apostrophe 3.15.0 → 3.16.0

package/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## 3.16.0 (2022-03-18)
+
+### Adds
+
+* Offers a simple way to set a Cache-Control max-age for Apostrophe page and GET REST API responses for pieces and pages.
+* API keys and bearer tokens "win" over session cookies when both are present. Since API keys and bearer tokens are explicitly added to the request at hand, it never makes sense to ignore them in favor of a cookie, which is implicit. This also simplifies automated testing.
+* `data-apos-test=""` selectors for certain elements frequently selected in QA tests, such as `data-apos-test="adminBar"`.
+* To speed up functional tests, an `insecurePasswords` option has been added to the login module. This option is deliberately named to discourage use for any purpose other than functional tests in which repeated password hashing would unduly limit performance. Normally password hashing is intentionally difficult to slow down brute force attacks, especially if a database is compromised.
+
+### Fixes
+
+* `POST`ing a new child page with `_targetId: '_home'` now works properly in combination with `_position: 'lastChild'`.
+
 ## 3.15.0 (2022-03-02)
 
 ### Adds

package/modules/@apostrophecms/admin-bar/ui/apos/components/TheAposAdminBar.vue

@@ -1,12 +1,12 @@
 <template>
-  <div class="apos-admin-bar-wrapper" :class="themeClass">
+  <div data-apos-test="adminBar" class="apos-admin-bar-wrapper" :class="themeClass">
     <div class="apos-admin-bar-spacer" ref="spacer" />
     <nav class="apos-admin-bar" ref="adminBar">
       <div class="apos-admin-bar__row">
         <AposLogoPadless class="apos-admin-bar__logo" />
         <TheAposAdminBarMenu :items="items" />
         <TheAposAdminBarLocale v-if="hasLocales()" />
-        <TheAposAdminBarUser class="apos-admin-bar__user" />
+        <TheAposAdminBarUser data-apos-test="authenticatedUserMenuTrigger" class="apos-admin-bar__user" />
       </div>
       <TheAposContextBar @mounted="setSpacer" />
     </nav>

package/modules/@apostrophecms/admin-bar/ui/src/index.js

@@ -0,0 +1,26 @@
+/**
+ * If the page delivers a logged-out content but we know from session storage that a user is logged-in,
+ * we force-refresh the page to bypass the cache, in order to get the logged-in content (with admin UI).
+ */
+export default function() {
+  const isLoggedOutPageContent = !(apos.login && apos.login.user);
+  const isLoggedInCookie = apos.util.getCookie(`${self.apos.shortName}.loggedIn`) === 'true';
+
+  if (!isLoggedOutPageContent || !isLoggedInCookie) {
+    sessionStorage.setItem('aposRefreshedPages', '{}');
+
+    return;
+  }
+
+  const refreshedPages = JSON.parse(sessionStorage.aposRefreshedPages || '{}');
+
+  // Avoid potential refresh loops
+  if (!refreshedPages[location.href]) {
+    refreshedPages[location.href] = true;
+    sessionStorage.setItem('aposRefreshedPages', JSON.stringify(refreshedPages));
+
+    console.info('Received logged-out content from cache while logged-in, refreshing the page');
+
+    location.reload();
+  }
+};

package/modules/@apostrophecms/login/index.js

@@ -45,6 +45,7 @@ const cuid = require('cuid');
 const expressSession = require('express-session');
 
 const loginAttemptsNamespace = '@apostrophecms/loginAttempt';
+const loggedInCookieName = 'loggedIn';
 
 module.exports = {
   cascades: [ 'requirements' ],
@@ -151,6 +152,9 @@ module.exports = {
             expireCookie.expires = new Date(0);
             const name = self.apos.modules['@apostrophecms/express'].sessionOptions.name;
             req.res.header('set-cookie', expireCookie.serialize(name, 'deleted'));
+
+            // TODO: get cookie name from config
+            req.res.cookie(`${self.apos.shortName}.${loggedInCookieName}`, 'false');
           }
         },
         // invokes the `props(req, user)` function for the requirement specified by
@@ -789,7 +793,12 @@ module.exports = {
       },
       passportSession: {
         before: '@apostrophecms/i18n',
-        middleware: self.passport.session()
+        middleware: (() => {
+          // Wrap the passport middleware so that if the apikey or bearer token
+          // middleware already supplied req.user, that wins (explicit wins over implicit)
+          const passportSession = self.passport.session();
+          return (req, res, next) => req.user ? next() : passportSession(req, res, next);
+        })()
       },
       honorLoginInvalidBefore: {
         before: '@apostrophecms/i18n',
@@ -812,6 +821,17 @@ module.exports = {
             return next();
           }
         }
+      },
+      addLoggedInCookie: {
+        before: '@apostrophecms/i18n',
+        middleware(req, res, next) {
+          // TODO: get cookie name from config
+          const cookieName = `${self.apos.shortName}.${loggedInCookieName}`;
+          if (req.user && req.cookies[cookieName] !== 'true') {
+            res.cookie(cookieName, 'true');
+          }
+          return next();
+        }
       }
     };
   }

package/modules/@apostrophecms/login/ui/apos/components/TheAposLogin.vue

@@ -2,6 +2,7 @@
   <transition name="fade-stage">
     <div
       class="apos-login apos-theme-dark"
+      data-apos-test="loginForm"
       v-show="loaded"
       :class="themeClass"
     >
@@ -35,6 +36,7 @@
                 <!-- TODO -->
                 <!-- <a href="#" class="apos-login__link">Forgot Password</a> -->
                 <AposButton
+                  data-apos-test="loginSubmit"
                   :busy="busy"
                   :disabled="disabled"
                   type="primary"

package/modules/@apostrophecms/module/index.js

@@ -177,6 +177,11 @@ module.exports = {
           return async function(req, res) {
             try {
               const result = await fn(req);
+
+              if (req.method === 'GET' && req.user) {
+                res.header('Cache-Control', 'no-store');
+              }
+
               res.status(200);
               res.send(result);
             } catch (err) {
@@ -446,6 +451,27 @@ module.exports = {
         );
       },
 
+      setMaxAge(req, maxAge) {
+        if (typeof maxAge !== 'number') {
+          self.apos.util.warnDev(`"maxAge" property must be defined as a number in the "${self.__meta.name}" module's cache options"`);
+          return;
+        }
+
+        // A cookie in session doesn't mean we can't cache, nor an empty flash or passport object.
+        // Other session properties must be assumed to be specific to the user, with a possible
+        // impact on the response, and thus mean this request must not be cached.
+        // Same rule as in [express-cache-on-demand](https://github.com/apostrophecms/express-cache-on-demand/blob/master/index.js#L102)
+        const isSessionClearForCaching = Object.entries(req.session).every(([ key, val ]) =>
+          key === 'cookie' || (
+            (key === 'flash' || key === 'passport') && _.isEmpty(val)
+          )
+        );
+        const isSafeToCache = !req.user && isSessionClearForCaching;
+        const cacheControlValue = isSafeToCache ? `max-age=${maxAge}` : 'no-store';
+
+        req.res.header('Cache-Control', cacheControlValue);
+      },
+
       // Call from init once if this module implements the `getBrowserData` method.
       // The data returned by `getBrowserData(req)` will then be available on
       // `apos.modules['your-module-name']` in the browser.

package/modules/@apostrophecms/page/index.js

@@ -119,6 +119,10 @@ module.exports = {
               project: self.getAllProjection()
             }).toObject();
 
+            if (self.options.cache && self.options.cache.api) {
+              self.setMaxAge(req, self.options.cache.api.maxAge);
+            }
+
             if (!page) {
               throw self.apos.error('notfound');
             }
@@ -137,6 +141,11 @@ module.exports = {
             }
           } else {
             const result = await self.getRestQuery(req).and({ level: 0 }).toObject();
+
+            if (self.options.cache && self.options.cache.api) {
+              self.setMaxAge(req, self.options.cache.api.maxAge);
+            }
+
             if (!result) {
               throw self.apos.error('notfound');
             }
@@ -168,6 +177,11 @@ module.exports = {
           self.publicApiCheck(req);
           const criteria = self.getIdCriteria(_id);
           const result = await self.getRestQuery(req).and(criteria).toObject();
+
+          if (self.options.cache && self.options.cache.api) {
+            self.setMaxAge(req, self.options.cache.api.maxAge);
+          }
+
           if (!result) {
             throw self.apos.error('notfound');
           }
@@ -220,7 +234,7 @@ module.exports = {
         }
 
         return self.withLock(req, async () => {
-          const targetPage = await self.findForEditing(req, targetId ? { _id: targetId } : { level: 0 }).ancestors(true).permission('edit').toObject();
+          const targetPage = await self.findForEditing(req, targetId ? self.getIdCriteria(targetId) : { level: 0 }).ancestors(true).permission('edit').toObject();
           if (!targetPage) {
             throw self.apos.error('notfound');
           }
@@ -1415,6 +1429,10 @@ database.`);
         await self.emit('serveQuery', query);
         req.data.bestPage = await query.toObject();
         self.evaluatePageMatch(req);
+
+        if (self.options.cache && self.options.cache.page) {
+          self.setMaxAge(req, self.options.cache.page.maxAge);
+        }
       },
       // Normalize req.slug to account for unneeded trailing whitespace,
       // trailing slashes other than the root, and double slash based open

package/modules/@apostrophecms/piece-type/index.js

@@ -200,6 +200,11 @@ module.exports = {
           if (query.get('countsResults')) {
             result.counts = query.get('countsResults');
           }
+
+          if (self.options.cache && self.options.cache.api) {
+            self.setMaxAge(req, self.options.cache.api.maxAge);
+          }
+
           return result;
         }
       ],
@@ -209,6 +214,11 @@ module.exports = {
           _id = self.inferIdLocaleAndMode(req, _id);
           self.publicApiCheck(req);
           const doc = await self.getRestQuery(req).and({ _id }).toObject();
+
+          if (self.options.cache && self.options.cache.api) {
+            self.setMaxAge(req, self.options.cache.api.maxAge);
+          }
+
           if (!doc) {
             throw self.apos.error('notfound');
           }

package/modules/@apostrophecms/task/index.js

@@ -193,6 +193,12 @@ module.exports = {
           res: {
             redirect(url) {
               req.res.redirectedTo = url;
+            },
+            header(key, value) {
+              req.res.headers = {
+                ...(req.res.headers || {}),
+                [key]: value
+              };
             }
           },
           t(key, options = {}) {

package/modules/@apostrophecms/template/index.js

@@ -643,6 +643,7 @@ module.exports = {
           modules: {},
           prefix: req.prefix,
           sitePrefix: self.apos.prefix,
+          shortName: self.apos.shortName,
           locale: req.locale,
           csrfCookieName: self.apos.csrfCookieName,
           tabId: self.apos.util.generateId(),

package/modules/@apostrophecms/ui/ui/apos/components/AposContextMenu.vue

@@ -16,6 +16,7 @@
       <!-- TODO refactor buttons to take a single config obj -->
       <AposButton
         class="apos-context-menu__btn"
+        data-apos-test="contextMenuTrigger"
         @click.stop="buttonClicked($event)"
         v-bind="button"
         :state="buttonState"

package/modules/@apostrophecms/ui/ui/apos/components/AposContextMenuDialog.vue

@@ -19,6 +19,7 @@
           <AposContextMenuItem
             v-for="item in menu"
             :key="item.action"
+            :data-apos-test-context-menu-item="item.action"
             :menu-item="item"
             @clicked="menuItemClicked"
             :open="isOpen"

package/modules/@apostrophecms/user/index.js

@@ -432,7 +432,12 @@ module.exports = {
 
       // Initialize the [credential](https://npmjs.org/package/credential) module.
       initializeCredential() {
-        self.pw = credential();
+        self.pw = credential({
+          // For efficient unit tests only. Reducing the work factor
+          // for actual credentials increases the speed of brute force attacks
+          // if the database is ever compromised
+          work: self.options.insecurePasswords ? 0.01 : 1
+        });
       },
 
       // Implement the `@apostrophecms/user:add` command line task.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "3.15.0",
+  "version": "3.16.0",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "scripts": {

package/test/login.js

@@ -15,7 +15,18 @@ describe('Login', function() {
 
   it('should initialize', async function() {
     apos = await t.create({
-      root: module
+      root: module,
+      modules: {
+        '@apostrophecms/express': {
+          options: {
+            apiKeys: {
+              adminApiKey: {
+                role: 'admin'
+              }
+            }
+          }
+        }
+      }
     });
 
     assert(apos.modules['@apostrophecms/login']);
@@ -39,6 +50,14 @@ describe('Login', function() {
     assert(apos.user.insert);
     const doc = await apos.user.insert(apos.task.getReq(), user);
     assert(doc._id);
+
+    const user2 = apos.user.newInstance();
+    user2.title = 'Bob Smith';
+    user2.username = 'BobSmith';
+    user2.password = 'bobsmith';
+    user2.email = 'bobsmith@aol.com';
+    user2.role = 'guest';
+    await apos.user.insert(apos.task.getReq(), user2);
   });
 
   it('should throttle login attempts and show a proper error when the limit is reached', async function () {
@@ -84,6 +103,8 @@ describe('Login', function() {
   });
 
   it('should be able to login a user with their username', async function() {
+    const getLoggedInCookieValue =
+      jar => jar.toJSON().cookies.find(cookie => cookie.key === `${apos.options.shortName}.loggedIn`).value;
 
     const jar = apos.http.jar();
 
@@ -118,6 +139,8 @@ describe('Login', function() {
     );
 
     assert(page.match(/logged in/));
+    assert(page.match(/Harry Putter/));
+    assert(getLoggedInCookieValue(jar) === 'true');
 
     // otherwise logins are not remembered in a session
     await apos.http.post(
@@ -141,6 +164,7 @@ describe('Login', function() {
 
     // are we back to being able to log in?
     assert(page.match(/logged out/));
+    assert(getLoggedInCookieValue(jar) === 'false');
   });
 
   it('should be able to login a user with their email', async function() {
@@ -386,4 +410,41 @@ describe('Login', function() {
 
   });
 
+  it('api key should beat session when both are present', async function() {
+    const jar = apos.http.jar();
+    await apos.http.post(
+      '/api/v1/@apostrophecms/login/login',
+      {
+        method: 'POST',
+        body: {
+          username: 'BobSmith',
+          password: 'bobsmith',
+          session: true
+        },
+        jar
+      }
+    );
+
+    const page = await apos.http.get(
+      '/',
+      {
+        jar
+      }
+    );
+    assert(page.match(/logged in/));
+    assert(page.match(/Bob Smith/));
+
+    const page2 = await apos.http.get(
+      '/',
+      {
+        jar,
+        headers: {
+          Authorization: 'ApiKey adminApiKey'
+        }
+      }
+    );
+    assert(page2.match(/logged in/));
+    assert(!page2.match(/Bob Smith/));
+    assert(page2.match(/System Task/));
+  });
 });

package/test/modules/@apostrophecms/home-page/views/page.html

@@ -2,7 +2,7 @@
 <h4>Home Page Template</h4>
 {# This is necessary to the login.js tests. -Tom #}
 {% if data.user %}
-  logged in
+  logged in as {{ data.user.title }}
 {% else %}
   logged out
 {% endif %}

package/test/modules/@apostrophecms/user/index.js

@@ -0,0 +1,7 @@
+module.exports = {
+  options: {
+    // Accelerates unit tests while still testing all the same
+    // functionality. Unsafe for other uses
+    insecurePasswords: true
+  }
+};

package/test/pages-public-api.js

@@ -68,4 +68,37 @@ describe('Pages Public API', function() {
     // But projection did apply
     assert(!home.searchSummary);
   });
+
+  it('should not set a "max-age" cache-control value when retrieving pages, when cache option is not set, with a public API projection', async () => {
+    apos.page.options.publicApiProjection = {
+      title: 1,
+      _url: 1
+    };
+
+    const response1 = await apos.http.get('/api/v1/@apostrophecms/page', { fullResponse: true });
+    const response2 = await apos.http.get(`/api/v1/@apostrophecms/page/${response1.body._id}`, { fullResponse: true });
+
+    assert(response1.headers['cache-control'] === undefined);
+    assert(response2.headers['cache-control'] === undefined);
+  });
+
+  it('should set a "max-age" cache-control value when retrieving pages, with a public API projection', async () => {
+    apos.page.options.publicApiProjection = {
+      title: 1,
+      _url: 1
+    };
+    apos.page.options.cache = {
+      api: {
+        maxAge: 1111
+      }
+    };
+
+    const response1 = await apos.http.get('/api/v1/@apostrophecms/page', { fullResponse: true });
+    const response2 = await apos.http.get(`/api/v1/@apostrophecms/page/${response1.body._id}`, { fullResponse: true });
+
+    assert(response1.headers['cache-control'] === 'max-age=1111');
+    assert(response2.headers['cache-control'] === 'max-age=1111');
+
+    delete apos.page.options.cache;
+  });
 });

package/test/pages-rest.js

@@ -282,6 +282,15 @@ describe('Pages REST', function() {
     assert(draftItems.result.ok === 1);
     assert(draftItems.insertedCount === 7);
 
+    // Change the rank of the archive pages to preserve the constraint that it comes last
+    await apos.doc.db.updateMany({
+      type: '@apostrophecms/archive-page'
+    }, {
+      $set: {
+        rank: 3
+      }
+    });
+
     const items = await apos.doc.db.insertMany(testItems);
 
     assert(items.result.ok === 1);
@@ -430,7 +439,7 @@ describe('Pages REST', function() {
     // Is the rank correct?
     const home = await apos.http.get('/api/v1/@apostrophecms/page', {});
     assert(home._children);
-    assert(home._children[3]._id === 'cousin:en:published');
+    assert(home._children[1]._id === 'cousin:en:published');
   });
 
   it('is able to move root/cousin before root/parent/child', async function() {
@@ -587,6 +596,33 @@ describe('Pages REST', function() {
     assert.strictEqual(page.path, `${homeId.replace(':en:published', '')}/another-parent/parent/sibling`);
   });
 
+  it('is able to make a subpage of the homepage at the last index with _position: lastChild', async function() {
+    const body = {
+      slug: '/third-new',
+      visibility: 'public',
+      type: 'test-page',
+      title: 'Third New',
+      _targetId: '_home',
+      _position: 'lastChild'
+    };
+
+    const page = await apos.http.post('/api/v1/@apostrophecms/page', {
+      body,
+      jar
+    });
+
+    assert(page);
+    assert(page.title === 'Third New');
+    // Is the path generally correct?
+    assert.strictEqual(page.path, `${homeId.replace(':en:published', '')}/${page._id.replace(':en:published', '')}`);
+    const home = await apos.http.get('/api/v1/@apostrophecms/page?children=1', {
+      jar
+    });
+    assert(home);
+    assert(home._children);
+    assert(home._children[3]._id === page._id);
+  });
+
   it('can use PUT to modify a page', async function() {
     const page = await apos.http.get('/api/v1/@apostrophecms/page/sibling:en:published', { jar });
     assert(page);

package/test/pages.js

@@ -4,6 +4,7 @@ const _ = require('lodash');
 
 let apos;
 let homeId;
+const apiKey = 'this is a test api key';
 
 describe('Pages', function() {
 
@@ -19,6 +20,15 @@ describe('Pages', function() {
     apos = await t.create({
       root: module,
       modules: {
+        '@apostrophecms/express': {
+          options: {
+            apiKeys: {
+              [apiKey]: {
+                role: 'admin'
+              }
+            }
+          }
+        },
         '@apostrophecms/page': {
           options: {
             park: [],
@@ -31,7 +41,11 @@ describe('Pages', function() {
                 name: 'test-page',
                 label: 'Test Page'
               }
-            ]
+            ],
+            publicApiProjection: {
+              title: 1,
+              _url: 1
+            }
           }
         },
         'test-page': {
@@ -481,4 +495,166 @@ describe('Pages', function() {
     }
   });
 
+  it('should not set a cache-control value when retrieving pages, when cache option is not set', async () => {
+    const response1 = await apos.http.get('/api/v1/@apostrophecms/page', { fullResponse: true });
+    const response2 = await apos.http.get(`/api/v1/@apostrophecms/page/${homeId}`, { fullResponse: true });
+
+    assert(response1.headers['cache-control'] === undefined);
+    assert(response2.headers['cache-control'] === undefined);
+  });
+
+  it('should not set a cache-control value when retrieving pages, when "api" cache option is not set', async () => {
+    apos.page.options.cache = {
+      page: {
+        maxAge: 5555
+      }
+    };
+
+    const response1 = await apos.http.get('/api/v1/@apostrophecms/page', { fullResponse: true });
+    const response2 = await apos.http.get(`/api/v1/@apostrophecms/page/${homeId}`, { fullResponse: true });
+
+    assert(response1.headers['cache-control'] === undefined);
+    assert(response2.headers['cache-control'] === undefined);
+
+    delete apos.page.options.cache;
+  });
+
+  it('should set a "max-age" cache-control value when retrieving pieces, when "api" cache option is set', async () => {
+    apos.page.options.cache = {
+      api: {
+        maxAge: 4444
+      }
+    };
+
+    const response1 = await apos.http.get('/api/v1/@apostrophecms/page', { fullResponse: true });
+    const response2 = await apos.http.get(`/api/v1/@apostrophecms/page/${homeId}`, { fullResponse: true });
+
+    assert(response1.headers['cache-control'] === 'max-age=4444');
+    assert(response2.headers['cache-control'] === 'max-age=4444');
+
+    delete apos.page.options.cache;
+  });
+
+  it('should set a "no-store" cache-control value when retrieving pages, when user is connected', async () => {
+    const jar = apos.http.jar();
+    const user = apos.user.newInstance();
+
+    user.title = 'admin';
+    user.username = 'admin';
+    user.password = 'admin';
+    user.email = 'ad@min.com';
+    user.role = 'admin';
+
+    await apos.user.insert(apos.task.getReq(), user);
+    await apos.http.post('/api/v1/@apostrophecms/login/login', {
+      body: {
+        username: 'admin',
+        password: 'admin',
+        session: true
+      },
+      jar
+    });
+
+    const response1 = await apos.http.get('/api/v1/@apostrophecms/page', {
+      fullResponse: true,
+      jar
+    });
+    const response2 = await apos.http.get(`/api/v1/@apostrophecms/page/${homeId}`, {
+      fullResponse: true,
+      jar
+    });
+
+    assert(response1.headers['cache-control'] === 'no-store');
+    assert(response2.headers['cache-control'] === 'no-store');
+  });
+
+  it('should set a "no-store" cache-control value when retrieving pages, when "api" cache option is set, when user is connected', async () => {
+    apos.page.options.cache = {
+      api: {
+        maxAge: 4444
+      }
+    };
+
+    const jar = apos.http.jar();
+
+    await apos.http.post('/api/v1/@apostrophecms/login/login', {
+      body: {
+        username: 'admin',
+        password: 'admin',
+        session: true
+      },
+      jar
+    });
+
+    const response1 = await apos.http.get('/api/v1/@apostrophecms/page', {
+      fullResponse: true,
+      jar
+    });
+    const response2 = await apos.http.get(`/api/v1/@apostrophecms/page/${homeId}`, {
+      fullResponse: true,
+      jar
+    });
+
+    assert(response1.headers['cache-control'] === 'no-store');
+    assert(response2.headers['cache-control'] === 'no-store');
+
+    delete apos.page.options.cache;
+  });
+
+  it('should set a "no-store" cache-control value when retrieving pages, when user is connected using an api key', async () => {
+    const response1 = await apos.http.get(`/api/v1/@apostrophecms/page?apiKey=${apiKey}`, { fullResponse: true });
+    const response2 = await apos.http.get(`/api/v1/@apostrophecms/page/${homeId}?apiKey=${apiKey}`, { fullResponse: true });
+
+    assert(response1.headers['cache-control'] === 'no-store');
+    assert(response2.headers['cache-control'] === 'no-store');
+  });
+
+  it('should set a "no-store" cache-control value when retrieving pages, when "api" cache option is set, when user is connected using an api key', async () => {
+    apos.page.options.cache = {
+      api: {
+        maxAge: 4444
+      }
+    };
+
+    const response1 = await apos.http.get(`/api/v1/@apostrophecms/page?apiKey=${apiKey}`, { fullResponse: true });
+    const response2 = await apos.http.get(`/api/v1/@apostrophecms/page/${homeId}?apiKey=${apiKey}`, { fullResponse: true });
+
+    assert(response1.headers['cache-control'] === 'no-store');
+    assert(response2.headers['cache-control'] === 'no-store');
+
+    delete apos.page.options.cache;
+  });
+
+  it('should not set a cache-control value when serving a page, when cache option is not set', async () => {
+    const response = await apos.http.get('/', { fullResponse: true });
+
+    assert(response.headers['cache-control'] === undefined);
+  });
+
+  it('should not set a cache-control value when serving a page, when "page" cache option is not set', async () => {
+    apos.page.options.cache = {
+      api: {
+        maxAge: 4444
+      }
+    };
+    const response = await apos.http.get('/', { fullResponse: true });
+
+    assert(response.headers['cache-control'] === undefined);
+
+    delete apos.page.options.cache;
+  });
+
+  it('should set a cache-control value when serving a page, when "page" cache option is set', async () => {
+    apos.page.options.cache = {
+      page: {
+        maxAge: 5555
+      }
+    };
+    const response = await apos.http.get('/', { fullResponse: true });
+
+    assert(response.headers['cache-control'] === 'max-age=5555');
+
+    delete apos.page.options.cache;
+  });
+
 });

package/test/pieces-public-api.js

@@ -78,4 +78,37 @@ describe('Pieces Public API', function() {
     assert(!response.results[0].foo);
   });
 
+  it('should not set a "max-age" cache-control value when retrieving pieces, when cache option is not set, with a public API projection', async () => {
+    apos.thing.options.publicApiProjection = {
+      title: 1,
+      _url: 1
+    };
+
+    const response1 = await apos.http.get('/api/v1/thing', { fullResponse: true });
+    const response2 = await apos.http.get('/api/v1/thing/testThing:en:published', { fullResponse: true });
+
+    assert(response1.headers['cache-control'] === undefined);
+    assert(response2.headers['cache-control'] === undefined);
+  });
+
+  it('should set a "max-age" cache-control value when retrieving pieces, with a public API projection', async () => {
+    apos.thing.options.publicApiProjection = {
+      title: 1,
+      _url: 1
+    };
+    apos.thing.options.cache = {
+      api: {
+        maxAge: 2222
+      }
+    };
+
+    const response1 = await apos.http.get('/api/v1/thing', { fullResponse: true });
+    const response2 = await apos.http.get('/api/v1/thing/testThing:en:published', { fullResponse: true });
+
+    assert(response1.headers['cache-control'] === 'max-age=2222');
+    assert(response2.headers['cache-control'] === 'max-age=2222');
+
+    delete apos.thing.options.cache;
+  });
+
 });

package/test/pieces.js

@@ -1280,4 +1280,122 @@ describe('Pieces', function() {
     assert(existingPiece.title === 'new product name');
     assert(existingPiece.color === 'red');
   });
+
+  it('should not set a cache-control value when retrieving pieces, when cache option is not set', async () => {
+    const response1 = await apos.http.get('/api/v1/thing', { fullResponse: true });
+    const response2 = await apos.http.get('/api/v1/thing/testThing:en:published', { fullResponse: true });
+
+    assert(response1.headers['cache-control'] === undefined);
+    assert(response2.headers['cache-control'] === undefined);
+  });
+
+  it('should not set a cache-control value when retrieving pieces, when "api" cache option is not set', async () => {
+    apos.thing.options.cache = {
+      page: {
+        maxAge: 5555
+      }
+    };
+
+    const response1 = await apos.http.get('/api/v1/thing', { fullResponse: true });
+    const response2 = await apos.http.get('/api/v1/thing/testThing:en:published', { fullResponse: true });
+
+    assert(response1.headers['cache-control'] === undefined);
+    assert(response2.headers['cache-control'] === undefined);
+
+    delete apos.thing.options.cache;
+  });
+
+  it('should set a "max-age" cache-control value when retrieving pieces, when "api" cache option is set', async () => {
+    apos.thing.options.cache = {
+      api: {
+        maxAge: 3333
+      }
+    };
+
+    const response1 = await apos.http.get('/api/v1/thing', { fullResponse: true });
+    const response2 = await apos.http.get('/api/v1/thing/testThing:en:published', { fullResponse: true });
+
+    assert(response1.headers['cache-control'] === 'max-age=3333');
+    assert(response2.headers['cache-control'] === 'max-age=3333');
+
+    delete apos.thing.options.cache;
+  });
+
+  it('should set a "no-store" cache-control value when retrieving pieces, when user is connected', async () => {
+    await apos.http.post('/api/v1/@apostrophecms/login/login', {
+      body: {
+        username: 'admin',
+        password: 'admin',
+        session: true
+      },
+      jar
+    });
+
+    const response1 = await apos.http.get('/api/v1/thing', {
+      fullResponse: true,
+      jar
+    });
+    const response2 = await apos.http.get('/api/v1/thing/testThing:en:published', {
+      fullResponse: true,
+      jar
+    });
+
+    assert(response1.headers['cache-control'] === 'no-store');
+    assert(response2.headers['cache-control'] === 'no-store');
+  });
+
+  it('should set a "no-store" cache-control value when retrieving pieces, when "api" cache option is set, when user is connected', async () => {
+    apos.thing.options.cache = {
+      api: {
+        maxAge: 3333
+      }
+    };
+
+    await apos.http.post('/api/v1/@apostrophecms/login/login', {
+      body: {
+        username: 'admin',
+        password: 'admin',
+        session: true
+      },
+      jar
+    });
+
+    const response1 = await apos.http.get('/api/v1/thing', {
+      fullResponse: true,
+      jar
+    });
+    const response2 = await apos.http.get('/api/v1/thing/testThing:en:published', {
+      fullResponse: true,
+      jar
+    });
+
+    assert(response1.headers['cache-control'] === 'no-store');
+    assert(response2.headers['cache-control'] === 'no-store');
+
+    delete apos.thing.options.cache;
+  });
+
+  it('should set a "no-store" cache-control value when retrieving pieces, when user is connected using an api key', async () => {
+    const response1 = await apos.http.get(`/api/v1/thing?apiKey=${apiKey}`, { fullResponse: true });
+    const response2 = await apos.http.get(`/api/v1/thing/testThing:en:published?apiKey=${apiKey}`, { fullResponse: true });
+
+    assert(response1.headers['cache-control'] === 'no-store');
+    assert(response2.headers['cache-control'] === 'no-store');
+  });
+
+  it('should set a "no-store" cache-control value when retrieving pieces, when "api" cache option is set, when user is connected using an api key', async () => {
+    apos.thing.options.cache = {
+      api: {
+        maxAge: 3333
+      }
+    };
+
+    const response1 = await apos.http.get(`/api/v1/thing?apiKey=${apiKey}`, { fullResponse: true });
+    const response2 = await apos.http.get(`/api/v1/thing/testThing:en:published?apiKey=${apiKey}`, { fullResponse: true });
+
+    assert(response1.headers['cache-control'] === 'no-store');
+    assert(response2.headers['cache-control'] === 'no-store');
+
+    delete apos.thing.options.cache;
+  });
 });

package/test/templates.js

@@ -115,6 +115,7 @@ describe('Templates', function() {
     assert($body.length);
     const aposData = JSON.parse($body.attr('data-apos'));
     assert(aposData);
+    assert(aposData.shortName);
     assert(aposData.csrfCookieName);
     assert(!aposData.modules['@apostrophecms/admin-bar']);
     assert(result.indexOf('<title>I am the title</title>') !== -1);
@@ -129,6 +130,7 @@ describe('Templates', function() {
     assert($body.length);
     const aposData = JSON.parse($body.attr('data-apos'));
     assert(aposData);
+    assert(aposData.shortName);
     assert(aposData.modules['@apostrophecms/admin-bar'].items.length);
     assert(result.indexOf('<title>I am the title</title>') !== -1);
     assert(result.indexOf('<h2>I am the main content</h2>') !== -1);