From e7b4cc9a9b86ef7448cb1e487c60eb273be938f4 Mon Sep 17 00:00:00 2001
From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
Date: Fri, 12 Jan 2024 11:47:29 -0800
Subject: [PATCH] auth: prevent caching of sign-in redirect

Add a 'Cache-Control: no-store' header to the sign-in redirect at the start of the authentication flow. This should discourage browsers from caching this redirect.
---
 authorize/check_response.go | 3 ++-
 authorize/check_response_test.go | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/authorize/check_response.go b/authorize/check_response.go
index 2e931a04b..8a0827b6b 100644
--- a/authorize/check_response.go
+++ b/authorize/check_response.go
@@ -208,7 +208,8 @@ func (a *Authorize) requireLoginResponse(
 	}
 
 	return a.deniedResponse(ctx, in, http.StatusFound, "Login", map[string]string{
-		"Location": redirectTo,
+		"Cache-Control": "no-store",
+		"Location": redirectTo,
 	})
 }
 
diff --git a/authorize/check_response_test.go b/authorize/check_response_test.go
index 0e67833c1..83e8a11b0 100644
--- a/authorize/check_response_test.go
+++ b/authorize/check_response_test.go
@@ -266,6 +266,8 @@ func TestRequireLogin(t *testing.T) {
 			&evaluator.Request{})
 		require.NoError(t, err)
 		assert.Equal(t, http.StatusFound, int(res.GetDeniedResponse().GetStatus().GetCode()))
+		testutil.AssertProtoEqual(t, mkHeader("Cache-Control", "no-store"),
+			getDeniedResponseHeader(res, "Cache-Control"))
 	})
 	t.Run("accept html", func(t *testing.T) {
 		res, err := a.requireLoginResponse(context.Background(),
@@ -283,6 +285,8 @@ func TestRequireLogin(t *testing.T) {
 			&evaluator.Request{})
 		require.NoError(t, err)
 		assert.Equal(t, http.StatusFound, int(res.GetDeniedResponse().GetStatus().GetCode()))
+		testutil.AssertProtoEqual(t, mkHeader("Cache-Control", "no-store"),
+			getDeniedResponseHeader(res, "Cache-Control"))
 	})
 	t.Run("accept json", func(t *testing.T) {
 		res, err := a.requireLoginResponse(context.Background(),
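Review bot: The new `"Cache-Control": "no-store"` entry in the header map of requireLoginResponse has no in-code explanation, so the reason it exists lives only in the commit message and is easy to lose on the next edit of this map. A one-line comment above the map literal such as `// no-store: a cached copy of this 302 would replay a stale sign-in URL from a browser or intermediate cache; never serve it from cache.` keeps the intent next to the code. Map iteration order is unspecified in Go, so if deniedResponse emits headers in map order the two headers may appear in either order on the wire — harmless here, but any future test should look headers up by name rather than by position. requireLoginResponse begins outside the hunk.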
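Review bot: The added two-line assertion in the "accept html" region of TestRequireLogin is repeated verbatim in the next hunk (`@@ -283,6 +285,8 @@`), so the expected value is now spelled out in two places that must be kept in sync. A small helper wrapping `testutil.AssertProtoEqual(t, mkHeader("Cache-Control", "no-store"), getDeniedResponseHeader(res, "Cache-Control"))`, called from both subtests, would make a later change to the expected header a single edit. TestRequireLogin starts and ends outside these hunks.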
@@ -300,5 +304,18 @@ func TestRequireLogin(t *testing.T) {
 			&evaluator.Request{})
 		require.NoError(t, err)
 		assert.Equal(t, http.StatusUnauthorized, int(res.GetDeniedResponse().GetStatus().GetCode()))
+		assert.Nil(t, getDeniedResponseHeader(res, "Cache-Control"))
+		assert.Nil(t, getDeniedResponseHeader(res, "Location"))
 	})
 }
+
+func getDeniedResponseHeader(
+	res *envoy_service_auth_v3.CheckResponse, header string,
+) *envoy_config_core_v3.HeaderValueOption {
+	for _, h := range res.GetDeniedResponse().GetHeaders() {
+		if h.GetHeader().GetKey() == header {
+			return h
+		}
+	}
+	return nil
+}
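Review bot: `getDeniedResponseHeader` matches header keys with `==`, so it is case-sensitive and returns only the first match; if the denied response ever carries a lowercase `cache-control` key, or the same header twice, the positive assertions would fail or a duplicate would go unnoticed. If strict casing is intended as part of the check, say so; otherwise `if strings.EqualFold(h.GetHeader().GetKey(), header) {` is the one-line change (assuming `strings` is imported in this test file). The new function also lacks a doc comment; `// getDeniedResponseHeader returns the first header named header on the denied response, or nil if absent.` would do.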