FIX: Ensure anon-cached values are never returned for API requests (#20021)

Under some situations, we would inadvertently return a public (unauthenticated) result to an authenticated API request. This commit adds the `Api-Key` header to our anonymous cache bypass logic.
2025-05-23 20:21:25 +08:00 · 2023-01-26 13:26:29 +00:00
parent e717529d80
commit 798b4bb604
2 changed files with 19 additions and 1 deletions
--- a/spec/lib/middleware/anonymous_cache_spec.rb
+++ b/spec/lib/middleware/anonymous_cache_spec.rb
@ -4,7 +4,7 @@ RSpec.describe Middleware::AnonymousCache do
  let(:middleware) { Middleware::AnonymousCache.new(lambda { |_| [200, {}, []] }) }

  def env(opts = {})
-    create_request_env(path: "http://test.com/path?bla=1").merge(opts)
+    create_request_env(path: opts.delete(:path) || "http://test.com/path?bla=1").merge(opts)
  end

  describe Middleware::AnonymousCache::Helper do
@ -38,6 +38,18 @@ RSpec.describe Middleware::AnonymousCache do
      it "is false for srv/status routes" do
        expect(new_helper("PATH_INFO" => "/srv/status").cacheable?).to eq(false)
      end
+
+      it "is false for API requests using header" do
+        expect(new_helper("HTTP_API_KEY" => "abcde").cacheable?).to eq(false)
+      end
+
+      it "is false for API requests using parameter" do
+        expect(new_helper(path: "/path?api_key=abc").cacheable?).to eq(false)
+      end
+
+      it "is false for User API requests using header" do
+        expect(new_helper("HTTP_USER_API_KEY" => "abcde").cacheable?).to eq(false)
+      end
    end

    describe "per theme cache" do
@ -322,6 +334,9 @@ RSpec.describe Middleware::AnonymousCache do
            "QUERY_STRING" => "api_key=#{api_key.key}&api_username=system",
          }
      expect(@status).to eq(200)
+
+      get "/latest", headers: { "HTTP_API_KEY" => api_key.key, "HTTP_API_USERNAME" => "system" }
+      expect(@status).to eq(200)
    end

    it "applies blocked_crawler_user_agents correctly" do