DEV Community: Jibran Usman The latest articles on DEV Community by Jibran Usman (@jibranusman95). https://dev.to/jibranusman95 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3965902%2F023010ee-a64d-4d53-aba0-1488285dc4d1.jpeg DEV Community: Jibran Usman https://dev.to/jibranusman95 en Why WebMock Stubs Lie (And What To Do About It) Jibran Usman Wed, 03 Jun 2026 06:50:25 +0000 https://dev.to/jibranusman95/why-webmock-stubs-lie-and-what-to-do-about-it-4990 https://dev.to/jibranusman95/why-webmock-stubs-lie-and-what-to-do-about-it-4990 <p>You've written the test. WebMock is set up. The stub returns 200. Everything is green.</p> <p>Then Stripe ships a breaking change, your code sends a malformed request body, and you find out in production.</p> <p>Your tests lied to you.</p> <h2> The Problem With Stubs </h2> <p>WebMock is excellent at what it does. But what it does is intercept HTTP calls and return whatever you told it to return — regardless of whether your request was valid.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">stub_request</span><span class="p">(</span><span class="ss">:post</span><span class="p">,</span> <span class="s2">"https://api.stripe.com/v1/charges"</span><span class="p">)</span> <span class="p">.</span><span class="nf">to_return</span><span class="p">(</span><span class="ss">status: </span><span class="mi">200</span><span class="p">,</span> <span class="ss">body: </span><span class="p">{</span> <span class="ss">id: </span><span class="s2">"ch_123"</span> <span class="p">}.</span><span class="nf">to_json</span><span class="p">)</span> </code></pre> </div> <p>This stub will return 200 whether you send:</p> <ul> <li>A perfectly formed request</li> <li>A request missing the required <code>amount</code> field</li> <li>A request with a completely wrong content type</li> <li>Nothing at all</li> </ul> <p>You're not testing that your integration works. You're testing that your code calls a URL.</p> <h2> VCR Cassettes Are Worse </h2> <p>VCR records real HTTP interactions and replays them. That sounds great until:</p> <ul> <li> <strong>Cassettes go stale.</strong> The API changes, your cassette keeps replaying the old response forever.</li> <li> <strong>Diffs are unreadable.</strong> Cassette files are YAML blobs that nobody wants to review in a PR.</li> <li> <strong>Re-recording is painful.</strong> You need real credentials, a real network, and hope the API behaves the same way twice.</li> <li> <strong>Parallel tests break.</strong> Cassettes aren't built for concurrent access.</li> </ul> <p>You end up with a test suite that passes in CI and quietly lies about your production behaviour for months.</p> <h2> What Actually Helps: A Real Server </h2> <p>What if your test spun up an actual HTTP server — one that could validate your requests, enforce contracts, and simulate real failure modes?</p> <p>That's what <a href="https://github.com/jibranusman95/http_decoy" rel="noopener noreferrer">http_decoy</a> does.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="no">HttpDecoy</span><span class="p">.</span><span class="nf">define</span><span class="p">(</span><span class="ss">:payments</span><span class="p">)</span> <span class="k">do</span> <span class="n">base_url</span> <span class="s2">"https://payments.example.com"</span> <span class="n">post</span> <span class="s2">"/charge"</span> <span class="k">do</span> <span class="n">requires_body</span> <span class="ss">:amount</span><span class="p">,</span> <span class="ss">:currency</span> <span class="n">respond</span> <span class="ss">status: </span><span class="mi">201</span><span class="p">,</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">id: </span><span class="s2">"ch_123"</span><span class="p">,</span> <span class="ss">status: </span><span class="s2">"success"</span> <span class="p">}</span> <span class="k">end</span> <span class="n">post</span> <span class="s2">"/charge"</span><span class="p">,</span> <span class="ss">scenario: :decline</span> <span class="k">do</span> <span class="n">respond</span> <span class="ss">status: </span><span class="mi">402</span><span class="p">,</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">error: </span><span class="s2">"card_declined"</span> <span class="p">}</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>This is a real WEBrick server running on a random port inside your test process. Your code makes actual HTTP calls to it. WebMock integration is automatic — no config needed.</p> <h2> In Your RSpec Tests </h2> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="no">RSpec</span><span class="p">.</span><span class="nf">describe</span> <span class="no">PaymentsService</span> <span class="k">do</span> <span class="kp">include</span> <span class="no">HttpDecoy</span><span class="p">.</span><span class="nf">define</span><span class="p">(</span><span class="ss">:payments</span><span class="p">).</span><span class="nf">rspec_helpers</span> <span class="n">fake_server</span> <span class="ss">:payments</span> <span class="n">it</span> <span class="s2">"charges the card"</span> <span class="k">do</span> <span class="n">result</span> <span class="o">=</span> <span class="no">PaymentsService</span><span class="p">.</span><span class="nf">charge</span><span class="p">(</span><span class="ss">amount: </span><span class="mi">100</span><span class="p">,</span> <span class="ss">currency: </span><span class="s2">"usd"</span><span class="p">)</span> <span class="n">expect</span><span class="p">(</span><span class="n">result</span><span class="p">).</span><span class="nf">to</span> <span class="n">be_success</span> <span class="k">end</span> <span class="n">it</span> <span class="s2">"handles declines gracefully"</span> <span class="k">do</span> <span class="n">with_scenario</span><span class="p">(</span><span class="ss">:decline</span><span class="p">)</span> <span class="k">do</span> <span class="n">result</span> <span class="o">=</span> <span class="no">PaymentsService</span><span class="p">.</span><span class="nf">charge</span><span class="p">(</span><span class="ss">amount: </span><span class="mi">100</span><span class="p">,</span> <span class="ss">currency: </span><span class="s2">"usd"</span><span class="p">)</span> <span class="n">expect</span><span class="p">(</span><span class="n">result</span><span class="p">).</span><span class="nf">to</span> <span class="n">be_declined</span> <span class="k">end</span> <span class="k">end</span> <span class="n">it</span> <span class="s2">"validates the request body"</span> <span class="k">do</span> <span class="n">expect</span> <span class="p">{</span> <span class="no">PaymentsService</span><span class="p">.</span><span class="nf">charge</span><span class="p">(</span><span class="ss">amount: </span><span class="kp">nil</span><span class="p">)</span> <span class="p">}</span> <span class="p">.</span><span class="nf">to</span> <span class="n">raise_error</span><span class="p">(</span><span class="no">PaymentsService</span><span class="o">::</span><span class="no">InvalidRequest</span><span class="p">)</span> <span class="k">end</span> <span class="k">end</span> </code></pre> </div> <p>Notice what changed: the server validates that <code>amount</code> and <code>currency</code> are present. If your code doesn't send them, the request fails — exactly like the real API would.</p> <h2> What This Catches That WebMock Doesn't </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>WebMock</th> <th>http_decoy</th> </tr> </thead> <tbody> <tr> <td>Missing required field</td> <td>Passes silently</td> <td>Fails the request</td> </tr> <tr> <td>Wrong content type</td> <td>Passes silently</td> <td>Configurable validation</td> </tr> <tr> <td>Stale response format</td> <td>Invisible</td> <td>Update the fake, tests break</td> </tr> <tr> <td>Network timeout simulation</td> <td>Awkward</td> <td><code>raise_error Net::ReadTimeout</code></td> </tr> <tr> <td>Scenario switching</td> <td>Multiple stubs</td> <td><code>with_scenario(:decline)</code></td> </tr> <tr> <td>Request log inspection</td> <td>Not built in</td> <td> <code>have_received_request</code> matcher</td> </tr> </tbody> </table></div> <h2> Scenario Switching </h2> <p>Testing sad paths with WebMock means redefining stubs inside individual tests — messy and hard to reuse. With http_decoy, scenarios are first-class:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="no">HttpDecoy</span><span class="p">.</span><span class="nf">define</span><span class="p">(</span><span class="ss">:payments</span><span class="p">)</span> <span class="k">do</span> <span class="n">base_url</span> <span class="s2">"https://payments.example.com"</span> <span class="n">post</span> <span class="s2">"/charge"</span> <span class="k">do</span> <span class="n">respond</span> <span class="ss">status: </span><span class="mi">201</span><span class="p">,</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">id: </span><span class="s2">"ch_123"</span> <span class="p">}</span> <span class="k">end</span> <span class="n">post</span> <span class="s2">"/charge"</span><span class="p">,</span> <span class="ss">scenario: :rate_limited</span> <span class="k">do</span> <span class="n">respond</span> <span class="ss">status: </span><span class="mi">429</span><span class="p">,</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">error: </span><span class="s2">"rate_limit_exceeded"</span> <span class="p">}</span> <span class="k">end</span> <span class="n">post</span> <span class="s2">"/charge"</span><span class="p">,</span> <span class="ss">scenario: :server_error</span> <span class="k">do</span> <span class="n">respond</span> <span class="ss">status: </span><span class="mi">500</span><span class="p">,</span> <span class="ss">json: </span><span class="p">{</span> <span class="ss">error: </span><span class="s2">"internal_server_error"</span> <span class="p">}</span> <span class="k">end</span> <span class="k">end</span> <span class="c1"># In tests:</span> <span class="n">with_scenario</span><span class="p">(</span><span class="ss">:rate_limited</span><span class="p">)</span> <span class="p">{</span> <span class="no">PaymentsService</span><span class="p">.</span><span class="nf">charge</span><span class="p">(</span><span class="o">...</span><span class="p">)</span> <span class="p">}</span> <span class="n">with_scenario</span><span class="p">(</span><span class="ss">:server_error</span><span class="p">)</span> <span class="p">{</span> <span class="no">PaymentsService</span><span class="p">.</span><span class="nf">charge</span><span class="p">(</span><span class="o">...</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> Inspecting Requests </h2> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="n">it</span> <span class="s2">"sends the correct currency"</span> <span class="k">do</span> <span class="no">PaymentsService</span><span class="p">.</span><span class="nf">charge</span><span class="p">(</span><span class="ss">amount: </span><span class="mi">100</span><span class="p">,</span> <span class="ss">currency: </span><span class="s2">"usd"</span><span class="p">)</span> <span class="n">expect</span><span class="p">(</span><span class="n">payments_server</span><span class="p">).</span><span class="nf">to</span> <span class="n">have_received_request</span><span class="p">(</span><span class="ss">:post</span><span class="p">,</span> <span class="s2">"/charge"</span><span class="p">)</span> <span class="p">.</span><span class="nf">with_body</span><span class="p">(</span><span class="n">including</span><span class="p">(</span><span class="s2">"currency"</span> <span class="o">=&gt;</span> <span class="s2">"usd"</span><span class="p">))</span> <span class="k">end</span> </code></pre> </div> <p>This isn't checking that your code built the right hash. It's checking what actually went over the wire.</p> <h2> Getting Started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gem <span class="nb">install </span>http_decoy </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight ruby"><code><span class="c1"># Gemfile</span> <span class="n">gem</span> <span class="s2">"http_decoy"</span><span class="p">,</span> <span class="ss">group: :test</span> </code></pre> </div> <p>Works with WebMock out of the box. No additional config for existing test suites.</p> <p>Full docs and examples: <a href="https://github.com/jibranusman95/http_decoy" rel="noopener noreferrer">https://github.com/jibranusman95/http_decoy</a></p> <h2> The Bottom Line </h2> <p>WebMock is the right tool for unit tests where you want fast, isolated behaviour. But for integration tests that touch real service boundaries, you want a server that enforces contracts — not a stub that returns whatever you asked it to.</p> <p>Your cassettes are lying to you. Ship a fake that tells the truth.</p> <p><em>Built this? Feedback welcome in the comments or open an issue on GitHub.</em></p> ruby testing rails cicd