I think I've said this before, but the caching advice:
> HTTP provides a built-in caching framework!
Conflicts with the authentication advice:
> each request should come with some sort of authentication credentials
One of those gotchas in API design and implementation is how to provide good performance against authenticated resources.
My personal take on this is to not follow the standard HTTP caching patterns as this encourages the cache to be external - browser, proxy - to your authentication.
Instead I choose to cache behind my authentication layer, and this either means:
1. I use a plugin for Nginx or Varnish to call the authentication check before serving a cached resource.
or
2. I put my resources in a memory cache within the application.
The former has the advantage of being as HTTP pure as possible, but the disadvantage of maintaining the server extension/plugin.
The latter has the advantage of code maintainability (just the stuff in your app) but the disadvantage of not using existing tools for the caching.
Either way, if you are mixing authentication and caching the rule should always be that you cache behind your authentication layer and everything that passes through the authentication layer is explicitly marked as not-cacheable.
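The following is an added illustration of the second option described above (an in-process memory cache sitting behind the authentication layer, with every response that passes through authentication explicitly marked as not cacheable). It is example code, not code from the original comment or its author. The token store, the access-control table, the resource ids and the `Backend`/`ResourceCache`/`Api` names are constructed for the demo and are assumptions; the HTTP header values are standard `Cache-Control` directives.

```python
"""Added example: cache behind the authentication layer (in-process variant).

The credential store, ACL and resource ids below are constructed demo data,
not taken from any real system.
"""
import time
from dataclasses import dataclass, field

# Constructed credential store: bearer token -> user id (assumption for the demo).
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

# Constructed authorization table: resource id -> users allowed to read it.
ACL = {"report-1": {"alice"}, "report-2": {"alice", "bob"}}

# Attached to every response that went through the auth layer. `no-store`
# tells both browser and proxy caches not to keep a copy at all; `private`
# additionally marks the response as user-specific for any cache that honours
# only the older directive. The cache that is allowed to exist is ours, below.
NO_CACHE_HEADERS = {"Cache-Control": "private, no-store, max-age=0"}


@dataclass
class Backend:
    """Stand-in for the expensive origin (database, upstream API)."""
    calls: int = 0

    def load(self, resource_id):
        self.calls += 1  # counts expensive backend reads for the demo
        return f"contents of {resource_id}"


@dataclass
class ResourceCache:
    """Minimal in-process TTL cache keyed by resource id."""
    ttl: float = 60.0
    store: dict = field(default_factory=dict)

    def get(self, key, now):
        entry = self.store.get(key)
        if entry is None or entry[0] <= now:  # missing or expired
            return None
        return entry[1]

    def put(self, key, value, now):
        self.store[key] = (now + self.ttl, value)


class Api:
    def __init__(self, backend, cache):
        self.backend = backend
        self.cache = cache

    def handle(self, headers, resource_id, now=None):
        """Returns (status, response_headers, body) for one request."""
        now = time.time() if now is None else now
        # 1. Authentication first: an unauthenticated request never reaches
        #    the cache, so nothing about cached content leaks to it.
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        user = TOKENS.get(token) if scheme == "Bearer" else None
        if user is None:
            return 401, {"WWW-Authenticate": "Bearer", **NO_CACHE_HEADERS}, ""
        # 2. Authorization on every request, including ones that will hit the
        #    cache; a cache hit must never bypass the access check.
        if user not in ACL.get(resource_id, set()):
            return 403, dict(NO_CACHE_HEADERS), ""
        # 3. Only now consult the in-process cache. The key is the resource,
        #    which is fine because the representation is the same for every
        #    authorized user; a per-user representation would need the user
        #    in the key as well.
        body = self.cache.get(resource_id, now)
        if body is None:
            body = self.backend.load(resource_id)
            self.cache.put(resource_id, body, now)
        return 200, dict(NO_CACHE_HEADERS), body


def demo():
    """Runs a short request sequence; returns (status codes, backend call count)."""
    api = Api(Backend(), ResourceCache(ttl=60))
    alice = {"Authorization": "Bearer tok-alice"}
    bob = {"Authorization": "Bearer tok-bob"}
    statuses = [
        api.handle({}, "report-2", now=0)[0],            # no credentials -> 401
        api.handle(bob, "report-1", now=0)[0],           # not in ACL -> 403
        api.handle(alice, "report-1", now=1)[0],         # 200, backend read
        api.handle(alice, "report-1", now=2)[0],         # 200, served from cache
        api.handle(alice, "report-1", now=100)[0],       # 200, TTL expired, backend read
    ]
    return statuses, api.backend.calls


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `([401, 403, 200, 200, 200], 2)`: five requests, two origin reads, and neither the unauthenticated nor the unauthorized request ever touched the cache. Every response carries `Cache-Control: private, no-store, max-age=0`, so the only cache holding the resource is the one behind the authentication check.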