Send Vary: Authorization cache header

I don't think this is actually relevant in-app right now, but I figured sending it is More Correct, and is likely to prevent future bugs if anything (and prevent future questions about why we're _not_ sending it).

I also removed the `maxAge: 0` on `currentUser`, now that I've updated Fastly to no longer default to 5-minute caching when no cache time is specified. I can see why that's a reasonable default for Fastly, but we've been pretty careful about specifying Cache-Control headers when relevant, so the extra caching is mostly incorrect.
Emi Matchu 2021-11-23 13:00:56 -08:00
parent d4b115e805
commit 2e41f7bb0b
2 changed files with 20 additions and 10 deletions
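The commit message relies on two different mechanisms: `Vary: Authorization` changes how a cache keys a stored response, while `Cache-Control: private` (what `scope: PRIVATE` produces) decides whether a shared cache may store it at all. The following is an added example, not code from this project or its author: a minimal Vary-aware shared cache in the style of a CDN, plus a hypothetical `addVary` helper that merges into an existing Vary header instead of overwriting it. The URL, tokens and header values are constructed sample data.

```javascript
// Added example (not the project's code): a minimal Vary-aware shared cache
// to show what `Vary: Authorization` does and does not do. All URLs, tokens
// and header values are constructed sample data.

// Build a case-insensitive header map from a plain object.
const h = (obj) =>
  new Map(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));

// Hypothetical helper: merge a member into Vary rather than replacing it, so an
// existing `Vary: Accept-Encoding` survives.
function addVary(headers, name) {
  const members = (headers.get("vary") || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (!members.includes(name.toLowerCase())) members.push(name.toLowerCase());
  headers.set("vary", members.join(", "));
  return headers.get("vary");
}

// Secondary cache key (RFC 9111 section 4.1): the request's value for every
// header named in Vary. `Vary: *` makes the response unmatchable, so null.
function secondaryKey(vary, reqHeaders) {
  const names = (vary || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (names.includes("*")) return null;
  return names.map((n) => `${n}=${reqHeaders.get(n) || ""}`).join("&");
}

class SharedCache {
  constructor() { this.entries = new Map(); }

  // Store a response unless Cache-Control forbids a shared cache from doing so.
  // Returns true when the response was stored.
  store(url, reqHeaders, resHeaders, body) {
    const cc = (resHeaders.get("cache-control") || "").toLowerCase();
    if (/\b(private|no-store)\b/.test(cc)) return false;
    const vary = resHeaders.get("vary") || "";
    const key = secondaryKey(vary, reqHeaders);
    if (key === null) return false;
    if (!this.entries.has(url)) this.entries.set(url, new Map());
    this.entries.get(url).set(key, { vary, body });
    return true;
  }

  // Serve a stored variant only when the request reproduces its secondary key.
  lookup(url, reqHeaders) {
    for (const [key, entry] of this.entries.get(url) || []) {
      if (secondaryKey(entry.vary, reqHeaders) === key) return entry.body;
    }
    return undefined;
  }
}

// Walk through the two cases the commit describes and return the outcomes.
function demo() {
  const cache = new SharedCache();
  const url = "https://example.invalid/graphql?op=PublicItems"; // constructed

  // Public data: the client sends no Authorization, response is cacheable.
  const anon = h({});
  const publicRes = h({ "Cache-Control": "public, max-age=3600", "Vary": "Accept-Encoding" });
  addVary(publicRes, "Authorization");
  const storedPublic = cache.store(url, anon, publicRes, "public-items");

  // User data: scope PRIVATE yields `private`, so the shared cache must not store it.
  const userA = h({ Authorization: "Bearer token-A" });
  const privateRes = h({ "Cache-Control": "private, max-age=60", "Vary": "Authorization" });
  const storedPrivate = cache.store(url, userA, privateRes, "user-A-data");

  return {
    vary: publicRes.get("vary"),            // both members kept
    storedPublic,                           // true
    storedPrivate,                          // false: never reaches the CDN store
    anonHit: cache.lookup(url, h({})),      // another anonymous user shares the entry
    userAHit: cache.lookup(url, userA),     // Authorization present: different variant, miss
  };
}
```

The `userAHit` miss is the whole effect of `Vary: Authorization`: a request carrying a token never matches the variant stored for anonymous requests, and vice versa. It does not expire anything and does not by itself stop a shared cache from storing a response; that is what `private` does in the second case.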

@ -74,6 +74,22 @@ const config = {
...buildLoaders(db),
};
},
formatResponse: (res, context) => {
// The Authorization header can affect the response, so we signal that here
// for caching user data! That way, login/logout will refresh user data,
// even if it was briefly cached.
//
// NOTE: Our frontend JS only sends the Authorization header for user data
// queries. For public data, the header will be absent, and different
// users will still be able to share the same public cache data.
//
// NOTE: At time of writing, I'm not sure we use this in app? I think all
// current user data queries request fields with `maxAge: 0`. But I'm
// adding it just to remove a potential surprise gotcha later!
context.response.http.headers.set("Vary", "Authorization");
return res;
},
plugins,
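Review bot: `context.response.http.headers.set("Vary", "Authorization")` replaces whatever Vary value is already on the response, so a `Vary: Accept-Encoding` added earlier by compression middleware or another plugin would be silently dropped; use `append` if the Headers object supports it, or split the existing value on commas, add `Authorization` when absent and re-join, so the header ends up as `Vary: Accept-Encoding, Authorization`. The first NOTE also rests on a client-side convention (the frontend only sends Authorization on user-data queries) that the server does not enforce; the unconditional header is still the right call, since a client that sends Authorization on a public query only gets its own cache variant rather than poisoning the shared one, but the comment should say so explicitly so nobody later tries to make the header conditional on the query.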

@ -51,16 +51,10 @@ const typeDefs = gql`
"""
The currently logged-in user.
"""
# Don't allow caching of *anything* nested inside currentUser, because we
# want logins/logouts always reset user data properly.
#
# TODO: If we wanted to privately cache a currentUser field, we could
# remove the maxAge condition here, and attach user ID to the GraphQL
# request URL when sending auth headers. That way, changing user
# would send different requests and avoid the old cache hits. (But we
# should leave the scope, to emphasize that the CDN cache shouldn't
# cache it.)
currentUser: User @cacheControl(maxAge: 0, scope: PRIVATE)
# NOTE: The client might privately cache some of the data in here, which is
# okay, because we set the header "Vary: Authorization", so
# login/logout will change the local cache key!
currentUser: User @cacheControl(scope: PRIVATE)
}
`;
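Review bot: the replacement comment credits `Vary: Authorization` with keeping login/logout safe, but for the CDN the guarantee comes from `scope: PRIVATE`, which yields `Cache-Control: private` and stops Fastly from storing the response at all; Vary only keys what a cache has already decided to store, and it never expires an entry, it just keeps a request without Authorization from matching a variant stored under a token. With `maxAge: 0` removed, the effective max-age of `currentUser` is now whatever Apollo's cache-control defaults and the nested `User` field hints produce instead of an explicit zero, and the deleted comment was the only place stating that nothing nested inside `currentUser` is cached. Suggest stating the expected resulting `Cache-Control` value in the new comment, and keeping one line saying that `scope: PRIVATE` is what keeps the CDN out, so the next reader does not assume nested fields are still forced to 0.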