stitches 5.0.0 → 5.1.0.RC1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 162beab8fe18efd29717c69f7d1ff734ef6822f1355addc8699b4e1079eef741
-  data.tar.gz: 9e0d31dc4943c09889b0ddee7226963ed2cf82b13709c0f9f5a0c06603bd1990
+  metadata.gz: 7e87005e3080477f7dc3d927596ea5cdeab14f4b004cd20744894088866f5b2b
+  data.tar.gz: e50f73f746ccc1b283bad98619f9a4e70a56f91c3f0e11faec66e375cfb7055f
 SHA512:
-  metadata.gz: 15a4b24194f3b19a930b99894d8be0ba7cac737830b50e71e763e3e66df7e944c9615692d0f3b854faeaf422cc8fa82fdb4e73ac025ed7b0ce9ccf4f673af8f0
-  data.tar.gz: 62a6dc4a6c5430f9556747ff931cb92d94a55b0d1c943c4b1dbbe53d96e2338cefc57ed7ea0513c52d69f60a8ab1455224be8bfbb5c2dba172c4ef83d3ab60fb
+  metadata.gz: 84cf005517476feb055dbb1d22142d3b17749a7cdd01cb1135de3c00c9d29ca40e034dd2ee23a5d259bcf346458e1aea12cef301145df583f587fb9038d38b63
+  data.tar.gz: 4e592659a77f77ff2f6eb7c6d3b217ab6f36fd52dcf2fdaf3f16ad0e2950f7a8af69efa9a7c880d13100307aecf513c6eed4a1f31392ea1067a97ff9a21634b1

data/.circleci/config.yml

@@ -15,21 +15,21 @@ parameters:
     default: ""
   old_ruby:
     type: string
-    default: "3.2.4"
+    default: "3.3.9"
   current_ruby:
     type: string
-    default: "3.3.2"
+    default: "3.4.5"
   old_rails:
     type: string
-    default: "7.0.8.4"
+    default: "8.0.3"
   current_rails:
     type: string
-    default: "7.1.3.4"
+    default: "8.1.2"
 
 jobs:
   generate-and-push-docs:
     docker:
-      - image: cimg/ruby:3.3.2
+      - image: cimg/ruby:3.3.7
         auth:
           username: "$DOCKERHUB_USERNAME"
           password: "$DOCKERHUB_PASSWORD"
@@ -52,7 +52,7 @@ jobs:
             docs:push; fi
   release:
     docker:
-      - image: cimg/ruby:3.3.2
+      - image: cimg/ruby:3.3.7
         auth:
           username: "$DOCKERHUB_USERNAME"
           password: "$DOCKERHUB_PASSWORD"
@@ -126,7 +126,7 @@ jobs:
             fi
       - run:
           name: Notify Pager Duty
-          command: bundle exec y-notify "#app-platform-ops"
+          command: bundle exec y-notify "#pire-ops"
           when: on_fail
       - store_test_results:
           path: "/tmp/test-results"

data/.github/CODEOWNERS

@@ -8,4 +8,4 @@
 # This file uses the GitHub CODEOWNERS convention to assign PR reviewers:
 # https://help.github.com/articles/about-codeowners/
 
-* @stitchfix/app-platform
+* @stitchfix/platform-insights-and-reliability-engineering

data/.ruby-version

@@ -1 +1 @@
-ruby-3.2.3
+ruby-3.4.9

data/CODE_OF_CONDUCT.md

@@ -1,6 +1,136 @@
 # Code of Conduct
 
-We are committed to keeping our community open and inclusive.
+This code of conduct outlines our expectations for participants within
+the **Stitch Fix** community, as well as steps to
+reporting unacceptable behavior. We are committed to providing a
+welcoming and inspiring community for all and expect our code of conduct
+to be honored. Anyone who violates this code of conduct may be banned
+from the community.
 
-**Our Code of Conduct can be found here**:
-http://opensource.stitchfix.com/code-of-conduct.html
+Our open source community strives to:
+
+- **Be friendly and patient.**
+- **Be welcoming**: We strive to be a community
+  that welcomes and supports people of all backgrounds and identities.
+  This includes, but is not limited to members of any race, ethnicity,
+  culture, national origin, colour, immigration status, social and
+  economic class, educational level, sex, sexual orientation, gender
+  identity and expression, age, size, family status, political belief,
+  religion, and mental and physical ability.
+- **Be considerate**: Your work will be used by
+  other people, and you in turn will depend on the work of others. Any
+  decision you take will affect users and colleagues, and you should
+  take those consequences into account when making decisions. Remember
+  that we’re a world-wide community, so you might not be communicating
+  in someone else’s primary language.
+- **Be respectful**: Not all of us will agree all
+  the time, but disagreement is no excuse for poor behavior and poor
+  manners. We might all experience some frustration now and then, but we
+  cannot allow that frustration to turn into a personal attack. It’s
+  important to remember that a community where people feel uncomfortable
+  or threatened is not a productive one.
+- **Be careful in the words that we choose**: we
+  are a community of professionals, and we conduct ourselves
+  professionally. Be kind to others. Do not insult or put down other
+  participants. Harassment and other exclusionary behavior aren’t
+  acceptable.
+- **Try to understand why we disagree**:
+  Disagreements, both social and technical, happen all the time. It is
+  important that we resolve disagreements and differing views
+  constructively. Remember that we’re different. The strength of our
+  community comes from its diversity, people from a wide range of
+  backgrounds. Different people have different perspectives on issues.
+  Being unable to understand why someone holds a viewpoint doesn’t mean
+  that they’re wrong. Don’t forget that it is human to err and blaming
+  each other doesn’t get us anywhere. Instead, focus on helping to
+  resolve issues and learning from mistakes.
+
+## Definitions
+
+Harassment includes, but is not limited to:
+
+- Offensive comments related to gender, gender identity and expression,
+  sexual orientation, disability, mental illness, neuro(a)typicality,
+  physical appearance, body size, race, age, regional discrimination,
+  political or religious affiliation
+- Unwelcome comments regarding a person’s lifestyle choices and
+  practices, including those related to food, health, parenting, drugs,
+  and employment
+- Deliberate misgendering. This includes deadnaming or persistently
+  using a pronoun that does not correctly reflect a person’s gender
+  identity. You must address people by the name they give you when not
+  addressing them by their username or handle
+- Physical contact and simulated physical contact (eg, textual
+  descriptions like “*hug*” or “*backrub*”) without consent or after a
+  request to stop
+- Threats of violence, both physical and psychological
+- Incitement of violence towards any individual, including encouraging a
+  person to commit suicide or to engage in self-harm
+- Deliberate intimidation
+- Stalking or following
+- Harassing photography or recording, including logging online activity
+  for harassment purposes
+- Sustained disruption of discussion
+- Unwelcome sexual attention, including gratuitous or off-topic sexual
+  images or behaviour
+- Pattern of inappropriate social contact, such as requesting/assuming
+  inappropriate levels of intimacy with others
+- Continued one-on-one communication after requests to cease
+- Deliberate “outing” of any aspect of a person’s identity without their
+  consent except as necessary to protect others from intentional abuse
+- Publication of non-harassing private communication
+
+### Diversity Statement
+
+We encourage everyone to participate and are committed to building a
+community for all. Although we will fail at times, we seek to treat
+everyone both as fairly and equally as possible. Whenever a participant
+has made a mistake, we expect them to take responsibility for it. If
+someone has been harmed or offended, it is our responsibility to listen
+carefully and respectfully, and do our best to right the wrong.
+
+Although this list cannot be exhaustive, we explicitly honor diversity
+in age, gender, gender identity or expression, culture, ethnicity,
+language, national origin, political beliefs, profession, race,
+religion, sexual orientation, socioeconomic status, and technical
+ability. We will not tolerate discrimination based on any of the
+protected characteristics above, including participants with
+disabilities.
+
+### Reporting Issues
+
+If you experience or witness unacceptable behavior—or have any other
+concerns—please report it by contacting us via
+**opensource@stitchfix.com**. All reports will be
+handled with discretion. In your report please include:
+
+- Your contact information.
+- Names (real, nicknames, or pseudonyms) of any individuals involved. If
+  there are additional witnesses, please include them as well. Your
+  account of what occurred, and if you believe the incident is ongoing.
+  If there is a publicly available record (e.g. a mailing list archive
+  or a public IRC logger), please include a link.
+- Any additional information that may be helpful.
+
+After filing a report, a representative will contact you personally,
+review the incident, follow up with any additional questions, and make a
+decision as to how to respond. If the person who is harassing you is
+part of the response team, they will recuse themselves from handling
+your incident. If the complaint originates from a member of the response
+team, it will be handled by a different member of the response team. We
+will respect confidentiality requests for the purpose of protecting
+victims of abuse.
+
+### Attribution & Acknowledgements
+
+We all stand on the shoulders of giants across many open source
+communities. We’d like to thank the communities and projects that
+established code of conducts and diversity statements as our
+inspiration:
+
+- [Django](https://www.djangoproject.com/conduct/reporting/)
+- [Python](https://www.python.org/community/diversity/)
+- [Ubuntu](http://www.ubuntu.com/about/about-ubuntu/conduct)
+- [Contributor Covenant](http://contributor-covenant.org/)
+- [Geek Feminism](http://geekfeminism.org/about/code-of-conduct/)
+- [Citizen Code of Conduct](http://citizencodeofconduct.org/)

data/README.md

@@ -42,6 +42,78 @@ Stitches.configure do |config|
 end
 ```
 
+### Caller Identification via `X-StitchFix-Calling-Service`
+
+When API key auth is disabled, services lose the ability to identify which
+internal service is calling them. The `Stitches::CallingServiceName` concern
+provides a replacement that works with or without API keys enabled.
+
+**Include the concern in your API controller:**
+
+```ruby
+class Api::ApiController < ActionController::API
+  include Stitches::CallingServiceName
+
+  # Replace api_client.name with calling_service_name anywhere you need
+  # to know who the caller is (stats, routing, updated_by, etc.)
+end
+```
+
+For controllers that don't inherit from your ApiController (e.g. Devise
+controllers), include the concern directly:
+
+```ruby
+class Api::V1::SessionsController < Devise::SessionsController
+  include Stitches::CallingServiceName
+end
+```
+
+**Resolution order:**
+
+1. `X-StitchFix-Calling-Service` request header (preferred)
+2. `api_client&.name` — the stitches-authenticated ApiClient (works when API keys are enabled)
+3. `"N/A"` — fallback when neither is available
+
+This is backwards compatible. When `disable_api_key_support` is false, the
+stitches middleware still populates `api_client`, so the fallback returns the
+authenticated name. When true, callers identify themselves via the header.
+
+**Client-side setup:**
+
+Clients using `stitchfix-api_client` (v5.1+) automatically send this header.
+The value is derived from the `app_name` config option or `ENV["APP_NAME"]`:
+
+```ruby
+MyServiceClient.new(
+  endpoint: "https://my-service.internal",
+  app_name: "kingmob"  # sent as X-StitchFix-Calling-Service
+)
+```
+
+If `app_name` is not set, `ENV["APP_NAME"]` is used (typically set in
+production deployments). If neither is available, the header is not sent.
+
+#### Security considerations
+
+`X-StitchFix-Calling-Service` is a **self-declared, unsigned header**. Any
+caller that can reach your service can set it to any value. This means:
+
+- **Do not use `calling_service_name` as a sole authorization mechanism for
+  sensitive operations** (e.g. granting admin tokens, bypassing verification
+  flows) unless the network layer guarantees that only the legitimate service
+  can reach the endpoint.
+- **Strip this header at public ingress points** (Traefik, ALB, API gateway)
+  to prevent external callers from spoofing internal service identities.
+  Internal-only traffic should be the only source of this header.
+- **This header replaces API key-based identity, not authorization.** API
+  keys provided a weak form of authentication (possession of a shared secret).
+  This header provides identification only. If you need to verify the caller's
+  identity cryptographically, use mTLS or a service mesh AuthorizationPolicy.
+- **Safe uses:** stats tagging, logging, `updated_by` audit fields, routing
+  hints, non-security-critical behavioral branching.
+- **Unsafe without network enforcement:** access control decisions, privilege
+  escalation gates, bypassing user-facing safety flows.
+
 ### Upgrading from an older version
 
 - When upgrading to version 4.0.0 and above you may now take advantage of an in-memory cache
@@ -180,6 +252,12 @@ Also, the integration test does a lot of "testing the implementation", but since
 failing with a successful result, we have to make sure that the various `inject_into_file` calls are actually working. Do not do
 any fancy refactors here, just keep it up to date.
 
+## Ruby / Rails version support
+
+This gem attempts to support the most recent 2 major/minor versions of Ruby and Rails. This is a moving
+target, and we make a best effort to track to this policy. Older versions _may_ work, but supporting
+those versions is outside of the scope of what we intend to maintain.
+
 ## Releases
 
 See the release process for open source gems in the Stitch Fix engineering wiki under technical topics.

data/build-matrix.json

@@ -0,0 +1,5 @@
+{
+    "build_matrix": {
+        "artisinally-hand-crafted": true
+    }
+}

data/lib/stitches/api_key.rb

@@ -41,7 +41,13 @@ module Stitches
           unauthorized_response("bad authorization type")
         end
       else
-        unauthorized_response("no authorization header")
+        message = "no authorization header"
+
+        if Rails.env.test? || Rails.env.development?
+          message += " (Development/Test Env Hint: Blocked by stitches; confirm your authorization header is set OR check the `allowlist_regex` config for this path)"
+        end
+
+        unauthorized_response(message)
       end
     end
 

data/lib/stitches/calling_service_name.rb

@@ -0,0 +1,12 @@
+module Stitches
+  module CallingServiceName
+    HEADER = "X-StitchFix-Calling-Service"
+
+    def calling_service_name
+      @calling_service_name ||=
+        request.headers[HEADER].presence ||
+        api_client&.name ||
+        "N/A"
+    end
+  end
+end

data/lib/stitches/generator_files/app/controllers/api/api_controller.rb

@@ -1,4 +1,5 @@
 class Api::ApiController < ActionController::API
+  include Stitches::CallingServiceName
   include Stitches::Deprecation
   #
   # The order of the rescue_from blocks is important - ActiveRecord::RecordNotFound must come after StandardError,

data/lib/stitches/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stitches
-  VERSION = '5.0.0'
+  VERSION = '5.1.0.RC1'
 end

data/lib/stitches_norailtie.rb

@@ -18,5 +18,6 @@ require 'stitches/add_enabled_to_api_clients_generator'
 require 'stitches/add_disabled_at_to_api_clients_generator'
 require 'stitches/api_version_constraint'
 require 'stitches/api_key'
+require 'stitches/calling_service_name'
 require 'stitches/deprecation'
 require 'stitches/valid_mime_type'

data/spec/api_version_constraint_middleware_spec.rb

@@ -40,9 +40,9 @@ RSpec.describe "/api/hellos", type: :request do
     let(:version) { 6 }
 
     it "fails to map to a controller" do
-      expect {
-        get "/api/hellos", headers: headers
-      }.to raise_error(ActionController::RoutingError)
+      get "/api/hellos", headers: headers
+
+      expect(response).to be_not_found
     end
   end
 
@@ -50,9 +50,9 @@ RSpec.describe "/api/hellos", type: :request do
     let(:accept_header) { "application/json" }
 
     it "fails to map to a controller" do
-      expect {
-        get "/api/hellos", headers: headers
-      }.to raise_error(ActionController::RoutingError)
+      get "/api/hellos", headers: headers
+
+      expect(response).to be_not_found
     end
   end
 end

data/spec/calling_service_name_spec.rb

@@ -0,0 +1,71 @@
+require 'rails_helper'
+
+describe Stitches::CallingServiceName do
+  let(:headers) { {} }
+  let(:fake_request) { double("request", headers: headers) }
+  let(:fake_api_client) { nil }
+  let(:fake_controller) {
+    req = fake_request
+    client = fake_api_client
+    Object.new.tap { |c|
+      c.extend(described_class)
+      c.define_singleton_method(:request) { req }
+      c.define_singleton_method(:api_client) { client }
+    }
+  }
+
+  describe "#calling_service_name" do
+    context "when X-StitchFix-Calling-Service header is present" do
+      let(:headers) { {"X-StitchFix-Calling-Service" => "kingmob"} }
+
+      it "returns the header value" do
+        expect(fake_controller.calling_service_name).to eq("kingmob")
+      end
+
+      context "and api_client is also present" do
+        let(:fake_api_client) { double("ApiClient", name: "other-service") }
+
+        it "prefers the header" do
+          expect(fake_controller.calling_service_name).to eq("kingmob")
+        end
+      end
+    end
+
+    context "when header is absent but api_client is present" do
+      let(:fake_api_client) { double("ApiClient", name: "mobile-service") }
+
+      it "returns the api_client name" do
+        expect(fake_controller.calling_service_name).to eq("mobile-service")
+      end
+    end
+
+    context "when header is blank" do
+      let(:headers) { {"X-StitchFix-Calling-Service" => ""} }
+      let(:fake_api_client) { double("ApiClient", name: "fallback-service") }
+
+      it "treats blank as absent and falls through to api_client" do
+        expect(fake_controller.calling_service_name).to eq("fallback-service")
+      end
+    end
+
+    context "when neither header nor api_client is present" do
+      it "returns 'unknown'" do
+        expect(fake_controller.calling_service_name).to eq("N/A")
+      end
+    end
+
+    context "when api_client is nil" do
+      let(:fake_api_client) { nil }
+
+      it "returns 'unknown'" do
+        expect(fake_controller.calling_service_name).to eq("N/A")
+      end
+    end
+  end
+
+  describe "::HEADER" do
+    it "is the expected header name" do
+      expect(described_class::HEADER).to eq("X-StitchFix-Calling-Service")
+    end
+  end
+end

data/spec/fake_app/.ruby-version

@@ -1 +1 @@
-ruby-3.2.3
+ruby-3.3.7

data/spec/fake_app/Gemfile

@@ -1,10 +1,10 @@
 source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
-ruby '3.2.3'
+ruby '3.3.7'
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails', branch: 'main'
-gem 'rails', '~> 7.1.3'
+gem 'rails', '~> 7.2.2'
 # Use postgres as the database for Active Record
 gem 'pg'
 # Use Puma as the app server

metadata

@@ -1,17 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: stitches
 version: !ruby/object:Gem::Version
-  version: 5.0.0
+  version: 5.1.0.RC1
 platform: ruby
 authors:
 - Stitch Fix Engineering
 - Andrew Peterson
 - Dave Copeland
 - Jonathan Dean
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-06-20 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -158,13 +157,13 @@ files:
 - ".gitignore"
 - ".ruby-gemset"
 - ".ruby-version"
-- ".travis.yml"
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
 - Gemfile
 - LICENSE.txt
 - README.md
 - Rakefile
+- build-matrix.json
 - lib/stitches.rb
 - lib/stitches/add_deprecation_generator.rb
 - lib/stitches/add_disabled_at_to_api_clients_generator.rb
@@ -175,6 +174,7 @@ files:
 - lib/stitches/api_key.rb
 - lib/stitches/api_migration_generator.rb
 - lib/stitches/api_version_constraint.rb
+- lib/stitches/calling_service_name.rb
 - lib/stitches/configuration.rb
 - lib/stitches/deprecation.rb
 - lib/stitches/error.rb
@@ -209,6 +209,7 @@ files:
 - owners.json
 - spec/api_key_middleware_spec.rb
 - spec/api_version_constraint_middleware_spec.rb
+- spec/calling_service_name_spec.rb
 - spec/configuration_spec.rb
 - spec/deprecation_spec.rb
 - spec/error_spec.rb
@@ -285,7 +286,6 @@ homepage: https://github.com/stitchfix/stitches
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -300,13 +300,13 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.19
-signing_key:
+rubygems_version: 3.6.9
 specification_version: 4
 summary: You'll be in stitches at how easy it is to create a service at Stitch Fix
 test_files:
 - spec/api_key_middleware_spec.rb
 - spec/api_version_constraint_middleware_spec.rb
+- spec/calling_service_name_spec.rb
 - spec/configuration_spec.rb
 - spec/deprecation_spec.rb
 - spec/error_spec.rb

data/.travis.yml

@@ -1,10 +0,0 @@
-language: ruby
-rvm:
-  - 2.6
-  - 2.7
-  - ruby-head
-notifications:
-  email: false
-jobs:
-  allow_failures:
-    - rvm: ruby-head