turnstile

Drupal paywall plugin

commit 2e4e10f0e19b8140f48a0a79c91419a2204d188c
parent 5f16d08d31b9b69c2623d2f8e6c8f9d0fdd3cb1a
Author: Christian Grothoff <christian@grothoff.org>
Date:   Wed, 20 May 2026 22:37:05 +0200

do not use Vary header on cookie, that triggers on any cookie, let Drupal handle it based on only _our_ cookie

Diffstat:
Mtaler_turnstile.module | 19+++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/taler_turnstile.module b/taler_turnstile.module
@@ -116,14 +116,13 @@ function taler_turnstile_entity_view_alter(array &$build, EntityInterface $entit
 $cookies = \Drupal::service('taler_turnstile.cookie');
 if ($cookies->verify($request, $fulfillment_url)) {
 \Drupal::logger('taler_turnstile')->debug('Valid Paivana cookie, granting access to @url', ['@url' => $fulfillment_url]);
+ // The cookies cache context lets Drupal's page caches key on
+ // the access cookie and emit a properly scoped Vary header,
+ // so visitors without the cookie still see the paywall version.
+ // Marking the response 'private' keeps shared HTTP caches from
+ // handing one paying visitor's full-content response to another
+ // visitor whose request happens to lack the cookie.
 $build['#cache']['contexts'][] = 'cookies:' . TALER_TURNSTILE_COOKIE;
- // Vary on Cookie so that when the access cookie expires (or is
- // cleared) the next navigation to this URL misses the browser
- // cache and re-reaches the origin to re-evaluate the paywall.
- // 'private' keeps shared caches from handing one paying
- // visitor's full-content response to another visitor whose
- // request happens to lack the cookie.
- $build['#attached']['http_header'][] = ['Vary', 'Cookie', FALSE];
 $build['#attached']['http_header'][] = ['Cache-Control', 'private', TRUE];
 return;
 }
@@ -173,11 +172,11 @@ function taler_turnstile_entity_view_alter(array &$build, EntityInterface $entit
 '#paivana_uri' => $taler_uri,
 '#attached' => [
 'library' => ['taler_turnstile/payment_button'],
- // Surface the Paivana URI as an HTTP header for non-JS clients,
- // and let downstream caches key on the cookie.
+ // Surface the Paivana URI as an HTTP header for non-JS clients.
+ // The cookies cache context attached below already makes Drupal
+ // emit a properly scoped Vary header for downstream caches.
 'http_header' => [
 ['Paivana', $taler_uri, FALSE],
- ['Vary', 'Cookie', FALSE],
 ],
 ],
 ];
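Review bot: The new comment in the valid-cookie branch says the `cookies:` cache context makes Drupal "emit a properly scoped Vary header", but HTTP `Vary` names whole request headers, so no response header can be scoped to a single cookie; the context only keys Drupal's own caches, and the same wording recurs in the comment added by the second hunk. I would reword it along the lines of `// The cookies:<name> cache context keys Drupal's own caches on our cookie only; HTTP has no per-cookie Vary.` The removed comment described a browser-cache effect (a stored full-content copy being reused after the access cookie expires or is cleared) that nothing in this hunk replaces; if that still matters, one option to evaluate is `['Cache-Control', 'private, no-cache', TRUE]`, so the browser revalidates with the origin before reuse. The body of taler_turnstile_entity_view_alter starts and continues outside the hunk.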
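Review bot: With `['Vary', 'Cookie', FALSE]` dropped from the paywall render array, no cache directive is visible in this hunk for the response that carries the `Paivana` header, and the cache context the new comment relies on is "attached below", outside the hunk. If `$taler_uri` is specific to one visitor or order (not determinable from these lines), a shared cache that stores this response could replay that URI to a different visitor, so it is worth confirming that the response is either not publicly cacheable or that the URI is safe to share. A comment on the `'http_header'` entry recording that assumption, for example `// Paivana URI is <shared | per-visitor>; cacheability of this response depends on it.`, would make it reviewable.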