Merge pull request #5 from rameerez/cursor/ensure-comprehensive-testing-and-production-readiness-d999

Ensure comprehensive testing and production readiness

Author: rameerez

.gitignore

@@ -16,14 +16,22 @@ test/dummy/node_modules/
 test/dummy/config/master.key
 test/dummy/storage
 test/dummy/storage/*.sqlite3*
+# Ignore dummy app vendored bundles completely
+test/dummy/vendor/
+test/dummy/.bundle/
 .DS_Store
 
 /dist/
 
 .vscode
 .cursor
+.claude
 
 TODO
 
 **/.kamal/
-deploy.yml
+deploy.yml
+
+# Global bundler/vendor ignores
+vendor/
+vendor/bundle/

Gemfile

@@ -28,7 +28,10 @@ gem "mocha", "~> 2.0"
 
 # For testing against a Rails app (later)
 # gem "rails", "~> 7.0"
-gem "sqlite3", "~> 1.4"
+ gem "sqlite3", ">= 2.1"
 
 # Debugging
 # gem "debug"
+
+# Speed up boot time for the dummy app when engine tasks load
+ gem "bootsnap", require: false

Gemfile.lock

@@ -1,9 +1,9 @@
 PATH
   remote: .
   specs:
-    api_keys (0.1.0)
-      activerecord (>= 7.0)
-      activesupport (>= 7.0)
+    api_keys (0.2.1)
+      activerecord (>= 6.0)
+      activesupport (>= 6.0)
       base58 (~> 0.2)
       bcrypt (~> 3.1)
       rails (>= 6.1)
@@ -88,6 +88,8 @@ GEM
     bcrypt (3.1.20)
     benchmark (0.4.0)
     bigdecimal (3.1.9)
+    bootsnap (1.18.6)
+      msgpack (~> 1.2)
     builder (3.3.0)
     concurrent-ruby (1.3.5)
     connection_pool (2.5.1)
@@ -115,7 +117,6 @@ GEM
       net-smtp
     marcel (1.0.4)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.8)
     minitest (5.25.5)
     minitest-reporters (1.7.1)
       ansi
@@ -124,6 +125,7 @@ GEM
       ruby-progressbar
     mocha (2.7.1)
       ruby2_keywords (>= 0.0.5)
+    msgpack (1.8.0)
     net-imap (0.5.7)
       date
       net-protocol
@@ -202,8 +204,14 @@ GEM
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     securerandom (0.4.1)
-    sqlite3 (1.7.3)
-      mini_portile2 (~> 2.8.0)
+    sqlite3 (2.7.3-aarch64-linux-gnu)
+    sqlite3 (2.7.3-aarch64-linux-musl)
+    sqlite3 (2.7.3-arm-linux-gnu)
+    sqlite3 (2.7.3-arm-linux-musl)
+    sqlite3 (2.7.3-arm64-darwin)
+    sqlite3 (2.7.3-x86_64-darwin)
+    sqlite3 (2.7.3-x86_64-linux-gnu)
+    sqlite3 (2.7.3-x86_64-linux-musl)
     stringio (3.1.7)
     thor (1.3.2)
     timeout (0.4.3)
@@ -229,12 +237,13 @@ PLATFORMS
 
 DEPENDENCIES
   api_keys!
+  bootsnap
   bundler (~> 2.0)
   minitest (~> 5.14)
   minitest-reporters (~> 1.4)
   mocha (~> 2.0)
   rake (~> 13.0)
-  sqlite3 (~> 1.4)
+  sqlite3 (>= 2.1)
 
 BUNDLED WITH
    2.6.4

Rakefile

@@ -16,17 +16,22 @@ RDoc::Task.new(:rdoc) do |rdoc|
   rdoc.rdoc_files.include("lib/**/*.rb")
 end
 
-APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
-load "rails/tasks/engine.rake"
+# Removed loading of engine tasks to avoid pulling in dummy app/vendor tests
+# APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+# load "rails/tasks/engine.rake"
 
-load "rails/tasks/statistics.rake"
+# Removed Rails statistics task; not needed for gem tests
+# load "rails/tasks/statistics.rake"
 
 require "rake/testtask"
 
+# Ensure any test task created by engine.rake is cleared so only this suite runs
+Rake::Task[:test].clear if Rake::Task.task_defined?(:test)
+
 Rake::TestTask.new(:test) do |t|
   t.libs << "test"
-  t.pattern = "test/**/*_test.rb"
   t.verbose = false
+  t.test_files = FileList['test/**/*_test.rb'].exclude('test/dummy/**/*')
 end
 
 task default: :test

lib/api_keys/services/digestor.rb

@@ -55,12 +55,16 @@ def self.match?(token:, stored_digest:, strategy: ApiKeys.configuration.hash_str
           comparison_proc.call(stored_digest, Digest::SHA256.hexdigest(token))
         else
           # Strategy mismatch or unsupported strategy should fail comparison safely
-          Rails.logger.error "[ApiKeys] Digestor comparison failed: Unsupported hash strategy '#{strategy}' for digest check." if defined?(Rails.logger)
+          if defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
+            Rails.logger.error "[ApiKeys] Digestor comparison failed: Unsupported hash strategy '#{strategy}' for digest check."
+          end
           false
         end
       rescue ArgumentError => e
         # Catch potential errors from Digest or comparison proc
-        Rails.logger.error "[ApiKeys] Digestor comparison error: #{e.message}" if defined?(Rails.logger)
+        if defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
+          Rails.logger.error "[ApiKeys] Digestor comparison error: #{e.message}"
+        end
         false
       end
     end

lib/api_keys/tenant_resolution.rb

@@ -33,7 +33,9 @@ def current_api_tenant
       @current_api_tenant = resolver&.call(current_api_key)
     rescue StandardError => e
       # Log error but don't break the request if resolver fails
-      Rails.logger.error "[ApiKeys] Tenant resolution failed: #{e.message}" if defined?(Rails.logger)
+      if defined?(Rails) && Rails.respond_to?(:logger) && Rails.logger
+        Rails.logger.error "[ApiKeys] Tenant resolution failed: #{e.message}"
+      end
       @current_api_tenant = nil
     end
   end

test/controllers/authentication_test.rb

@@ -0,0 +1,160 @@
+# frozen_string_literal: true
+
+require "test_helper"
+require "active_job"
+
+# Stub helper_method for non-Rails controller context
+module Kernel
+  def helper_method(*); end
+end
+
+module ApiKeys
+  class AuthenticationConcernTest < ApiKeys::Test
+    class FakeRequest
+      attr_reader :headers, :query_parameters, :protocol
+      def initialize(headers: {}, query_parameters: {}, protocol: "https://", uuid: SecureRandom.uuid)
+        @headers = headers
+        @query_parameters = query_parameters
+        @protocol = protocol
+        @uuid = uuid
+      end
+      def uuid
+        @uuid
+      end
+    end
+
+    # Minimal controller-like object including the concern
+    class FakeController
+      include ApiKeys::Authentication
+
+      attr_reader :rendered
+      def initialize(request)
+        @request = request
+        @rendered = nil
+      end
+
+      def request
+        @request
+      end
+
+      def render(json:, status:)
+        @rendered = { json: json, status: status }
+      end
+    end
+
+    def setup
+      super
+      ActiveJob::Base.queue_adapter = :test
+    end
+
+    def clear_enqueued_jobs
+      ActiveJob::Base.queue_adapter.enqueued_jobs.clear
+      ActiveJob::Base.queue_adapter.performed_jobs.clear if ActiveJob::Base.queue_adapter.respond_to?(:performed_jobs)
+    end
+
+    test "authenticate_api_key! success enqueues callbacks and stats job and sets helpers" do
+      user = User.create!(name: "Controller User")
+      key = ApiKeys::ApiKey.create!(owner: user, name: "Controller Key")
+      token = key.instance_variable_get(:@token)
+      request = FakeRequest.new(headers: { "Authorization" => "Bearer #{token}" })
+      controller = FakeController.new(request)
+
+      ApiKeys.configure do |c|
+        c.enable_async_operations = true
+        c.track_requests_count = true
+        c.before_authentication = ->(ctx) { ctx }
+        c.after_authentication  = ->(ctx) { ctx }
+      end
+
+      clear_enqueued_jobs
+      controller.send(:authenticate_api_key!)
+
+      # Helpers populated
+      assert_equal key, controller.send(:current_api_key)
+      assert_equal user, controller.send(:current_api_owner)
+      assert_equal user, controller.send(:current_api_user)
+
+      # Jobs enqueued: before + after callbacks + stats
+      jobs = ActiveJob::Base.queue_adapter.enqueued_jobs
+      job_classes = jobs.map { |j| j[:job] }
+      assert job_classes.count { |jc| jc == ApiKeys::Jobs::CallbacksJob } >= 2
+      assert_includes job_classes, ApiKeys::Jobs::UpdateStatsJob
+    end
+
+    test "authenticate_api_key! missing scope renders error and does not enqueue stats" do
+      user = User.create!(name: "Scoped User")
+      key = ApiKeys::ApiKey.create!(owner: user, name: "Scoped Key", scopes: ["read"]) # no 'write'
+      token = key.instance_variable_get(:@token)
+      request = FakeRequest.new(headers: { "Authorization" => "Bearer #{token}" })
+      controller = FakeController.new(request)
+
+      ApiKeys.configure do |c|
+        c.enable_async_operations = true
+        c.before_authentication = ->(ctx) { ctx }
+        c.after_authentication  = ->(ctx) { ctx }
+      end
+
+      clear_enqueued_jobs
+      controller.send(:authenticate_api_key!, scope: "write")
+
+      # Rendered unauthorized with missing scope
+      resp = controller.rendered
+      assert_equal :unauthorized, resp[:status]
+      assert_equal :missing_scope, resp[:json][:error]
+      assert_equal "write", resp[:json][:required_scope]
+
+      # Stats job not enqueued
+      jobs = ActiveJob::Base.queue_adapter.enqueued_jobs
+      job_classes = jobs.map { |j| j[:job] }
+      refute_includes job_classes, ApiKeys::Jobs::UpdateStatsJob
+      # But callbacks are still enqueued (before and after)
+      assert job_classes.count { |jc| jc == ApiKeys::Jobs::CallbacksJob } >= 2
+    end
+
+    test "authenticate_api_key! with async disabled enqueues no jobs" do
+      user = User.create!(name: "No Async User")
+      key = ApiKeys::ApiKey.create!(owner: user, name: "No Async Key")
+      token = key.instance_variable_get(:@token)
+      request = FakeRequest.new(headers: { "Authorization" => "Bearer #{token}" })
+      controller = FakeController.new(request)
+
+      ApiKeys.configure do |c|
+        c.enable_async_operations = false
+        c.track_requests_count = true
+        c.before_authentication = ->(ctx) { ctx }
+        c.after_authentication  = ->(ctx) { ctx }
+      end
+
+      clear_enqueued_jobs
+      controller.send(:authenticate_api_key!)
+
+      jobs = ActiveJob::Base.queue_adapter.enqueued_jobs
+      job_classes = jobs.map { |j| j[:job] }
+      refute_includes job_classes, ApiKeys::Jobs::CallbacksJob
+      refute_includes job_classes, ApiKeys::Jobs::UpdateStatsJob
+    end
+
+    test "authenticate_api_key! with multiple required scopes succeeds only if all present" do
+      user = User.create!(name: "Multi Scope User")
+      key = ApiKeys::ApiKey.create!(owner: user, name: "Multi", scopes: %w[read write])
+      token = key.instance_variable_get(:@token)
+      request = FakeRequest.new(headers: { "Authorization" => "Bearer #{token}" })
+      controller = FakeController.new(request)
+
+      ApiKeys.configure { |c| c.enable_async_operations = false }
+
+      # Succeeds when both required
+      controller.send(:authenticate_api_key!, scope: %w[read write])
+      assert_nil controller.rendered, "Should not render when authorized"
+
+      # Fails when one required scope missing
+      key_missing = ApiKeys::ApiKey.create!(owner: user, name: "Missing", scopes: %w[read])
+      token2 = key_missing.instance_variable_get(:@token)
+      controller2 = FakeController.new(FakeRequest.new(headers: { "Authorization" => "Bearer #{token2}" }))
+      controller2.send(:authenticate_api_key!, scope: %w[read write])
+      refute_nil controller2.rendered
+      assert_equal :missing_scope, controller2.rendered[:json][:error]
+      assert_equal %w[read write], controller2.rendered[:json][:required_scope]
+    end
+  end
+end