JSONAPI - Response still cached when using different HTTP Basic Authentication credentials

What are the response headers when the wrong thing happens?

Here are headers for a request, using the right user credentials with HTTP Basic, after making a request with wrong credentials. The data property in the response is empty.

Using the -i flag with curl to get the headers.

HTTP/2 200 
server: nginx
content-type: application/vnd.api+json
x-powered-by: PHP/8.1.16
cache-control: must-revalidate, no-cache, private
date: Mon, 20 Mar 2023 22:01:33 GMT
x-drupal-dynamic-cache: HIT
x-ua-compatible: IE=edge
content-language: en
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
expires: Sun, 19 Nov 1978 05:00:00 GMT
x-generator: Drupal 9 (https://www.drupal.org)
content-security-policy: frame-ancestors 'self'
x-xss-protection: 1; mode=block
referrer-policy: no-referrer-when-downgrade
x-robots-tag: noindex, nofollow, nosnippet, noarchive

For more information, I am using JSONAPI Extras, and JSONAPI Include modules. I do have a small custom EventSubscriber, subscribing to KernelEvents::RESPONSE which unsets a value in the JSON response when one of the node's fields has a certain value. It simply decodes the response JSON, and if a certain url parameter in the request exists, I unset a value from the JSON, encode the JSON again, and do $event->getResponse()->setContent($content) .. Nothing in their specific to caching, or the authentication, but full disclosure.

Can you reproduce this on a clean drupal install? I tried and couldn't.

Well now I feel dumb, I can't replicate on a local instance, something Nginx-y perhaps.

Changing to support request. Thanks for your time.

Ok great, and thank you for following up the issue! That helps loads :)

For anyone finding this via Google.
In the Nginx config for the site, had to turn off fastcgi_cache .. I didn't dig deeper yet as to why or how to conditionally enable that.
fastcgi_cache off;