Fix uncacheable 404s on /info/:gem_name causing bot-driven 503s (#6382)

* Don't provide a CSP none on API endpoints & cache compact index 404s in Fastly

* Add todo to remove skip session in api controller

* Update app/controllers/api/compact_index_controller.rb

Co-authored-by: Jenny Shen <42748004+jenshenny@users.noreply.github.com>

* Add `info/<gem_name>` surrogate key

* Set action_name in the surrogate key

---------

Co-authored-by: Jenny Shen <42748004+jenshenny@users.noreply.github.com>

Author: colby-swandale

app/controllers/api/base_controller.rb

@@ -1,8 +1,10 @@
 # frozen_string_literal: true
 
 class Api::BaseController < ApplicationController
+  content_security_policy false
+
   skip_before_action :verify_authenticity_token
-  after_action :skip_session
+  after_action :skip_session # TODO: verify if this is still needed now that CSP is disabled for API controllers
 
   rescue_from(Pundit::NotAuthorizedError) do |e|
     render_forbidden(e.policy.error)

app/controllers/api/compact_index_controller.rb

@@ -29,6 +29,14 @@ def info
 
   private
 
+  def find_rubygem_by_name
+    super
+    return if @rubygem
+
+    cache_expiry_headers(fastly_expiry: 600)
+    set_surrogate_key "#{action_name}/404 #{action_name}/#{gem_name}"
+  end
+
   def render_range(response_body)
     headers["ETag"] = %("#{Digest::MD5.hexdigest(response_body)}")
     digest = Digest::SHA256.base64digest(response_body)

test/integration/api/compact_index_test.rb

@@ -210,6 +210,11 @@ def digest(body)
 
     assert_response :not_found
     assert_nil @response.headers["ETag"]
+    assert_nil @response.headers["Set-Cookie"], "Expected no Set-Cookie on /info 404"
+    assert_includes @response.headers["Cache-Control"], "public"
+    assert_match(/max-age=60/, @response.headers["Cache-Control"])
+    assert_match(/max-age=600/, @response.headers["Surrogate-Control"])
+    assert_equal "info/404 info/donotexist", @response.headers["Surrogate-Key"]
   end
 
   test "/info with gzip" do