feat: add cache headers (#2817)

Author: aeneasr

session/handler.go

@@ -1,6 +1,7 @@
 package session
 
 import (
+	"fmt"
 	"net/http"
 	"strconv"
 
@@ -178,6 +179,11 @@ type toSession struct {
 func (h *Handler) whoami(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 	s, err := h.r.SessionManager().FetchFromRequest(r.Context(), r)
 	if err != nil {
+		// We cache errors where no session was found.
+		if noSess := new(ErrNoActiveSessionFound); errors.As(err, &noSess) && noSess.credentialsMissing {
+			w.Header().Set("X-Ory-Cache-Until", "180")
+		}
+
 		h.r.Audit().WithRequest(r).WithError(err).Info("No valid session cookie found.")
 		h.r.Writer().WriteError(w, r, herodot.ErrUnauthorized.WithWrap(err).WithReasonf("No valid session cookie found."))
 		return
@@ -200,6 +206,7 @@ func (h *Handler) whoami(w http.ResponseWriter, r *http.Request, ps httprouter.P
 
 	// Set userId as the X-Kratos-Authenticated-Identity-Id header.
 	w.Header().Set("X-Kratos-Authenticated-Identity-Id", s.Identity.ID.String())
+	w.Header().Set("X-Ory-Cache-Until", fmt.Sprintf("%d", s.ExpiresAt.Unix()))
 
 	if err := h.r.SessionManager().RefreshCookie(r.Context(), w, r, s); err != nil {
 		h.r.Audit().WithRequest(r).WithError(err).Info("Could not re-issue cookie.")

session/handler_test.go

@@ -150,6 +150,7 @@ func TestSessionWhoAmI(t *testing.T) {
 		res, err := client.Get(ts.URL + RouteWhoami)
 		require.NoError(t, err)
 		assertNoCSRFCookieInResponse(t, ts, client, res) // Test that no CSRF cookie is ever set here.
+		assert.NotEmpty(t, res.Header.Get("X-Ory-Session-Expires-At"))
 
 		// Set cookie
 		reg.CSRFHandler().IgnorePath("/set")
@@ -174,6 +175,7 @@ func TestSessionWhoAmI(t *testing.T) {
 
 				assert.EqualValues(t, http.StatusOK, res.StatusCode)
 				assert.NotEmpty(t, res.Header.Get("X-Kratos-Authenticated-Identity-Id"))
+				assert.NotEmpty(t, res.Header.Get("X-Ory-Session-Expires-At"))
 
 				assert.Empty(t, gjson.GetBytes(body, "identity.credentials"))
 				assert.Equal(t, "mp", gjson.GetBytes(body, "identity.metadata_public.public").String(), "%s", body)

session/manager.go

@@ -15,6 +15,9 @@ import (
 // ErrNoActiveSessionFound is returned when no active cookie session could be found in the request.
 type ErrNoActiveSessionFound struct {
 	*herodot.DefaultError `json:"error"`
+
+	// True when the request had no credentials in it.
+	credentialsMissing bool
 }
 
 // NewErrNoActiveSessionFound creates a new ErrNoActiveSessionFound
@@ -24,6 +27,13 @@ func NewErrNoActiveSessionFound() *ErrNoActiveSessionFound {
 	}
 }
 
+// NewErrNoCredentialsForSession creates a new NewErrNoCredentialsForSession
+func NewErrNoCredentialsForSession() *ErrNoActiveSessionFound {
+	e := NewErrNoActiveSessionFound()
+	e.credentialsMissing = true
+	return e
+}
+
 func (e *ErrNoActiveSessionFound) EnhanceJSONError() interface{} {
 	return e
 }

session/manager_http.go

@@ -185,7 +185,7 @@ func (s *ManagerHTTP) extractToken(r *http.Request) string {
 func (s *ManagerHTTP) FetchFromRequest(ctx context.Context, r *http.Request) (*Session, error) {
 	token := s.extractToken(r)
 	if token == "" {
-		return nil, errors.WithStack(NewErrNoActiveSessionFound())
+		return nil, errors.WithStack(NewErrNoCredentialsForSession())
 	}
 
 	se, err := s.r.SessionPersister().GetSessionByToken(ctx, token, ExpandEverything)