Always vary based on Authorization header
requested to merge webapp-2442-mr-2019-fix-anonymous-cached-responses-being-served-for-authenticated-users into master
See https://gitlab.com/gitlab-org/gitter/webapp/-/merge_requests/2019#note_424095474
When the first anonymous request comes through, we cache it based on the Vary headers, which do not include Authorization. When the second, authenticated request comes through, we don't take Authorization into account because it wasn't listed in Vary before, so we serve the anonymous response to the authenticated user.
In this specific case it matters because the response doesn't include the `permissions` field we want, but it could have many consequences throughout the codebase.
- https://api.github.com/repos/gitter-integration-tests/public-repo-1 with `Authorization: Basic xxx` (anonymous request using the public token pool `client_id` and `client_secret`) -> No `permissions` in response
  - `vary: Accept, Accept-Encoding, Accept, X-Requested-With` (notice that `Authorization` is not in this list)
- https://api.github.com/repos/gitter-integration-tests/public-repo-1 with `Authorization: token xxx` -> `permissions` in response
  - `vary: Accept, Authorization, Cookie, X-GitHub-OTP, Accept-Encoding, Accept, X-Requested-With`
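A minimal model of the cache behaviour described above, as an added example (not code from the gitter webapp): the first anonymous response is stored with its Vary list, and the later authenticated request hits that entry unless Authorization is always part of the key. `VaryCache`, `fetchCached` and `replay` are hypothetical names, and the two responses are constructed from the requests listed above.

```javascript
// Added example, not gitter webapp code: a minimal Vary-aware response cache reproducing the
// bug above and the "always vary on Authorization" fix. Names and responses are constructed.
const REPO_URL = 'https://api.github.com/repos/gitter-integration-tests/public-repo-1';
// Constructed stand-in for the GitHub API: a user "token" gets permissions, the pool's Basic auth does not.
function origin(reqHeaders) {
  return (reqHeaders.authorization || '').startsWith('token ')
    ? { headers: { vary: 'Accept, Authorization, Cookie, X-GitHub-OTP, Accept-Encoding, Accept, X-Requested-With' },
        body: { full_name: 'gitter-integration-tests/public-repo-1', permissions: { admin: true } } }
    : { headers: { vary: 'Accept, Accept-Encoding, Accept, X-Requested-With' },
        body: { full_name: 'gitter-integration-tests/public-repo-1' } };
}

class VaryCache {
  constructor({ alwaysVaryAuthorization = false } = {}) {
    this.alwaysVaryAuthorization = alwaysVaryAuthorization;
    this.entries = new Map(); // url -> [{ varyNames, values, response }]
  }
  // Header names taken from the stored response's Vary, plus Authorization when the fix is on.
  varyNames(varyHeader) {
    const names = new Set(varyHeader.split(',').map(s => s.trim().toLowerCase()).filter(Boolean));
    if (this.alwaysVaryAuthorization) names.add('authorization');
    return [...names];
  }
  // A hit requires every varied header to match the value seen when the entry was stored.
  lookup(url, reqHeaders) {
    const hit = (this.entries.get(url) || []).find(e =>
      e.varyNames.every(n => (reqHeaders[n] || '') === e.values[n]));
    return hit ? hit.response : null;
  }
  store(url, reqHeaders, response) {
    const varyNames = this.varyNames(response.headers.vary || '');
    const values = Object.fromEntries(varyNames.map(n => [n, reqHeaders[n] || '']));
    this.entries.set(url, [...(this.entries.get(url) || []), { varyNames, values, response }]);
  }
}

function fetchCached(cache, url, reqHeaders) {
  const hit = cache.lookup(url, reqHeaders);
  if (hit) return { fromCache: true, body: hit.body };
  const res = origin(reqHeaders);
  cache.store(url, reqHeaders, res);
  return { fromCache: false, body: res.body };
}
// Replay the two requests from the description: anonymous pool token first, then a user token.
function replay(alwaysVaryAuthorization) {
  const cache = new VaryCache({ alwaysVaryAuthorization });
  fetchCached(cache, REPO_URL, { accept: 'application/json', authorization: 'Basic xxx' });
  const second = fetchCached(cache, REPO_URL, { accept: 'application/json', authorization: 'token xxx' });
  return { fromCache: second.fromCache, hasPermissions: 'permissions' in second.body };
}
```

With the flag off, `replay(false)` serves the cached anonymous body (no `permissions`) to the token request; with it on, the second request misses the cache and gets the user-scoped response.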
Todo
- Add tests
Edited by Eric Eastwood