Support » Plugin: WP REST Cache » ‘private’ cache for rest endpoints with an Authorization header?

  • Resolved arifba

    (@arifba)


    Hi – great plugin, was trying to use litespeed cache for this but it was overly complicated and not actually working predictably, but this plugin works a charm.

    Question – we use memberpress to hide some post content and thus, 2 wp rest endpoints could return different data for 2 different users. The users authenticate via a Bearer Authorization token.

    Is there a way to scope the cached calls per user? Or do you see another way around this issue?

    Thanks.

    • This topic was modified 7 months ago by arifba.
Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Richard Korthuis

    (@rockfire)

    Hi @arifba

    Thank you for using our plugin!

    At this point we do not have any mechanism to distinguish between different users / roles. We do have plans to build an addon for support of authentication methods and distinguishing between the users / roles. This is however a long-term plan, so don’t expect it soon 🙁

    There is one way you could do this, but keep in mind this isn’t the cleanest method. You could cache the authentication header with the cache, so a different authentication header for the same endpoint will result in a separate cache record. This can be done in two ways:
    1. Go to Settings > WP REST Cache and add authorization to the Global cacheable request headers.
    2. Use the hook wp_rest_cache/cacheable_request_headers to specify per endpoint which request headers should be used:

    function wprc_add_cacheable_request_headers( $cacheable_headers ) {
        // add the authorization header for the pages endpoint
        $cacheable_headers['wp/v2/pages'] = 'authorization';
        return $cacheable_headers;
    }
    add_filter('wp_rest_cache/cacheable_request_headers', 'wprc_add_cacheable_request_headers', 10, 1);

    Please keep in mind that when you delete or reset an authentication token, the caches aren’t flushed automatically. So they can still request the cached data with the invalid authentication token. You would have to flush the specific cache records manually (or programmatically).

    Awesome Richard, thanks for the workaround options.

    Hi folks,

    Just looking at the same scenario @arifba asked about initially and the workaround @rockfire has suggested and actually I think this is a pretty good method. For me I’m happy to work through the possible request types and decide how each should be cached if at all.

    @rockfire are you able to give an example of how a cached item could be queried and removed? e.g. if I could hook into when a token has expired, is there a way I can query for and remove everything with that token in the cached header?

    Cheers,

    Plugin Author Richard Korthuis

    (@rockfire)

    Hi @dominic_ks

    Thank you for using our plugin!

    Unfortunately at this time we don’t have a function to query a cached item by its cached request headers. You could however do this yourself, all you need to know is that the cached request headers are stored json encoded in the column request_headers of the table wp_wrc_caches.

    Now if you only have the authorization header set to be cached and you use basic authorization you could have a query like this:
    SELECT cache_key FROM wp_wrc_caches WHERE request_headers = '{"Authorization":"Basic V1BfUkVTVF9DQUNIRV9URVNUOlRISVNfSVNfTk9UX1JFQUw="}'
    If you cache multiple request headers it would be something like this:
    SELECT cache_key FROM wp_wrc_caches WHERE request_headers LIKE '%"Authorization":"Basic V1BfUkVTVF9DQUNIRV9URVNUOlRISVNfSVNfTk9UX1JFQUw="%'
    Next you can loop through the cache keys you get from running this query and delete them one-by-one:
    \WP_Rest_Cache_Plugin\Includes\Caching\Caching::get_instance()->delete_cache('<cache_key>');
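
Added example, not part of the original replies and not the plugin's own code: the query-and-delete steps above wrapped into one function using WordPress's $wpdb, so records cached for a revoked token can be flushed. The function name, the `example_token_revoked` action, the `{$wpdb->prefix}wrc_caches` table name and the JSON shape of `request_headers` (taken from the sample row in the reply) are assumptions.

```php
<?php
/**
 * Added example (not part of WP REST Cache): delete every cache record that
 * was stored for one Authorization header value, e.g. a revoked token.
 *
 * Assumptions: the table is {$wpdb->prefix}wrc_caches, and request_headers
 * holds JSON shaped like the row quoted in the thread
 * ({"Authorization":"Basic ..."}), written with PHP's default JSON escaping.
 */
function example_flush_rest_cache_for_auth_header( $header_value ) {
    global $wpdb;

    if ( ! is_string( $header_value ) || '' === trim( $header_value ) ) {
        return 0; // Never build an unscoped pattern that could match every row.
    }

    // Encode the value as it sits inside the JSON column, quotes included, so
    // "Bearer abc" cannot match a longer token that merely starts with it.
    $needle = '"Authorization":' . wp_json_encode( $header_value );

    // esc_like() escapes %, _ and \ so token characters are not treated as
    // wildcards; prepare() then quotes the whole pattern.
    $pattern = '%' . $wpdb->esc_like( $needle ) . '%';
    $table   = $wpdb->prefix . 'wrc_caches';

    $cache_keys = $wpdb->get_col(
        $wpdb->prepare( "SELECT cache_key FROM {$table} WHERE request_headers LIKE %s", $pattern )
    );

    // Same call as in the reply above, once per matching record.
    $caching = \WP_Rest_Cache_Plugin\Includes\Caching\Caching::get_instance();
    foreach ( $cache_keys as $cache_key ) {
        $caching->delete_cache( $cache_key );
    }

    return count( $cache_keys ); // Number of cache records flushed.
}

// Hypothetical action name: fire it from wherever your site revokes or expires
// a token, passing the exact header value the client sent.
add_action( 'example_token_revoked', 'example_flush_rest_cache_for_auth_header', 10, 1 );
```

The header value passed in must be byte-for-byte what the client sent (scheme prefix included), since the match is against the stored string.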

    Hi @rockfire,

    Thanks very much for this, this looks like it will give me exactly what I need.

    Is this plugin on GitHub? I’ll inevitably be creating some wrapper function(s) for this so I’ll be happy to contribute them to the plugin if you are open to that.

    Cheers,

    Plugin Author Richard Korthuis

    (@rockfire)

    Hi @dominic_ks

    No, unfortunately the plugin is in a private bitbucket repository at this moment. We do have plans to make it publicly available, but we first have to tackle some issues (we use bitbucket pipelines for deployment which we don’t want public (yet)).

    Hi @rockfire,

    Just been working on this and have a good method for flushing caches when a JWT is found to be expired.

    I am however finding that when a request is cached with a header it is not flushed automatically when that post, or a post of that type for list queries, is saved.

    e.g. say I’m caching requests to /wp/v2/posts with the authorization header, if I save a post that cache is not flushed.

    Assume this isn’t something you’re expecting to be the case?

    Cheers,

    OK, just further on that, I think I’ve got a different issue so opening a new thread for that:
