[fix] Ensure private cache when something is returned from getSession…

… hook (#5640) * [fix] Ensure private cache when something is returned from getSession hook Fixes #4268 * simplify Co-authored-by: Simon Holthausen <[email protected]>
sveltejs · Jul 20, 2022 · 400f415 · 400f415
1 parent 286d756
commit 400f415
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 10 deletions.
diff --git a/.changeset/silly-otters-knock.md b/.changeset/silly-otters-knock.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+Ensure private cache when something is returned from getSession hook
diff --git a/packages/kit/src/runtime/server/page/render.js b/packages/kit/src/runtime/server/page/render.js
@@ -107,20 +107,15 @@ export async function render_response({
 		}
 
 		const session = writable($session);
+		// Even if $session isn't accessed, it still ends up serialized in the rendered HTML
+		is_private = is_private || (cache?.private ?? (!!$session && Object.keys($session).length > 0));
 
 		/** @type {Record<string, any>} */
 		const props = {
 			stores: {
 				page: writable(null),
 				navigating: writable(null),
-				/** @type {import('svelte/store').Writable<App.Session>} */
-				session: {
-					...session,
-					subscribe: (fn) => {
-						is_private = cache?.private ?? true;
-						return session.subscribe(fn);
-					}
-				},
+				session,
 				updated
 			},
 			/** @type {import('types').Page} */

diff --git a/packages/kit/test/apps/basics/src/app.d.ts b/packages/kit/test/apps/basics/src/app.d.ts
@@ -9,8 +9,8 @@ declare namespace App {
 	interface Platform {}
 
 	interface Session {
-		answer: number;
-		calls: number;
+		answer?: number;
+		calls?: number;
 	}
 
 	interface Stuff {

diff --git a/packages/kit/test/apps/basics/src/hooks.js b/packages/kit/test/apps/basics/src/hooks.js
@@ -4,6 +4,11 @@ import { sequence } from '../../../../src/hooks';
 
 /** @type {import('@sveltejs/kit').GetSession} */
 export function getSession(request) {
+	if (request.url.href.includes('caching') && !request.url.href.includes('session')) {
+		// necessary, else some caching tests fail
+		return {};
+	}
+
 	return {
 		answer: request.locals.answer,
 		calls: 0

diff --git a/packages/kit/test/apps/basics/src/routes/caching/private/has-session.svelte b/packages/kit/test/apps/basics/src/routes/caching/private/has-session.svelte
@@ -0,0 +1,15 @@
+<script context="module">
+	/** @type {import('@sveltejs/kit').Load} */
+	export async function load({ url }) {
+		return {
+			cache: {
+				maxage: 30,
+				private: url.searchParams.has('private')
+					? url.searchParams.get('private') === 'true'
+					: undefined
+			}
+		};
+	}
+</script>
+
+<h1>this page will be private even if $session is not used, but a session is return from hooks.js#getSession</h1>
diff --git a/packages/kit/test/apps/basics/test/server.test.js b/packages/kit/test/apps/basics/test/server.test.js
@@ -28,6 +28,13 @@ test.describe('Caching', () => {
 		expect(response.headers()['cache-control']).toBe('private, max-age=30');
 	});
 
+	test('sets cache-control: private even if page doesnt use session but one exists and cache.private is unset', async ({
+		request
+	}) => {
+		const response = await request.get('/caching/private/has-session');
+		expect(response.headers()['cache-control']).toBe('private, max-age=30');
+	});
+
 	test('sets cache-control: private if page uses fetch and cache.private is unset', async ({
 		request
 	}) => {
@@ -66,6 +73,13 @@ test.describe('Caching', () => {
 		expect(response.headers()['cache-control']).toBe('public, max-age=30');
 	});
 
+	test('sets cache-control: public if page has session and cache.private is false', async ({
+		request
+	}) => {
+		const response = await request.get('/caching/private/has-session?private=false');
+		expect(response.headers()['cache-control']).toBe('public, max-age=30');
+	});
+
 	test('sets cache-control: public if page uses fetch and cache.private is false', async ({
 		request
 	}) => {