sets cache private when cookies set. Closes hapijs#1241

jmonster · Jan 4, 2014 · e83ad60 · e83ad60
1 parent af87c76
commit e83ad60
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 8 deletions.
diff --git a/lib/response/headers.js b/lib/response/headers.js
@@ -23,7 +23,6 @@ exports.apply = function (request, next) {
         response._header('location', internals.location(response.settings.location, request));
     }
 
-    internals.cache(response, request);
     internals.cors(response, request);
     internals.content(response, request);
     internals.state(response, request, function (err) {
@@ -32,7 +31,8 @@ exports.apply = function (request, next) {
             return next(err);
         }
 
-        internals.auth(request, next);
+        internals.cache(response, request);
+        internals.auth(request, next);              // Must be last in case requires access to headers
     });
 };
 
@@ -59,7 +59,7 @@ internals.cache = function (response, request) {
     // Set header
 
     if (ttl) {
-        var privacy = (request.route.cache && request.route.cache.privacy) || 'default';
+        var privacy = (response.headers['set-cookie'] ? 'private' : (request.route.cache && request.route.cache.privacy) || 'default');
         response._header('cache-control', 'max-age=' + Math.floor(ttl / 1000) + ', must-revalidate' + (privacy !== 'default' ? ', ' + privacy : ''));
     }
     else if ((!response._payload.headers ||                 // Pass-through
@@ -144,8 +144,6 @@ internals.content = function (response, request) {
 
 internals.state = function (response, request, next) {
 
-    // Merge response cookies with request cookies (set while response wasn't ready)
-
     var names = {};
     var states = [];
 

diff --git a/test/integration/proxy.js b/test/integration/proxy.js
@@ -282,7 +282,7 @@ describe('Proxy', function () {
             expect(res.statusCode).to.equal(200);
             expect(res.payload).to.contain('John Doe');
             expect(res.headers['set-cookie']).to.deep.equal(['test=123', 'auto=xyz']);
-            expect(res.headers['cache-control']).to.equal('max-age=2, must-revalidate');
+            expect(res.headers['cache-control']).to.equal('max-age=2, must-revalidate, private');
 
             server.inject('/profile', function (res) {
 
@@ -605,7 +605,7 @@ describe('Proxy', function () {
         server.inject('/cachedItem', function (res) {
 
             expect(res.statusCode).to.equal(200);
-            expect(res.headers['cache-control']).to.equal('max-age=2, must-revalidate');
+            expect(res.headers['cache-control']).to.equal('max-age=2, must-revalidate, private');
             done();
         });
     });

diff --git a/test/integration/response.js b/test/integration/response.js
@@ -58,7 +58,7 @@ describe('Response', function () {
                 expect(res.statusCode).to.equal(200);
                 expect(res.result).to.exist;
                 expect(res.result).to.equal('text');
-                expect(res.headers['cache-control']).to.equal('max-age=1, must-revalidate');
+                expect(res.headers['cache-control']).to.equal('max-age=1, must-revalidate, private');
                 expect(res.headers['content-type']).to.equal('text/plain; something=something, charset=ISO-8859-1');
                 expect(res.headers['access-control-allow-origin']).to.equal('*');
                 expect(res.headers['access-control-allow-credentials']).to.not.exist;