Got depends on this indirectly through cacheable-request. In fact, I specifically wrote cacheable-request for use in Got.

Just letting you know as I'm not sure if you're aware and it's quite a popular project so you might want to list it here.

When we get a new policy from

const {policy, modified} = oldPolicy.revalidatedPolicy(newRequest, newResponse);

The returned policy has shared, cacheHeuristic, immutableMinTimeToLive, ignoreCargoCult set to default. Ideally they should be set as same as original policy.

There are a lot of falsey checks in this library rather than undefined checks. Here's one, for example. I'm wondering if these should be switched to null/undefined checks (x == null) as it appears that empty header values are valid according to the HTTP RFC. I'm wondering this is that I'm working with an API that is behaving weirdly (returns Pragma: no-cache alongside Cache-Control: ) when I send over a Cache-Control: max-age=3600 header in the request, which is causing this library to consider the response to not be cacheable. Thx!

I am trying to implement cache in a custom Node.js proxy that is running across multiple machines. The problem is the satisfiesWithoutRevalidation method – it assumes that CachePolicy object is aware of previous requests, which might not be the case.

What would be the risk of using CachePolicy without satisfiesWithoutRevalidation? Effectively, if I want to rely only on Cache-Control as dictated by the response.

The spec requires that a 113 warning code be added to the response if revalidation used heuristics. There doesn't seem to be any way for external libraries to detect whether http-cache-semantics used these heuristics, either.

Not always of course, but in some cases timeToLive() returns floats.
Which makes sense since in maxAge() there's a division by 1000 and then later a multiplication by 1000 done by timeToLive(), yet the code ignores computers' struggle with float arithmetic.
Since the doc mentions timeToLive() returns time in milliseconds, one would expect it to return an integer.

Math.round() in the correct spot or some other solution would be appreciated, let me know what you think.

The readme says that "immutableMinTimeToLive is a number of milliseconds", but it's compared against values which are in seconds (e.g. Math.max(defaultMinTtl, (expires - dateValue) / 1000)) and returned from maxAge which on other paths returns values in seconds.

In my opinion, the implementation is reasonable so it's the documentation which is wrong; what do you think?

The default value is 24 * 3600 * 1000, which is either one day or 1,000 days depending on the answer to this question. I don't see anything in the RFC guiding how clients should behave if max-age is not set but immutable is. Since "hours * seconds * milliseconds" order makes a little more sense than "hours * seconds * days", I'm guessing it was supposed to be one day, in which case the default value is wrong too.

While you're looking at the documentation for this option:

• The link to "per RFC" is dead. I believe at this point you want to link to https://tools.ietf.org/html/rfc8246.
• Please document the default value for this option, whatever you decide it should have been.

1. The README at https://github.com/kornelski/rusty-http-cache-semantics is very much not up to date with the API.
2. The "homepage" link at https://crates.io/crates/http-cache-semantics points to the JS repo. At least the "repository" link is correct.
3. Please enable issues for the Rust repo.

ORIGINAL POLICY {
  'content-type': 'application/json',
  'last-modified': 'Wed, 27 Nov 2019 01:56:57 GMT',
  'content-encoding': 'gzip',
  age: '449457',
  date: 'Sun, 08 Dec 2019 14:21:24 GMT',
  warning: '113 - "rfc7234 5.5.4"'
}
REVALIDATED POLICY modified=false {
  age: '449457',
  date: 'Sun, 08 Dec 2019 14:21:24 GMT'
}

I just placed

console.log('ORIGINAL POLICY', CachePolicy.fromObject(revalidate.cachePolicy).responseHeaders());
console.log('REVALIDATED POLICY', `modified=${revalidatedPolicy.modified}`,  revalidatedPolicy.policy.responseHeaders());

after this line:

https://github.com/lukechilds/cacheable-request/blob/147924989daf078b071be3aa4ad67cc6702512f0/src/index.js#L87

I will include some reproducible code soon.

using reference:
"http-cache-semantics": "3.8.0",
causes the following error:

ERROR in bundle.js from UglifyJs
SyntaxError: Unexpected character '`' [./~/http-cache-semantics/node4/index.js:279,0]
[13:41:33] Finished 'buildWebpack' after 39 s
[13:41:33] Finished 'html' after 40 s

Hi there, on npm this is marked as BSD-2-Clause
https://www.npmjs.com/package/http-cache-semantics
Can a LICENSE file be added in here for reference, with similar information?

Hi @kornelski, thanks for your work on this library, it looks fantastic.

For my use case, I would need the library to support these two Cache-Control directives. From MDN:

• stale-while-revalidate=<seconds>: Indicates that the client is willing to accept a stale response while asynchronously checking in the background for a fresh one. The seconds value indicates for how long the client is willing to accept a stale response.
• stale-if-error=<seconds>: Indicates that the client is willing to accept a stale response if the check for a fresh one fails.

I think it could be implemented in the following way:

• satisfiesWithoutRevalidation() would check the stale-if-error directive and return true if the response is a 5XX and the stale response can be used.
• A new method satisfiesWithRevalidation() would check the stale-while-revalidate directive and return true if the stale response can be used while revalidating in the background. The caller would be expected to make the request while also using the cached response.

If you're open to these enhancements, I'd be happy to work on them.

cache-control: max-age=600, must-revalidate, post-check=0, pre-check=0, public
date: Mon, 15 Jul 2019 11:42:17 GMT
pragma: no-cache

From this website:

https://www.odeon.co.uk/booking/init/MjkxMjQwMDAwMjNJV0ZDT1BGIzEwMiMxODQ5Ng==/

Not sure what is the expected behaviour here, but I would expect that given that pragma: no-cache is present, then it should't be safe to cache the response regardless of cache-control. Meanwhile,

> cachePolicy.storable()
true
> cachePolicy.timeToLive()
600000

curl -v https://www.reservaentradas.com/cines
< HTTP/1.1 200 OK
< Date: Wed, 05 Feb 2020 18:51:26 GMT
< Server: Apache/2.2.22 (Debian)
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Vary: Accept-Encoding
< Cache-Control: max-age=0, no-cache
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=utf-8
<

Produces error:

TypeError: header.trim is not a function
          at parseCacheControl (/Users/gajus/Documents/dev/rayroute/rayman/node_modules/http-cache-semantics/index.js:62:26)
          at new CachePolicy (/Users/gajus/Documents/dev/rayroute/rayman/node_modules/http-cache-semantics/index.js:119:23)
          at action (/Users/gajus/Documents/dev/rayroute/rayman/src/interceptors/createCacheInterceptor/index.js:68:27)
          at Object.responseActions (/Users/gajus/Documents/dev/rayroute/rayman/node_modules/@rayroute/raygun/src/factories/createInterceptorActions.js:152:22)
          at processTicksAndRejections (internal/process/task_queues.js:97:5)
          at handleRequest (/Users/gajus/Documents/dev/rayroute/rayman/node_modules/@rayroute/raygun/src/factories/createRequestHandler.js:69:28)

A cache MUST invalidate the effective Request URI (Section 5.5 of [RFC7230]) as well as the URI(s) in the Location and Content-Location response header fields (if present) when a non-error status code is received in response to an unsafe request method.

However, a cache MUST NOT invalidate a URI from a Location or Content-Location response header field if the host part of that URI differs from the host part in the effective request URI (Section 5.5 of [RFC7230]). This helps prevent denial-of-service attacks.

A cache MUST invalidate the effective request URI (Section 5.5 of [RFC7230]) when it receives a non-error response to a request with a method whose safety is unknown.

http://httpwg.org/specs/rfc7234.html#invalidation

The cache control RFC states in section 5.2.2.2:

If the no-cache response directive specifies one or more field-names, then a cache MAY use the response to satisfy a subsequent request, subject to any other restrictions on caching. However, any header fields in the response that have the field-name(s) listed MUST NOT be sent in the response to a subsequent request without successful revalidation with the origin server. This allows an origin server to prevent the re-use of certain header fields in a response, while still allowing caching of the rest of the response.

Specifically, from what I have seen, if a no-cache value appears in the Cache-Control header then it does not appear to be cached, even if the no-cache value specifies a header field. There is an opportunity to abide by the MAY clause in the spec, where the response can still be cached (except for the specified field(s)).

For example, if we see no-cache: set-cookie it is possible, according to the spec, that the response can be cached EXCEPT for Set-Cookie header(s).

I'm opening this issue to look into whether this part of the spec can be implemented in the library so that the response can still be cached.

Currently 301 redirects are not cached at all unless the website returns a satisfying cache-control header. This is not how browsers work.

https://stackoverflow.com/questions/9130422/how-long-do-browsers-cache-http-301s

There should be a setting to cache 301 redirects for an arbitrary default time.

Request headers:

{
  host: '127.0.0.1:3050',
  'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) ' +
    'AppleWebKit/537.36 (KHTML, like Gecko) ' +
    'Chrome/75.0.3770.100 Safari/537.36',
  accept: '*/*',
  'accept-encoding': 'gzip',
  'proxy-connection': 'Keep-Alive',
  'cache-control': 'max-age=2'
}

cachePolicy.storable() true
cachePolicy.timeToLive() 3599997

I expect timeToLive to be 2000 regardless of the response headers.

Hey, this might be because I'm using this library incorrectly, so sorry in advance if that's the case.

It looks like this library tries to access header objects as if they were in a traditional object literal (https://github.com/kornelski/http-cache-semantics/blob/master/index.js#L137)

But, the Response object uses the Headers object. The Headers object requires developers to retrieve headers with the .get method.

This means that this library can't read headers, and thus can't determine if something can be cached properly. Take the following example:

const uri = "https://httpbin.org/response-headers?cache-control=max-age%3D604800";
const request = new Request(uri);
const response = await fetch(request);
const policy = new CachePolicy(request, response, options);
const newRequest = new Request(uri);
// Returns false because "maxAge" is 0 because the library can't read the headers
console.log(policy.satisfiesWithoutRevalidation(newRequest));

I am using this library in a NodeJS environment using Request, fetch, and Response from cross-fetch.

Am I using this wrong?

Hi, love this library! A great addition would be a brief sample implementation of how to use policy.useStaleWhileRevalidate() in the readme. I haven't quite got my head around how to use it in combination with satisfiesWithoutRevalidation.

Basically, I'd like to know when to kick off a background request in order to update the cache, but it's still ok to use the value that's already in the cache.

I'm following your code example for revalidation https://www.npmjs.com/package/http-cache-semantics#revalidatedpolicyrevalidationrequest-revalidationresponse

My newResponse.status is 304, I pass the response to oldPolicy.revalidatedPolicy() and get a new policy in return.

Now policy.storable() returns false and policy.timeToLive() returns 0, due to this condition evaluating to false because this._status is 304.

This makes the example code kinda funky, because you're caching the response in letsPretendThisIsSomeCache with a 0 ttl.

Since the resource was successfully revalidated, I expect storable() to return true and timeToLive() to return some non zero number. Is this intended?

Node.js v4 official support ends on April 30th. This project follows the official long-term support schedule, so it will remove Node.js v4 compatibility on that day.

Please upgrade to Node 8 ASAP. This is not a drill.

HTTP libraries unzip the content, so the body in JS isn't strictly the same as body HTTP RFC is talking about.

Thank you so much for this, you rock! It made my life so much easier when writing https://github.com/lukechilds/cacheable-request

I just wondered if you'd want to link to cacheable-request in this readme? A lot of people who find this module may well just want to implement this over http.request or similar and I've already done the work for them in cacheable-request.

I'm making authenticated github api requests and want them cached with got and cacheable-request libraries. Github returns Cache-Control: private, but I expect it still to be cached when I pass shared: false in opts. It's not getting cached.

Here's the response headers, maybe someone can help me how I can make it cacheable?

{ server: 'GitHub.com',
  date: 'Sat, 21 Apr 2018 12:14:45 GMT',
  'content-type': 'application/json; charset=utf-8',
  'transfer-encoding': 'chunked',
  connection: 'close',
  status: '200 OK',
  'x-ratelimit-limit': '5000',
  'x-ratelimit-remaining': '4836',
  'x-ratelimit-reset': '1524313615',
  'cache-control': 'private, max-age=60, s-maxage=60',
  vary: 'Accept, Authorization, Cookie, X-GitHub-OTP',
  etag: 'W/"4876f954d40e3efc6d32aab08b9bdc47"',
  'x-oauth-scopes': 'public_repo, read:user, repo:invite, repo:status, repo_deployment',
  'x-accepted-oauth-scopes': '',
  'x-github-media-type': 'github.v3',
  link: '<https://api.github.com/user/4757745/starred?per_page=1&page=2>; rel="next", <https://api.github.com/user/4757745/starred?per_page=1&page=1120>; rel="last"',
  'access-control-expose-headers': 'ETag, Link, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval',
  'access-control-allow-origin': '*',
  'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
  'x-frame-options': 'deny',
  'x-content-type-options': 'nosniff',
  'x-xss-protection': '1; mode=block',
  'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
  'content-security-policy': 'default-src \'none\'',
  'x-runtime-rack': '0.051653',
  'content-encoding': 'gzip',
  'x-github-request-id': 'C6EE:12E7:3E6CA0D:87F0004:5ADB2B35' }

ps: beginning of story: sindresorhus/got#480

Hello, could you please tag v4.1.1 on GitHub?
Thank you

Hey, I completely agree with the justification provided in the README, but dropping support for this option is a breaking change, in the SemVer sense of "a change that requires downstream users to alter their code in order to continue working properly with the library".

This broke a few of my tests, and I now have to go and figure out whether I want to pin the version to 4.0, alter the tests to provide an accurate date header, or just live with the red CI. My case is not so horrible, since it does work fine except in the synthetic edge cases that the test is (no longer) exercising, but it's entirely possible that someone using this library had production code broken as a result.

I recommend reverting this change in a 4.1.1 release, and then re-publishing it in a 5.0.0 release. There are two reasonable ways to do this:

legacy branch

This is the approach I typically use when I am on the other end of an issue like this.

git checkout -b v4-legacy
git reset --hard eb7028f13f1b2e6978834c9a51b9d3f0d733ab77
# add `"publishConfig": { "tag": "legacy" }` to package.json
git commit -m "publish to 'legacy' tag on npm"
npm version 4.1.1
npm publish
git checkout master
npm version major # bumps to 5.0.0
npm publish

Thereafter, any patches you want to land on the v4 branch (where server date is trusted) you can do on the v4-legacy branch, and npm publish, without worrying that it clobbers the "real" latest release on npm.

revert and re-revert

This is a simpler single-branch approach if you're pretty sure you're not going to ever have to touch v4 again.

git revert ed83aec75be817967cdac2663907d060fdc6adc3
git revert 1b359803db768e0b3f5f8051aa3ea50e27c8d096
git revert 2c2fac2d9763137795cac524db2593de9cba70ac
npm version 4.1.1
npm publish
# re-land the commits that you just reverted
# note that the last one will have a conflict on the package.json version,
# which will have to be resolved by setting it back to 4.1.1 instead of 4.1.0
git cherry-pick 2c2fac2d9763137795cac524db2593de9cba70ac
git cherry-pick 1b359803db768e0b3f5f8051aa3ea50e27c8d096
git cherry-pick ed83aec75be817967cdac2663907d060fdc6adc3
npm version 5.0.0

And never look back.

I see there is an array statusCodeCacheableByDefault in code but is it possible to specify our own list?

Lot of people should use this to cache on their own servers and not mean to use this as shared cache. Probably the shared=false should be default for this library.