Merge pull request #707 from mozilla-services/vary-header

Add a Vary header for Authorization. Fixes Kinto/kinto#593
mozilla-services · May 17, 2016 · 386e076 · 386e076
2 parents 5104083 + 42e528c
commit 386e076
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 9 deletions.
diff --git a/cliquet/__init__.py b/cliquet/__init__.py
@@ -51,6 +51,7 @@
         'cliquet.initialization.setup_permission',
         'cliquet.initialization.setup_cache',
         'cliquet.initialization.setup_requests_scheme',
+        'cliquet.initialization.setup_vary_headers',
         'cliquet.initialization.setup_version_redirection',
         'cliquet.initialization.setup_deprecation',
         'cliquet.initialization.setup_authentication',
@@ -101,7 +102,7 @@ class Service(CorniceService):
     patching the default cornice service (which would impact other uses of it)
     """
     default_cors_headers = ('Backoff', 'Retry-After', 'Alert',
-                            'Content-Length')
+                            'Content-Length', 'Vary')
 
     def error_handler(self, error):
         return errors.json_error_handler(error)

diff --git a/cliquet/initialization.py b/cliquet/initialization.py
@@ -140,6 +140,20 @@ def on_new_request(event):
         config.add_subscriber(on_new_request, NewRequest)
 
 
+def setup_vary_headers(config):
+    """Add Vary headers to each response."""
+    settings = config.get_settings()
+
+    vary = aslist(settings.get('vary', 'Authorization'))
+
+    def on_new_request(event):
+        def vary_callback(request, response):
+            response.vary = vary
+        event.request.add_response_callback(vary_callback)
+
+    config.add_subscriber(on_new_request, NewRequest)
+
+
 def setup_deprecation(config):
     config.add_tween("cliquet.initialization._end_of_life_tween_factory")
 

diff --git a/cliquet/tests/resource/test_views_cors.py b/cliquet/tests/resource/test_views_cors.py
@@ -147,11 +147,11 @@ def test_collection_get_exposes_every_possible_header(self):
         self.assert_expose_headers('GET', self.collection_url, [
             'Alert', 'Backoff', 'ETag', 'Last-Modified', 'Next-Page',
             'Retry-After', 'Total-Records', 'Content-Length',
-            'Cache-Control', 'Expires', 'Pragma'])
+            'Cache-Control', 'Expires', 'Pragma', 'Vary'])
 
     def test_hello_endpoint_exposes_only_minimal_set_of_headers(self):
         self.assert_expose_headers('GET', '/', [
-            'Alert', 'Backoff', 'Retry-After', 'Content-Length'])
+            'Alert', 'Backoff', 'Retry-After', 'Content-Length', 'Vary'])
 
     def test_record_get_exposes_only_used_headers(self):
         body = {'data': MINIMALIST_RECORD}
@@ -163,22 +163,26 @@ def test_record_get_exposes_only_used_headers(self):
         self.assert_expose_headers('GET', record_url, [
             'Alert', 'Backoff', 'ETag', 'Retry-After',
             'Last-Modified', 'Content-Length',
-            'Cache-Control', 'Expires', 'Pragma'])
+            'Cache-Control', 'Expires', 'Pragma', 'Vary'])
 
     def test_record_post_exposes_only_minimal_set_of_headers(self):
         body = {'data': MINIMALIST_RECORD}
-        self.assert_expose_headers('POST_JSON', '/mushrooms', [
-            'Alert', 'Backoff', 'Retry-After', 'Content-Length'], body=body)
+        self.assert_expose_headers('POST_JSON', '/mushrooms',
+                                   ['Alert', 'Backoff', 'Retry-After',
+                                    'Content-Length', 'Vary'],
+                                   body=body)
 
     def test_present_on_bad_id_400_errors(self):
         body = {'data': {'name': 'Amanite'}}
         self.assert_expose_headers('PUT_JSON', '/mushrooms/wrong=ids', [
-            'Alert', 'Backoff', 'Retry-After', 'Content-Length'],
+            'Alert', 'Backoff', 'Retry-After', 'Content-Length', 'Vary'],
             body=body, status=400)
 
     def test_present_on_unknown_url(self):
-        self.assert_expose_headers('PUT_JSON', '/unknown', [
-            'Alert', 'Backoff', 'Retry-After', 'Content-Length'], status=404)
+        self.assert_expose_headers('PUT_JSON', '/unknown',
+                                   ['Alert', 'Backoff', 'Retry-After',
+                                    'Content-Length', 'Vary'],
+                                   status=404)
 
 
 class CORSMaxAgeTest(BaseWebTest, unittest.TestCase):

diff --git a/cliquet/tests/test_views_hello.py b/cliquet/tests/test_views_hello.py
@@ -63,6 +63,11 @@ def test_if_user_authenticated_userid_is_provided(self):
         self.assertTrue(userid.startswith('basicauth:'),
                         '"%s" does not start with "basicauth:"' % userid)
 
+    def test_vary_header_is_present(self):
+        response = self.app.get('/', headers=self.headers)
+        self.assertIn('Vary', response.headers)
+        self.assertIn('Authorization', response.headers['Vary'])
+
     def test_return_http_api_version_when_set(self):
         with mock.patch.dict(
                 self.app.app.registry.settings,