API responses can't be cached by browsers or shared caches

[eatyourgreens]

https://github.com/zooniverse/panoptes-javascript-client/blob/8157794dfacfbc1f5d41c5730b2f47aae6fc013a/lib/auth.js#L49-L50

The auth client automatically injects an Authorization header into every request here. That's convenient for developers, who don't need to remember to add auth headers by hand.

However, responses to auth'ed requests can't be cached by shared caches or browsers (to protect end user privacy) and are sent with maxage=0. This means that large public resources, like classification workflows, can't be cached and must be requested on every use, even though they don’t require auth headers and could be served via a CDN.

[eatyourgreens]

I think the API client gets around this by maintaining its own internal resource cache, but that is also broken.

• the internal cache has no resource invalidation, so developers have to employ workarounds in order to refresh stale resources.
• resources aren’t cached by CDNs, so caching isn’t shared across individual clients, for public resources like large workflows.
• see also #207 for the problem of cached user sessions (which should not be cached by CDNs but are cached by the client, even after you log out.)