Fix Authorization header caching in PublicCacheStrategy according to HTTP Caching RFC 9111#200
Conversation
Co-authored-by: Kevinrob <4509277+Kevinrob@users.noreply.github.com>
|
@copilot You need to make changes to |
…PublicCacheStrategy per RFC 9111 Co-authored-by: Kevinrob <4509277+Kevinrob@users.noreply.github.com>
You're absolutely right! I've moved the Authorization header caching logic from PrivateCacheStrategy to PublicCacheStrategy. The RFC 9111 Section 3.5 restrictions apply to shared caches (PublicCacheStrategy), not private caches (PrivateCacheStrategy). Changes made in commit f4d4720:
Warning Firewall rules blocked me from connecting to one or more addressesI tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
There was a problem hiding this comment.
Pull Request Overview
This PR implements RFC 9111 Section 3.5 compliance for HTTP caching behavior regarding Authorization headers. The changes ensure that shared caches (PublicCacheStrategy) properly restrict caching of authenticated requests unless explicitly allowed by specific cache directives, while preserving normal caching behavior for private caches (PrivateCacheStrategy).
- Added Authorization header validation in PublicCacheStrategy that only allows caching when response contains
public,must-revalidate, ors-maxagedirectives - Created comprehensive test suite covering both public and private cache strategies with various Authorization header scenarios
- Maintained backward compatibility by preserving existing caching behavior for non-authenticated requests
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/Strategy/PublicCacheStrategy.php | Implements RFC 9111 Section 3.5 Authorization header caching restrictions for shared caches |
| tests/AuthorizationCacheTest.php | Comprehensive test coverage for Authorization header caching behavior across both cache strategies |
Problem
According to HTTP Caching RFC 9111 Section 3.5, shared caches should not cache requests containing
Authorizationheader unless specific cache directives explicitly allow it. The restriction applies to shared caches (PublicCacheStrategy), not private caches (PrivateCacheStrategy).The original implementation incorrectly applied this restriction to private caches, when it should only apply to shared caches.
Solution
Implemented RFC 9111 Section 3.5 compliance in
PublicCacheStrategy(shared cache) while preserving normal caching behavior inPrivateCacheStrategy(private cache):public,must-revalidate, ors-maxagedirectivesChanges
Test Coverage
✅ PublicCacheStrategy + Authorization + max-age only → NOT cached (RFC compliant)
✅ PublicCacheStrategy + Authorization + public/must-revalidate/s-maxage → Cached
✅ PrivateCacheStrategy + Authorization → Normal caching behavior (allowed)
✅ Edge cases: no-store precedence, case sensitivity, multiple directives
Backward Compatibility
All existing caching behavior is preserved. This correctly implements RFC 9111 shared cache rules without breaking changes.
💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.