auth client adds Authorization headers to every request, disabling request caching

zooniverse / panoptes-javascript-client

A Javascript client for accessing the Panoptes API

https://zooniverse.github.io/panoptes-javascript-client

Apache License 2.0

6 stars 6 forks source link

auth client adds Authorization headers to every request, disabling request caching #250

Open eatyourgreens opened 1 month ago

eatyourgreens commented 1 month ago

https://github.com/zooniverse/panoptes-javascript-client/blob/8157794dfacfbc1f5d41c5730b2f47aae6fc013a/lib/auth.js#L49-L50

The auth client automatically injects an Authorization header into every request here. That's convenient for developers, who don't need to remember to add auth headers by hand.

However, responses to auth'ed requests can't be cached by shared caches or browsers (to protect end user privacy) and are sent with maxage=0. This means that large public resources, like classification workflows, can't be cached and must be requested on every use, even though they don’t require auth headers and could be served via a CDN.

eatyourgreens commented 1 month ago

I think the API client gets around this by maintaining its own internal resource cache, but that is also broken.

the internal cache has no resource invalidation, so developers have to employ workarounds in order to refresh stale resources. PFE is full of these hacks.
resources aren’t cached by CDNs, so caching isn’t shared across individual clients, for public resources like large workflows.
see also #207 for the problem of cached user sessions (which should not be cached by CDNs but are cached by the client, even after you log out.)

eatyourgreens commented 2 days ago

I think I was wrong about browsers not caching auth'ed resources. It's not explicitly prohibited (but shared caches cannot cache responses when an Authorization header is present.)

https://greenbytes.de/tech/webdav/rfc7234.html#caching.authenticated.responses