Skip to content

fix(pagecache): pass authenticated non-GraphQL requests in Varnish VCL#40677

Open
lbajsarowicz wants to merge 1 commit intomagento:2.4-developfrom
lbajsarowicz:fix/40673-vcl-auth-pass
Open

fix(pagecache): pass authenticated non-GraphQL requests in Varnish VCL#40677
lbajsarowicz wants to merge 1 commit intomagento:2.4-developfrom
lbajsarowicz:fix/40673-vcl-auth-pass

Conversation

@lbajsarowicz
Copy link
Copy Markdown
Contributor

@lbajsarowicz lbajsarowicz commented Apr 10, 2026

Description

Explicitly pass non-GraphQL requests carrying an Authorization header, reproducing a built-in Varnish safety rule that Magento's unconditional return (hash) bypasses.

Problem

Magento's VCL templates end vcl_recv with an unconditional return (hash). This means Varnish's built-in vcl_recv never runs, including its safety rule that passes requests with Authorization headers.

The existing bypass only covers authenticated GraphQL requests (checking for Bearer token + missing X-Magento-Cache-Id). Non-GraphQL requests with any Authorization header (e.g., REST API with Basic auth, third-party integrations) currently pass through to return (hash) and could be served from cache or pollute the cache with authenticated responses.

Solution

Add an explicit pass rule for non-GraphQL requests with an Authorization header:

if (req.url !~ "/graphql" && req.http.Authorization) {
    return (pass);
}

This preserves the existing GraphQL cache-ID logic while restoring the built-in safety behavior for all other authenticated traffic.

Files Changed

  • app/code/Magento/PageCache/etc/varnish4.vcl
  • app/code/Magento/PageCache/etc/varnish5.vcl
  • app/code/Magento/PageCache/etc/varnish6.vcl
  • app/code/Magento/PageCache/etc/varnish7.vcl

Ref #40673

⭐ Support my work

Do you like the fix? Remember to react with "👍🏻" to get it merged faster,
Then Sponsor me on Github so I can spend more time on fixing issues like this one.

Learn more at https://github.com/sponsors/lbajsarowicz

@m2-assistant
Copy link
Copy Markdown

m2-assistant bot commented Apr 10, 2026

Hi @lbajsarowicz. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:
  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.

For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

@ct-prd-pr-scan
Copy link
Copy Markdown

ct-prd-pr-scan bot commented Apr 10, 2026

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lbajsarowicz