[API] Add Cache-control: no-store to API responses

...instead of adding it to ad-hoc API requests.
2025-08-08 07:28:26 +00:00 · 2024-11-27 08:16:04 +05:30 · 2024-11-27 08:16:04 +05:30 · 3049c25db8
commit 3049c25db8
parent 4138b4da51
5 changed files with 26 additions and 8 deletions
--- a/mobile/lib/services/collections_service.dart
+++ b/mobile/lib/services/collections_service.dart
@ -1100,8 +1100,7 @@ class CollectionsService {
        data: {"passHash": passwordHash},
        options: Options(
          headers: {
-            "X-Auth-Access-Token": authToken,
-            "Cache-Control": "no-cache",
+            "X-Auth-Access-Token": authToken
          },
        ),
      );
--- a/mobile/lib/utils/diff_fetcher.dart
+++ b/mobile/lib/utils/diff_fetcher.dart
@ -30,7 +30,6 @@ class DiffFetcher {

      final headers = {
        "X-Auth-Access-Token": authToken,
-        "Cache-Control": "no-cache",
        if (authJWTToken != null) "X-Auth-Access-Token-JWT": authJWTToken,
      };

--- a/server/cmd/museum/main.go
+++ b/server/cmd/museum/main.go
@ -369,7 +369,8 @@ func main() {
 				return base.ServerReqID()
 			},
 		}),
-		middleware.Logger(urlSanitizer), cors(), gzip.Gzip(gzip.DefaultCompression), middleware.PanicRecover())
+		middleware.Logger(urlSanitizer), cors(), cacheHeaders(),
+		gzip.Gzip(gzip.DefaultCompression), middleware.PanicRecover())

 	publicAPI := server.Group("/")
 	publicAPI.Use(rateLimiter.GlobalRateLimiter(), rateLimiter.APIRateLimitMiddleware(urlSanitizer))
@ -982,6 +983,27 @@ func cors() gin.HandlerFunc {
 	}
 }

+func cacheHeaders() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// Add "Cache-Control: no-store" to HTTP GET API responses.
+		if c.Request.Method == http.MethodGet {
+			reqPath := urlSanitizer(c)
+			if strings.HasPrefix(reqPath, "/files/preview/") ||
+				strings.HasPrefix(reqPath, "/files/download/") ||
+				strings.HasPrefix(reqPath, "/public-collection/files/preview/") ||
+				strings.HasPrefix(reqPath, "/public-collection/files/download/") ||
+				strings.HasPrefix(reqPath, "/cast/files/preview/") ||
+				strings.HasPrefix(reqPath, "/cast/files/download/") {
+				// Exclude those that redirect to S3 for file downloads.
+			} else {
+				c.Writer.Header().Set("Cache-Control", "no-store")
+			}
+		}
+
+		c.Next()
+	}
+}
+
 var knownAPIs = make(map[string]bool)

 func urlSanitizer(c *gin.Context) string {
--- a/web/apps/cast/src/services/render.ts
+++ b/web/apps/cast/src/services/render.ts
@ -167,7 +167,6 @@ const getEncryptedCollectionFiles = async (
            await apiURL("/cast/diff"),
            { sinceTime },
            {
-                "Cache-Control": "no-cache",
                "X-Cast-Access-Token": castToken,
            },
        );
--- a/web/apps/photos/src/services/publicCollectionService.ts
+++ b/web/apps/photos/src/services/publicCollectionService.ts
@ -268,7 +268,6 @@ const getPublicFiles = async (
                    sinceTime: time,
                },
                {
-                    "Cache-Control": "no-cache",
                    "X-Auth-Access-Token": token,
                    ...(passwordToken && {
                        "X-Auth-Access-Token-JWT": passwordToken,
@ -320,7 +319,7 @@ export const getPublicCollection = async (
        const resp = await HTTPService.get(
            await apiURL("/public-collection/info"),
            null,
-            { "Cache-Control": "no-cache", "X-Auth-Access-Token": token },
+            { "X-Auth-Access-Token": token },
        );
        const fetchedCollection = resp.data.collection;
        const referralCode = resp.data.referralCode ?? "";
@ -372,7 +371,7 @@ export const verifyPublicCollectionPassword = async (
            await apiURL("/public-collection/verify-password"),
            { passHash: passwordHash },
            null,
-            { "Cache-Control": "no-cache", "X-Auth-Access-Token": token },
+            { "X-Auth-Access-Token": token },
        );
        const jwtToken = resp.data.jwtToken;
        return jwtToken;