🐛 bug: Respect Authorization when caching responses (#3905)

gaby · web-flow · commit c235f85741e2 · 2025-11-28T10:37:52.000+01:00
diff --git a/middleware/cache/cache.go b/middleware/cache/cache.go
@@ -124,6 +124,8 @@ func New(config ...Config) fiber.Handler {
 
 	// Return new handler
 	return func(c fiber.Ctx) error {
+		hasAuthorization := len(c.Request().Header.Peek(fiber.HeaderAuthorization)) > 0
+
 		// Refrain from caching
 		if hasRequestDirective(c, noStore) {
 			return c.Next()
@@ -178,6 +180,15 @@ func New(config ...Config) fiber.Handler {
 					storedBytes -= size
 				}
 			} else if e.exp != 0 && !hasRequestDirective(c, noCache) {
+				if hasAuthorization && !e.shareable {
+					if cfg.Storage != nil {
+						manager.release(e)
+					}
+					mux.Unlock()
+					c.Set(cfg.CacheHeader, cacheUnreachable)
+					return c.Next()
+				}
+
 				// Separate body value to avoid msgp serialization
 				// We can store raw bytes with Storage 👍
 				if cfg.Storage != nil {
@@ -232,8 +243,16 @@ func New(config ...Config) fiber.Handler {
 			return err
 		}
 
+		cacheControl := string(c.Response().Header.Peek(fiber.HeaderCacheControl))
+
 		// Respect server cache-control: no-store
-		if strings.Contains(utils.ToLower(string(c.Response().Header.Peek(fiber.HeaderCacheControl))), noStore) {
+		if strings.Contains(utils.ToLower(cacheControl), noStore) {
+			c.Set(cfg.CacheHeader, cacheUnreachable)
+			return nil
+		}
+
+		isSharedCacheAllowed := allowsSharedCache(cacheControl)
+		if hasAuthorization && !isSharedCacheAllowed {
 			c.Set(cfg.CacheHeader, cacheUnreachable)
 			return nil
 		}
@@ -288,6 +307,7 @@ func New(config ...Config) fiber.Handler {
 			c.Response().Header.Set(fiber.HeaderAge, "0")
 		}
 		e.age = ageVal
+		e.shareable = isSharedCacheAllowed
 
 		// Store all response headers
 		// (more: https://datatracker.ietf.org/doc/html/rfc2616#section-13.5.1)
@@ -415,3 +435,25 @@ func parseMaxAge(cc string) (time.Duration, bool) {
 	}
 	return 0, false
 }
+
+func allowsSharedCache(cc string) bool {
+	shareable := false
+
+	for part := range strings.SplitSeq(cc, ",") {
+		part = strings.TrimSpace(utils.ToLower(part))
+		switch {
+		case part == "":
+			continue
+		case part == "private":
+			return false
+		case part == "public":
+			shareable = true
+		case strings.HasPrefix(part, "s-maxage="):
+			shareable = true
+		default:
+			continue
+		}
+	}
+
+	return shareable
+}
diff --git a/middleware/cache/cache_test.go b/middleware/cache/cache_test.go
@@ -13,6 +13,7 @@ import (
 	"net/http/httptest"
 	"os"
 	"strconv"
+	"strings"
 	"testing"
 	"time"
 
@@ -1599,6 +1600,145 @@ func Test_ParseMaxAge(t *testing.T) {
 	}
 }
 
+func Test_AllowsSharedCache(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		directives string
+		expect     bool
+	}{
+		{"public", true},
+		{"private", false},
+		{"s-maxage=60", true},
+		{"public, max-age=60", true},
+		{"public, must-revalidate", true},
+		{"max-age=60", false},
+		{"no-cache", false},
+		{"no-cache, s-maxage=60", true},
+		{"", false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.directives, func(t *testing.T) {
+			t.Parallel()
+
+			got := allowsSharedCache(tt.directives)
+			require.Equal(t, tt.expect, got, "directives: %q", tt.directives)
+		})
+	}
+
+	t.Run("private overrules public", func(t *testing.T) {
+		t.Parallel()
+
+		got := allowsSharedCache(strings.ToUpper("private, public"))
+		require.False(t, got)
+	})
+}
+
+func TestCacheSkipsAuthorizationByDefault(t *testing.T) {
+	t.Parallel()
+
+	app := fiber.New()
+	app.Use(New())
+
+	var count int
+	app.Get("/", func(c fiber.Ctx) error {
+		count++
+		return c.SendString(strconv.Itoa(count))
+	})
+
+	req := httptest.NewRequest(fiber.MethodGet, "/", http.NoBody)
+	req.Header.Set(fiber.HeaderAuthorization, "Bearer token")
+
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, cacheUnreachable, resp.Header.Get("X-Cache"))
+	body, err := io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	require.Equal(t, "1", string(body))
+
+	req = httptest.NewRequest(fiber.MethodGet, "/", http.NoBody)
+	req.Header.Set(fiber.HeaderAuthorization, "Bearer token")
+
+	resp, err = app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, cacheUnreachable, resp.Header.Get("X-Cache"))
+	body, err = io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	require.Equal(t, "2", string(body))
+}
+
+func TestCacheBypassesExistingEntryForAuthorization(t *testing.T) {
+	t.Parallel()
+
+	app := fiber.New()
+	app.Use(New())
+
+	var count int
+	app.Get("/", func(c fiber.Ctx) error {
+		count++
+		return c.SendString(strconv.Itoa(count))
+	})
+
+	nonAuthReq := httptest.NewRequest(fiber.MethodGet, "/", http.NoBody)
+
+	resp, err := app.Test(nonAuthReq)
+	require.NoError(t, err)
+	require.Equal(t, cacheMiss, resp.Header.Get("X-Cache"))
+	body, err := io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	require.Equal(t, "1", string(body))
+
+	authReq := httptest.NewRequest(fiber.MethodGet, "/", http.NoBody)
+	authReq.Header.Set(fiber.HeaderAuthorization, "Bearer token")
+
+	resp, err = app.Test(authReq)
+	require.NoError(t, err)
+	require.Equal(t, cacheUnreachable, resp.Header.Get("X-Cache"))
+	body, err = io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	require.Equal(t, "2", string(body))
+
+	resp, err = app.Test(nonAuthReq)
+	require.NoError(t, err)
+	require.Equal(t, cacheHit, resp.Header.Get("X-Cache"))
+	body, err = io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	require.Equal(t, "1", string(body))
+}
+
+func TestCacheAllowsSharedCacheWithAuthorization(t *testing.T) {
+	t.Parallel()
+
+	app := fiber.New()
+	app.Use(New(Config{Expiration: 10 * time.Second}))
+
+	var count int
+	app.Get("/", func(c fiber.Ctx) error {
+		count++
+		c.Set(fiber.HeaderCacheControl, "public, max-age=60")
+		return c.SendString("ok")
+	})
+
+	req := httptest.NewRequest(fiber.MethodGet, "/", http.NoBody)
+	req.Header.Set(fiber.HeaderAuthorization, "Bearer token")
+
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, cacheMiss, resp.Header.Get("X-Cache"))
+
+	req = httptest.NewRequest(fiber.MethodGet, "/", http.NoBody)
+	req.Header.Set(fiber.HeaderAuthorization, "Bearer token")
+
+	resp, err = app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, cacheHit, resp.Header.Get("X-Cache"))
+	body, err := io.ReadAll(resp.Body)
+	require.NoError(t, err)
+	require.Equal(t, "ok", string(body))
+	require.Equal(t, 1, count)
+}
+
 // go test -v -run=^$ -bench=Benchmark_Cache -benchmem -count=4
 func Benchmark_Cache(b *testing.B) {
 	app := fiber.New()
diff --git a/middleware/cache/manager.go b/middleware/cache/manager.go
@@ -23,6 +23,7 @@ type item struct {
 	age       uint64
 	exp       uint64
 	ttl       uint64
+	shareable bool
 	// used for finding the item in an indexed heap
 	heapidx int
 }
@@ -77,6 +78,7 @@ func (m *manager) release(e *item) {
 	e.exp = 0
 	e.ttl = 0
 	e.headers = nil
+	e.shareable = false
 	m.pool.Put(e)
 }
 
diff --git a/middleware/cache/manager_msgp.go b/middleware/cache/manager_msgp.go

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ type item struct {`
`23`	`23`	`age uint64`
`24`	`24`	`exp uint64`
`25`	`25`	`ttl uint64`
	`26`	`+ shareable bool`
`26`	`27`	`// used for finding the item in an indexed heap`
`27`	`28`	`heapidx int`
`28`	`29`	`}`
`@@ -77,6 +78,7 @@ func (m manager) release(e item) {`
`77`	`78`	`e.exp = 0`
`78`	`79`	`e.ttl = 0`
`79`	`80`	`e.headers = nil`
	`81`	`+ e.shareable = false`
`80`	`82`	`m.pool.Put(e)`
`81`	`83`	`}`
`82`	`84`