fix: prevent browser from caching API responses

Without explicit Cache-Control headers, browsers may heuristically cache
API JSON responses. This causes stale data to be served on normal page
refresh (F5) — for example, projects newly shared with a team not
appearing until the user performs a hard refresh (Ctrl+Shift+R).

Add Cache-Control: no-store to all API responses via middleware and
configure the service worker's NetworkOnly strategy to explicitly bypass
the browser HTTP cache for API requests.

Ref: https://community.vikunja.io/t/team-members-cannot-see-project/1876
kolaente 2026-02-24 10:37:08 +01:00
parent 19ccc3cb8e
commit a13ecbd3cc
No known key found for this signature in database
GPG Key ID: F40E70337AB24C9B
2 changed files with 17 additions and 2 deletions


@ -20,10 +20,14 @@ workbox.routing.registerRoute(
new workbox.strategies.StaleWhileRevalidate(),
)
// Always send api requests through the network
// Always send api requests through the network and bypass the browser's HTTP cache
workbox.routing.registerRoute(
new RegExp('api\\/v1\\/.*$'),
new workbox.strategies.NetworkOnly(),
new workbox.strategies.NetworkOnly({
fetchOptions: {
cache: 'no-store',
},
}),
)
// This code listens for the user's confirmation to update the app.
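Review bot: The `fetchOptions` added to `NetworkOnly` only takes effect for requests this route actually matches, while the updated comment reads as if every API request is covered. Workbox's `registerRoute` handles GET only by default, and a RegExp route matches a cross-origin URL only when the pattern matches from the start of the URL, so an API served from a different origin than the frontend would likely bypass this route. I would say so in the comment, for example `// Only same-origin GET requests match this route; the server-side Cache-Control: no-store header is the authoritative control.`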


@ -283,6 +283,17 @@ func collectRoutesForAPITokens(e *echo.Echo) {
func registerAPIRoutes(a *echo.Group) {
// Prevent browsers from caching API responses. Without an explicit
// Cache-Control header browsers may heuristically cache JSON responses
// which causes stale data (e.g. newly team-shared projects not appearing
// until a hard refresh).
a.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
return func(c *echo.Context) error {
c.Response().Header().Set("Cache-Control", "no-store")
return next(c)
}
})
// This is the group with no auth
// It is its own group to be able to rate limit this based on different heuristics
n := a.Group("")
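Review bot: The middleware sets `Cache-Control: no-store` before calling `next(c)`, so it is only a default that any handler in the group can overwrite, and the comment does not say whether that is intended. If this group also carries authenticated responses, `no-store` doubles as a confidentiality control, since it keeps those bodies out of the browser's disk cache and any intermediary cache. That is worth stating so a later change does not relax it for performance reasons. I would extend the comment with `// Set before next(c): handlers that serve deliberately cacheable content must override it explicitly.` and add a test asserting the header on both a successful and an error response. registerAPIRoutes continues past the end of the hunk.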