[HttpClient] Don't store response with authentication headers in shared mode

Author: Lctrs

CachingHttpClient.php

@@ -687,16 +687,21 @@ private function isServerResponseCacheable(int $statusCode, array $requestHeader
             return false;
         }
 
-        if (
-            $this->sharedCache
-            && !isset($cacheControl['public']) && !isset($cacheControl['s-maxage']) && !isset($cacheControl['must-revalidate'])
-            && isset($requestHeaders['authorization'])
-        ) {
-            return false;
-        }
+        if ($this->sharedCache) {
+            if (
+                !isset($cacheControl['public']) && !isset($cacheControl['s-maxage']) && !isset($cacheControl['must-revalidate'])
+                && isset($requestHeaders['authorization'])
+            ) {
+                return false;
+            }
 
-        if ($this->sharedCache && isset($cacheControl['private'])) {
-            return false;
+            if (isset($cacheControl['private'])) {
+                return false;
+            }
+
+            if (isset($responseHeaders['authentication-info']) || isset($responseHeaders['set-cookie']) || isset($responseHeaders['www-authenticate'])) {
+                return false;
+            }
         }
 
         // Conditionals require an explicit expiration

Tests/CachingHttpClientTest.php

@@ -473,6 +473,62 @@ public function testAPrivateCacheStoresAResponseWithPrivateDirective()
         self::assertSame('foo', $response->getContent());
     }
 
+    public function testASharedCacheDoesntStoreAResponseWithAuthenticationHeader()
+    {
+        $mockClient = new MockHttpClient([
+            new MockResponse('foo', [
+                'http_code' => 200,
+                'response_headers' => [
+                    'Cache-Control' => 'max-age=300',
+                    'Set-Cookie' => 'foo=bar',
+                ],
+            ]),
+            new MockResponse('bar'),
+        ]);
+
+        $client = new CachingHttpClient(
+            $mockClient,
+            $this->cacheAdapter,
+            sharedCache: true,
+        );
+
+        $response = $client->request('GET', 'http://example.com/foo-bar');
+        self::assertSame(200, $response->getStatusCode());
+        self::assertSame('foo', $response->getContent());
+
+        $response = $client->request('GET', 'http://example.com/foo-bar');
+        self::assertSame(200, $response->getStatusCode());
+        self::assertSame('bar', $response->getContent());
+    }
+
+    public function testAPrivateCacheStoresAResponseWithAuthenticationHeader()
+    {
+        $mockClient = new MockHttpClient([
+            new MockResponse('foo', [
+                'http_code' => 200,
+                'response_headers' => [
+                    'Cache-Control' => 'max-age=300',
+                    'Set-Cookie' => 'foo=bar',
+                ],
+            ]),
+            new MockResponse('should not be served'),
+        ]);
+
+        $client = new CachingHttpClient(
+            $mockClient,
+            $this->cacheAdapter,
+            sharedCache: false,
+        );
+
+        $response = $client->request('GET', 'http://example.com/foo-bar');
+        self::assertSame(200, $response->getStatusCode());
+        self::assertSame('foo', $response->getContent());
+
+        $response = $client->request('GET', 'http://example.com/foo-bar');
+        self::assertSame(200, $response->getStatusCode());
+        self::assertSame('foo', $response->getContent());
+    }
+
     public function testCacheMissAfterInvalidation()
     {
         $mockClient = new MockHttpClient([