Defining a custom max age on a request is not respected.
It's usually not a big deal except when it comes to custom access routes.

When I have an endpoint with GET and custom access (in my case it's a JWT Bearer Token), if the JWT is not valid, the endpoint is stuck in 403 cache.

I discovered that the method setResponseHeaders of RequestHandler class is responsible.
The X-TTL header is defined to a specific TTL no matter what is configured for the endpoint.

We should be able to respect the max-age defined.
However, it seems easier said than done.
I have an idea for how to fix this but I am a bit afraid of the side effects.

Comment | File | Size | Author
#3 | 3561176-3.patch | 776 bytes | arnaud-brugnon
#2 | 3561176.patch | 1.06 KB | shumer

Comments

arnaud-brugnon created an issue. See original summary.

shumer’s picture

Status: new, Size: 1.06 KB

Hello,

If you could try applying this patch and give feedback, that would be nice.

What Changed:
The setResponseHeaders() method now respects the Cache-Control max-age directive if it's already set in the response before applying the configured TTL.

How it works now:
1. The code extracts the TTL from the configured cache settings as before
2. It checks if the response already has a Cache-Control header with a max-age directive
3. If found, it extracts the max-age value and uses it for the X-TTL header instead

arnaud-brugnon’s picture

Status: new, Size: 776 bytes

I have to admit it's a bit ugly.
I thought about something easier.

shumer’s picture

Assigned: Unassigned » shumer
shumer’s picture

After computing TTL from config, check the response's Cache-Control header for two explicit directives:

  • no-store → set TTL to 0 (response must not be cached at all)
  • s-maxage=N → if N is less than the configured TTL, use N instead

We deliberately check s-maxage (shared cache directive) rather than max-age, because Drupal core sets max-age=0 on all dynamic cacheable responses by default - if we respected it, nothing would ever be cached by Varnish. The s-maxage directive, on the other hand, is explicitly set by application code specifically for shared caches like Varnish.

How to use: If your endpoint needs to prevent Varnish caching (e.g. error responses, JWT failures), set Cache-Control: no-store on the response. If you need a custom TTL shorter than the module default, use s-maxage:

<?php
$response->headers->set('Cache-Control', 'public, s-maxage=300');
?>
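
The TTL resolution described in the comment above, written out as an added sketch that is not part of the thread or the module's code. The function name `resolve_varnish_ttl()`, the 3600-second configured TTL and the sample headers are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not the module's setResponseHeaders()): returns the
 * value for X-TTL given the configured TTL and the Cache-Control header.
 */
function resolve_varnish_ttl(int $configuredTtl, ?string $cacheControl): int {
  $ttl = max(0, $configuredTtl);
  if ($cacheControl === null || trim($cacheControl) === '') {
    return $ttl;
  }
  $directives = [];
  foreach (explode(',', $cacheControl) as $part) {
    // Directive names are case-insensitive; values may be quoted.
    [$name, $value] = array_pad(explode('=', trim($part), 2), 2, null);
    $name = strtolower(trim($name));
    if ($name !== '') {
      $directives[$name] = $value === null ? true : trim($value, " \t\"");
    }
  }
  // no-store wins over everything: the response must not be cached at all.
  if (isset($directives['no-store'])) {
    return 0;
  }
  // s-maxage may only shorten the configured TTL, never extend it.
  $sMaxAge = $directives['s-maxage'] ?? null;
  if (is_string($sMaxAge) && preg_match('/^\d+\z/', $sMaxAge) === 1) {
    return min($ttl, (int) $sMaxAge);
  }
  // max-age is deliberately ignored, for the reason given in the comment above.
  return $ttl;
}

// Constructed sample responses; 3600 is an assumed configured TTL.
$samples = [
  '403, invalid JWT'     => 'no-store',
  'short-lived listing'  => 'public, s-maxage=300',
  'max-age only'         => 'max-age=0',
  'longer than config'   => 'public, S-MaxAge="86400"',
  'malformed s-maxage'   => 'public, s-maxage=abc',
];
foreach ($samples as $label => $header) {
  printf("%-22s %-26s X-TTL: %d\n", $label, $header, resolve_varnish_ttl(3600, $header));
}
```

In this sketch the rejected-token response gets X-TTL 0, so a 403 issued for one invalid JWT is never stored in the shared cache and replayed to later callers, while a malformed or oversized s-maxage falls back to the configured TTL instead of extending it.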

  • 46e04f46 committed on 4.x
    feat: #3561176 Custom max-age is not respected
    
shumer’s picture

Status: Active » Fixed

  • 56fc6295 committed on 4.x
    feat: #3561176 Custom max-age is not respected
    

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.