Perhaps support request, but feels like a bug to me.
Problem/Motivation
Drupal caches responses to requests, even when different HTTP Basic Authentication credentials are used when making the request.
Steps to reproduce
When providing endpoints with JSON API module. Enable HTTP Basic Authentication module.
Set only authenticated users to "view content"
Create a test user.
Make request to endpoint with curl.
curl ---header 'Accept: application/vnd.api+json' --user some-user --request GET "https://yourdomain/jsonapi/node/basic-page"
Enter the wrong credentials when prompted
Will get a response without data as per permission settings for viewing content (assume authenticated user only can view content)
Execute the curl command again. This time use the correct password
Response still will not have data.
I can use the &time=[timestamp] parameter and the response is always fresh/correct.
Proposed resolution
Shouldn't the response not be cached if the request is made with different credentials?
OR
How can one make sure the response is fresh if different HTTP Basic Authentication credentials are used in a request?
Is this possible in an KernelEvents::RESPONSE Event Subscriber?