Browser should clear cache for API responses

By default we send "private, must-revalidate, max-age=0" for regular
logged-in wiki viewing.  This changes API responses to match.

Later, someone should update the Cache-Control header generation so
that it works the same for API responses as it does for OutputPage.
This is becoming more important since we're using the API instead of
OutputPage for editing with VisualEditor.

Bug: T74480
Change-Id: Ib309df8568de2c7137b6d13b9ca4004150a772dd

diff --git a/includes/api/ApiMain.php b/includes/api/ApiMain.php
index d5cd475..9dc2411 100644 (file)
--- a/includes/api/ApiMain.php
+++ b/includes/api/ApiMain.php
@@ -658,8 +658,24 @@ class ApiMain extends ApiBase {
                        $out->addVaryHeader( 'X-Forwarded-Proto' );
                }
 
+               // The logic should be:
+               // $this->mCacheControl['max-age'] is set?
+               //    Use it, the module knows better than our guess.
+               // !$this->mModule || $this->mModule->isWriteMode(), and mCacheMode is private?
+               //    Use 0 because we can guess caching is probably the wrong thing to do.
+               // Use $this->getParameter( 'maxage' ), which already defaults to 0.
+               $maxage = 0;
+               if ( isset( $this->mCacheControl['max-age'] ) ) {
+                       $maxage = $this->mCacheControl['max-age'];
+               } elseif ( ( $this->mModule && !$this->mModule->isWriteMode() ) ||
+                       $this->mCacheMode !== 'private'
+               ) {
+                       $maxage = $this->getParameter( 'maxage' );
+               }
+               $privateCache = 'private, must-revalidate, max-age=' . $maxage;
+
                if ( $this->mCacheMode == 'private' ) {
-                       $response->header( 'Cache-Control: private' );
+                       $response->header( "Cache-Control: $privateCache" );
                        return;
                }
 
@@ -671,14 +687,14 @@ class ApiMain extends ApiBase {
                                $response->header( $out->getXVO() );
                                if ( $out->haveCacheVaryCookies() ) {
                                        // Logged in, mark this request private
-                                       $response->header( 'Cache-Control: private' );
+                                       $response->header( "Cache-Control: $privateCache" );
                                        return;
                                }
                                // Logged out, send normal public headers below
                        } elseif ( session_id() != '' ) {
                                // Logged in or otherwise has session (e.g. anonymous users who have edited)
                                // Mark request private
-                               $response->header( 'Cache-Control: private' );
+                               $response->header( "Cache-Control: $privateCache" );
 
                                return;
                        } // else no XVO and anonymous, send public headers below
@@ -702,7 +718,7 @@ class ApiMain extends ApiBase {
                        // Public cache not requested
                        // Sending a Vary header in this case is harmless, and protects us
                        // against conditional calls of setCacheMaxAge().
-                       $response->header( 'Cache-Control: private' );
+                       $response->header( "Cache-Control: $privateCache" );
 
                        return;
                }