~/stitches"
     steps:
     - checkout
+    - run:
+        name: Check for Gemfile.lock presence
+        command: ' if (test -f Gemfile.lock) then echo "Dont commit Gemfile.lock (see
+          https://github.com/stitchfix/eng-wiki/blob/master/architecture-decisions/0009-rubygem-dependencies-will-be-managed-more-explicitly.md)"
+          1>&2 ; exit 1 ; else exit 0 ; fi '
     - run: bundle config stitchfix01.jfrog.io $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN
     - run: bundle install --full-index
     - run: bundle exec rspec --format RspecJunitFormatter --out /tmp/test-results/rspec.xml
@@ -35,18 +67,26 @@ jobs:
           fi
     - run:
         name: Notify Pager Duty
-        command: bundle exec y-notify "#eng-platform-alerts"
+        command: bundle exec y-notify "#devex-alerts"
         when: on_fail
     - store_test_results:
         path: "/tmp/test-results"
-  ruby-2.5.6-rails-6.0:
+  ruby-2.6.6-rails-6.0:
     docker:
-    - image: circleci/ruby:2.5.6
+    - image: circleci/ruby:2.6.6
+      auth:
+        username: "$DOCKERHUB_USERNAME"
+        password: "$DOCKERHUB_PASSWORD"
       environment:
         BUNDLE_GEMFILE: Gemfile.rails-6.0
     working_directory: "~/stitches"
     steps:
     - checkout
+    - run:
+        name: Check for Gemfile.lock presence
+        command: ' if (test -f Gemfile.lock) then echo "Dont commit Gemfile.lock (see
+          https://github.com/stitchfix/eng-wiki/blob/master/architecture-decisions/0009-rubygem-dependencies-will-be-managed-more-explicitly.md)"
+          1>&2 ; exit 1 ; else exit 0 ; fi '
     - run: bundle config stitchfix01.jfrog.io $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN
     - run: bundle install --full-index
     - run: bundle exec rspec --format RspecJunitFormatter --out /tmp/test-results/rspec.xml
@@ -57,18 +97,26 @@ jobs:
           fi
     - run:
         name: Notify Pager Duty
-        command: bundle exec y-notify "#eng-platform-alerts"
+        command: bundle exec y-notify "#devex-alerts"
         when: on_fail
     - store_test_results:
         path: "/tmp/test-results"
-  ruby-2.6.4-rails-5.2:
+  ruby-2.7.2-rails-5.2:
     docker:
-    - image: circleci/ruby:2.6.4
+    - image: circleci/ruby:2.7.2
+      auth:
+        username: "$DOCKERHUB_USERNAME"
+        password: "$DOCKERHUB_PASSWORD"
       environment:
         BUNDLE_GEMFILE: Gemfile.rails-5.2
     working_directory: "~/stitches"
     steps:
     - checkout
+    - run:
+        name: Check for Gemfile.lock presence
+        command: ' if (test -f Gemfile.lock) then echo "Dont commit Gemfile.lock (see
+          https://github.com/stitchfix/eng-wiki/blob/master/architecture-decisions/0009-rubygem-dependencies-will-be-managed-more-explicitly.md)"
+          1>&2 ; exit 1 ; else exit 0 ; fi '
     - run: bundle config stitchfix01.jfrog.io $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN
     - run: bundle install --full-index
     - run: bundle exec rspec --format RspecJunitFormatter --out /tmp/test-results/rspec.xml
@@ -79,18 +127,26 @@ jobs:
           fi
     - run:
         name: Notify Pager Duty
-        command: bundle exec y-notify "#eng-platform-alerts"
+        command: bundle exec y-notify "#devex-alerts"
         when: on_fail
     - store_test_results:
         path: "/tmp/test-results"
-  ruby-2.5.6-rails-5.2:
+  ruby-2.6.6-rails-5.2:
     docker:
-    - image: circleci/ruby:2.5.6
+    - image: circleci/ruby:2.6.6
+      auth:
+        username: "$DOCKERHUB_USERNAME"
+        password: "$DOCKERHUB_PASSWORD"
       environment:
         BUNDLE_GEMFILE: Gemfile.rails-5.2
     working_directory: "~/stitches"
     steps:
     - checkout
+    - run:
+        name: Check for Gemfile.lock presence
+        command: ' if (test -f Gemfile.lock) then echo "Dont commit Gemfile.lock (see
+          https://github.com/stitchfix/eng-wiki/blob/master/architecture-decisions/0009-rubygem-dependencies-will-be-managed-more-explicitly.md)"
+          1>&2 ; exit 1 ; else exit 0 ; fi '
     - run: bundle config stitchfix01.jfrog.io $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN
     - run: bundle install --full-index
     - run: bundle exec rspec --format RspecJunitFormatter --out /tmp/test-results/rspec.xml
@@ -101,7 +157,7 @@ jobs:
           fi
     - run:
         name: Notify Pager Duty
-        command: bundle exec y-notify "#eng-platform-alerts"
+        command: bundle exec y-notify "#devex-alerts"
         when: on_fail
     - store_test_results:
         path: "/tmp/test-results"
@@ -112,31 +168,40 @@ workflows:
     - release:
         context: org-global
         requires:
-        - ruby-2.6.4-rails-6.0
-        - ruby-2.5.6-rails-6.0
-        - ruby-2.6.4-rails-5.2
-        - ruby-2.5.6-rails-5.2
+        - ruby-2.7.2-rails-6.0
+        - ruby-2.6.6-rails-6.0
+        - ruby-2.7.2-rails-5.2
+        - ruby-2.6.6-rails-5.2
+        filters:
+          tags:
+            only: /^[0-9]+\.[0-9]+\.[0-9]+(\.?(RC|rc)[-\.]?\w*)?$/
+          branches:
+            ignore: /.*/
+    - generate-and-push-docs:
+        context: org-global
+        requires:
+        - release
         filters:
           tags:
-            only: /^[0-9]+\.[0-9]+\.[0-9]+(\.?RC[-\.]?\d*)?$/
+            only: /^[0-9]+\.[0-9]+\.[0-9]+(\.?(RC|rc)[-\.]?\w*)?$/
           branches:
             ignore: /.*/
-    - ruby-2.6.4-rails-6.0:
+    - ruby-2.7.2-rails-6.0:
         context: org-global
         filters:
           tags:
             only: &1 /.*/
-    - ruby-2.5.6-rails-6.0:
+    - ruby-2.6.6-rails-6.0:
         context: org-global
         filters:
           tags:
             only: *1
-    - ruby-2.6.4-rails-5.2:
+    - ruby-2.7.2-rails-5.2:
         context: org-global
         filters:
           tags:
             only: *1
-    - ruby-2.5.6-rails-5.2:
+    - ruby-2.6.6-rails-5.2:
         context: org-global
         filters:
           tags:
@@ -150,11 +215,11 @@ workflows:
             only:
             - master
     jobs:
-    - ruby-2.6.4-rails-6.0:
+    - ruby-2.7.2-rails-6.0:
         context: org-global
-    - ruby-2.5.6-rails-6.0:
+    - ruby-2.6.6-rails-6.0:
         context: org-global
-    - ruby-2.6.4-rails-5.2:
+    - ruby-2.7.2-rails-5.2:
         context: org-global
-    - ruby-2.5.6-rails-5.2:
+    - ruby-2.6.6-rails-5.2:
         context: org-global

data/{CODEOWNERS → .github/CODEOWNERS}

@@ -8,4 +8,4 @@
 # This file uses the GitHub CODEOWNERS convention to assign PR reviewers:
 # https://help.github.com/articles/about-codeowners/
 
-* @brettfishman @bwebster
+* @brettfishman @bwebster @stitchfix/devex

data/.ruby-version

@@ -1 +1 @@
-2.6.3
+2.7.2

data/.travis.yml

@@ -1,7 +1,10 @@
 language: ruby
 rvm:
-  - 2.4.4
-  - 2.5.1
+  - 2.6
+  - 2.7
   - ruby-head
 notifications:
   email: false
+jobs:
+  allow_failures:
+    - rvm: ruby-head

data/README.md

@@ -4,13 +4,13 @@ Create Microservices in Rails by pretty much just writing regular Rails code.
 
 This gem provides:
 
-* transparent API key authentication.
-* router-level API version based on headers.
-* a way to document your microservice endpoints via acceptance tests.
-* structured errors, buildable from invalid Active Records, Exceptions, or by hand.
+- transparent API key authentication.
+- router-level API version based on headers.
+- a way to document your microservice endpoints via acceptance tests.
+- structured errors, buildable from invalid Active Records, Exceptions, or by hand.
 
 This, plus much of what you get from Rails already, means you can create a microservice Rails application by just writing the
-same Rails code you write today.  Instead of rendering web views, you render JSON (which is built into Rails).
+same Rails code you write today. Instead of rendering web views, you render JSON (which is built into Rails).
 
 ## To install
 
@@ -35,14 +35,26 @@ Then, set it up:
 
 ### Upgrading from an older version
 
-* If you have a version lower than 3.3.0, you need to run two generators, one of which creates a new database migration on your
-`api_clients` table:
+- When upgrading to version 4.0.0 you may now take advantage of an in-memory cache
+
+You can enabled it like so
+
+```ruby
+Stitches.configure do |config|
+  config.max_cache_ttl = 5  # seconds
+  config.max_cache_size = 100  # how many keys to cache
+end
+```
+
+- If you have a version lower than 3.3.0, you need to run two generators, one of which creates a new database migration on your
+  `api_clients` table:
 
   ```
   > bin/rails generate stitches:add_enabled_to_api_clients
   > bin/rails generate stitches:add_deprecation
   ```
-* If you have a version lower than 3.6.0, you need to run one generator:
+
+- If you have a version lower than 3.6.0, you need to run one generator:
 
   ```
   > bin/rails generate stitches:add_deprecation
@@ -59,8 +71,8 @@ class Api::V1::WidgetsController < ApiController
     if widget.valid?
       head 201
     else
-      render json: { 
-        errors: Stitches::Errors.from_active_record_object(widget) 
+      render json: {
+        errors: Stitches::Errors.from_active_record_object(widget)
       }, status: 422
     end
   end
@@ -73,44 +85,62 @@ private
 end
 ```
 
-If you think there's nothing special about this—you are correct.  This is the vanillaest of vanilla Rails controllers, with a few
+If you think there's nothing special about this—you are correct. This is the vanillaest of vanilla Rails controllers, with a few
 notable exceptions:
 
-* We aren't checking content type.  A stitches-based microservice always uses JSON and refuses to route requests for non-JSON to
-you, so there's zero need to use `respond_to` and friends.
-* The error-building is structured and reliable.
-* This is an authenticated request.  No request without proper authentication will be routed here, so you don't have to worry
-about it in your code.
-* This is a versioned request.  While the URL will *not* contain `v1` in it, the `Accept` header will require a version and get
-routed here.  If you make a V2, it's just a new controller and this concern is handled at the routing layer.
+- We aren't checking content type. A stitches-based microservice always uses JSON and refuses to route requests for non-JSON to
+  you, so there's zero need to use `respond_to` and friends.
+- The error-building is structured and reliable.
+- This is an authenticated request. No request without proper authentication will be routed here, so you don't have to worry
+  about it in your code.
+- This is a versioned request. While the URL will _not_ contain `v1` in it, the `Accept` header will require a version and get
+  routed here. If you make a V2, it's just a new controller and this concern is handled at the routing layer.
 
-All this means that the Rails skills of you and your team can be directly applied to building microservices.  You don't have to make a bunch of boring decisions about auth, versioning, or content-types.  It also means you can start deploying and creating microservices with little friction.  No need to deal with a complex DSL or new programming language to get yourselves going with Microservices.
+All this means that the Rails skills of you and your team can be directly applied to building microservices. You don't have to make a bunch of boring decisions about auth, versioning, or content-types. It also means you can start deploying and creating microservices with little friction. No need to deal with a complex DSL or new programming language to get yourselves going with Microservices.
 
 ## More Info
 
 See [the wiki](https://github.com/stitchfix/stitches/wiki/Setup) for how to setup stitches.
 
-* [Stitches Features](https://github.com/stitchfix/stitches/wiki/Features-of-Stitches) include:
+- [Stitches Features](https://github.com/stitchfix/stitches/wiki/Features-of-Stitches) include:
   - Authorization via API key
   - Versioned requests via HTTP content types
   - Structured Errors
   - ISO 8601-formatted dates
   - Deprecation using the `Sunset` header
-* The [Generator](https://github.com/stitchfix/stitches/wiki/Generator) sets up some code in your app, so you can start writing
-APIs using vanilla Rails idioms:
+  - An optional ApiKey cache to allow mostly DB free APIs
+- The [Generator](https://github.com/stitchfix/stitches/wiki/Generator) sets up some code in your app, so you can start writing
+  APIs using vanilla Rails idioms:
   - a "ping" controller that can validate your app is working
   - version routing based on content-type (requests for V2 use the same URL, but are serviced by a different controller)
   - An ApiClient Active Record
   - Acceptance tests that can produce API documentation as they test your app.
-* Stitches provides [testing support](https://github.com/stitchfix/stitches/wiki/Testing)
+- Stitches provides [testing support](https://github.com/stitchfix/stitches/wiki/Testing)
+
+## API Key Caching
+
+Since version 4.0.0, stitches now has the ability to cache API keys in
+memory for a configurable amount of time. This may be an improvement for
+some applications.
+
+You must configure the API Cache for it be used.
+
+```ruby
+Stitches.configure do |config|
+  config.max_cache_ttl = 5  # seconds
+  config.max_cache_size = 100  # how many keys to cache
+end
+```
 
+Your cache size should be
+larger then the number of consumer keys your service has.
 
 ## Developing
 
-Although `Stitches.configuration` is global, do not depend directly on that in your logic.  Instead, allow all classes to receive a configuration object in their constructor.  This makes the classes easier to deal with and change, without incurring much of a real cost to development.  Global symbols suck, but are convenient.  This is how you make the most of it.
+Although `Stitches.configuration` is global, do not depend directly on that in your logic. Instead, allow all classes to receive a configuration object in their constructor. This makes the classes easier to deal with and change, without incurring much of a real cost to development. Global symbols suck, but are convenient. This is how you make the most of it.
 
 Also, the integration test does a lot of "testing the implementation", but since Rails generators are notorious for silently
-failing with a successful result, we have to make sure that the various `inject_into_file` calls are actually working.  Do not do
+failing with a successful result, we have to make sure that the various `inject_into_file` calls are actually working. Do not do
 any fancy refactors here, just keep it up to date.
 
 ---

data/lib/stitches/allowlist_middleware.rb

@@ -2,7 +2,6 @@ module Stitches
   # A middleware that will skip its behavior if the path matches an allowed URL
   class AllowlistMiddleware
     def initialize(app, options={})
-
       @app           = app
       @configuration = options[:configuration] ||  Stitches.configuration
       @except        = options[:except]        || @configuration.allowlist_regexp

data/lib/stitches/api_client_access_wrapper.rb

@@ -0,0 +1,42 @@
+require 'lru_redux'
+
+module Stitches::ApiClientAccessWrapper
+
+  def self.fetch_for_key(key)
+    if cache_enabled
+      fetch_for_key_from_cache(key)
+    else
+      fetch_for_key_from_db(key)
+    end
+  end
+
+  def self.fetch_for_key_from_cache(key)
+    api_key_cache.getset(key) do
+      fetch_for_key_from_db(key)
+    end
+  end
+
+  def self.fetch_for_key_from_db(key)
+    if ::ApiClient.column_names.include?("enabled")
+      ::ApiClient.find_by(key: key, enabled: true)
+    else
+      ActiveSupport::Deprecation.warn('api_keys is missing "enabled" column.  Run "rails g stitches:add_enabled_to_api_clients"')
+      ::ApiClient.find_by(key: key)
+    end
+  end
+
+  def self.clear_api_cache
+    api_key_cache.clear if cache_enabled
+  end
+
+  def self.api_key_cache
+    @api_key_cache ||= LruRedux::TTL::ThreadSafeCache.new(
+      Stitches.configuration.max_cache_size,
+      Stitches.configuration.max_cache_ttl,
+    )
+  end
+
+  def self.cache_enabled
+    Stitches.configuration.max_cache_ttl.positive?
+  end
+end

data/lib/stitches/api_generator.rb

@@ -12,7 +12,6 @@ module Stitches
 
     desc "Bootstraps your API service with a basic ping controller and spec to ensure everything is setup properly"
     def bootstrap_api
-      gem "stitches"
       gem "apitome"
       gem_group :development, :test do
         gem "rspec"
@@ -20,7 +19,9 @@ module Stitches
         gem "rspec_api_documentation"
       end
 
-      run "bundle install"
+      Bundler.with_clean_env do
+        run "bundle install"
+      end
       generate "apitome:install"
       generate "rspec:install"
 

data/lib/stitches/api_key.rb

@@ -20,11 +20,6 @@ module Stitches
   # ApiClient that it maps to.
   class ApiKey < Stitches::AllowlistMiddleware
 
-    def initialize(app,options = {})
-      super(app,options)
-      @realm = rails_app_module
-    end
-
   protected
 
     def do_call(env)
@@ -32,26 +27,19 @@ module Stitches
       if authorization
         if authorization =~ /#{@configuration.custom_http_auth_scheme}\s+key=(.*)\s*$/
           key = $1
-
-          if ApiClient.column_names.include?("enabled")
-            client = ApiClient.where(key: key, enabled: true).first
-          else
-            ActiveSupport::Deprecation.warn('api_keys is missing "enabled" column.  Run "rails g stitches:add_enabled_to_api_clients"')
-            client = ApiClient.where(key: key).first
-          end
-
+          client = Stitches::ApiClientAccessWrapper.fetch_for_key(key)
           if client.present?
             env[@configuration.env_var_to_hold_api_client_primary_key] = client.id
             env[@configuration.env_var_to_hold_api_client] = client
             @app.call(env)
           else
-            UnauthorizedResponse.new("key invalid",@realm,@configuration.custom_http_auth_scheme)
+            unauthorized_response("key invalid")
           end
         else
-          UnauthorizedResponse.new("bad authorization type",@realm,@configuration.custom_http_auth_scheme)
+          unauthorized_response("bad authorization type")
         end
       else
-        UnauthorizedResponse.new("no authorization header",@realm,@configuration.custom_http_auth_scheme)
+        unauthorized_response("no authorization header")
       end
     end
 
@@ -68,10 +56,11 @@ module Stitches
       parent.to_s
     end
 
-    class UnauthorizedResponse < Rack::Response
-      def initialize(reason,realm,custom_http_auth_scheme)
-        super("Unauthorized - #{reason}", 401, { "WWW-Authenticate" => "#{custom_http_auth_scheme} realm=#{realm}" })
-      end
+    def unauthorized_response(reason)
+      status = 401
+      body = "Unauthorized - #{reason}"
+      header = { "WWW-Authenticate" => "#{@configuration.custom_http_auth_scheme} realm=#{rails_app_module}" }
+      Rack::Response.new(body, status, header).finish
     end
 
   end

data/lib/stitches/configuration.rb

@@ -13,6 +13,8 @@ class Stitches::Configuration
     @custom_http_auth_scheme = UnsetString.new("custom_http_auth_scheme")
     @env_var_to_hold_api_client_primary_key = NonNullString.new("env_var_to_hold_api_client_primary_key","STITCHES_API_CLIENT_ID")
     @env_var_to_hold_api_client= NonNullString.new("env_var_to_hold_api_client","STITCHES_API_CLIENT")
+    @max_cache_ttl = NonNullInteger.new("max_cache_ttl", 0)
+    @max_cache_size = NonNullInteger.new("max_cache_size", 0)
   end
 
   # A RegExp that allows URLS around the mime type and api key requirements.
@@ -25,11 +27,6 @@ class Stitches::Configuration
     @allowlist_regexp = new_allowlist_regexp
   end
 
-  def whitelist_regexp=(new_allowlist_regexp)
-    self.allowlist_regexp = new_allowlist_regexp
-    warn("⚠️ 'whitelist' is deprecated in stitches configuration, please use 'allowlist' or auto-update with:\n\n  bin/rails g stitches:update_configuration\n\n⚠️  'whitelist' will be removed in 4.0")
-  end
-
   # The name of your custom http auth scheme.  This must be set, and has no default
   def custom_http_auth_scheme
     @custom_http_auth_scheme.to_s
@@ -39,7 +36,7 @@ class Stitches::Configuration
     @custom_http_auth_scheme = NonNullString.new("custom_http_auth_scheme",new_custom_http_auth_scheme)
   end
 
-  # The name of the environment variable that the ApiKey middleware should use to 
+  # The name of the environment variable that the ApiKey middleware should use to
   # place the primary key of the authenticated ApiKey.  For example, if a user provides
   # the api key 1234-1234-1234-1234, and that maps to the primary key 42 in your database,
   # the environment will contain "42" in the key provided here.
@@ -59,8 +56,40 @@ class Stitches::Configuration
     @env_var_to_hold_api_client= NonNullString.new("env_var_to_hold_api_client",new_env_var_to_hold_api_client)
   end
 
+  def max_cache_ttl
+    @max_cache_ttl.to_i
+  end
+
+  def max_cache_ttl=(new_max_cache_ttl)
+    @max_cache_ttl = NonNullInteger.new("max_cache_ttl", new_max_cache_ttl)
+  end
+
+  def max_cache_size
+    @max_cache_size.to_i
+  end
+
+  def max_cache_size=(new_max_cache_size)
+    @max_cache_size = NonNullInteger.new("max_cache_size", new_max_cache_size)
+  end
+
 private
 
+  class NonNullInteger
+    def initialize(name, value)
+      unless value.is_a?(Integer)
+        raise "#{name} must be an Integer, not a #{value.class}"
+      end
+
+      @value = value
+    end
+
+    def to_i
+      @value
+    end
+
+    alias to_integer to_i
+  end
+
   class NonNullString
     def initialize(name,string)
       unless string.nil? || string.is_a?(String)

data/lib/stitches/generator_files/config/initializers/stitches.rb

@@ -11,4 +11,14 @@ Stitches.configure do |configuration|
   # Env var that gets the primary key of the authenticated ApiKey
   # for access in your controllers, so they don't need to re-parse the header
   # configuration.env_var_to_hold_api_client_primary_key = "YOUR_ENV_VAR"
+
+  # Configures how long to cache ApiKeys in memory (In Seconds)
+  # A value of 0 will disable the cache entierly
+  # Default is 0
+  # configuration.max_cache_ttl = 5
+
+  # Configures how many ApiKeys to cache at one time
+  # This should be larger then the number of clients
+  # Default is 0
+  # configuration.max_cache_size = 100
 end

data/lib/stitches/railtie.rb

@@ -1,9 +1,11 @@
 require 'stitches/api_key'
 require 'stitches/valid_mime_type'
+require 'stitches/api_client_access_wrapper'
 
 module Stitches
   class Railtie < Rails::Railtie
     config.app_middleware.use Stitches::ApiKey
     config.app_middleware.use Stitches::ValidMimeType
+
   end
 end

data/lib/stitches/valid_mime_type.rb

@@ -1,31 +1,39 @@
 require_relative 'allowlist_middleware'
 module Stitches
-  # A middleware that requires all API calls to be for versioned JSON.  This means that the Accept
-  # header (available to Rack apps as HTTP_ACCEPT) should be like so:
+  # A middleware that requires all API calls to be for versioned JSON or Protobuf.
+  #
+  # This means that the Accept header (available to Rack apps as HTTP_ACCEPT) should be like so:
   #
   #     application/json; version=1
   #
   # This just checks that you've specified some numeric version.  ApiVersionConstraint should be used
   # to "lock down" the versions you accept.
+  # 
+  # Or in the case of a protobuf encoded payload the header should be like so:
+  #
+  #     application/protobuf
+  #
+  # There isn't an accepted standard for protobuf encoded payloads but this form is common.
   class ValidMimeType < Stitches::AllowlistMiddleware
 
   protected
 
     def do_call(env)
       accept = String(env["HTTP_ACCEPT"])
-      if accept =~ %r{application/json} && accept =~ %r{version=\d+}
+      if (accept =~ %r{application/json} && accept =~ %r{version=\d+}) || accept =~ %r{application/protobuf}
         @app.call(env)
       else
-        NotAcceptableResponse.new(accept)
+        not_acceptable_response(accept)
       end
     end
 
     private
 
-    class NotAcceptableResponse < Rack::Response
-      def initialize(accept_header)
-        super("Not Acceptable - '#{accept_header}' didn't have the right mime type or version number. We only accept application/json with a version", 406)
-      end
+    def not_acceptable_response(accept_header)
+      status = 406
+      body = "Not Acceptable - '#{accept_header}' didn't have the right mime type or version number. We only accept application/json with a version or application/protobuf"
+      header = { "WWW-Authenticate" => accept_header }
+      Rack::Response.new(body, status, header).finish
     end
 
   end

data/lib/stitches/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Stitches
-  VERSION = '3.8.1'
+  VERSION = '4.0.1'
 end

data/lib/stitches_norailtie.rb

@@ -14,7 +14,6 @@ require 'stitches/errors'
 require 'stitches/api_generator'
 require 'stitches/add_deprecation_generator'
 require 'stitches/add_enabled_to_api_clients_generator'
-require 'stitches/update_configuration_generator'
 require 'stitches/api_version_constraint'
 require 'stitches/api_key'
 require 'stitches/deprecation'

data/owners.json

@@ -1,7 +1,7 @@
 {
   "owners": [
     {
-      "team": "platform"
+      "team": "devex"
     }
   ]
 }

data/spec/api_client_access_wrapper_spec.rb

@@ -0,0 +1,52 @@
+require 'spec_helper.rb'
+
+module MyApp
+  class Application
+  end
+end
+
+unless defined? ApiClient
+  class ApiClient
+    def self.column_names
+      ["enabled"]
+    end
+  end
+end
+
+describe Stitches::ApiClientAccessWrapper do
+  let(:api_client) {
+    double(ApiClient, id: 42)
+  }
+  before do
+    Stitches.configuration.reset_to_defaults!
+  end
+  describe '#fetch_by_key' do
+    context "cache is disabled" do
+      before do
+        expect(ApiClient).to receive(:find_by).and_return(api_client).twice
+      end
+
+      it "fetchs object from db twice" do
+        expect(described_class.fetch_for_key("123").id).to eq(42)
+        expect(described_class.fetch_for_key("123").id).to eq(42)
+      end
+    end
+
+    context "cache is configured" do
+      before do
+        Stitches.configure do |config|
+          config.max_cache_ttl  = 5
+          config.max_cache_size = 10
+        end
+
+        expect(ApiClient).to receive(:find_by).and_return(api_client).once
+      end
+
+      it "fetchs object from cache" do
+        expect(described_class.fetch_for_key("123").id).to eq(42)
+        # This should hit the cache
+        expect(described_class.fetch_for_key("123").id).to eq(42)
+      end
+    end
+  end
+end

data/spec/api_key_spec.rb

@@ -15,10 +15,8 @@ end
 
 describe Stitches::ApiKey do
   let(:app) { double("rack app") }
-  let(:api_clients) {
-    [
-      double(ApiClient, id: 42)
-    ]
+  let(:api_client) {
+    double(ApiClient, id: 42)
   }
 
   before do
@@ -27,23 +25,27 @@ describe Stitches::ApiKey do
     fake_rails_app = MyApp::Application.new
     allow(Rails).to receive(:application).and_return(fake_rails_app)
     allow(app).to receive(:call).with(env)
-    allow(ApiClient).to receive(:where).and_return(api_clients)
+    allow(ApiClient).to receive(:find_by).and_return(api_client)
+    Stitches::ApiClientAccessWrapper.clear_api_cache
   end
 
   subject(:middleware) { described_class.new(app, namespace: "/api") }
 
   shared_examples "an unauthorized response" do
     it "returns a 401" do
-      expect(@response.status).to eq(401)
+      status, _headers, _body = @response
+      expect(status).to eq(401)
     end
     it "sets the proper header" do
-      expect(@response.headers["WWW-Authenticate"]).to eq("MyAwesomeInternalScheme realm=MyApp")
+      _status, headers, _body = @response
+      expect(headers["WWW-Authenticate"]).to eq("MyAwesomeInternalScheme realm=MyApp")
     end
     it "stops the call chain preventing anything from happening" do
       expect(app).not_to have_received(:call)
     end
     it "sends a reasonable message" do
-      expect(@response.body).to eq([expected_body])
+      _status, _headers, body = @response
+      expect(body).to eq([expected_body])
     end
   end
 
@@ -155,18 +157,17 @@ describe Stitches::ApiKey do
       end
 
       it "sets the api_client's ID in the environment" do
-        expect(env[Stitches.configuration.env_var_to_hold_api_client_primary_key]).to eq(api_clients.first.id)
+        expect(env[Stitches.configuration.env_var_to_hold_api_client_primary_key]).to eq(api_client.id)
       end
 
       it "sets the api_client itself in the environment" do
-        expect(env[Stitches.configuration.env_var_to_hold_api_client]).to eq(api_clients.first)
+        expect(env[Stitches.configuration.env_var_to_hold_api_client]).to eq(api_client)
       end
     end
 
     context "unauthorized responses" do
       before do
         @response = middleware.call(env)
-        @response.finish
       end
       context "invalid key" do
         let(:env) {
@@ -175,7 +176,7 @@ describe Stitches::ApiKey do
             "HTTP_AUTHORIZATION" => "MyAwesomeInternalScheme key=foobar",
           }
         }
-        let(:api_clients) { [] }
+        let(:api_client) { nil }
 
         it_behaves_like "an unauthorized response" do
           let(:expected_body) { "Unauthorized - key invalid" }

data/spec/configuration_spec.rb

@@ -9,17 +9,23 @@ describe Stitches::Configuration do
     let(:allowlist_regexp) { %r{foo} }
     let(:custom_http_auth_scheme) { "Blah" }
     let(:env_var_to_hold_api_client_primary_key) { "FOOBAR" }
+    let(:max_cache_ttl) { 11 }
+    let(:max_cache_size) { 111 }
 
     it "can be configured globally" do
       Stitches.configure do |config|
         config.allowlist_regexp                       = allowlist_regexp
         config.custom_http_auth_scheme                = custom_http_auth_scheme
         config.env_var_to_hold_api_client_primary_key = env_var_to_hold_api_client_primary_key
+        config.max_cache_ttl                          = max_cache_ttl
+        config.max_cache_size                         = max_cache_size
       end
 
       expect(Stitches.configuration.allowlist_regexp).to                       eq(allowlist_regexp)
       expect(Stitches.configuration.custom_http_auth_scheme).to                eq(custom_http_auth_scheme)
       expect(Stitches.configuration.env_var_to_hold_api_client_primary_key).to eq(env_var_to_hold_api_client_primary_key)
+      expect(Stitches.configuration.max_cache_ttl).to                          eq(max_cache_ttl)
+      expect(Stitches.configuration.max_cache_size).to                         eq(max_cache_size)
     end
 
     it "defaults to nil for allowlist_regexp" do
@@ -30,6 +36,14 @@ describe Stitches::Configuration do
       expect(Stitches.configuration.env_var_to_hold_api_client_primary_key).to eq("STITCHES_API_CLIENT_ID")
     end
 
+    it "defaults to 0 for max_cache_ttl" do
+      expect(Stitches.configuration.max_cache_ttl).to eq(0)
+    end
+
+    it "sets a default for max_cache_size" do
+      expect(Stitches.configuration.max_cache_size).to eq(0)
+    end
+
     it "blows up if you try to use custom_http_auth_scheme without having set it" do
       expect {
         Stitches.configuration.custom_http_auth_scheme
@@ -102,19 +116,34 @@ describe Stitches::Configuration do
       }.not_to raise_error
     end
   end
-  context "deprecated options we want to support for backwards compatibility" do
 
-    let(:logger) { double("logger") }
-    before do
-      allow(Rails).to receive(:logger).and_return(logger)
-      allow(logger).to receive(:info)
+  describe "max_cache_ttl" do
+    let(:config) { Stitches::Configuration.new }
+    it "must be an integer" do
+      expect {
+        config.max_cache_ttl = ""
+      }.to raise_error(/max_cache_ttl must be an Integer, not a String/)
     end
 
-    it "'whitelist' still works for allowlist" do
-      Stitches.configure do |config|
-        config.whitelist_regexp = /foo/
-      end
-      expect(Stitches.configuration.allowlist_regexp).to eq(/foo/)
+    it "may not be nil" do
+      expect {
+        config.max_cache_ttl = nil
+      }.to raise_error(/max_cache_ttl must be an Integer, not a NilClass/)
+    end
+  end
+
+  describe "max_cache_size" do
+    let(:config) { Stitches::Configuration.new }
+    it "must be an integer" do
+      expect {
+        config.max_cache_size = ""
+      }.to raise_error(/max_cache_size must be an Integer, not a String/)
+    end
+
+    it "may not be nil" do
+      expect {
+        config.max_cache_size = nil
+      }.to raise_error(/max_cache_size must be an Integer, not a NilClass/)
     end
   end
 end

data/spec/integration/add_to_rails_app_spec.rb

@@ -109,35 +109,6 @@ RSpec.describe "Adding Stitches to a New Rails App", :integration do
     expect(include_line).to_not be_nil,lines.inspect
   end
 
-  it "inserts can update old configuration" do
-    run "bin/rails generate stitches:api"
-
-    initializer = rails_root / "config" / "initializers" / "stitches.rb"
-
-    initializer_contents = File.read(initializer).split(/\n/)
-    found_initializer = false
-    File.open(initializer,"w") do |file|
-      initializer_contents.each do |line|
-        if line =~ /allowlist/
-          line = line.gsub("allowlist","whitelist")
-          found_initializer = true
-        end
-        file.puts line
-      end
-    end
-
-    raise "Didn't find 'allowlist' in the initializer?!" if !found_initializer
-
-    run "bin/rails generate stitches:update_configuration"
-
-    lines =  File.read(initializer).split(/\n/)
-    include_line = lines.detect { |line|
-      line =~ /whitelist/
-    }
-
-    expect(include_line).to be_nil,lines.inspect
-  end
-
   class RoutesFileAnalysis
     attr_reader :routes_file
     def initialize(routes_file, namespace: nil, module_scope: nil, resource: nil, mounted_engine: nil)

data/spec/valid_mime_type_spec.rb

@@ -11,13 +11,15 @@ describe Stitches::ValidMimeType do
 
   shared_examples "an unacceptable response" do
     it "returns a 406" do
-      expect(@response.status).to eq(406)
+      status, _headers, _body = @response
+      expect(status).to eq(406)
     end
     it "stops the call chain preventing anything from happening" do
       expect(app).not_to have_received(:call)
     end
     it "sends a reasonable message" do
-      expect(@response.body.first).to match(/didn't have the right mime type or version number. We only accept application\/json/)
+      _status, _headers, body = @response
+      expect(body.first).to match(/didn't have the right mime type or version number. We only accept application\/json/)
     end
   end
 
@@ -130,10 +132,25 @@ describe Stitches::ValidMimeType do
       end
     end
 
+    context "protbuf mime type" do
+      let(:env) {
+        {
+          "PATH_INFO" => "/api/ping",
+          "HTTP_ACCEPT" => "application/protobuf",
+        }
+      }
+
+      before do
+        @response = middleware.call(env)
+      end
+      it "calls through to the rest of the chain" do
+        expect(app).to have_received(:call).with(env)
+      end
+    end
+
     context "unacceptable responses" do
       before do
         @response = middleware.call(env)
-        @response.finish
       end
       context "no header" do
         let(:env) {

data/stitches.gemspec

@@ -20,6 +20,7 @@ Gem::Specification.new do |s|
 
   s.add_runtime_dependency("rails")
   s.add_runtime_dependency("pg")
+  s.add_runtime_dependency("lru_redux")
 
   s.add_development_dependency("rspec", ">= 3")
   s.add_development_dependency("rake")

metadata

@@ -1,17 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: stitches
 version: !ruby/object:Gem::Version
-  version: 3.8.1
+  version: 4.0.1
 platform: ruby
 authors:
 - Stitch Fix Engineering
 - Andrew Peterson
 - Dave Copeland
 - Jonathan Dean
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-09-10 00:00:00.000000000 Z
+date: 2020-11-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -41,6 +41,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: lru_redux
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -95,11 +109,12 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".circleci/config.yml"
+- ".github/CODEOWNERS"
+- ".github/PULL_REQUEST_TEMPLATE.md"
 - ".gitignore"
 - ".ruby-gemset"
 - ".ruby-version"
 - ".travis.yml"
-- CODEOWNERS
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - Gemfile
@@ -109,7 +124,6 @@ files:
 - Gemfile.rails-5.2
 - Gemfile.rails-6.0
 - LICENSE.txt
-- PULL_REQUEST_TEMPLATE.md
 - README.md
 - Rakefile
 - build-matrix.json
@@ -117,6 +131,7 @@ files:
 - lib/stitches/add_deprecation_generator.rb
 - lib/stitches/add_enabled_to_api_clients_generator.rb
 - lib/stitches/allowlist_middleware.rb
+- lib/stitches/api_client_access_wrapper.rb
 - lib/stitches/api_generator.rb
 - lib/stitches/api_key.rb
 - lib/stitches/api_version_constraint.rb
@@ -147,12 +162,11 @@ files:
 - lib/stitches/spec/have_api_error.rb
 - lib/stitches/spec/show_deprecation.rb
 - lib/stitches/spec/test_headers.rb
-- lib/stitches/update_configuration_generator.rb
 - lib/stitches/valid_mime_type.rb
 - lib/stitches/version.rb
-- lib/stitches/whitelisting_middleware.rb
 - lib/stitches_norailtie.rb
 - owners.json
+- spec/api_client_access_wrapper_spec.rb
 - spec/api_key_spec.rb
 - spec/api_version_constraint_spec.rb
 - spec/configuration_spec.rb
@@ -170,7 +184,7 @@ homepage: https://github.com/stitchfix/stitches
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -185,11 +199,12 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: You'll be in stitches at how easy it is to create a service at Stitch Fix
 test_files:
+- spec/api_client_access_wrapper_spec.rb
 - spec/api_key_spec.rb
 - spec/api_version_constraint_spec.rb
 - spec/configuration_spec.rb

data/lib/stitches/update_configuration_generator.rb

@@ -1,16 +0,0 @@
-require 'rails/generators'
-
-module Stitches
-  class UpdateConfigurationGenerator < Rails::Generators::Base
-    include Rails::Generators::Migration
-
-    source_root(File.expand_path(File.join(File.dirname(__FILE__),"generator_files")))
-
-    desc "Change your configuration to use 'allowlist' so you'll be ready for 4.x"
-    def update_to_allowlist
-      gsub_file "config/initializers/stitches.rb", /whitelist/, "allowlist"
-      puts "🎉 You are now good to go!"
-    end
-
-  end
-end

data/lib/stitches/whitelisting_middleware.rb

@@ -1,5 +0,0 @@
-require_relative "allowlist_middleware"
-
-module Stitches
-  WhitelistingMiddleware = AllowlistMiddleware
-end