stitches 4.2.1 → 5.0.0.RC1

data/spec/api_key_middleware_spec.rb

@@ -12,13 +12,6 @@ RSpec.describe "/api/hellos", type: :request do
   let(:auth_header) { "MyAwesomeInternalScheme key=#{uuid}" }
   let(:allowlist) { nil }
 
-  before do
-    Stitches.configuration.reset_to_defaults!
-    Stitches.configuration.custom_http_auth_scheme = 'MyAwesomeInternalScheme'
-    Stitches.configuration.allowlist_regexp = allowlist if allowlist
-    Stitches::ApiClientAccessWrapper.clear_api_cache
-  end
-
   def execute_call(auth: auth_header)
     headers = {
       "Accept" => "application/json; version=1"
@@ -34,342 +27,381 @@ RSpec.describe "/api/hellos", type: :request do
     expect(response.headers["WWW-Authenticate"]).to eq("MyAwesomeInternalScheme realm=FakeApp")
   end
 
-  context "with modern schema" do
-    let(:api_client_enabled) { true }
-    let(:disabled_at) { nil }
-    let!(:api_client) {
-      uuid = SecureRandom.uuid
-      ApiClient.create(name: "MyApiClient", key: SecureRandom.uuid, enabled: false, created_at: 20.days.ago, disabled_at: 15.days.ago)
-      ApiClient.create(name: "MyApiClient", key: uuid, enabled: api_client_enabled, created_at: 10.days.ago, disabled_at: disabled_at)
-    }
-
-    context "when path is not on allowlist" do
-      context "when api_client is valid" do
-        it "executes the correct controller" do
-          execute_call
-
-          expect(response.body).to include "Hello"
-        end
-
-        it "saves the api_client information used" do
-          execute_call
-
-          expect(response.body).to include "MyApiClient"
-          expect(response.body).to include "#{api_client.id}"
-        end
+  context "disabled api key support" do
+    before do
+      Stitches.configuration.reset_to_defaults!
+      Stitches.configuration.custom_http_auth_scheme = 'MyAwesomeInternalScheme'
+      Stitches.configuration.disable_api_key_support = true
+    end
 
-        context "caching is enabled" do
-          before do
-            allow(ApiClient).to receive(:find_by).and_call_original
+    let(:uuid) { SecureRandom.uuid }
 
-            Stitches.configure do |config|
-              config.max_cache_ttl  = 5
-              config.max_cache_size = 10
-            end
-          end
+    it "executes the correct controller" do
+      execute_call
 
-          it "only gets the the api_client information once" do
-            execute_call
-            execute_call
-
-            expect(response.body).to include "#{api_client.id}"
-            expect(ApiClient).to have_received(:find_by).once
-          end
-        end
-      end
-
-      context "when api client key does not match" do
-        let(:uuid) { SecureRandom.uuid } # random uuid
+      expect(response.body).to include "Hello"
+    end
 
-        it "rejects request" do
-          execute_call
+    it "does not look up information from the database" do
+      execute_call
 
-          expect_unauthorized
-        end
-      end
+      expect(response.body).to include "NameNotFound"
+      expect(response.body).to include "IdNotFound"
+    end
 
-      context "when api client key not enabled" do
-        let(:api_client_enabled) { false }
+    it "indicates a successful response" do
+      execute_call
 
-        context "when disabled_at is not set" do
-          it "rejects request" do
-            execute_call
+      expect(response.status).to eq 200
+    end
+  end
 
-            expect_unauthorized
-          end
-        end
+  context "enabled api key support" do
+    before do
+      Stitches.configuration.reset_to_defaults!
+      Stitches.configuration.custom_http_auth_scheme = 'MyAwesomeInternalScheme'
+      Stitches.configuration.allowlist_regexp = allowlist if allowlist
+      Stitches.configuration.disable_api_key_support = false
+      Stitches::ApiClientAccessWrapper.clear_api_cache
+    end
 
-        context "when disabled_at is set to a time older than three days ago" do
-          let(:disabled_at) { 4.day.ago }
+    context "with modern schema" do
+      let(:api_client_enabled) { true }
+      let(:disabled_at) { nil }
+      let!(:api_client) {
+        uuid = SecureRandom.uuid
+        ApiClient.create(name: "MyApiClient", key: SecureRandom.uuid, enabled: false, created_at: 20.days.ago, disabled_at: 15.days.ago)
+        ApiClient.create(name: "MyApiClient", key: uuid, enabled: api_client_enabled, created_at: 10.days.ago, disabled_at: disabled_at)
+      }
 
-          it "does not allow the call" do
+      context "when path is not on allowlist" do
+        context "when api_client is valid" do
+          it "executes the correct controller" do
             execute_call
 
-            expect_unauthorized
-
+            expect(response.body).to include "Hello"
           end
-        end
 
-        context "when disabled_at is set to a recent time" do
-          let(:disabled_at) { 1.day.ago }
-
-          it "allows the call" do
+          it "saves the api_client information used" do
             execute_call
 
-            expect(response.body).to include "Hello"
             expect(response.body).to include "MyApiClient"
             expect(response.body).to include "#{api_client.id}"
           end
 
-          it "warns about the disabled key to log writer when available" do
-            stub_const("StitchFix::Logger::LogWriter", FakeLogger.new)
-            allow(StitchFix::Logger::LogWriter).to receive(:warn)
+          context "caching is enabled" do
+            before do
+              allow(ApiClient).to receive(:find_by).and_call_original
 
-            execute_call
+              Stitches.configure do |config|
+                config.max_cache_ttl  = 5
+                config.max_cache_size = 10
+              end
+            end
 
-            expect(StitchFix::Logger::LogWriter).to have_received(:warn).once
+            it "only gets the the api_client information once" do
+              execute_call
+              execute_call
+
+              expect(response.body).to include "#{api_client.id}"
+              expect(ApiClient).to have_received(:find_by).once
+            end
           end
+        end
 
-          it "warns about the disabled key to the Rails.logger" do
-            allow(Rails.logger).to receive(:warn)
-            allow(Rails.logger).to receive(:error)
+        context "when api client key does not match" do
+          let(:uuid) { SecureRandom.uuid } # random uuid
 
+          it "rejects request" do
             execute_call
 
-            expect(Rails.logger).to have_received(:warn).once
-            expect(Rails.logger).not_to have_received(:error)
+            expect_unauthorized
           end
         end
 
-        context "when disabled_at is set to a dangerously long time" do
-          let(:disabled_at) { 52.hours.ago }
+        context "when api client key not enabled" do
+          let(:api_client_enabled) { false }
 
-          it "allows the call" do
-            execute_call
+          context "when disabled_at is not set" do
+            it "rejects request" do
+              execute_call
 
-            expect(response.body).to include "Hello"
-            expect(response.body).to include "MyApiClient"
-            expect(response.body).to include "#{api_client.id}"
+              expect_unauthorized
+            end
           end
 
-          it "logs error about the disabled key to log writer when available" do
-            stub_const("StitchFix::Logger::LogWriter", FakeLogger.new)
-            allow(StitchFix::Logger::LogWriter).to receive(:error)
+          context "when disabled_at is set to a time older than three days ago" do
+            let(:disabled_at) { 4.day.ago }
 
-            execute_call
+            it "does not allow the call" do
+              execute_call
 
-            expect(StitchFix::Logger::LogWriter).to have_received(:error).once
-          end
+              expect_unauthorized
 
-          it "logs error about the disabled key to the Rails.logger" do
-            allow(Rails.logger).to receive(:warn)
-            allow(Rails.logger).to receive(:error) do |message1|
-              expect(message1).not_to include uuid
             end
+          end
 
-            execute_call
+          context "when disabled_at is set to a recent time" do
+            let(:disabled_at) { 1.day.ago }
 
-            expect(Rails.logger).to have_received(:error).once
-            expect(Rails.logger).not_to have_received(:warn)
-          end
-        end
+            it "allows the call" do
+              execute_call
 
-        context "when disabled_at is set to an unacceptably long time" do
-          let(:disabled_at) { 5.days.ago }
+              expect(response.body).to include "Hello"
+              expect(response.body).to include "MyApiClient"
+              expect(response.body).to include "#{api_client.id}"
+            end
 
-          it "forbids the call" do
-            execute_call
+            it "warns about the disabled key to log writer when available" do
+              stub_const("StitchFix::Logger::LogWriter", FakeLogger.new)
+              allow(StitchFix::Logger::LogWriter).to receive(:warn)
 
-            expect_unauthorized
-          end
+              execute_call
 
-          it "logs error about the disabled key to log writer when available" do
-            stub_const("StitchFix::Logger::LogWriter", FakeLogger.new)
-            allow(StitchFix::Logger::LogWriter).to receive(:error)
+              expect(StitchFix::Logger::LogWriter).to have_received(:warn).once
+            end
 
-            execute_call
+            it "warns about the disabled key to the Rails.logger" do
+              allow(Rails.logger).to receive(:warn)
+              allow(Rails.logger).to receive(:error)
+
+              execute_call
 
-            expect(StitchFix::Logger::LogWriter).to have_received(:error).once
+              expect(Rails.logger).to have_received(:warn).once
+              expect(Rails.logger).not_to have_received(:error)
+            end
           end
 
-          it "logs error about the disabled key to the Rails.logger" do
-            allow(Rails.logger).to receive(:warn)
-            allow(Rails.logger).to receive(:error)
+          context "when disabled_at is set to a dangerously long time" do
+            let(:disabled_at) { 52.hours.ago }
+
+            it "allows the call" do
+              execute_call
 
-            execute_call
+              expect(response.body).to include "Hello"
+              expect(response.body).to include "MyApiClient"
+              expect(response.body).to include "#{api_client.id}"
+            end
 
-            expect(Rails.logger).to have_received(:error).once
-            expect(Rails.logger).not_to have_received(:warn)
-          end
-        end
+            it "logs error about the disabled key to log writer when available" do
+              stub_const("StitchFix::Logger::LogWriter", FakeLogger.new)
+              allow(StitchFix::Logger::LogWriter).to receive(:error)
 
-        context "custom leniency is set" do
-          before do
-            Stitches.configuration.disabled_key_leniency_in_seconds = 100
-            Stitches.configuration.disabled_key_leniency_error_log_threshold_in_seconds = 50
-          end
+              execute_call
 
-          context "when disabled_at is set to an unacceptably long time" do
-            let(:disabled_at) { 101.seconds.ago }
+              expect(StitchFix::Logger::LogWriter).to have_received(:error).once
+            end
 
-            it "forbids the call" do
+            it "logs error about the disabled key to the Rails.logger" do
+              allow(Rails.logger).to receive(:warn)
               allow(Rails.logger).to receive(:error) do |message1|
                 expect(message1).not_to include uuid
               end
 
               execute_call
 
-              expect_unauthorized
               expect(Rails.logger).to have_received(:error).once
+              expect(Rails.logger).not_to have_received(:warn)
             end
           end
 
-          context "when disabled_at is set to a dangerously long time" do
-            let(:disabled_at) { 75.seconds.ago }
+          context "when disabled_at is set to an unacceptably long time" do
+            let(:disabled_at) { 5.days.ago }
 
-            it "allows the call" do
+            it "forbids the call" do
+              execute_call
+
+              expect_unauthorized
+            end
+
+            it "logs error about the disabled key to log writer when available" do
+              stub_const("StitchFix::Logger::LogWriter", FakeLogger.new)
+              allow(StitchFix::Logger::LogWriter).to receive(:error)
+
+              execute_call
+
+              expect(StitchFix::Logger::LogWriter).to have_received(:error).once
+            end
+
+            it "logs error about the disabled key to the Rails.logger" do
+              allow(Rails.logger).to receive(:warn)
               allow(Rails.logger).to receive(:error)
 
               execute_call
 
-              expect(response.body).to include "Hello"
               expect(Rails.logger).to have_received(:error).once
+              expect(Rails.logger).not_to have_received(:warn)
             end
           end
 
-          context "when disabled_at is set to a short time ago" do
-            let(:disabled_at) { 25.seconds.ago }
+          context "custom leniency is set" do
+            before do
+              Stitches.configuration.disabled_key_leniency_in_seconds = 100
+              Stitches.configuration.disabled_key_leniency_error_log_threshold_in_seconds = 50
+            end
 
-            it "allows the call" do
-              allow(Rails.logger).to receive(:warn) do |message1|
-                expect(message1).not_to include uuid
+            context "when disabled_at is set to an unacceptably long time" do
+              let(:disabled_at) { 101.seconds.ago }
+
+              it "forbids the call" do
+                allow(Rails.logger).to receive(:error) do |message1|
+                  expect(message1).not_to include uuid
+                end
+
+                execute_call
+
+                expect_unauthorized
+                expect(Rails.logger).to have_received(:error).once
               end
+            end
 
-              execute_call
+            context "when disabled_at is set to a dangerously long time" do
+              let(:disabled_at) { 75.seconds.ago }
 
-              expect(response.body).to include "Hello"
-              expect(Rails.logger).to have_received(:warn).once
+              it "allows the call" do
+                allow(Rails.logger).to receive(:error)
+
+                execute_call
+
+                expect(response.body).to include "Hello"
+                expect(Rails.logger).to have_received(:error).once
+              end
+            end
+
+            context "when disabled_at is set to a short time ago" do
+              let(:disabled_at) { 25.seconds.ago }
+
+              it "allows the call" do
+                allow(Rails.logger).to receive(:warn) do |message1|
+                  expect(message1).not_to include uuid
+                end
+
+                execute_call
+
+                expect(response.body).to include "Hello"
+                expect(Rails.logger).to have_received(:warn).once
+              end
             end
           end
         end
-      end
 
-      context "when authorization header is missing" do
-        it "rejects request" do
-          execute_call(auth: nil)
+        context "when authorization header is missing" do
+          it "rejects request" do
+            execute_call(auth: nil)
 
-          expect_unauthorized
+            expect_unauthorized
+          end
+        end
+
+        context "when scheme does not match" do
+          it "rejects request" do
+            execute_call(auth: "OtherScheme key=#{uuid}")
+
+            expect_unauthorized
+          end
         end
       end
 
-      context "when scheme does not match" do
-        it "rejects request" do
-          execute_call(auth: "OtherScheme key=#{uuid}")
+      context "when path is on allowlist" do
+        let(:allowlist) { /.*hello.*/ }
 
-          expect_unauthorized
+        context "when api_client is valid" do
+          it "executes the correct controller" do
+            execute_call
+
+            expect(response.body).to include "Hello"
+          end
+
+          it "does not save the api_client information used" do
+            execute_call
+
+            expect(response.body).to include "NameNotFound"
+            expect(response.body).to include "IdNotFound"
+          end
+        end
+
+        context "when api client key does not match" do
+          let(:uuid) { SecureRandom.uuid } # random uuid
+
+          it "executes the correct controller" do
+            execute_call
+
+            expect(response.body).to include "Hello"
+          end
         end
       end
     end
 
-    context "when path is on allowlist" do
-      let(:allowlist) { /.*hello.*/ }
+    context "when schema is old and missing disabled_at field" do
+      around(:each) do |example|
+        load 'fake_app/db/schema_missing_disabled_at.rb'
+        ApiClient.reset_column_information
+        example.run
+        load 'fake_app/db/schema_modern.rb'
+        ApiClient.reset_column_information
+      end
 
       context "when api_client is valid" do
+        let!(:api_client) {
+          uuid = SecureRandom.uuid
+          ApiClient.create(name: "MyApiClient", key: uuid, created_at: Time.now(), enabled: true)
+        }
+
         it "executes the correct controller" do
           execute_call
 
           expect(response.body).to include "Hello"
         end
 
-        it "does not save the api_client information used" do
+        it "saves the api_client information used" do
           execute_call
 
-          expect(response.body).to include "NameNotFound"
-          expect(response.body).to include "IdNotFound"
+          expect(response.body).to include "MyApiClient"
+          expect(response.body).to include "#{api_client.id}"
         end
       end
 
-      context "when api client key does not match" do
-        let(:uuid) { SecureRandom.uuid } # random uuid
+      context "when api_client is not enabled" do
+        let!(:api_client) {
+          uuid = SecureRandom.uuid
+          ApiClient.create(name: "MyApiClient", key: uuid, created_at: Time.now(), enabled: false)
+        }
 
-        it "executes the correct controller" do
+        it "rejects request" do
           execute_call
 
-          expect(response.body).to include "Hello"
+          expect_unauthorized
         end
       end
     end
-  end
-
-  context "when schema is old and missing disabled_at field" do
-    around(:each) do |example|
-      load 'fake_app/db/schema_missing_disabled_at.rb'
-      ApiClient.reset_column_information
-      example.run
-      load 'fake_app/db/schema_modern.rb'
-      ApiClient.reset_column_information
-    end
-
-    context "when api_client is valid" do
-      let!(:api_client) {
-        uuid = SecureRandom.uuid
-        ApiClient.create(name: "MyApiClient", key: uuid, created_at: Time.now(), enabled: true)
-      }
-
-      it "executes the correct controller" do
-        execute_call
 
-        expect(response.body).to include "Hello"
+    context "when schema is old and missing enabled field" do
+      around(:each) do |example|
+        load 'fake_app/db/schema_missing_enabled.rb'
+        ApiClient.reset_column_information
+        example.run
+        load 'fake_app/db/schema_modern.rb'
+        ApiClient.reset_column_information
       end
 
-      it "saves the api_client information used" do
-        execute_call
-
-        expect(response.body).to include "MyApiClient"
-        expect(response.body).to include "#{api_client.id}"
-      end
-    end
-
-    context "when api_client is not enabled" do
       let!(:api_client) {
         uuid = SecureRandom.uuid
-        ApiClient.create(name: "MyApiClient", key: uuid, created_at: Time.now(), enabled: false)
+        ApiClient.create(name: "MyApiClient", key: uuid, created_at: Time.now())
       }
 
-      it "rejects request" do
-        execute_call
-
-        expect_unauthorized
-      end
-    end
-  end
-
-  context "when schema is old and missing enabled field" do
-    around(:each) do |example|
-      load 'fake_app/db/schema_missing_enabled.rb'
-      ApiClient.reset_column_information
-      example.run
-      load 'fake_app/db/schema_modern.rb'
-      ApiClient.reset_column_information
-    end
-
-    let!(:api_client) {
-      uuid = SecureRandom.uuid
-      ApiClient.create(name: "MyApiClient", key: uuid, created_at: Time.now())
-    }
-
-    context "when api_client is valid" do
-      it "executes the correct controller" do
-        execute_call
+      context "when api_client is valid" do
+        it "executes the correct controller" do
+          execute_call
 
-        expect(response.body).to include "Hello"
-      end
+          expect(response.body).to include "Hello"
+        end
 
-      it "saves the api_client information used" do
-        execute_call
+        it "saves the api_client information used" do
+          execute_call
 
-        expect(response.body).to include "MyApiClient"
-        expect(response.body).to include "#{api_client.id}"
+          expect(response.body).to include "MyApiClient"
+          expect(response.body).to include "#{api_client.id}"
+        end
       end
     end
   end

data/spec/configuration_spec.rb

@@ -44,6 +44,10 @@ describe Stitches::Configuration do
       expect(Stitches.configuration.max_cache_size).to eq(0)
     end
 
+    it "sets a default of false for disable_api_key_support" do
+      expect(Stitches.configuration.disable_api_key_support).to be false
+    end
+
     it "blows up if you try to use custom_http_auth_scheme without having set it" do
       expect {
         Stitches.configuration.custom_http_auth_scheme

data/spec/fake_app/.ruby-version

@@ -1 +1 @@
-ruby-2.7.3
+ruby-3.2.3

data/spec/fake_app/Gemfile

@@ -1,14 +1,14 @@
 source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
-ruby '2.7.3'
+ruby '3.2.3'
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails', branch: 'main'
-gem 'rails', '~> 6.1.4'
-# Use sqlite3 as the database for Active Record
-gem 'sqlite3', '~> 1.4'
+gem 'rails', '~> 7.1.3'
+# Use postgres as the database for Active Record
+gem 'pg'
 # Use Puma as the app server
-gem 'puma', '~> 5.0'
+gem 'puma'
 # Use SCSS for stylesheets
 gem 'sass-rails', '>= 6'
 # Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
@@ -44,7 +44,6 @@ end
 
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]
-gem 'apitome'
 
 group :development, :test do
   gem 'rspec'