Merge pull request #1213 from thunderstore-io/cache-by-mixin

Replaced Cache-Control header definitions with generic Mixin

Author: Roffenlund

django/thunderstore/api/cyberstorm/views/community.py

@@ -1,11 +1,11 @@
 from rest_framework.generics import RetrieveAPIView
 
 from thunderstore.api.cyberstorm.serializers import CyberstormCommunitySerializer
-from thunderstore.api.utils import CyberstormAutoSchemaMixin
+from thunderstore.api.utils import CyberstormAutoSchemaMixin, PublicCacheMixin
 from thunderstore.community.models import Community
 
 
-class CommunityAPIView(CyberstormAutoSchemaMixin, RetrieveAPIView):
+class CommunityAPIView(PublicCacheMixin, CyberstormAutoSchemaMixin, RetrieveAPIView):
     lookup_url_kwarg = "community_id"
     lookup_field = "identifier"
     permission_classes = []
@@ -16,5 +16,4 @@ class CommunityAPIView(CyberstormAutoSchemaMixin, RetrieveAPIView):
 
     def get(self, *args, **kwargs):
         response = super().get(*args, **kwargs)
-        response["Cache-Control"] = "public, max-age=60"
         return response

django/thunderstore/api/cyberstorm/views/community_filters.py

@@ -8,7 +8,7 @@
     CyberstormPackageCategorySerializer,
     CyberstormPackageListingSectionSerializer,
 )
-from thunderstore.api.utils import conditional_swagger_auto_schema
+from thunderstore.api.utils import PublicCacheMixin, conditional_swagger_auto_schema
 from thunderstore.community.models import Community
 
 
@@ -17,7 +17,7 @@ class CommunityFiltersAPIViewSerializer(serializers.Serializer):
     sections = CyberstormPackageListingSectionSerializer(many=True)
 
 
-class CommunityFiltersAPIView(APIView):
+class CommunityFiltersAPIView(PublicCacheMixin, APIView):
     """
     Return info about PackageCategories and PackageListingSections so
     they can be used as filters.
@@ -40,5 +40,4 @@ def get(self, request: Request, community_id: str):
         }
 
         response = Response(self.serializer_class(filters).data)
-        response["Cache-Control"] = "public, max-age=60"
         return response

django/thunderstore/api/cyberstorm/views/community_list.py

@@ -7,6 +7,7 @@
 from thunderstore.api.ordering import StrictOrderingFilter
 from thunderstore.api.utils import (
     CyberstormAutoSchemaMixin,
+    PublicCacheMixin,
     conditional_swagger_auto_schema,
 )
 from thunderstore.community.models import Community
@@ -20,7 +21,7 @@ class CommunityListAPIQueryParams(serializers.Serializer):
     include_unlisted = serializers.BooleanField(default=False)
 
 
-class CommunityListAPIView(CyberstormAutoSchemaMixin, ListAPIView):
+class CommunityListAPIView(PublicCacheMixin, CyberstormAutoSchemaMixin, ListAPIView):
     permission_classes = []
     serializer_class = CyberstormCommunitySerializer
     pagination_class = CommunityPaginator
@@ -50,5 +51,4 @@ def get_queryset(self):
     )
     def get(self, *args, **kwargs):
         response = super().get(*args, **kwargs)
-        response["Cache-Control"] = "public, max-age=60"
         return response

django/thunderstore/api/cyberstorm/views/markdown.py

@@ -4,7 +4,7 @@
 from rest_framework import serializers
 from rest_framework.generics import RetrieveAPIView, get_object_or_404
 
-from thunderstore.api.utils import CyberstormAutoSchemaMixin
+from thunderstore.api.utils import CyberstormAutoSchemaMixin, PublicCacheMixin
 from thunderstore.markdown.templatetags.markdownify import render_markdown
 from thunderstore.repository.models import Package, PackageVersion
 
@@ -13,7 +13,9 @@ class CyberstormMarkdownResponseSerializer(serializers.Serializer):
     html = serializers.CharField()
 
 
-class PackageVersionReadmeAPIView(CyberstormAutoSchemaMixin, RetrieveAPIView):
+class PackageVersionReadmeAPIView(
+    PublicCacheMixin, CyberstormAutoSchemaMixin, RetrieveAPIView
+):
     """
     Return README.md prerendered as HTML.
 
@@ -32,7 +34,9 @@ def get_object(self):
         return {"html": render_markdown(package_version.readme)}
 
 
-class PackageVersionChangelogAPIView(CyberstormAutoSchemaMixin, RetrieveAPIView):
+class PackageVersionChangelogAPIView(
+    PublicCacheMixin, CyberstormAutoSchemaMixin, RetrieveAPIView
+):
     """
     Return CHANGELOG.md prerendered as HTML.
 
@@ -41,6 +45,8 @@ class PackageVersionChangelogAPIView(CyberstormAutoSchemaMixin, RetrieveAPIView)
 
     serializer_class = CyberstormMarkdownResponseSerializer
 
+    cache_404s = True
+
     def get_object(self):
         package_version = get_package_version(
             namespace_id=self.kwargs["namespace_id"],

django/thunderstore/api/cyberstorm/views/package_listing.py

@@ -32,6 +32,7 @@
 )
 from thunderstore.api.utils import (
     CyberstormAutoSchemaMixin,
+    PublicCacheMixin,
     conditional_swagger_auto_schema,
 )
 from thunderstore.community.models.package_listing import PackageListing

django/thunderstore/api/cyberstorm/views/package_listing_list.py

@@ -12,7 +12,7 @@
 from rest_framework.pagination import PageNumberPagination
 
 from thunderstore.api.cyberstorm.serializers import CyberstormPackagePreviewSerializer
-from thunderstore.api.utils import conditional_swagger_auto_schema
+from thunderstore.api.utils import PublicCacheMixin, conditional_swagger_auto_schema
 from thunderstore.community.consts import PackageListingReviewStatus
 from thunderstore.community.models import (
     Community,
@@ -81,7 +81,7 @@ def get_schema_fields(self, view):
         return []
 
 
-class BasePackageListAPIView(ListAPIView):
+class BasePackageListAPIView(PublicCacheMixin, ListAPIView):
     """
     Base class for community-scoped, paginated, filterable package listings.
 

django/thunderstore/api/cyberstorm/views/package_version.py

@@ -10,12 +10,13 @@
 )
 from thunderstore.api.utils import (
     CyberstormAutoSchemaMixin,
+    PublicCacheMixin,
     conditional_swagger_auto_schema,
 )
 from thunderstore.repository.models.package_version import PackageVersion
 
 
-class PackageVersionAPIView(CyberstormAutoSchemaMixin, APIView):
+class PackageVersionAPIView(PublicCacheMixin, CyberstormAutoSchemaMixin, APIView):
     @conditional_swagger_auto_schema(
         responses={200: PackageVersionResponseSerializer},
         operation_id="cyberstorm.package_version",

django/thunderstore/api/cyberstorm/views/package_version_list.py

@@ -7,7 +7,7 @@
 )
 from thunderstore.api.cyberstorm.views.markdown import get_package_version
 from thunderstore.api.pagination import PackageDependenciesPaginator
-from thunderstore.api.utils import CyberstormAutoSchemaMixin
+from thunderstore.api.utils import CyberstormAutoSchemaMixin, PublicCacheMixin
 from thunderstore.repository.models import Package, PackageVersion
 
 
@@ -19,7 +19,9 @@ class CyberstormPackageVersionSerializer(serializers.Serializer):
     install_url = serializers.CharField()
 
 
-class PackageVersionListAPIView(CyberstormAutoSchemaMixin, ListAPIView):
+class PackageVersionListAPIView(
+    PublicCacheMixin, CyberstormAutoSchemaMixin, ListAPIView
+):
     """
     Return a list of available versions of the package.
     """
@@ -36,7 +38,9 @@ def get_queryset(self):
         return package.versions.active()
 
 
-class PackageVersionDependenciesListAPIView(CyberstormAutoSchemaMixin, ListAPIView):
+class PackageVersionDependenciesListAPIView(
+    PublicCacheMixin, CyberstormAutoSchemaMixin, ListAPIView
+):
     serializer_class = CyberstormPackageDependencySerializer
     pagination_class = PackageDependenciesPaginator
 

django/thunderstore/api/cyberstorm/views/team.py

@@ -31,6 +31,7 @@
 from thunderstore.api.ordering import StrictOrderingFilter
 from thunderstore.api.utils import (
     CyberstormAutoSchemaMixin,
+    PublicCacheMixin,
     conditional_swagger_auto_schema,
 )
 from thunderstore.repository.forms import AddTeamMemberForm
@@ -52,7 +53,7 @@ def check_permissions(self, request: Request) -> None:
             raise PermissionDenied("You do not have permission to access this team.")
 
 
-class TeamAPIView(CyberstormAutoSchemaMixin, RetrieveAPIView):
+class TeamAPIView(PublicCacheMixin, CyberstormAutoSchemaMixin, RetrieveAPIView):
     serializer_class = CyberstormTeamSerializer
     queryset = Team.objects.exclude(is_active=False)
     lookup_field = "name"

django/thunderstore/api/utils.py

@@ -1,4 +1,5 @@
 from django.conf import settings
+from django.utils.cache import patch_cache_control
 from drf_yasg.utils import swagger_auto_schema, unset  # type: ignore
 
 
@@ -22,3 +23,35 @@ class CyberstormAutoSchemaMixin:  # pragma: no cover
     @conditional_swagger_auto_schema(tags=["cyberstorm"])
     def get(self, *args, **kwargs):
         return super().get(*args, **kwargs)
+
+
+class PublicCacheMixin:
+    """
+    A mixin for caching public API endpoints.
+
+    IMPORTANT: Must be before generic DRF view base classes in the inheritance list.
+
+    Example:
+        class ProductListView(PublicCacheMixin, ListAPIView):
+
+    1. Caching: Applies 'public' Cache-Control headers to the response.
+    2. Security: Explicitly clears 'authentication_classes' and 'permission_classes'
+       to override global DRF settings in settings.py. This ensures the endpoint is strictly
+       anonymous and prevents 'request.user' from being populated, which
+       mitigates the risk of caching user-specific data.
+    """
+
+    authentication_classes = []
+    permission_classes = []
+
+    cache_max_age = 60  # seconds
+    cache_404s = False
+
+    def finalize_response(self, request, response, *args, **kwargs):
+        response = super().finalize_response(request, response, *args, **kwargs)
+
+        if response.status_code == 200 or (
+            response.status_code == 404 and self.cache_404s
+        ):
+            patch_cache_control(response, public=True, max_age=self.cache_max_age)
+        return response