Don't cache requests without a SID header (#1056)

Prevents unauthenticated requests becoming cached for all users. The Request-Token is not as random as we thought. It is calculated by `(CurrentRequestId + 1) & 0xFFFFFF | (UnixTime(DateTime.UtcNow) << 24)` which could mean that two clients making a series of unauthenticated requests at the same time could receive the same token, i.e. it is not actually pseudo- random as originally assumed.
SapiensAnatis · Aug 29, 2024 · 9edc0d1 · 9edc0d1
1 parent cebfe78
commit 9edc0d1
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/DragaliaAPI/DragaliaAPI/Infrastructure/OutputCaching/RepeatedRequestPolicy.cs b/DragaliaAPI/DragaliaAPI/Infrastructure/OutputCaching/RepeatedRequestPolicy.cs
@@ -76,6 +76,12 @@ private static bool GetShouldCache(OutputCacheContext context)
             return false;
         }
 
+        // We do not want to cache requests globally - make sure this request can be keyed to a particular user.
+        if (!request.Headers.ContainsKey(Headers.SessionId))
+        {
+            return false;
+        }
+
         return true;
     }
 }