Make load_and_authorize_remix deterministic.

This commit changes RemixesController#load_and_authorize_remix to
deterministically always return the most recent Project record based on
created_at and, secondarily, updated_at dates.

While, in principle, there should not be multiple records where
(remixed_from_id:, user_id:) are the same, in practice there are and
there is no database constraint to prevent there being.

The previous code would nondeterministically return one of possibly many
records, causing downstream errors in Experience CS since each would
have a different identifier, not matching the one stored in Experience
CS.

Overarching epic:

RaspberryPiFoundation/experience-cs#1826

Author: fspeirs

app/controllers/api/projects/remixes_controller.rb

@@ -44,7 +44,9 @@ def project
       end
 
       def load_and_authorize_remix
-        @project = Project.find_by!(remixed_from_id: project.id, user_id: current_user&.id)
+        @project = Project.where(remixed_from_id: project.id, user_id: current_user&.id)
+                          .order(created_at: :desc, updated_at: :desc)
+                          .first!
         authorize! :show, @project
       end
 

spec/requests/projects/remix_spec.rb

@@ -68,6 +68,24 @@
 
         expect(response).to have_http_status(:not_found)
       end
+
+      context 'when multiple remixes exist for the same user and project' do
+        before do
+          create(:project, remixed_from_id: original_project.id, user_id: authenticated_user.id,
+                           created_at: 2.days.ago, updated_at: 2.days.ago)
+        end
+
+        let!(:newer_remix) do
+          create(:project, remixed_from_id: original_project.id, user_id: authenticated_user.id,
+                           created_at: 1.hour.from_now, updated_at: 1.hour.from_now)
+        end
+
+        it 'returns the most recently created remix' do
+          get("/api/projects/#{original_project.identifier}/remix", headers:)
+
+          expect(response.parsed_body['identifier']).to eq(newer_remix.identifier)
+        end
+      end
     end
 
     describe('#show_identifier') do
@@ -97,6 +115,23 @@
         get("/api/projects/#{original_project.identifier}/remix/identifier", headers:)
         expect(response).to have_http_status(:not_found)
       end
+
+      context 'when multiple remixes exist for the same user and project' do
+        before do
+          create(:project, remixed_from_id: original_project.id, user_id: authenticated_user.id,
+                           created_at: 2.days.ago, updated_at: 2.days.ago)
+        end
+
+        let!(:newer_remix) do
+          create(:project, remixed_from_id: original_project.id, user_id: authenticated_user.id,
+                           created_at: 1.hour.from_now, updated_at: 1.hour.from_now)
+        end
+
+        it 'returns the identifier of the most recently created remix' do
+          get("/api/projects/#{original_project.identifier}/remix/identifier", headers:)
+          expect(response.parsed_body['identifier']).to eq(newer_remix.identifier)
+        end
+      end
     end
 
     describe '#create' do