stitches 4.1.0RC2 → 4.2.0.RC1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 181e2199d9e7f15ef933d3c3b87262f83894e02c25821d53aa23191db16c6a7a
-  data.tar.gz: 8f90ed0f8e39e94715f77f2708f1fe87da31318f97708dfd50692f8408ec9d71
+  metadata.gz: ff331a78189008795f3789617197c5bf4ac77fb9b2db8fe036256903668656ba
+  data.tar.gz: 2757ff4ef4739e826b60406726547b225693f44846d811c0c8fd0afa093eb55a
 SHA512:
-  metadata.gz: f4043849fc0c7da16cd1a87216897a6bf696b0cf82adf18d5a2d0e0277fd8ba7881e6af75e1c6451ee9fece50902bb1088166ac46c40eddc74cc4b3c01f5ecc5
-  data.tar.gz: 2e2310a95b713fe859ce309cac4d03552fd094ac03d2526045095980f488204a27a04da5c459b90719af9f947af13f1d70301b9eddb21f90a742470198760bd2
+  metadata.gz: c6a9e99b2f0410ba3e1bff9c851fde7ec923154388667ea86c7a080354eb3943a2188e33336cc23e5ea530a98851e1fdf00ceb750cd246ebc95a3f43f2ecb95e
+  data.tar.gz: ed1f7f688b16629940ccd0f7b201ad6b47e9fcfdc005969dd3fdff7264fb45bd7c31d572a1dda5a962386bf567e07bb1823dbab66ccea40e8bed9650d67b59c9

data/.circleci/config.yml

@@ -161,36 +161,6 @@ jobs:
         when: on_fail
     - store_test_results:
         path: "/tmp/test-results"
-  ruby-2.7.2-rails-5.2:
-    docker:
-    - image: circleci/ruby:2.7.2
-      auth:
-        username: "$DOCKERHUB_USERNAME"
-        password: "$DOCKERHUB_PASSWORD"
-      environment:
-        BUNDLE_GEMFILE: Gemfile.rails-5.2
-    working_directory: "~/stitches"
-    steps:
-    - checkout
-    - run:
-        name: Check for Gemfile.lock presence
-        command: ' if (test -f Gemfile.lock) then echo "Dont commit Gemfile.lock (see
-          https://github.com/stitchfix/eng-wiki/blob/master/architecture-decisions/0009-rubygem-dependencies-will-be-managed-more-explicitly.md)"
-          1>&2 ; exit 1 ; else exit 0 ; fi '
-    - run: bundle config stitchfix01.jfrog.io $ARTIFACTORY_USER:$ARTIFACTORY_TOKEN
-    - run: bundle install --full-index
-    - run: bundle exec rspec --format RspecJunitFormatter --out /tmp/test-results/rspec.xml
-        --format=doc
-    - run:
-        name: Run Additional CI Steps
-        command: if [ -e bin/additional-ci-steps ]; then bin/additional-ci-steps;
-          fi
-    - run:
-        name: Notify Pager Duty
-        command: bundle exec y-notify "#eng-runtime-alerts"
-        when: on_fail
-    - store_test_results:
-        path: "/tmp/test-results"
 workflows:
   version: 2
   on-commit:
@@ -202,7 +172,6 @@ workflows:
         - ruby-2.7.2-rails-6.1
         - ruby-3.0.0-rails-6.0
         - ruby-2.7.2-rails-6.0
-        - ruby-2.7.2-rails-5.2
         filters:
           tags:
             only: /^[0-9]+\.[0-9]+\.[0-9]+(\.?(RC|rc)[-\.]?\w*)?$/
@@ -237,11 +206,6 @@ workflows:
         filters:
           tags:
             only: *1
-    - ruby-2.7.2-rails-5.2:
-        context: org-global
-        filters:
-          tags:
-            only: *1
   scheduled:
     triggers:
     - schedule:
@@ -259,5 +223,3 @@ workflows:
         context: org-global
     - ruby-2.7.2-rails-6.0:
         context: org-global
-    - ruby-2.7.2-rails-5.2:
-        context: org-global

data/.gitignore

@@ -1,5 +1,6 @@
 pkg
 spec/reports
+spec/fake_app/log/
 .vimrc
 *.sw?
 .idea/

data/README.md

@@ -35,7 +35,7 @@ Then, set it up:
 
 ### Upgrading from an older version
 
-- When upgrading to version 4.0.0 you may now take advantage of an in-memory cache
+- When upgrading to version 4.0.0 and above you may now take advantage of an in-memory cache
 
 You can enabled it like so
 
@@ -46,18 +46,46 @@ Stitches.configure do |config|
 end
 ```
 
-- If you have a version lower than 3.3.0, you need to run two generators, one of which creates a new database migration on your
-  `api_clients` table:
+You can also set a leniency for disabled API keys, which will allow old API keys to continue to be used if they have a
+`disabled_at` field set as long as the leniency is not exceeded. Note that if the `disabled_at` field is not populated
+the behavior will remain the same as it always was, and the request will be denied when the `enabled` field is set to
+`true`. If Stitches allows a call due to leniency settings, a log message will be generated with a severity depending on
+how long ago the API key was disabled.
+
+```ruby
+Stitches.configure do |config|
+  config.disabled_key_leniency_in_seconds = 3 * 24 * 60 * 60 # Time in seconds, defaults to three days 
+  config.disabled_key_leniency_error_log_threshold_in_seconds = 2 * 24 * 60 * 60 # Time in seconds, defaults to two days 
+end
+```
+
+If a disabled key is used within the `disabled_key_leniency_in_seconds`, it will be allowed. 
+
+Anytime a disabled key is used a log will be generated. If it is before the 
+`disabled_key_leniency_error_log_threshold_in_seconds` it will be a warning log message, if it is after that, it will be
+an error message. `disabled_key_leniency_error_log_threshold_in_seconds` should never be a greater number than 
+`disabled_key_leniency_in_seconds`, as this provides an escallating series of warnings before finally disabling access.
+
+- If you are upgrading from a version older than 3.3.0 you need to run three generators, two of which create database
+  migrations on your `api_clients` table:
 
   ```
   > bin/rails generate stitches:add_enabled_to_api_clients
   > bin/rails generate stitches:add_deprecation
+  > bin/rails generate stitches:add_disabled_at_to_api_clients
   ```
 
-- If you have a version lower than 3.6.0, you need to run one generator:
+- If you are upgrading from a version between 3.3.0 and 3.5.0 you need to run two generators:
 
   ```
   > bin/rails generate stitches:add_deprecation
+  > bin/rails generate stitches:add_disabled_at_to_api_clients
+  ```
+
+- If you are upgrading from a version between 3.6.0 and 4.0.2 you need to run one generator:
+
+  ```
+  > bin/rails generate stitches:add_disabled_at_to_api_clients
   ```
 
 ## Example Microservice Endpoint
@@ -143,6 +171,10 @@ Also, the integration test does a lot of "testing the implementation", but since
 failing with a successful result, we have to make sure that the various `inject_into_file` calls are actually working. Do not do
 any fancy refactors here, just keep it up to date.
 
+## Releases
+
+See the release process for open source gems in the Stitch Fix engineering wiki under technical topics.
+
 ---
 
 Provided with love by your friends at [Stitch Fix Engineering](http://technology.stitchfix.com)

data/lib/stitches/add_disabled_at_to_api_clients_generator.rb

@@ -0,0 +1,18 @@
+require 'rails/generators'
+
+module Stitches
+  class AddDisabledAtToApiClientsGenerator < Rails::Generators::Base
+    include Rails::Generators::Migration
+
+    source_root(File.expand_path(File.join(File.dirname(__FILE__),"generator_files")))
+
+    def self.next_migration_number(path)
+      Time.now.utc.strftime("%Y%m%d%H%M%S")
+    end
+
+    desc "Upgrade your api_clients table so it includes the `disabled_at` field"
+    def update_api_clients_table
+      migration_template "db/migrate/add_disabled_at_to_api_clients.rb", "db/migrate/add_disabled_at_to_api_clients.rb"
+    end
+  end
+end

data/lib/stitches/allowlist_middleware.rb

@@ -3,15 +3,14 @@ module Stitches
   class AllowlistMiddleware
     def initialize(app, options={})
       @app           = app
-      @configuration = options[:configuration] ||  Stitches.configuration
-      @except        = options[:except]        || @configuration.allowlist_regexp
+      @configuration = options[:configuration]
+      @except        = options[:except]
 
-      unless @except.nil? || @except.is_a?(Regexp)
-        raise ":except must be a Regexp"
-      end
+      allowlist_regex
     end
+
     def call(env)
-      if @except && @except.match(env["PATH_INFO"])
+      if allowlist_regex && allowlist_regex.match(env["PATH_INFO"])
         @app.call(env)
       else
         do_call(env)
@@ -24,5 +23,20 @@ module Stitches
       raise 'subclass must implement'
     end
 
+    def configuration
+      @configuration || Stitches.configuration
+    end
+
+  private
+
+    def allowlist_regex
+      regex = @except || configuration.allowlist_regexp
+
+      if !regex.nil? && !regex.is_a?(Regexp)
+        raise ":except must be a Regexp"
+      end
+
+      regex
+    end
   end
 end

data/lib/stitches/api_client_access_wrapper.rb

@@ -2,26 +2,57 @@ require 'lru_redux'
 
 module Stitches::ApiClientAccessWrapper
 
-  def self.fetch_for_key(key)
+  def self.fetch_for_key(key, configuration)
     if cache_enabled
-      fetch_for_key_from_cache(key)
+      fetch_for_key_from_cache(key, configuration)
     else
-      fetch_for_key_from_db(key)
+      fetch_for_key_from_db(key, configuration)
     end
   end
 
-  def self.fetch_for_key_from_cache(key)
+  def self.fetch_for_key_from_cache(key, configuration)
     api_key_cache.getset(key) do
-      fetch_for_key_from_db(key)
+      fetch_for_key_from_db(key, configuration)
     end
   end
 
-  def self.fetch_for_key_from_db(key)
-    if ::ApiClient.column_names.include?("enabled")
-      ::ApiClient.find_by(key: key, enabled: true)
+  def self.fetch_for_key_from_db(key, configuration)
+    api_client = ::ApiClient.find_by(key: key)
+    return unless api_client
+
+    unless api_client.respond_to?(:enabled?)
+      logger.warn('api_keys is missing "enabled" column.  Run "rails g stitches:add_enabled_to_api_clients"')
+      return api_client
+    end
+
+    unless api_client.respond_to?(:disabled_at)
+      logger.warn('api_keys is missing "disabled_at" column.  Run "rails g stitches:add_disabled_at_to_api_clients"')
+    end
+
+    return api_client if api_client.enabled?
+
+    disabled_at = api_client.respond_to?(:disabled_at) ? api_client.disabled_at : nil
+    if disabled_at && disabled_at > configuration.disabled_key_leniency_in_seconds.seconds.ago
+      message = "Allowing disabled ApiClient: #{api_client.name} with key #{api_client.key} disabled at #{disabled_at}"
+      if disabled_at > configuration.disabled_key_leniency_error_log_threshold_in_seconds.seconds.ago
+        logger.warn(message)
+      else
+        logger.error(message)
+      end
+      return api_client
+    else
+      logger.error("Rejecting disabled ApiClient: #{api_client.name} with key #{api_client.key}")
+    end
+    nil
+  end
+
+  def self.logger
+    if defined?(StitchFix::Logger::LogWriter)
+      StitchFix::Logger::LogWriter
+    elsif defined?(Rails.logger)
+      Rails.logger
     else
-      ActiveSupport::Deprecation.warn('api_keys is missing "enabled" column.  Run "rails g stitches:add_enabled_to_api_clients"')
-      ::ApiClient.find_by(key: key)
+      ::Logger.new('/dev/null')
     end
   end
 
@@ -39,4 +70,4 @@ module Stitches::ApiClientAccessWrapper
   def self.cache_enabled
     Stitches.configuration.max_cache_ttl.positive?
   end
-end
+end

data/lib/stitches/api_key.rb

@@ -25,12 +25,12 @@ module Stitches
     def do_call(env)
       authorization = env["HTTP_AUTHORIZATION"]
       if authorization
-        if authorization =~ /#{@configuration.custom_http_auth_scheme}\s+key=(.*)\s*$/
+        if authorization =~ /#{configuration.custom_http_auth_scheme}\s+key=(.*)\s*$/
           key = $1
-          client = Stitches::ApiClientAccessWrapper.fetch_for_key(key)
+          client = Stitches::ApiClientAccessWrapper.fetch_for_key(key, configuration)
           if client.present?
-            env[@configuration.env_var_to_hold_api_client_primary_key] = client.id
-            env[@configuration.env_var_to_hold_api_client] = client
+            env[configuration.env_var_to_hold_api_client_primary_key] = client.id
+            env[configuration.env_var_to_hold_api_client] = client
             @app.call(env)
           else
             unauthorized_response("key invalid")
@@ -59,7 +59,7 @@ module Stitches
     def unauthorized_response(reason)
       status = 401
       body = "Unauthorized - #{reason}"
-      header = { "WWW-Authenticate" => "#{@configuration.custom_http_auth_scheme} realm=#{rails_app_module}" }
+      header = { "WWW-Authenticate" => "#{configuration.custom_http_auth_scheme} realm=#{rails_app_module}" }
       Rack::Response.new(body, status, header).finish
     end
 

data/lib/stitches/configuration.rb

@@ -15,8 +15,12 @@ class Stitches::Configuration
     @env_var_to_hold_api_client= NonNullString.new("env_var_to_hold_api_client","STITCHES_API_CLIENT")
     @max_cache_ttl = NonNullInteger.new("max_cache_ttl", 0)
     @max_cache_size = NonNullInteger.new("max_cache_size", 0)
+    @disabled_key_leniency_in_seconds = ActiveSupport::Duration.days(3)
+    @disabled_key_leniency_error_log_threshold_in_seconds = ActiveSupport::Duration.days(2)
   end
 
+  attr_accessor :disabled_key_leniency_in_seconds, :disabled_key_leniency_error_log_threshold_in_seconds
+
   # A RegExp that allows URLS around the mime type and api key requirements.
   # nil means that ever request must have a proper mime type and api key.
   attr_reader :allowlist_regexp

data/lib/stitches/generator_files/db/migrate/add_disabled_at_to_api_clients.rb

@@ -0,0 +1,9 @@
+<% if Rails::VERSION::MAJOR >= 5 %>
+class AddEnabledToApiClients < ActiveRecord::Migration[<%= Rails::VERSION::MAJOR %>.<%= Rails::VERSION::MINOR %>]
+<% else %>
+class AddEnabledToApiClients < ActiveRecord::Migration
+<% end %>
+  def change
+    add_column :api_clients, :disabled_at, "timestamp with time zone", null: true
+  end
+end

data/lib/stitches/generator_files/db/migrate/create_api_clients.rb

@@ -9,6 +9,7 @@ class CreateApiClients < ActiveRecord::Migration
       t.column :key, "uuid default uuid_generate_v4()", null: false
       t.column :enabled, :bool, null: false, default: true
       t.column :created_at, "timestamp with time zone default now()", null: false
+      t.column :disabled_at, "timestamp with time zone", null: true
     end
     add_index :api_clients, [:name]
     add_index :api_clients, [:key], unique: true

data/lib/stitches/render_timestamps_in_iso8601_in_json.rb

@@ -1,13 +1,9 @@
 require 'active_support/time_with_zone'
 
 class ActiveSupport::TimeWithZone
-  # We want dates to always be in UTC
+  # We want dates to be a) in UTC and b) in ISO8601 always
   def as_json(options = {})
-    if utc?
-      super
-    else
-      utc.as_json(options)
-    end
+    utc.iso8601
   end
 end
 

data/lib/stitches/valid_mime_type.rb

@@ -20,7 +20,7 @@ module Stitches
 
     def do_call(env)
       accept = String(env["HTTP_ACCEPT"])
-      if (accept =~ %r{application/json} && accept =~ %r{version=\d+}) || accept =~ %r{application/protobuf}
+      if (%r{application/json}.match?(accept) && %r{version=\d+}.match?(accept)) || %r{application/protobuf}.match?(accept)
         @app.call(env)
       else
         not_acceptable_response(accept)

data/lib/stitches/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stitches
-  VERSION = '4.1.0RC2'
+  VERSION = '4.2.0.RC1'
 end

data/lib/stitches_norailtie.rb

@@ -14,6 +14,7 @@ require 'stitches/errors'
 require 'stitches/api_generator'
 require 'stitches/add_deprecation_generator'
 require 'stitches/add_enabled_to_api_clients_generator'
+require 'stitches/add_disabled_at_to_api_clients_generator'
 require 'stitches/api_version_constraint'
 require 'stitches/api_key'
 require 'stitches/deprecation'

data/spec/api_key_middleware_spec.rb

@@ -0,0 +1,368 @@
+require 'rails_helper'
+require 'securerandom'
+
+class FakeLogger
+  # This shouldn't be needed but there's a weird mocking conflict with kernal warn method otherwise
+  def warn(message)
+  end
+end
+
+RSpec.describe "/api/hellos", type: :request do
+  let(:uuid) { api_client.key }
+  let(:auth_header) { "MyAwesomeInternalScheme key=#{uuid}" }
+  let(:allowlist) { nil }
+
+  before do
+    Stitches.configuration.reset_to_defaults!
+    Stitches.configuration.custom_http_auth_scheme = 'MyAwesomeInternalScheme'
+    Stitches.configuration.allowlist_regexp = allowlist if allowlist
+    Stitches::ApiClientAccessWrapper.clear_api_cache
+  end
+
+  def execute_call(auth: auth_header)
+    headers = {
+      "Accept" => "application/json; version=1"
+    }
+    headers["Authorization"] = auth if auth
+
+    get "/api/hellos", headers: headers
+  end
+
+  def expect_unauthorized
+    expect(response.body).to include "Unauthorized"
+    expect(response.status).to eq 401
+    expect(response.headers["WWW-Authenticate"]).to eq("MyAwesomeInternalScheme realm=FakeApp")
+  end
+
+  context "with modern schema" do
+    let(:api_client_enabled) { true }
+    let(:disabled_at) { nil }
+    let!(:api_client) {
+      uuid = SecureRandom.uuid
+      ApiClient.create(name: "MyApiClient", key: SecureRandom.uuid, enabled: false, created_at: 20.days.ago, disabled_at: 15.days.ago)
+      ApiClient.create(name: "MyApiClient", key: uuid, enabled: api_client_enabled, created_at: 10.days.ago, disabled_at: disabled_at)
+    }
+
+    context "when path is not on allowlist" do
+      context "when api_client is valid" do
+        it "executes the correct controller" do
+          execute_call
+
+          expect(response.body).to include "Hello"
+        end
+
+        it "saves the api_client information used" do
+          execute_call
+
+          expect(response.body).to include "MyApiClient"
+          expect(response.body).to include "#{api_client.id}"
+        end
+
+        context "caching is enabled" do
+          before do
+            allow(ApiClient).to receive(:find_by).and_call_original
+
+            Stitches.configure do |config|
+              config.max_cache_ttl  = 5
+              config.max_cache_size = 10
+            end
+          end
+
+          it "only gets the the api_client information once" do
+            execute_call
+            execute_call
+
+            expect(response.body).to include "#{api_client.id}"
+            expect(ApiClient).to have_received(:find_by).once
+          end
+        end
+      end
+
+      context "when api client key does not match" do
+        let(:uuid) { SecureRandom.uuid } # random uuid
+
+        it "rejects request" do
+          execute_call
+
+          expect_unauthorized
+        end
+      end
+
+      context "when api client key not enabled" do
+        let(:api_client_enabled) { false }
+
+        context "when disabled_at is not set" do
+          it "rejects request" do
+            execute_call
+
+            expect_unauthorized
+          end
+        end
+
+        context "when disabled_at is set to a time older than three days ago" do
+          let(:disabled_at) { 4.day.ago }
+
+          it "allows the call" do
+            execute_call
+
+            expect_unauthorized
+          end
+        end
+
+        context "when disabled_at is set to a recent time" do
+          let(:disabled_at) { 1.day.ago }
+
+          it "allows the call" do
+            execute_call
+
+            expect(response.body).to include "Hello"
+            expect(response.body).to include "MyApiClient"
+            expect(response.body).to include "#{api_client.id}"
+          end
+
+          it "warns about the disabled key to log writer when available" do
+            stub_const("StitchFix::Logger::LogWriter", FakeLogger.new)
+            allow(StitchFix::Logger::LogWriter).to receive(:warn)
+
+            execute_call
+
+            expect(StitchFix::Logger::LogWriter).to have_received(:warn).once
+          end
+
+          it "warns about the disabled key to the Rails.logger" do
+            allow(Rails.logger).to receive(:warn)
+            allow(Rails.logger).to receive(:error)
+
+            execute_call
+
+            expect(Rails.logger).to have_received(:warn).once
+            expect(Rails.logger).not_to have_received(:error)
+          end
+        end
+
+        context "when disabled_at is set to a dangerously long time" do
+          let(:disabled_at) { 52.hours.ago }
+
+          it "allows the call" do
+            execute_call
+
+            expect(response.body).to include "Hello"
+            expect(response.body).to include "MyApiClient"
+            expect(response.body).to include "#{api_client.id}"
+          end
+
+          it "logs error about the disabled key to log writer when available" do
+            stub_const("StitchFix::Logger::LogWriter", FakeLogger.new)
+            allow(StitchFix::Logger::LogWriter).to receive(:error)
+
+            execute_call
+
+            expect(StitchFix::Logger::LogWriter).to have_received(:error).once
+          end
+
+          it "logs error about the disabled key to the Rails.logger" do
+            allow(Rails.logger).to receive(:warn)
+            allow(Rails.logger).to receive(:error)
+
+            execute_call
+
+            expect(Rails.logger).to have_received(:error).once
+            expect(Rails.logger).not_to have_received(:warn)
+          end
+        end
+
+        context "when disabled_at is set to an unacceptably long time" do
+          let(:disabled_at) { 5.days.ago }
+
+          it "forbids the call" do
+            execute_call
+
+            expect_unauthorized
+          end
+
+          it "logs error about the disabled key to log writer when available" do
+            stub_const("StitchFix::Logger::LogWriter", FakeLogger.new)
+            allow(StitchFix::Logger::LogWriter).to receive(:error)
+
+            execute_call
+
+            expect(StitchFix::Logger::LogWriter).to have_received(:error).once
+          end
+
+          it "logs error about the disabled key to the Rails.logger" do
+            allow(Rails.logger).to receive(:warn)
+            allow(Rails.logger).to receive(:error)
+
+            execute_call
+
+            expect(Rails.logger).to have_received(:error).once
+            expect(Rails.logger).not_to have_received(:warn)
+          end
+        end
+
+        context "custom leniency is set" do
+          before do
+            Stitches.configuration.disabled_key_leniency_in_seconds = 100
+            Stitches.configuration.disabled_key_leniency_error_log_threshold_in_seconds = 50
+          end
+
+          context "when disabled_at is set to an unacceptably long time" do
+            let(:disabled_at) { 101.seconds.ago }
+
+            it "forbids the call" do
+              allow(Rails.logger).to receive(:error)
+              execute_call
+
+              expect_unauthorized
+              expect(Rails.logger).to have_received(:error).once
+            end
+          end
+
+          context "when disabled_at is set to a dangerously long time" do
+            let(:disabled_at) { 75.seconds.ago }
+
+            it "allows the call" do
+              allow(Rails.logger).to receive(:error)
+
+              execute_call
+
+              expect(response.body).to include "Hello"
+              expect(Rails.logger).to have_received(:error).once
+            end
+          end
+
+          context "when disabled_at is set to a short time ago" do
+            let(:disabled_at) { 25.seconds.ago }
+
+            it "allows the call" do
+              allow(Rails.logger).to receive(:warn)
+
+              execute_call
+
+              expect(response.body).to include "Hello"
+              expect(Rails.logger).to have_received(:warn).once
+            end
+          end
+        end
+      end
+
+      context "when authorization header is missing" do
+        it "rejects request" do
+          execute_call(auth: nil)
+
+          expect_unauthorized
+        end
+      end
+
+      context "when scheme does not match" do
+        it "rejects request" do
+          execute_call(auth: "OtherScheme key=#{uuid}")
+
+          expect_unauthorized
+        end
+      end
+    end
+
+    context "when path is on allowlist" do
+      let(:allowlist) { /.*hello.*/ }
+
+      context "when api_client is valid" do
+        it "executes the correct controller" do
+          execute_call
+
+          expect(response.body).to include "Hello"
+        end
+
+        it "does not save the api_client information used" do
+          execute_call
+
+          expect(response.body).to include "NameNotFound"
+          expect(response.body).to include "IdNotFound"
+        end
+      end
+
+      context "when api client key does not match" do
+        let(:uuid) { SecureRandom.uuid } # random uuid
+
+        it "executes the correct controller" do
+          execute_call
+
+          expect(response.body).to include "Hello"
+        end
+      end
+    end
+  end
+
+  context "when schema is old and missing disabled_at field" do
+    around(:each) do |example|
+      load 'fake_app/db/schema_missing_disabled_at.rb'
+      ApiClient.reset_column_information
+      example.run
+      load 'fake_app/db/schema_modern.rb'
+      ApiClient.reset_column_information
+    end
+
+    context "when api_client is valid" do
+      let!(:api_client) {
+        uuid = SecureRandom.uuid
+        ApiClient.create(name: "MyApiClient", key: uuid, created_at: Time.now(), enabled: true)
+      }
+
+      it "executes the correct controller" do
+        execute_call
+
+        expect(response.body).to include "Hello"
+      end
+
+      it "saves the api_client information used" do
+        execute_call
+
+        expect(response.body).to include "MyApiClient"
+        expect(response.body).to include "#{api_client.id}"
+      end
+    end
+
+    context "when api_client is not enabled" do
+      let!(:api_client) {
+        uuid = SecureRandom.uuid
+        ApiClient.create(name: "MyApiClient", key: uuid, created_at: Time.now(), enabled: false)
+      }
+
+      it "rejects request" do
+        execute_call
+
+        expect_unauthorized
+      end
+    end
+  end
+
+  context "when schema is old and missing enabled field" do
+    around(:each) do |example|
+      load 'fake_app/db/schema_missing_enabled.rb'
+      ApiClient.reset_column_information
+      example.run
+      load 'fake_app/db/schema_modern.rb'
+      ApiClient.reset_column_information
+    end
+
+    let!(:api_client) {
+      uuid = SecureRandom.uuid
+      ApiClient.create(name: "MyApiClient", key: uuid, created_at: Time.now())
+    }
+
+    context "when api_client is valid" do
+      it "executes the correct controller" do
+        execute_call
+
+        expect(response.body).to include "Hello"
+      end
+
+      it "saves the api_client information used" do
+        execute_call
+
+        expect(response.body).to include "MyApiClient"
+        expect(response.body).to include "#{api_client.id}"
+      end
+    end
+  end
+end