Set cache-control no-cache for private resources

Forces the browser to revalidate the cached item with the server, ensuring you don't pull the wrong records from the browser cache.

Fixes #5175

api/src/middleware/cache.ts

@@ -18,12 +18,17 @@ const checkCacheMiddleware: RequestHandler = asyncHandler(async (req, res, next)
 	const cachedData = await cache.get(key);
 
 	if (cachedData) {
-		// Set cache-control header
-		if (env.CACHE_AUTO_PURGE !== true) {
+		// Set cache-control header, but only for the public role
+		if (env.CACHE_AUTO_PURGE !== true && !!req.accountability?.role === false) {
 			const expiresAt = await cache.get(`${key}__expires_at`);
 			const maxAge = `max-age=${expiresAt - Date.now()}`;
-			const access = !!req.accountability?.role === false ? 'public' : 'private';
-			res.setHeader('Cache-Control', `${access}, ${maxAge}`);
+			res.setHeader('Cache-Control', `public, ${maxAge}`);
+		} else {
+			// This indicates that the browser/proxy is allowed to cache, but has to revalidate with
+			// the server before use. At this point, we don't include Last-Modified, so it'll always
+			// recreate the local cache. This does NOT mean that cache is disabled all together, as
+			// Directus is still pulling the value from it's internal cache.
+			res.setHeader('Cache-Control', 'no-cache');
 		}
 
 		return res.json(cachedData);