
Always vary based on Authorization header

See https://gitlab.com/gitlab-org/gitter/webapp/-/merge_requests/2019#note_424095474

When the first anonymous request comes through, we cache it based on the vary headers, which do not include Authorization. Then, when the second authenticated request comes through, we don't take Authorization into account because it wasn't listed to vary before. This causes us to serve the anonymous response to the authenticated user.

In this specific case, it matters because the response doesn't include the permissions field we want but could have many consequences throughout the codebase.

  1. https://api.github.com/repos/gitter-integration-tests/public-repo-1 with Authorization: Basic xxx (anonymous request using the public token pool client_id and client_secret)
    • No permissions in response
    • -> vary: Accept, Accept-Encoding, Accept, X-Requested-With (notice that Authorization is not in this list)
  2. https://api.github.com/repos/gitter-integration-tests/public-repo-1 with Authorization: token xxx
    • permissions in response
    • -> vary: Accept, Authorization, Cookie, X-GitHub-OTP, Accept-Encoding, Accept, X-Requested-With

Todo

  • Add tests
Edited by Eric Eastwood
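The cache-keying problem the description reports, as an added example that is not code from the Gitter webapp or from this merge request: a minimal response cache that selects stored variants by the request headers named in the response's Vary header, where (as the description says) the Vary list of the first response stored for a URL fixes the key used for every later lookup of that URL. The two GitHub responses, their `permissions` bodies and the `alwaysVary` option that stands in for the merge request's fix are constructed assumptions, not the project's API.

```javascript
// Added example (not from the Gitter webapp): a minimal HTTP response cache that
// selects cached variants by the request headers named in the response's Vary
// header. As in the bug described in the merge request, the Vary list of the
// first response stored for a URL decides the cache key for that URL from then
// on, so a later response with a wider Vary list cannot widen it.

function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([name, value]) => [name.toLowerCase(), value]),
  );
}

// "Accept, Authorization, Accept" -> ["accept", "authorization"]
function parseVary(vary) {
  const names = (vary || '').split(',').map((h) => h.trim().toLowerCase());
  return [...new Set(names.filter(Boolean))];
}

class VaryCache {
  // alwaysVary: request headers that are part of the key regardless of what the
  // origin's Vary header says (assumed option standing in for the MR's fix).
  constructor({ alwaysVary = [] } = {}) {
    this.alwaysVary = alwaysVary.map((h) => h.toLowerCase());
    this.entries = new Map(); // url -> { varyHeaders: string[], variants: Map }
  }

  // Secondary key: the values of the selecting request headers, in a fixed order.
  static variantKey(varyHeaders, requestHeaders) {
    const req = lowerKeys(requestHeaders);
    return varyHeaders.map((h) => `${h}=${req[h] ?? ''}`).join('&');
  }

  lookup(url, requestHeaders) {
    const entry = this.entries.get(url);
    if (!entry) return null;
    return entry.variants.get(VaryCache.variantKey(entry.varyHeaders, requestHeaders)) ?? null;
  }

  store(url, requestHeaders, response) {
    let entry = this.entries.get(url);
    if (!entry) {
      // The first response for this URL fixes the selecting headers for all later lookups.
      const varyHeaders = [...new Set([...this.alwaysVary, ...parseVary(response.headers.vary)])].sort();
      entry = { varyHeaders, variants: new Map() };
      this.entries.set(url, entry);
    }
    entry.variants.set(VaryCache.variantKey(entry.varyHeaders, requestHeaders), response);
  }
}

// Constructed stand-ins for the two GitHub responses listed in the description:
// the anonymous one omits "permissions" and does not vary on Authorization.
const REPO_URL = 'https://api.github.com/repos/gitter-integration-tests/public-repo-1';

function fakeGitHub(requestHeaders) {
  const auth = lowerKeys(requestHeaders).authorization || '';
  if (auth.startsWith('token ')) {
    return {
      headers: { vary: 'Accept, Authorization, Cookie, X-GitHub-OTP, Accept-Encoding, Accept, X-Requested-With' },
      body: { full_name: 'gitter-integration-tests/public-repo-1', permissions: { admin: false, push: false, pull: true } },
    };
  }
  return {
    headers: { vary: 'Accept, Accept-Encoding, Accept, X-Requested-With' },
    body: { full_name: 'gitter-integration-tests/public-repo-1' },
  };
}

function cachedFetch(cache, url, requestHeaders) {
  const hit = cache.lookup(url, requestHeaders);
  if (hit) return { ...hit, fromCache: true };
  const response = fakeGitHub(requestHeaders);
  cache.store(url, requestHeaders, response);
  return { ...response, fromCache: false };
}

// Replays the requests from the description against a given cache and reports
// whether the authenticated caller got the response it should have, and whether
// a repeated anonymous request still benefits from the cache.
function replay(cache) {
  const anonHeaders = { Accept: 'application/json', Authorization: 'Basic xxx' };
  const tokenHeaders = { Accept: 'application/json', Authorization: 'token xxx' };
  const anon = cachedFetch(cache, REPO_URL, anonHeaders);
  const authed = cachedFetch(cache, REPO_URL, tokenHeaders);
  const anonAgain = cachedFetch(cache, REPO_URL, anonHeaders);
  return {
    anonHasPermissions: 'permissions' in anon.body,
    authedHasPermissions: 'permissions' in authed.body,
    authedServedFromCache: authed.fromCache,
    anonAgainServedFromCache: anonAgain.fromCache,
  };
}

const buggy = replay(new VaryCache());
const fixed = replay(new VaryCache({ alwaysVary: ['Authorization'] }));
console.log('origin Vary only:', buggy); // authenticated caller receives the anonymous body
console.log('always vary on Authorization:', fixed);
```

With the origin's Vary list alone, the second request hits the variant stored for the anonymous caller and comes back without `permissions`; adding Authorization to the key up front keeps the two callers apart while the repeated anonymous request is still served from cache. The same reasoning applies to any header that changes the body but that the origin only starts advertising in Vary once it has been sent.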
