feat: improve cache handling

Author: aeneasr

session/handler.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"net/http"
 	"strconv"
+	"time"
 
 	"github.com/ory/x/pointerx"
 
@@ -181,7 +182,7 @@ func (h *Handler) whoami(w http.ResponseWriter, r *http.Request, ps httprouter.P
 	if err != nil {
 		// We cache errors where no session was found.
 		if noSess := new(ErrNoActiveSessionFound); errors.As(err, &noSess) && noSess.credentialsMissing {
-			w.Header().Set("X-Ory-Cache-Until", "180")
+			w.Header().Set("Ory-Session-Cache-For", fmt.Sprintf("%d", int64(time.Minute.Seconds())))
 		}
 
 		h.r.Audit().WithRequest(r).WithError(err).Info("No valid session cookie found.")
@@ -206,7 +207,7 @@ func (h *Handler) whoami(w http.ResponseWriter, r *http.Request, ps httprouter.P
 
 	// Set userId as the X-Kratos-Authenticated-Identity-Id header.
 	w.Header().Set("X-Kratos-Authenticated-Identity-Id", s.Identity.ID.String())
-	w.Header().Set("X-Ory-Cache-Until", fmt.Sprintf("%d", s.ExpiresAt.Unix()))
+	w.Header().Set("Ory-Session-Cache-For", fmt.Sprintf("%d", int64(s.ExpiresAt.Sub(time.Now()).Seconds())))
 
 	if err := h.r.SessionManager().RefreshCookie(r.Context(), w, r, s); err != nil {
 		h.r.Audit().WithRequest(r).WithError(err).Info("Could not re-issue cookie.")

session/handler_test.go

@@ -150,7 +150,7 @@ func TestSessionWhoAmI(t *testing.T) {
 		res, err := client.Get(ts.URL + RouteWhoami)
 		require.NoError(t, err)
 		assertNoCSRFCookieInResponse(t, ts, client, res) // Test that no CSRF cookie is ever set here.
-		assert.NotEmpty(t, res.Header.Get("X-Ory-Session-Expires-At"))
+		assert.NotEmpty(t, res.Header.Get("Ory-Session-Cache-For"))
 
 		// Set cookie
 		reg.CSRFHandler().IgnorePath("/set")
@@ -175,7 +175,7 @@ func TestSessionWhoAmI(t *testing.T) {
 
 				assert.EqualValues(t, http.StatusOK, res.StatusCode)
 				assert.NotEmpty(t, res.Header.Get("X-Kratos-Authenticated-Identity-Id"))
-				assert.NotEmpty(t, res.Header.Get("X-Ory-Session-Expires-At"))
+				assert.NotEmpty(t, res.Header.Get("Ory-Session-Cache-For"))
 
 				assert.Empty(t, gjson.GetBytes(body, "identity.credentials"))
 				assert.Equal(t, "mp", gjson.GetBytes(body, "identity.metadata_public.public").String(), "%s", body)