Prevent api responses that depend on current_user from being cached #43737
During the caching-focused HoC bug bash, there were several reports of “stale” state being shown in the browser (e.g. page displaying as signed-in when the user had signed out). During the investigation, we discovered a general problem where the responses to asynchronous requests from the client, typically to /api endpoints, were being cached by the browser and then being reused when the back button was hit (and possibly other scenarios).

I'm looking for feedback on the tradeoff between completeness of fix and risk. The most complete fix would be to prevent caching in the base classes and affect all APIs. The most targeted fix would be to change only the APIs where we know there to be an issue. This PR currently represents something in the middle -- I've audited our APIs to determine which ones are likely to return incorrect data because the response changes depending on `current_user`. (Note that it does not include APIs where `current_user` is only used to determine authorization.)
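The mechanism the description is weighing, shown as an added example that is not code from this PR or its repository: a Rack-style middleware that stamps `Cache-Control: no-store` on responses whose body depends on the signed-in user, so the browser cannot replay them on back/forward navigation. The path list and the `X-Demo-User` header standing in for `current_user` are assumptions; with a single catch-all pattern the same middleware becomes the "prevent caching in the base classes" variant, and with an audited list it is the middle ground the PR describes.

```ruby
# Added example, not the project's code. Constructed path patterns whose
# responses vary with current_user (an audited list, as in the PR description).
USER_DEPENDENT_API_PATHS = [%r{\A/api/v1/me\z}, %r{\A/api/user/}].freeze

# Rack-compatible middleware: for matching paths, replace any caching policy
# the endpoint set with `no-store`, which forbids storing the response at all
# (memory cache, disk cache and back/forward cache included).
class NoStoreForUserDependentApis
  def initialize(app, patterns: USER_DEPENDENT_API_PATHS)
    @app = app
    @patterns = patterns
  end

  def call(env)
    status, headers, body = @app.call(env)
    path = env['PATH_INFO'].to_s
    if @patterns.any? { |re| re.match?(path) }
      headers = headers.dup
      headers['Cache-Control'] = 'no-store'
      headers['Pragma'] = 'no-cache' # for HTTP/1.0-only intermediaries
      headers['Expires'] = '0'
    end
    [status, headers, body]
  end
end

# Constructed stand-in for the application. The X-Demo-User request header
# plays the role of the current_user lookup; a real app would use the session.
SAMPLE_APP = lambda do |env|
  user = env['HTTP_X_DEMO_USER']
  case env['PATH_INFO']
  when '/api/v1/me'
    # Body depends on who is signed in: exactly the class of response the PR targets.
    [200, { 'Content-Type' => 'application/json' }, ["{\"signed_in\":#{!user.nil?}}"]]
  else
    # Public endpoint whose explicit caching policy must be left alone.
    [200, { 'Content-Type' => 'application/json', 'Cache-Control' => 'public, max-age=300' },
     ['{"ok":true}']]
  end
end

# Issue a GET against a Rack app with a minimal env; returns [status, headers, body_string].
def simulate_get(app, path, user: nil)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path }
  env['HTTP_X_DEMO_USER'] = user if user
  status, headers, body = app.call(env)
  [status, headers, body.join]
end

# Heuristic check a test suite can run over every API response: a browser is
# free to reuse the response unless Cache-Control carries the no-store directive.
def browser_may_reuse?(headers)
  directives = headers['Cache-Control'].to_s.split(',').map(&:strip)
  !directives.include?('no-store')
end

WRAPPED_APP = NoStoreForUserDependentApis.new(SAMPLE_APP)

if __FILE__ == $PROGRAM_NAME
  [['/api/v1/me', 'alice'], ['/api/v1/me', nil], ['/api/public', nil]].each do |path, user|
    _, headers, body = simulate_get(WRAPPED_APP, path, user: user)
    puts "#{path} (user=#{user.inspect}): #{body} Cache-Control=#{headers['Cache-Control']}"
  end
end
```

The `browser_may_reuse?` check is the piece worth keeping around after the fix lands: run it over every audited endpoint in a request spec so that a later refactor of the base classes cannot silently drop the header again.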