As I was making progress with my module to implement the Hawk protocol as an authentication option, I had to implement the Authentication Provider, which would be the main component of the module. The provider would validate and authenticate any incoming Hawk request. In order to test the provider, I enabled Drupal 8's REST module. The REST module can be configured to accept any and all available authentication providers, so I set the /node/<node id> route to accept Hawk authentication for GET and POST requests, and I only granted authenticated users permission to GET and POST on nodes. That way I could differentiate whether a user is being properly identified using Hawk or not.
In order to test the above, I created a simple PHP script sending a GET request to my node with just two headers: Accept: application/json, in order to invoke REST, and Hawk's Authorization header.
But it failed catastrophically!
Initially I sent the wrong authorization header and it returned 403 forbidden, well and good. Then I tried sending the correct one and it still returned the old 403 forbidden page. I was stumped. Hawk's provider wasn't even being called; putting breakpoints gave no results, and I had no idea what was going wrong. I asked in the #drupal-contribute IRC channel and someone (sorry! I don't remember the username) suggested it was probably being cached by Drupal's PageCache. It caches based on the current URL and content-type.
And it indeed was!
Drupal was caching the first request I made to the node, which returned a 403 forbidden, and was returning the same response for all subsequent requests, regardless of any change in headers, since the URL and content type remained the same. A simple solution was to append ?time=<unix timestamp> at the end of the URL so that it looked similar to /node/4?time=<timestamp>. This guaranteed a unique URL every time a request was being made and bypassed the PageCache.
For now I'm sticking to this temporary solution; maybe it won't be as relevant in real-world usage as it was during my tinkering. If I can figure out a better solution I'll include it within my module.
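The behaviour described above, as an added example that is not the module's code or Drupal's implementation: a toy PHP model of a cache keyed on URL and Accept only, with a stand-in Hawk check in place of the provider. The host, credentials and function names are constructed for illustration. Because the Hawk MAC covers the path and the query string, the ?time= parameter has to be appended before the Authorization header is computed.

```php
<?php
// Added example: a model of the behaviour in the post, not Drupal or module code.
// Constructed credentials and host.
const HAWK_ID = 'demo-id';
const HAWK_KEY = 'demo-secret';

// Hawk MAC over the normalized request string (no payload hash, no ext).
function hawk_mac(string $method, string $url, int $ts, string $nonce): string {
    $p = parse_url($url);
    $port = $p['port'] ?? ($p['scheme'] === 'https' ? 443 : 80);
    // The signed resource is the path plus the query string.
    $resource = $p['path'] . (isset($p['query']) ? '?' . $p['query'] : '');
    $normalized = implode("\n", ['hawk.1.header', $ts, $nonce, strtoupper($method),
        $resource, strtolower($p['host']), $port, '', '']) . "\n";
    return base64_encode(hash_hmac('sha256', $normalized, HAWK_KEY, true));
}

function hawk_header(string $method, string $url): string {
    $ts = time();
    $nonce = bin2hex(random_bytes(4));
    return sprintf('Hawk id="%s", ts="%d", nonce="%s", mac="%s"',
        HAWK_ID, $ts, $nonce, hawk_mac($method, $url, $ts, $nonce));
}

// Stand-in for the authentication provider: recompute the MAC and compare.
function authenticate(string $method, string $url, string $header): bool {
    $re = '/^Hawk id="([^"]+)", ts="(\d+)", nonce="([^"]+)", mac="([^"]+)"$/';
    if (!preg_match($re, $header, $m)) {
        return false;
    }
    return $m[1] === HAWK_ID
        && hash_equals(hawk_mac($method, $url, (int) $m[2], $m[3]), $m[4]);
}

// Cache keyed on URL + Accept only; the Authorization header is not in the key.
function handle(array &$cache, string $url, string $accept, string $auth): string {
    $key = $url . '|' . $accept;
    if (isset($cache[$key])) {
        return $cache[$key] . ' (cache hit, provider not called)';
    }
    return $cache[$key] = authenticate('GET', $url, $auth) ? '200' : '403';
}

$cache = [];
$url = 'http://drupal.example/node/4';
$json = 'application/json';
// 1. Wrong header: rejected, and the rejection is stored under the URL key.
echo handle($cache, $url, $json, 'Hawk id="demo-id", ts="1", nonce="x", mac="wrong"'), "\n";
// 2. Correct header, same URL: served from the cache without authenticating.
echo handle($cache, $url, $json, hawk_header('GET', $url)), "\n";
// 3. Cache-busted URL, header signed over that exact URL: a new cache key.
$busted = $url . '?time=' . time();
echo handle($cache, $busted, $json, hawk_header('GET', $busted)), "\n";
```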
PS: This is an extra from the weekly updates I thought was worth sharing; the next one for week 5 will come later.