Problem/Motivation

Drupal caches requests served by the module. We should disable caching when the request has X-AUTH-TOKEN, otherwise, requests without a token might still return sensitive data because of the cache.

Steps to reproduce

  • Make a request with a token generated by the module
  • Remove the X-AUTH-TOKEN header and then do the request once again
  • Observe that Drupal returns data that shouldn't be returned without a token.

Comment | File | Size | Author
#2 | disable-pagecache-3179031-2.patch | 1.42 KB | alt.dev
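
One way to keep token-authenticated requests out of Drupal's page cache, shown as an added example that is not the attached patch or the module's own code: a page cache request policy that denies caching whenever the X-AUTH-TOKEN header is present. The module name `mymodule` and the class name are placeholders.

```php
<?php

// Added example, not the attached patch. "mymodule" is a placeholder for the
// module's machine name.
//
// File: src/PageCache/DisallowAuthTokenRequests.php
//
// Register the class in mymodule.services.yml so that Drupal adds it to the
// page cache request policy chain:
//
//   services:
//     mymodule.page_cache_request_policy.disallow_auth_token_requests:
//       class: Drupal\mymodule\PageCache\DisallowAuthTokenRequests
//       public: false
//       tags:
//         - { name: page_cache_request_policy }

namespace Drupal\mymodule\PageCache;

use Drupal\Core\PageCache\RequestPolicyInterface;
use Symfony\Component\HttpFoundation\Request;

/**
 * Keeps requests that carry an X-AUTH-TOKEN header out of the page cache.
 *
 * The page cache does not take this header into account, so a response built
 * for a token holder would otherwise be replayed to a later request for the
 * same URL that sends no token at all.
 */
class DisallowAuthTokenRequests implements RequestPolicyInterface {

  /**
   * {@inheritdoc}
   */
  public function check(Request $request) {
    // Header lookups are case-insensitive. Presence alone is enough to deny:
    // whether the token is valid is decided later by the authentication code.
    if ($request->headers->has('X-AUTH-TOKEN')) {
      return static::DENY;
    }
    // NULL means "no opinion": the other policies in the chain decide.
    return NULL;
  }

}
```

A denied request skips both the cache lookup and the cache write, so a response generated for a token is never stored. Entries cached before the policy was deployed stay in the cache until it is cleared.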

Comments

alt.local created an issue. See original summary.

alt.dev commented:
Status: Active » Needs review
File: new, 1.42 KB

Here is a patch that resolves this issue.

The patch was created in collaboration with @bohart, so it would be great if he gets credit as well.

marcinkazmierski made their first commit to this issue’s fork.

marcinkazmierski commented:

Status: Needs review » Fixed
marcinkazmierski commented:

Status: Fixed » Closed (fixed)