
auth client adds Authorization headers to every request, disabling request caching #250

Open
eatyourgreens opened this issue Sep 28, 2024 · 2 comments

Comments

@eatyourgreens (Contributor)

eatyourgreens commented Sep 28, 2024

this._bearerToken = response.access_token;
apiClient.headers.Authorization = 'Bearer ' + this._bearerToken;

The auth client automatically injects an Authorization header into every request here. That's convenient for developers, who don't need to remember to add auth headers by hand.

However, responses to auth'ed requests can't be cached by shared caches or browsers (to protect end user privacy) and are sent with max-age=0. This means that large public resources, like classification workflows, can't be cached and must be requested on every use, even though they don't require auth headers and could be served via a CDN.

@eatyourgreens (Contributor, Author)

eatyourgreens commented Sep 28, 2024

I think the API client gets around this by maintaining its own internal resource cache, but that is also broken.

  • the internal cache has no resource invalidation, so developers have to employ workarounds in order to refresh stale resources. PFE is full of these hacks.
  • resources aren’t cached by CDNs, so caching isn’t shared across individual clients, for public resources like large workflows.
  • see also #207 (User sessions are cached in memory forever) for the problem of cached user sessions (which should not be cached by CDNs but are cached by the client, even after you log out.)

eatyourgreens changed the title from "API responses can't be cached by browsers or shared caches" to "auth client adds Authorization headers to every request, disabling browser caching" on Oct 26, 2024
eatyourgreens changed the title from "auth client adds Authorization headers to every request, disabling browser caching" to "auth client adds Authorization headers to every request, disabling request caching" on Oct 26, 2024
@eatyourgreens (Contributor, Author)

I think I was wrong about browsers not caching auth'ed resources. It's not explicitly prohibited (but shared caches cannot cache responses when an Authorization header is present.)

https://greenbytes.de/tech/webdav/rfc7234.html#caching.authenticated.responses
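The two points raised in this thread (the auth client injecting Authorization into every request, and the RFC 7234 section 3.2 rule that a shared cache must not store a response to such a request unless the response explicitly allows it) are modelled in the following added example. It is not code from the issue or from the panoptes-javascript-client project. The header values, the response scenarios, the `Accept` media type and the `authRequired` option are constructed assumptions for illustration; the cache rules themselves follow RFC 7234 sections 3.2 and 4.2.1.

```javascript
// Added example, not code from the issue or from the panoptes-javascript-client project.
// Models how an Authorization header on a request interacts with the shared-cache rule in
// RFC 7234 section 3.2, and shows an opt-in way to attach the bearer token only to requests
// that need it. Header values, scenarios and the `authRequired` option are assumptions.

function lowerKeys(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = v;
  return out;
}

// Parse a Cache-Control value into a Map of directive -> value (true for bare directives).
function parseCacheControl(value) {
  const directives = new Map();
  if (!value) return directives;
  for (const part of value.split(',')) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (!name) continue;
    const val = eq === -1 ? true : part.slice(eq + 1).trim().replace(/^"|"$/g, '');
    directives.set(name, val);
  }
  return directives;
}

// The decision a shared cache (CDN, proxy) makes about storing a response.
// Returns { store, reason } so a caller can log why a resource was not cached.
function sharedCacheDecision(requestHeaders, responseHeaders) {
  const req = lowerKeys(requestHeaders);
  const cc = parseCacheControl(lowerKeys(responseHeaders)['cache-control']);
  if (cc.has('no-store')) return { store: false, reason: 'no-store' };
  if (cc.has('private')) return { store: false, reason: 'private' };
  if ('authorization' in req) {
    // RFC 7234 section 3.2: only these directives override the Authorization rule.
    const allowed = ['must-revalidate', 'public', 's-maxage'].some((d) => cc.has(d));
    if (!allowed) {
      return { store: false, reason: 'Authorization without public, s-maxage or must-revalidate' };
    }
  }
  return { store: true, reason: 'storable' };
}

// Freshness lifetime in seconds as a shared cache computes it (s-maxage wins over max-age).
// 0 means the stored copy is stale immediately and must be revalidated on every use.
function sharedFreshnessLifetime(responseHeaders) {
  const cc = parseCacheControl(lowerKeys(responseHeaders)['cache-control']);
  for (const d of ['s-maxage', 'max-age']) {
    if (cc.has(d)) {
      const n = Number.parseInt(cc.get(d), 10);
      return Number.isNaN(n) ? 0 : n;
    }
  }
  return 0;
}

// Opt-in alternative to setting apiClient.headers.Authorization for every request:
// the token is attached only when a request declares that it needs auth.
function buildRequestHeaders(bearerToken, { authRequired = false } = {}) {
  const headers = { Accept: 'application/json' }; // assumed media type for the example
  if (authRequired) {
    if (!bearerToken) throw new Error('authenticated request without a token');
    headers.Authorization = `Bearer ${bearerToken}`;
  }
  return headers;
}

// Constructed scenarios (not real API responses): one public workflow fetched three ways.
const TOKEN = 'constructed-token';
const publicWorkflowResponse = { 'Cache-Control': 'public, max-age=3600' };
const authedResponse = { 'Cache-Control': 'max-age=0' }; // what the issue reports for auth'ed requests

const scenarios = {
  // Header injected on every request (current behaviour): a CDN may not store the response.
  everyRequestAuthed: sharedCacheDecision({ Authorization: `Bearer ${TOKEN}` }, authedResponse),
  // Public resource requested without a token: stored by the CDN and fresh for an hour.
  publicWithoutAuth: sharedCacheDecision(
    buildRequestHeaders(TOKEN, { authRequired: false }), publicWorkflowResponse),
  // Authorization present, but the origin explicitly opts the response into shared caching.
  authedButExplicitlyPublic: sharedCacheDecision(
    buildRequestHeaders(TOKEN, { authRequired: true }), { 'Cache-Control': 'public, s-maxage=600' }),
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, d] of Object.entries(scenarios)) console.log(name, d);
  console.log('public lifetime (s):', sharedFreshnessLifetime(publicWorkflowResponse));
  console.log('authed lifetime (s):', sharedFreshnessLifetime(authedResponse));
}
```

Run with `node` to see each scenario's decision. The point for the client is the middle scenario: the same workflow resource becomes CDN-cacheable simply by not sending Authorization on requests that do not need it, while the third scenario shows the server-side escape hatch (`public` or `s-maxage`) if the header must stay. Browsers, as the last comment notes, are private caches and are not bound by the section 3.2 rule, so `sharedCacheDecision` deliberately models only shared caches.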
