Branch/Environment/Version
- Branch/Version: tyk-gateway:v4.3.2
- Environment: On-prem
Describe the bug
I have a GraphQL API that can receive the same query several times but returns different info based on the received bearer token.
I have configured my API as a GraphQL one, and I'm using Federation, so I have a single entry point in a different subgraph by API.
The problem is that if I perform two requests (almost at the same time) with different bearer tokens in a short period (less than one second), one of them does not reach the API; it is answered by the Tyk cache, mixing up the info and showing one user the other one's info (because of the bearer token), which is a big security problem for us.
I do not have any cache option in my API definition; I added a new one for testing to try to avoid this behavior, and adding the cache option with a header specification does not work either.
Reproduction steps
- You need to have a GraphQL API and return some basic info extracted from the Bearer token received in the request.
- Set your API JSON with GraphQL using a subgraph.
- Perform several requests (almost simultaneously) using the same query but with different bearer tokens.
- One of the received answers should be mixed with another.
This is my current API config.
Actual behavior
One of the performed requests received the info related to another request.
Expected behavior
Every request should receive the answer according to its bearer token.
Screenshots/Video
Configuration (tyk config file):
Additional context
I've tried using specific cache options like this in my API definition, but it did not work.
"cache_options": {
    "cache_timeout": 60,
    "enable_cache": true,
    "cache_all_safe_requests": false,
    "cache_response_codes": [200],
    "enable_upstream_cache_control": false,
    "cache_control_ttl_header": "",
    "cache_by_headers": ["Authorization"]
},
I tried recent versions of Tyk, and I got the same behavior.
I need to know if it is a bug; if not, I need to know how to avoid it using another configuration.
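The reproduction steps and the cache_options block above both come down to one question: does a response produced for one bearer token ever get served to a request carrying another? The script below is an added regression check for exactly that, written for this page and not part of the original issue or of Tyk itself. It fires the same GraphQL query concurrently with different tokens and reports every response whose identity does not match the token sent. Everything in it is assumed: the query `{ me { id } }`, the token values, and the constructed local stub that stands in for gateway plus upstream. The stub keeps its own response cache and can key it either on the request body alone (reproducing the mixing described above) or on body plus Authorization header (what `cache_by_headers` is meant to achieve); pointing `url` at a real gateway instead of the stub runs the same check against the reported setup.

```python
import json
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import ProxyHandler, Request, build_opener

# Assumed query; the issue does not show the real schema.
QUERY = "{ me { id } }"

# Direct connection, ignoring any proxy configured in the environment.
_OPENER = build_opener(ProxyHandler({}))


def start_stub_upstream(key_on_auth=True):
    """Start a constructed stand-in for gateway + upstream on an ephemeral port.

    The stub answers the query with the caller's own bearer token as `me.id`
    and keeps a response cache. With key_on_auth=False the cache key is the
    request body alone (the mixing the issue describes); with key_on_auth=True
    the Authorization header is part of the key, as cache_by_headers intends.
    Returns (server, url); call server.shutdown() when done.
    """
    cache = {}

    class Stub(BaseHTTPRequestHandler):
        def do_POST(self):
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            auth = self.headers.get("Authorization", "")
            token = auth[len("Bearer "):] if auth.startswith("Bearer ") else auth
            key = (auth, body) if key_on_auth else body
            if key not in cache:
                cache[key] = json.dumps({"data": {"me": {"id": token}}}).encode()
            payload = cache[key]
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *args):
            pass  # keep the check's output readable

    server = HTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/graphql" % server.server_address[1]


def query_as(url, token):
    """POST the query with one bearer token and return the id the API reports."""
    req = Request(
        url,
        data=json.dumps({"query": QUERY}).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + token},
        method="POST",
    )
    with _OPENER.open(req, timeout=5) as resp:
        return json.load(resp)["data"]["me"]["id"]


def find_cross_token_leaks(url, tokens, rounds=5):
    """Fire all tokens concurrently for several rounds; return (sent, got) mismatches.

    Every mismatch is a response that was produced for a different token than
    the one on the request, i.e. the cross-user mixing reported in the issue.
    An empty list over enough rounds is the pass condition for the check.
    """
    leaks = []
    with ThreadPoolExecutor(max_workers=len(tokens)) as pool:
        for _ in range(rounds):
            results = pool.map(lambda t: (t, query_as(url, t)), tokens)
            leaks.extend((sent, got) for sent, got in results if sent != got)
    return leaks


if __name__ == "__main__":
    # Constructed demonstration: the body-keyed stub leaks, the auth-keyed one does not.
    for key_on_auth in (False, True):
        server, url = start_stub_upstream(key_on_auth)
        try:
            leaks = find_cross_token_leaks(url, ["token-alice", "token-bob"])
            print("key_on_auth=%s -> leaks: %s" % (key_on_auth, leaks or "none"))
        finally:
            server.shutdown()
```

Against a real deployment, the upstream has to return something derived from the token (the issue's own API already does) so that `query_as` has an identity to compare against; a non-empty result from `find_cross_token_leaks` is the bug, an empty one over many rounds is the evidence that the cache key now includes the Authorization header.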