[API] Add Cache-control: no-store to API responses

...instead of adding it to ad-hoc API requests.

mobile/lib/services/collections_service.dart

@@ -1100,8 +1100,7 @@ class CollectionsService {
         data: {"passHash": passwordHash},
         options: Options(
           headers: {
-            "X-Auth-Access-Token": authToken,
+            "X-Auth-Access-Token": authToken
-            "Cache-Control": "no-cache",
           },
         ),
       );

mobile/lib/utils/diff_fetcher.dart

@@ -30,7 +30,6 @@ class DiffFetcher {
 
       final headers = {
         "X-Auth-Access-Token": authToken,
-        "Cache-Control": "no-cache",
         if (authJWTToken != null) "X-Auth-Access-Token-JWT": authJWTToken,
       };
 

server/cmd/museum/main.go

@@ -369,7 +369,8 @@ func main() {
 				return base.ServerReqID()
 			},
 		}),
-		middleware.Logger(urlSanitizer), cors(), gzip.Gzip(gzip.DefaultCompression), middleware.PanicRecover())
+		middleware.Logger(urlSanitizer), cors(), cacheHeaders(),
+		gzip.Gzip(gzip.DefaultCompression), middleware.PanicRecover())
 
 	publicAPI := server.Group("/")
 	publicAPI.Use(rateLimiter.GlobalRateLimiter(), rateLimiter.APIRateLimitMiddleware(urlSanitizer))
@@ -982,6 +983,27 @@ func cors() gin.HandlerFunc {
 	}
 }
 
+func cacheHeaders() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// Add "Cache-Control: no-store" to HTTP GET API responses.
+		if c.Request.Method == http.MethodGet {
+			reqPath := urlSanitizer(c)
+			if strings.HasPrefix(reqPath, "/files/preview/") ||
+				strings.HasPrefix(reqPath, "/files/download/") ||
+				strings.HasPrefix(reqPath, "/public-collection/files/preview/") ||
+				strings.HasPrefix(reqPath, "/public-collection/files/download/") ||
+				strings.HasPrefix(reqPath, "/cast/files/preview/") ||
+				strings.HasPrefix(reqPath, "/cast/files/download/") {
+				// Exclude those that redirect to S3 for file downloads.
+			} else {
+				c.Writer.Header().Set("Cache-Control", "no-store")
+			}
+		}
+
+		c.Next()
+	}
+}
+
 var knownAPIs = make(map[string]bool)
 
 func urlSanitizer(c *gin.Context) string {

web/apps/cast/src/services/render.ts

@@ -167,7 +167,6 @@ const getEncryptedCollectionFiles = async (
             await apiURL("/cast/diff"),
             { sinceTime },
             {
-                "Cache-Control": "no-cache",
                 "X-Cast-Access-Token": castToken,
             },
         );

web/apps/photos/src/services/publicCollectionService.ts

@@ -268,7 +268,6 @@ const getPublicFiles = async (
                     sinceTime: time,
                 },
                 {
-                    "Cache-Control": "no-cache",
                     "X-Auth-Access-Token": token,
                     ...(passwordToken && {
                         "X-Auth-Access-Token-JWT": passwordToken,
@@ -320,7 +319,7 @@ export const getPublicCollection = async (
         const resp = await HTTPService.get(
             await apiURL("/public-collection/info"),
             null,
-            { "Cache-Control": "no-cache", "X-Auth-Access-Token": token },
+            { "X-Auth-Access-Token": token },
         );
         const fetchedCollection = resp.data.collection;
         const referralCode = resp.data.referralCode ?? "";
@@ -372,7 +371,7 @@ export const verifyPublicCollectionPassword = async (
             await apiURL("/public-collection/verify-password"),
             { passHash: passwordHash },
             null,
-            { "Cache-Control": "no-cache", "X-Auth-Access-Token": token },
+            { "X-Auth-Access-Token": token },
         );
         const jwtToken = resp.data.jwtToken;
         return jwtToken;