Closed leonardr closed 3 years ago
@kristojorg, take a look at the HTTP side of this and verify that this makes sense.
Open eBooks is the only library where different patron types get assigned different root lanes. If you sign in as an Early Grades patron, you should never be shown a Middle Grades feed -- even if (this is the point of OE-25) there was a Middle Grades patron who used the device before you and cached a Middle Grades feed in the private browser cache.
With, let's say, NYPL, we have different patron types, but when you log in, everyone always gets sent the same top-level feed. So there's no issue with a cache having a copy of a feed that a patron shouldn't be shown.
Theoretically we could say that people with juvenile cards a) get sent to a special "juvenile" set of lanes and b) can't access any books that won't fit in those lanes, and at that point we'd get something more like Open eBooks, but we haven't set that policy at NYPL.
This branch fixes https://jira.nypl.org/browse/OE-25 by changing the caching rules for all CachedFeeds served for libraries that direct patrons to different lanes based on their patron type. For those libraries, all CachedFeeds are treated as private.
"Private" here refers to a concept defined in util/flask_util.py:Response as a way of bundling together a few features of HTTP. These feeds are not necessarily "private" in the sense that their contents are secret; "private" here only refers to the rules about when the feeds can be cached. Most of this branch is tweaking what exactly "private" means:
Previously, private resources were served with
Cache-Control: private
, meaning they can only be cached by the final recipient, not by intermediaries such as CDNs. This is still true.As of this branch, private resources are also served with
Vary: Authorization
, meaning they can only be cached by the credentials that requested them. This is the piece that (I hope) actually fixes OE-25.And as of this branch, private resources are not served with
Cache-Control: s-maxage
. That told intermediaries how long to cache the representation, which conflicted with theCache-Control: private
directive.