Fix setting cache headers to no cache for me endpoint

Author: silverbackdan

features/user/me.feature

@@ -14,6 +14,7 @@ Feature: Add a /me endpoint
     And the JSON should be valid according to the schema file "user.schema.json"
     And the JSON node "@id" should be equal to the IRI of the resource "login_user"
     And the JSON node "_metadata.mercureSubscribeTopics[0]" should be equal to "http://example.com/_/component_groups/{id}{._format}"
+    And the header "cache-control" should be equal to "max-age=0, private"
 
   @loginUser
   Scenario: I can retrieve the current logged in user object
@@ -22,6 +23,7 @@ Feature: Add a /me endpoint
     And the JSON should be valid according to the schema file "user.schema.json"
     And the JSON node "@id" should be equal to the IRI of the resource "login_user"
     And the JSON node "_metadata.mercureSubscribeTopics[0]" should be equal to "http://example.com/_/component_groups/{id}{._format}"
+    And the header "cache-control" should be equal to "max-age=0, private"
 
   Scenario: I can retrieve the current logged in user object
     When I send a "GET" request to "/me"

src/ApiPlatform/Api/IriConverter.php

@@ -66,7 +66,7 @@ private function getUserGetOperation(?Operation $operation = null): Operation
     // We want relations when they are found, to use the IRI with the path
     public function getIriFromResource($resource, int $referenceType = UrlGeneratorInterface::ABS_PATH, ?Operation $operation = null, array $context = []): ?string
     {
-        if ('me' === $operation?->getName()) {
+        if ('_api_me' === $operation?->getName()) {
             $checkOperation = $this->getUserGetOperation($operation);
             $operation = $checkOperation;
             $context['operation'] = $checkOperation;

src/ApiPlatform/Metadata/Resource/UserResourceMetadataCollectionFactory.php

@@ -13,11 +13,8 @@
 
 namespace Silverback\ApiComponentsBundle\ApiPlatform\Metadata\Resource;
 
-use ApiPlatform\Metadata\ApiResource;
 use ApiPlatform\Metadata\Get;
-use ApiPlatform\Metadata\HttpOperation;
 use ApiPlatform\Metadata\Operation;
-use ApiPlatform\Metadata\Operations;
 use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
 use ApiPlatform\Metadata\Resource\ResourceMetadataCollection;
 use Silverback\ApiComponentsBundle\DataProvider\StateProvider\UserStateProvider;
@@ -28,58 +25,65 @@
  *
  * @author Daniel West <[email protected]>
  */
-class UserResourceMetadataCollectionFactory implements ResourceMetadataCollectionFactoryInterface
+readonly class UserResourceMetadataCollectionFactory implements ResourceMetadataCollectionFactoryInterface
 {
-    public function __construct(private readonly ResourceMetadataCollectionFactoryInterface $decorated)
+    public function __construct(private ResourceMetadataCollectionFactoryInterface $decorated)
     {
     }
 
     public function create(string $resourceClass): ResourceMetadataCollection
     {
-        $resourceMetadata = $this->decorated->create($resourceClass);
+        $resourceMetadataCollection = $this->decorated->create($resourceClass);
+
         if (!is_a($resourceClass, AbstractUser::class, true)) {
-            return $resourceMetadata;
+            return $resourceMetadataCollection;
         }
 
-        $input = [];
-        /** @var ApiResource $resourceMetadatum */
-        foreach ($resourceMetadata as $resourceMetadatum) {
-            $operations = $resourceMetadatum->getOperations();
-            if ($operations) {
-                $getOperation = $this->findGetOperation($operations);
-                if ($getOperation) {
-                    $newOperations = [
-                        $this->createMeOperation($getOperation),
-                    ];
-                    foreach ($newOperations as $newOperation) {
-                        $operations->add($newOperation->getName(), $newOperation);
-                    }
+        foreach ($resourceMetadataCollection as $i => $resource) {
+            $resource = $resource->withCacheHeaders([
+                'public' => false,
+                'shared_max_age' => 0,
+                'max_age' => 0,
+            ]);
+            $operations = $resource->getOperations();
+            foreach ($operations as $key => $operation) {
+                if ($operation instanceof Get) {
+                    $meOperation = $this->createMeOperation($operation);
+                    $operations->add(
+                        '_api_me',
+                        $meOperation
+                    );
                 }
+                $operations->add(
+                    $key,
+                    $operation->withCacheHeaders([
+                        'public' => false,
+                        'shared_max_age' => 0,
+                        'max_age' => 0,
+                    ])
+                );
             }
-            $input[] = $resourceMetadatum;
-        }
-
-        return new ResourceMetadataCollection($resourceClass, $input);
-    }
-
-    private function findGetOperation(Operations $operations): ?Get
-    {
-        foreach ($operations as $operation) {
-            if ($operation instanceof Get) {
-                return $operation;
-            }
+            $resourceMetadataCollection[$i] = $resource->withOperations($operations);
         }
 
-        return null;
+        return $resourceMetadataCollection;
     }
 
     private function createMeOperation(Get $operation): Operation
     {
-        return (new HttpOperation(HttpOperation::METHOD_GET, '/me{._format}'))
-            ->withName('me')
-            ->withShortName($operation->getShortName())
-            ->withClass($operation->getClass())
-            ->withSecurity('is_granted("IS_AUTHENTICATED_FULLY")')
-            ->withProvider(UserStateProvider::class);
+        return new Get(
+            uriTemplate: '/me{._format}',
+            routePrefix: $operation->getRoutePrefix(),
+            cacheHeaders: [
+                'public' => false,
+                'shared_max_age' => 0,
+                'max_age' => 0,
+            ],
+            shortName: '__api_me',
+            class: $operation->getClass(),
+            security: 'is_granted("IS_AUTHENTICATED_FULLY")',
+            name: '_api_me',
+            provider: UserStateProvider::class
+        );
     }
 }

src/EventListener/Api/UserEventListener.php

@@ -24,11 +24,11 @@
 /**
  * @author Daniel West <[email protected]>
  */
-class UserEventListener
+readonly class UserEventListener
 {
     public function __construct(
-        private readonly UserMailer $userMailer,
-        private readonly Security $security,
+        private UserMailer $userMailer,
+        private Security   $security,
     ) {
     }
 
@@ -42,7 +42,7 @@ public function onPreRead(RequestEvent $event): void
         if (
             empty($resourceClass)
             || !is_a($resourceClass, AbstractUser::class, true)
-            || 'me' !== $request->attributes->get('_api_operation_name')
+            || '_api_me' !== $request->attributes->get('_api_operation_name')
         ) {
             return;
         }
@@ -62,6 +62,20 @@ public function onPreRead(RequestEvent $event): void
         $request->attributes->set('id', $user->getUsername());
     }
 
+    public function onPostRead(RequestEvent $event): void
+    {
+        $request = $event->getRequest();
+        $class = $request->attributes->get('_api_resource_class');
+
+        if ($class === AbstractUser::class) {
+            $resources = [
+                '/me'
+            ];
+
+            $request->attributes->set('_resources', $request->attributes->get('_resources', []) + $resources);
+        }
+    }
+
     public function onPostWrite(ViewEvent $event): void
     {
         $request = $event->getRequest();

src/Resources/config/api_platform/form/resource.xml

@@ -11,7 +11,7 @@
             <operation class="ApiPlatform\Metadata\Put" />
             <operation class="ApiPlatform\Metadata\Patch" />
             <operation class="ApiPlatform\Metadata\Patch"
-                       name="submit_patch"
+                       name="_api_/forms/{id}/submit{._format}"
                        method="PATCH"
                        uriTemplate="/forms/{id}/submit{._format}"
                        read="true"
@@ -24,7 +24,7 @@
                 </requirements>
             </operation>
             <operation class="ApiPlatform\Metadata\Put"
-                       name="submit_post"
+                       name="_api_/forms/{id}/submit{._format}"
                        method="POST"
                        uriTemplate="/forms/{id}/submit{._format}"
                        read="true"

src/Resources/config/services.php

@@ -1160,7 +1160,8 @@
             ]
         )
         ->tag('kernel.event_listener', ['event' => ViewEvent::class, 'priority' => EventPriorities::POST_WRITE, 'method' => 'onPostWrite'])
-        ->tag('kernel.event_listener', ['event' => RequestEvent::class, 'priority' => EventPriorities::PRE_READ, 'method' => 'onPreRead']);
+        ->tag('kernel.event_listener', ['event' => RequestEvent::class, 'priority' => EventPriorities::PRE_READ, 'method' => 'onPreRead'])
+        ->tag('kernel.event_listener', ['event' => RequestEvent::class, 'priority' => EventPriorities::POST_READ, 'method' => 'onPostRead']);
 
     $services
         ->set(UserFactory::class)

src/Security/EventListener/AccessDeniedListener.php

@@ -33,7 +33,7 @@ public function onPostRespond(ResponseEvent $event): void
         $attributes = $this->getAttributes($request);
         if (
             !($operation = $attributes['operation'] ?? null)
-            || 'me' !== $operation->getName()
+            || '_api_me' !== $operation->getName()
             || !($response = $event->getResponse()) instanceof JWTAuthenticationFailureResponse) {
             return;
         }