cache_spec.rb 20 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685
  1. # frozen_string_literal: true
  2. require 'rails_helper'
  3. module TestEndpoints
  4. # Endpoints that do not include authorization-dependent results
  5. # and should be cacheable no matter what.
  6. ALWAYS_CACHED = %w(
  7. /.well-known/host-meta
  8. /.well-known/nodeinfo
  9. /nodeinfo/2.0
  10. /manifest
  11. /custom.css
  12. /actor
  13. /api/v1/instance/extended_description
  14. /api/v1/instance/rules
  15. /api/v1/instance/peers
  16. /api/v1/instance
  17. /api/v2/instance
  18. ).freeze
  19. # Endpoints that should be cachable when accessed anonymously but have a Vary
  20. # on Cookie to prevent logged-in users from getting values from logged-out cache.
  21. COOKIE_DEPENDENT_CACHABLE = %w(
  22. /
  23. /explore
  24. /public
  25. /about
  26. /privacy-policy
  27. /directory
  28. /@alice
  29. /@alice/110224538612341312
  30. ).freeze
  31. # Endpoints that should be cachable when accessed anonymously but have a Vary
  32. # on Authorization to prevent logged-in users from getting values from logged-out cache.
  33. AUTHORIZATION_DEPENDENT_CACHABLE = %w(
  34. /api/v1/accounts/lookup?acct=alice
  35. /api/v1/statuses/110224538612341312
  36. /api/v1/statuses/110224538612341312/context
  37. /api/v1/polls/12345
  38. /api/v1/trends/statuses
  39. /api/v1/directory
  40. ).freeze
  41. # Private status that should only be returned with to a valid signature from
  42. # a specific user.
  43. # Should never be cached.
  44. REQUIRE_SIGNATURE = %w(
  45. /users/alice/statuses/110224538643211312
  46. ).freeze
  47. # Pages only available to logged-in users.
  48. # Should never be cached.
  49. REQUIRE_LOGIN = %w(
  50. /settings/preferences/appearance
  51. /settings/profile
  52. /settings/featured_tags
  53. /settings/export
  54. /relationships
  55. /filters
  56. /statuses_cleanup
  57. /auth/edit
  58. /oauth/authorized_applications
  59. /admin/dashboard
  60. ).freeze
  61. # API endpoints only available to logged-in users.
  62. # Should never be cached.
  63. REQUIRE_TOKEN = %w(
  64. /api/v1/announcements
  65. /api/v1/timelines/home
  66. /api/v1/notifications
  67. /api/v1/bookmarks
  68. /api/v1/favourites
  69. /api/v1/follow_requests
  70. /api/v1/conversations
  71. /api/v1/statuses/110224538643211312
  72. /api/v1/statuses/110224538643211312/context
  73. /api/v1/lists
  74. /api/v2/filters
  75. ).freeze
  76. # Pages that are only shown to logged-out users, and should never get cached
  77. # because of CSRF protection.
  78. REQUIRE_LOGGED_OUT = %w(
  79. /invite/abcdef
  80. /auth/sign_in
  81. /auth/sign_up
  82. /auth/password/new
  83. /auth/confirmation/new
  84. ).freeze
  85. # Non-exhaustive list of endpoints that feature language-dependent results
  86. # and thus need to have a Vary on Accept-Language
  87. LANGUAGE_DEPENDENT = %w(
  88. /
  89. /explore
  90. /about
  91. /api/v1/trends/statuses
  92. ).freeze
  93. module AuthorizedFetch
  94. # Endpoints that require a signature with AUTHORIZED_FETCH and LIMITED_FEDERATION_MODE
  95. # and thus should not be cached in those modes.
  96. REQUIRE_SIGNATURE = %w(
  97. /users/alice
  98. ).freeze
  99. end
  100. module DisabledAnonymousAPI
  101. # Endpoints that require a signature with DISALLOW_UNAUTHENTICATED_API_ACCESS
  102. # and thus should not be cached in this mode.
  103. REQUIRE_TOKEN = %w(
  104. /api/v1/custom_emojis
  105. ).freeze
  106. end
  107. end
  108. describe 'Caching behavior' do
  109. shared_examples 'cachable response' do
  110. it 'does not set cookies' do
  111. expect(response.cookies).to be_empty
  112. end
  113. it 'sets public cache control' do
  114. # expect(response.cache_control[:max_age]&.to_i).to be_positive
  115. expect(response.cache_control[:public]).to be_truthy
  116. expect(response.cache_control[:private]).to be_falsy
  117. expect(response.cache_control[:no_store]).to be_falsy
  118. expect(response.cache_control[:no_cache]).to be_falsy
  119. end
  120. end
  121. shared_examples 'non-cacheable response' do
  122. it 'sets private cache control' do
  123. expect(response.cache_control[:private]).to be_truthy
  124. expect(response.cache_control[:no_store]).to be_truthy
  125. end
  126. end
  127. shared_examples 'non-cacheable error' do
  128. it 'does not return HTTP success' do
  129. expect(response).to_not have_http_status(200)
  130. end
  131. it 'does not have cache headers' do
  132. expect(response.cache_control[:public]).to be_falsy
  133. end
  134. end
  135. shared_examples 'language-dependent' do
  136. it 'has a Vary on Accept-Language' do
  137. expect(response.headers['Vary']&.split(',')&.map { |x| x.strip.downcase }).to include('accept-language')
  138. end
  139. end
  140. # Enable CSRF protection like it is in production, as it can cause cookies
  141. # to be set and thus mess with cache.
  142. around do |example|
  143. old = ActionController::Base.allow_forgery_protection
  144. ActionController::Base.allow_forgery_protection = true
  145. example.run
  146. ActionController::Base.allow_forgery_protection = old
  147. end
  148. let(:alice) { Fabricate(:account, username: 'alice') }
  149. let(:user) { Fabricate(:user, role: UserRole.find_by(name: 'Moderator')) }
  150. before do
  151. # rubocop:disable Style/NumericLiterals
  152. status = Fabricate(:status, account: alice, id: 110224538612341312)
  153. Fabricate(:status, account: alice, id: 110224538643211312, visibility: :private)
  154. Fabricate(:invite, code: 'abcdef')
  155. Fabricate(:poll, status: status, account: alice, id: 12345)
  156. # rubocop:enable Style/NumericLiterals
  157. user.account.follow!(alice)
  158. end
  159. context 'when anonymously accessed' do
  160. TestEndpoints::ALWAYS_CACHED.each do |endpoint|
  161. describe endpoint do
  162. before { get endpoint }
  163. it_behaves_like 'cachable response'
  164. it_behaves_like 'language-dependent' if TestEndpoints::LANGUAGE_DEPENDENT.include?(endpoint)
  165. end
  166. end
  167. TestEndpoints::COOKIE_DEPENDENT_CACHABLE.each do |endpoint|
  168. describe endpoint do
  169. before { get endpoint }
  170. it_behaves_like 'cachable response'
  171. it 'has a Vary on Cookie' do
  172. expect(response.headers['Vary']&.split(',')&.map { |x| x.strip.downcase }).to include('cookie')
  173. end
  174. it_behaves_like 'language-dependent' if TestEndpoints::LANGUAGE_DEPENDENT.include?(endpoint)
  175. end
  176. end
  177. TestEndpoints::AUTHORIZATION_DEPENDENT_CACHABLE.each do |endpoint|
  178. describe endpoint do
  179. before { get endpoint }
  180. it_behaves_like 'cachable response'
  181. it 'has a Vary on Authorization' do
  182. expect(response.headers['Vary']&.split(',')&.map { |x| x.strip.downcase }).to include('authorization')
  183. end
  184. it_behaves_like 'language-dependent' if TestEndpoints::LANGUAGE_DEPENDENT.include?(endpoint)
  185. end
  186. end
  187. TestEndpoints::REQUIRE_LOGGED_OUT.each do |endpoint|
  188. describe endpoint do
  189. before { get endpoint }
  190. it_behaves_like 'non-cacheable response'
  191. end
  192. end
  193. (TestEndpoints::REQUIRE_SIGNATURE + TestEndpoints::REQUIRE_LOGIN + TestEndpoints::REQUIRE_TOKEN).each do |endpoint|
  194. describe endpoint do
  195. before { get endpoint }
  196. it_behaves_like 'non-cacheable error'
  197. end
  198. end
  199. describe '/api/v1/instance/domain_blocks' do
  200. around do |example|
  201. old_setting = Setting.show_domain_blocks
  202. Setting.show_domain_blocks = show_domain_blocks
  203. example.run
  204. Setting.show_domain_blocks = old_setting
  205. end
  206. before { get '/api/v1/instance/domain_blocks' }
  207. context 'when set to be publicly-available' do
  208. let(:show_domain_blocks) { 'all' }
  209. it_behaves_like 'cachable response'
  210. end
  211. context 'when allowed for local users only' do
  212. let(:show_domain_blocks) { 'users' }
  213. it_behaves_like 'non-cacheable error'
  214. end
  215. context 'when disabled' do
  216. let(:show_domain_blocks) { 'disabled' }
  217. it_behaves_like 'non-cacheable error'
  218. end
  219. end
  220. end
  221. context 'when logged in' do
  222. before do
  223. sign_in user, scope: :user
  224. # Unfortunately, devise's `sign_in` helper causes the `session` to be
  225. # loaded in the next request regardless of whether it's actually accessed
  226. # by the client code.
  227. #
  228. # So, we make an extra query to clear issue a session cookie instead.
  229. #
  230. # A less resource-intensive way to deal with that would be to generate the
  231. # session cookie manually, but this seems pretty involved.
  232. get '/'
  233. end
  234. TestEndpoints::ALWAYS_CACHED.each do |endpoint|
  235. describe endpoint do
  236. before { get endpoint }
  237. it_behaves_like 'cachable response'
  238. it_behaves_like 'language-dependent' if TestEndpoints::LANGUAGE_DEPENDENT.include?(endpoint)
  239. end
  240. end
  241. TestEndpoints::COOKIE_DEPENDENT_CACHABLE.each do |endpoint|
  242. describe endpoint do
  243. before { get endpoint }
  244. it_behaves_like 'non-cacheable response'
  245. it 'has a Vary on Cookie' do
  246. expect(response.headers['Vary']&.split(',')&.map { |x| x.strip.downcase }).to include('cookie')
  247. end
  248. end
  249. end
  250. TestEndpoints::REQUIRE_LOGIN.each do |endpoint|
  251. describe endpoint do
  252. before { get endpoint }
  253. it_behaves_like 'non-cacheable response'
  254. it 'returns HTTP success' do
  255. expect(response).to have_http_status(200)
  256. end
  257. end
  258. end
  259. TestEndpoints::REQUIRE_LOGGED_OUT.each do |endpoint|
  260. describe endpoint do
  261. before { get endpoint }
  262. it_behaves_like 'non-cacheable error'
  263. end
  264. end
  265. end
  266. context 'with an auth token' do
  267. let!(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') }
  268. TestEndpoints::ALWAYS_CACHED.each do |endpoint|
  269. describe endpoint do
  270. before do
  271. get endpoint, headers: { 'Authorization' => "Bearer #{token.token}" }
  272. end
  273. it_behaves_like 'cachable response'
  274. it_behaves_like 'language-dependent' if TestEndpoints::LANGUAGE_DEPENDENT.include?(endpoint)
  275. end
  276. end
  277. TestEndpoints::AUTHORIZATION_DEPENDENT_CACHABLE.each do |endpoint|
  278. describe endpoint do
  279. before do
  280. get endpoint, headers: { 'Authorization' => "Bearer #{token.token}" }
  281. end
  282. it_behaves_like 'non-cacheable response'
  283. it 'has a Vary on Authorization' do
  284. expect(response.headers['Vary']&.split(',')&.map { |x| x.strip.downcase }).to include('authorization')
  285. end
  286. end
  287. end
  288. (TestEndpoints::REQUIRE_LOGGED_OUT + TestEndpoints::REQUIRE_TOKEN).each do |endpoint|
  289. describe endpoint do
  290. before do
  291. get endpoint, headers: { 'Authorization' => "Bearer #{token.token}" }
  292. end
  293. it_behaves_like 'non-cacheable response'
  294. it 'returns HTTP success' do
  295. expect(response).to have_http_status(200)
  296. end
  297. end
  298. end
  299. describe '/api/v1/instance/domain_blocks' do
  300. around do |example|
  301. old_setting = Setting.show_domain_blocks
  302. Setting.show_domain_blocks = show_domain_blocks
  303. example.run
  304. Setting.show_domain_blocks = old_setting
  305. end
  306. before do
  307. get '/api/v1/instance/domain_blocks', headers: { 'Authorization' => "Bearer #{token.token}" }
  308. end
  309. context 'when set to be publicly-available' do
  310. let(:show_domain_blocks) { 'all' }
  311. it_behaves_like 'cachable response'
  312. end
  313. context 'when allowed for local users only' do
  314. let(:show_domain_blocks) { 'users' }
  315. it_behaves_like 'non-cacheable response'
  316. it 'returns HTTP success' do
  317. expect(response).to have_http_status(200)
  318. end
  319. end
  320. context 'when disabled' do
  321. let(:show_domain_blocks) { 'disabled' }
  322. it_behaves_like 'non-cacheable error'
  323. end
  324. end
  325. end
  326. context 'with a Signature header' do
  327. let(:remote_actor) { Fabricate(:account, domain: 'example.org', uri: 'https://example.org/remote', protocol: :activitypub) }
  328. let(:dummy_signature) { 'dummy-signature' }
  329. before do
  330. remote_actor.follow!(alice)
  331. end
  332. describe '/actor' do
  333. before do
  334. get '/actor', sign_with: remote_actor, headers: { 'Accept' => 'application/activity+json' }
  335. end
  336. it_behaves_like 'cachable response'
  337. it 'returns HTTP success' do
  338. expect(response).to have_http_status(200)
  339. end
  340. end
  341. TestEndpoints::REQUIRE_SIGNATURE.each do |endpoint|
  342. describe endpoint do
  343. before do
  344. get endpoint, sign_with: remote_actor, headers: { 'Accept' => 'application/activity+json' }
  345. end
  346. it_behaves_like 'non-cacheable response'
  347. it 'returns HTTP success' do
  348. expect(response).to have_http_status(200)
  349. end
  350. end
  351. end
  352. end
  353. context 'when enabling AUTHORIZED_FETCH mode' do
  354. around do |example|
  355. ClimateControl.modify AUTHORIZED_FETCH: 'true' do
  356. example.run
  357. end
  358. end
  359. context 'when not providing a Signature' do
  360. describe '/actor' do
  361. before do
  362. get '/actor', headers: { 'Accept' => 'application/activity+json' }
  363. end
  364. it_behaves_like 'cachable response'
  365. it 'returns HTTP success' do
  366. expect(response).to have_http_status(200)
  367. end
  368. end
  369. (TestEndpoints::REQUIRE_SIGNATURE + TestEndpoints::AuthorizedFetch::REQUIRE_SIGNATURE).each do |endpoint|
  370. describe endpoint do
  371. before do
  372. get endpoint, headers: { 'Accept' => 'application/activity+json' }
  373. end
  374. it_behaves_like 'non-cacheable error'
  375. end
  376. end
  377. end
  378. context 'when providing a Signature' do
  379. let(:remote_actor) { Fabricate(:account, domain: 'example.org', uri: 'https://example.org/remote', protocol: :activitypub) }
  380. let(:dummy_signature) { 'dummy-signature' }
  381. before do
  382. remote_actor.follow!(alice)
  383. end
  384. describe '/actor' do
  385. before do
  386. get '/actor', sign_with: remote_actor, headers: { 'Accept' => 'application/activity+json' }
  387. end
  388. it_behaves_like 'cachable response'
  389. it 'returns HTTP success' do
  390. expect(response).to have_http_status(200)
  391. end
  392. end
  393. (TestEndpoints::REQUIRE_SIGNATURE + TestEndpoints::AuthorizedFetch::REQUIRE_SIGNATURE).each do |endpoint|
  394. describe endpoint do
  395. before do
  396. get endpoint, sign_with: remote_actor, headers: { 'Accept' => 'application/activity+json' }
  397. end
  398. it_behaves_like 'non-cacheable response'
  399. it 'returns HTTP success' do
  400. expect(response).to have_http_status(200)
  401. end
  402. end
  403. end
  404. end
  405. end
  406. context 'when enabling LIMITED_FEDERATION_MODE mode' do
  407. around do |example|
  408. ClimateControl.modify LIMITED_FEDERATION_MODE: 'true' do
  409. old_whitelist_mode = Rails.configuration.x.whitelist_mode
  410. Rails.configuration.x.whitelist_mode = true
  411. example.run
  412. Rails.configuration.x.whitelist_mode = old_whitelist_mode
  413. end
  414. end
  415. context 'when not providing a Signature' do
  416. describe '/actor' do
  417. before do
  418. get '/actor', headers: { 'Accept' => 'application/activity+json' }
  419. end
  420. it_behaves_like 'cachable response'
  421. it 'returns HTTP success' do
  422. expect(response).to have_http_status(200)
  423. end
  424. end
  425. (TestEndpoints::REQUIRE_SIGNATURE + TestEndpoints::AuthorizedFetch::REQUIRE_SIGNATURE).each do |endpoint|
  426. describe endpoint do
  427. before do
  428. get endpoint, headers: { 'Accept' => 'application/activity+json' }
  429. end
  430. it_behaves_like 'non-cacheable error'
  431. end
  432. end
  433. end
  434. context 'when providing a Signature from an allowed domain' do
  435. let(:remote_actor) { Fabricate(:account, domain: 'example.org', uri: 'https://example.org/remote', protocol: :activitypub) }
  436. let(:dummy_signature) { 'dummy-signature' }
  437. before do
  438. DomainAllow.create!(domain: remote_actor.domain)
  439. remote_actor.follow!(alice)
  440. end
  441. describe '/actor' do
  442. before do
  443. get '/actor', sign_with: remote_actor, headers: { 'Accept' => 'application/activity+json' }
  444. end
  445. it_behaves_like 'cachable response'
  446. it 'returns HTTP success' do
  447. expect(response).to have_http_status(200)
  448. end
  449. end
  450. (TestEndpoints::REQUIRE_SIGNATURE + TestEndpoints::AuthorizedFetch::REQUIRE_SIGNATURE).each do |endpoint|
  451. describe endpoint do
  452. before do
  453. get endpoint, sign_with: remote_actor, headers: { 'Accept' => 'application/activity+json' }
  454. end
  455. it_behaves_like 'non-cacheable response'
  456. it 'returns HTTP success' do
  457. expect(response).to have_http_status(200)
  458. end
  459. end
  460. end
  461. end
  462. context 'when providing a Signature from a non-allowed domain' do
  463. let(:remote_actor) { Fabricate(:account, domain: 'example.org', uri: 'https://example.org/remote', protocol: :activitypub) }
  464. let(:dummy_signature) { 'dummy-signature' }
  465. describe '/actor' do
  466. before do
  467. get '/actor', sign_with: remote_actor, headers: { 'Accept' => 'application/activity+json' }
  468. end
  469. it_behaves_like 'cachable response'
  470. it 'returns HTTP success' do
  471. expect(response).to have_http_status(200)
  472. end
  473. end
  474. (TestEndpoints::REQUIRE_SIGNATURE + TestEndpoints::AuthorizedFetch::REQUIRE_SIGNATURE).each do |endpoint|
  475. describe endpoint do
  476. before do
  477. get endpoint, sign_with: remote_actor, headers: { 'Accept' => 'application/activity+json' }
  478. end
  479. it_behaves_like 'non-cacheable error'
  480. end
  481. end
  482. end
  483. end
  484. context 'when enabling DISALLOW_UNAUTHENTICATED_API_ACCESS' do
  485. around do |example|
  486. ClimateControl.modify DISALLOW_UNAUTHENTICATED_API_ACCESS: 'true' do
  487. example.run
  488. end
  489. end
  490. context 'when anonymously accessed' do
  491. TestEndpoints::ALWAYS_CACHED.each do |endpoint|
  492. describe endpoint do
  493. before { get endpoint }
  494. it_behaves_like 'cachable response'
  495. it_behaves_like 'language-dependent' if TestEndpoints::LANGUAGE_DEPENDENT.include?(endpoint)
  496. end
  497. end
  498. TestEndpoints::REQUIRE_LOGGED_OUT.each do |endpoint|
  499. describe endpoint do
  500. before { get endpoint }
  501. it_behaves_like 'non-cacheable response'
  502. end
  503. end
  504. (TestEndpoints::REQUIRE_TOKEN + TestEndpoints::AUTHORIZATION_DEPENDENT_CACHABLE + TestEndpoints::DisabledAnonymousAPI::REQUIRE_TOKEN).each do |endpoint|
  505. describe endpoint do
  506. before { get endpoint }
  507. it_behaves_like 'non-cacheable error'
  508. end
  509. end
  510. end
  511. context 'with an auth token' do
  512. let!(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id, scopes: 'read') }
  513. TestEndpoints::ALWAYS_CACHED.each do |endpoint|
  514. describe endpoint do
  515. before do
  516. get endpoint, headers: { 'Authorization' => "Bearer #{token.token}" }
  517. end
  518. it_behaves_like 'cachable response'
  519. it_behaves_like 'language-dependent' if TestEndpoints::LANGUAGE_DEPENDENT.include?(endpoint)
  520. end
  521. end
  522. TestEndpoints::AUTHORIZATION_DEPENDENT_CACHABLE.each do |endpoint|
  523. describe endpoint do
  524. before do
  525. get endpoint, headers: { 'Authorization' => "Bearer #{token.token}" }
  526. end
  527. it_behaves_like 'non-cacheable response'
  528. it 'has a Vary on Authorization' do
  529. expect(response.headers['Vary']&.split(',')&.map { |x| x.strip.downcase }).to include('authorization')
  530. end
  531. end
  532. end
  533. (TestEndpoints::REQUIRE_LOGGED_OUT + TestEndpoints::REQUIRE_TOKEN + TestEndpoints::DisabledAnonymousAPI::REQUIRE_TOKEN).each do |endpoint|
  534. describe endpoint do
  535. before do
  536. get endpoint, headers: { 'Authorization' => "Bearer #{token.token}" }
  537. end
  538. it_behaves_like 'non-cacheable response'
  539. it 'returns HTTP success' do
  540. expect(response).to have_http_status(200)
  541. end
  542. end
  543. end
  544. end
  545. end
  546. end