Provide more granularity for specific routes

Created on 4 November 2024, 5 months ago

Problem/Motivation

It'd be nice if we had granularity for which query strings are allowed for specific routes rather than it being a whitelist. This ensures that certain URLs aren't invalidated when not necessary.

Steps to reproduce

1. Add the page query parameter to the include list.
2. The page query parameter affects pages which don't normally make use of paginations like nodes.

Proposed resolution

Provide UI to provide granulatity of the rules on a route by route basis.

Taking inspiration from #1245482-27: URL variation DOS attack protection

Additional details:
1. Provide a way for developers or site builders to annotate routes with a list of allowed query parameters (with optional regex for allowed values, e.g. page only takes in digits)
2. Add a Routing listener service that will parse all the routes, gather these data, and store them in a KV system (remember, Drupal core has a builtin KV; don't forget default args like q and page)
3. Create an `http.middleware` tagged service coming in before the internal page cache, that will hit this KV and rewrite the inbound request accordingly, stripping unexpected args and ordering the others.

These can all be done as a submodule if the existing global behaviour is desired for your use cases, or an upgrade path can be provided to support the old global behaviour.

Remaining tasks

Provide new UI and update config schemas accordingly.

User interface changes

Provide UI for managing route specific query parameter rules.

API changes

TDB.

Feature request
Status

Active

Version

2.0

Component

Code

Created by

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @codebymikey
  • 🇦🇺Australia nterbogt

    I agree with the sentiment behind this ticket; but not necessarily the implementation.

    I'd like to see the code automatically leverage the cache `url.query_args` bubbleable metadata, so that implementing it correctly in a block or similar, automatically enables that argument in the page cache ignore.

    I haven't quite worked out how to do that yet.

    But both options have merit and it would be worth doing an analysis over which route should be taken (pun intended) :)

Production build 0.71.5 2024