New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cache buster value doesn't change on change of plugin JavaScripts #8713
Comments
Here is the offending plugin, by the way: https://github.com/Joey3000/piwik-LoginEncrypted |
Before looking any further into it, have you checked the "Network" tab in your browser re caching headers / etag? Maybe it was still cached in your browser. |
Thanks for looking into this. I've played around a bit more with this, and here are the results. You are right, if one just navigates to the login page (e.g. signing out of Piwik after generation of new keys) the "Transferred" column in the Network tab says "cached" for the CSS, core and non-core asset files, meaning, I guess that they don't actually get requested. One can, actually, get stuck using the cached files if one then (after an unsuccessful login) gets presented an exception page due to failed decryption, and then navigates to the login page again using the "Go to Piwik" link on the exception page. But: A simple login page reload by the user (i.e. just a click on the reload arrow; not a forced reload) is enough to make the browser request and download the updated assets. Calling
to re-generate the assets right after having removed them by
makes no difference - if missing, the assets will be re-generated when the browser requests them anyway. I guess that the reason for the browser using the local cache is that the cache buster value on the HTML doesn't change, not even when one calls the above re-generation function. It looks like an MD5 hash and is equal for the CSS, the core and non-core JS minified assets, as well as other files. (A hash of all together at some point in the past?) It's always, e.g. Is there a way to trigger re-generation of the cache buster value? I can image the plugin doing, e.g.:
So that an up-to-date cache buster value exists whenever the login HTML page gets navigated to without a page reload request by the user. [Note] I don't know though, if a possible value change in between page resource requests would have a impact in general Piwik usage, not related to this plugin - e.g., due to asset absence detection after (de-)activation of a plugin. For example:
==> In case issues may occur on automatic cache buster value generation on asset absence detection, it could be done by the plugin separately on the step 3 above. |
Oops, I was wrong: the CSS asset uses a different cache buster value. But all JS page resources use a common one. And it seems to differ in some places in development mode (probably for instant change take-over, without caching):
So, the CSS minified asset cache buster value seems to be an MD5 checksum of the file content (see Is it possible to change the core and non-core minified JS asset files to content-based MD5 checksums, like with the CSS one? (Or is there a reason for the constant value?) |
I do not really remember the background of this but I think it was for performance. So far the JS files were not supposed to be changed unless a plugin was eg activated / deactivated etc and it was good enough. I wonder if a workaround for now could be to manually load this JavaScript file from JS? Similar to RequireJS does etc. It would not be ideal for sure especially since the file would be requested and loaded only after all other JS is loaded. What we could do, is to use the same cache buster for Do you think you could maybe fix it with the workaround for now? |
Nice plugin BTW 👍 |
That sounds good to me as a long-term solution. No worries, it's not a "show stopper", because the issue doesn't result a silent fail, but I output clear instructions to the user as to what to do (clear browser cache, reload the page): https://github.com/Joey3000/piwik-LoginEncrypted/blob/1.0.1/lang/en.json#L3. And it doesn't happen often - only after new encryption keys generation (on plugin installation or when a super user manually re-generates them, which is not needed often and is actually not needed ever at all - I'm going to add this point to the FAQ). Although then every user will see the issue, no just the one who triggered the key re-generation.
I'll have a look into it.
Thanks! I have to return the compliment. Piwik has been very well prepared for plugins - I see that on every turn (architecture, "how-to"s, examples in the code, etc.) - you guys are doing a great job with that. I myself am a noob with web development, although I have some background in C from a while ago, which helps. |
Thanks for the hint with loading the key JavaScript file from JS! It works flawlessly. (I used the following: https://api.jquery.com/jQuery.getScript/). The file is fetched using an AJAX GET request and jQuery even appends an always changing cache busting parameter by default. So, with that setup, Piwik does the minified JS cache buster update on plugin activation/deactivation (when the static plugin code gets added/removed to/from minified assets), which works (because the currently active plugins, with their names and versions, influence the cache buster value). P.S.: I took the liberty of modifying the issue title, so that it better reflects what is currently known. |
Nice to hear 👍 and thx for changing the title 👍 |
As far as I understand, this shouldn't occur in a standard flow when a final user installs the plugin. When developing a plugin one should use the development mode ( |
I might be missing something I need to trigger in my plugin, but it seems that plugins/Proxy or core/ProxyHttp.php don not detect removal of minified assets.
Test procedure:
Expected results:
Actual results:
2. The removed file dos not get re-generated. Piwik responds with status code 200 (OK), but a zero length body. Browser uses a locally cached copy of the above asset. Following request is can be seen in Firefox developer console:
It is only with a forced reload (Shift + reload on Firefox; whereby clearing browser cache and reloading normally would work as well, I guess) that the removed file gets re-generated in /tmp/assets and served as follows:
Please note the
Pragma: no-cache
andCache-Control: no-cache
in the browser request on the forced reload above.The real world impact is the following: I'm working on a plugin which encrypts user passwords when transmitted from browser to the Piwik server on login, which is useful when no HTTPS is possible. RSA public-key cryptography is used, whereby the public key is placed into a JS file to be served to the browser. I do that, call
to remove /tmp/assets/asset_manager_non_core_js.js, which works fine. The problem is that when a user tries to login after generation of new keys in plugin settings (or after plugin installation, upon which the keys are generated automatically), the decryption (and thus also login) fails, because the browser still uses the old asset containing the old key (or none after new installation).
I do output respective Exception message, prompting a clearing of browser cache and re-loading, which wouldn't be too bad. But what happens on the following successful login is that the user is greeted with another fear inducing WARNINGs and "report this on the Piwik forum" (one warning per failed login attempt) due to the previous Exception on the login. And that warning is not even necessarily related to the currently logged in user - it is shown on a successful login of any user, after failed attempts by any user.
I tried removing all cache:
but that had no effect apart from removing more cached files. Tried triggering re-generation of the asset file:
Which did re-generate /tmp/assets/asset_manager_non_core_js.js, but it still didn't get served.
Shouldn't plugins/Proxy or core/ProxyHttp.php detect absence of a minified asset file, trigger its generation and serve that newly generated file? Or do I miss some trigger I need to call to make that happen?
There doesn't seem to be a way to disable minification per-plugin either. Which could work as a temporary solution, but would not be ideal performance-wise, because my generated JS file changes very rarely - only when the super user decides to generate new keys.
Piwik 2.14.3, PHP 5.5.22, Apache on Debian
The text was updated successfully, but these errors were encountered: