JSONAPI - Response still cached when using different HTTP Basic Authentication credentials

Created on 20 March 2023, about 1 year ago
Updated 7 April 2023, about 1 year ago

Perhaps support request, but feels like a bug to me.

Problem/Motivation

Drupal caches responses to requests, even when different HTTP Basic Authentication credentials are used when making the request.

Steps to reproduce

When providing endpoints with the JSON:API module, enable the HTTP Basic Authentication module.
Set only authenticated users to "view content"
Create a test user.

Make request to endpoint with curl.
curl --header 'Accept: application/vnd.api+json' --user some-user --request GET "https://yourdomain/jsonapi/node/basic-page"

Enter the wrong credentials when prompted
Will get a response without data as per permission settings for viewing content (assume authenticated user only can view content)

Execute the curl command again. This time use the correct password

Response still will not have data.

I can use the &time=[timestamp] parameter and the response is always fresh/correct.

Proposed resolution

Shouldn't the response not be cached if the request is made with different credentials?
OR
How can one make sure the response is fresh if different HTTP Basic Authentication credentials are used in a request?

Is this possible in a KernelEvents::RESPONSE Event Subscriber?

💬 Support request
Status

Closed: works as designed

Version

9.5

Component
JSON API


Created by

🇺🇸 United States markusa


Comments & Activities

  • Issue created by @markusa
  • 🇺🇸 United States cilefen

    What are the response headers when the wrong thing happens?

  • 🇺🇸 United States markusa

    Here are headers for a request, using the right user credentials with HTTP Basic, after making a request with wrong credentials. The data property in the response is empty.

    Using the -i flag with curl to get the headers.

    HTTP/2 200 
    server: nginx
    content-type: application/vnd.api+json
    x-powered-by: PHP/8.1.16
    cache-control: must-revalidate, no-cache, private
    date: Mon, 20 Mar 2023 22:01:33 GMT
    x-drupal-dynamic-cache: HIT
    x-ua-compatible: IE=edge
    content-language: en
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    expires: Sun, 19 Nov 1978 05:00:00 GMT
    x-generator: Drupal 9 (https://www.drupal.org)
    content-security-policy: frame-ancestors 'self'
    x-xss-protection: 1; mode=block
    referrer-policy: no-referrer-when-downgrade
    x-robots-tag: noindex, nofollow, nosnippet, noarchive

    For more information, I am using JSONAPI Extras, and JSONAPI Include modules. I do have a small custom EventSubscriber, subscribing to KernelEvents::RESPONSE which unsets a value in the JSON response when one of the node's fields has a certain value. It simply decodes the response JSON, and if a certain url parameter in the request exists, I unset a value from the JSON, encode the JSON again, and do $event->getResponse()->setContent($content). Nothing in there specific to caching, or the authentication, but full disclosure.

  • Status changed to Postponed: needs info about 1 year ago
  • 🇳🇱 Netherlands bbrala

    Can you reproduce this on a clean drupal install? I tried and couldn't.

  • 🇺🇸 United States markusa

    Well now I feel dumb, I can't replicate on a local instance, something Nginx-y perhaps.

    Changing to support request. Thanks for your time.

  • Status changed to Closed: works as designed about 1 year ago
  • 🇳🇱 Netherlands bbrala

    Ok great, and thank you for following up the issue! That helps loads :)

  • 🇺🇸 United States markusa

    For anyone finding this via Google.
    In the Nginx config for the site, had to turn off fastcgi_cache .. I didn't dig deeper yet as to why or how to conditionally enable that.
    fastcgi_cache off;
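The thread ends with `fastcgi_cache off;`, which fixes the symptom but also gives up the cache for anonymous traffic. The root cause is that the nginx fastcgi cache keys on URL and method only, so a request with a wrong password, the right password, or no credentials at all can all be served the same stored body. The response headers posted above (`cache-control: must-revalidate, no-cache, private`, `expires: ... 1978`) would normally stop nginx from storing the page, so a site that sees this behaviour is usually overriding them with `fastcgi_ignore_headers`. Below is an added example configuration, not from this issue and not Drupal's or nginx's official recommended config, that keeps the cache for anonymous requests while bypassing it whenever a request carries credentials. The cache path, socket path, zone name, web root and the Drupal session-cookie name pattern are assumptions.

```nginx
# Added example (not from the issue): nginx fastcgi_cache that never serves
# one user's cached response to another. Paths and names are assumptions.

fastcgi_cache_path /var/cache/nginx/drupal levels=1:2 keys_zone=drupal:16m
                   max_size=512m inactive=60m use_temp_path=off;

# 1 when the request carries a Drupal session cookie (SESS.../SSESS...),
# i.e. a logged-in browser user. Cookie name pattern is an assumption.
map $http_cookie $drupal_has_session {
    default             0;
    "~S?SESS[0-9a-f]+=" 1;
}

server {
    listen 443 ssl;
    server_name yourdomain;            # placeholder host from the issue
    root /var/www/drupal/web;          # assumption

    location ~ '\.php$|^/update.php' {
        fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;   # assumption

        fastcgi_cache       drupal;
        fastcgi_cache_key   "$scheme$request_method$host$request_uri";
        fastcgi_cache_valid 200 301 302 10m;

        # Do not look up the cache for a request that carries credentials
        # (HTTP Basic Authorization header or a Drupal session cookie), and
        # do not store the response to such a request. This keeps the
        # "wrong password" and "right password" responses from ever sharing
        # a cache entry, while anonymous requests still hit the cache.
        fastcgi_cache_bypass $http_authorization $drupal_has_session;
        fastcgi_no_cache     $http_authorization $drupal_has_session;

        # Leave Drupal's Cache-Control: private / no-cache and Expires headers
        # in force; nginx honours them by default. Do NOT add
        #   fastcgi_ignore_headers Cache-Control Expires;
        # which is the usual way this kind of cross-user cache leak appears.

        # Expose the cache decision so the behaviour can be checked with curl -i.
        add_header X-FastCGI-Cache $upstream_cache_status;
    }
}
```

To verify, repeat the two `curl -i --user ...` requests from the report: both should now return `X-FastCGI-Cache: BYPASS`, while an anonymous request to the same URL returns `MISS` on the first call and `HIT` afterwards. The same rule applies to any cache in front of Drupal (Varnish, a CDN): either bypass on `Authorization` and session cookies, or include them in the cache key.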
