3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-04 10:28:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

auth: prevent caching of sign-in redirect

Browse source 
Add a 'Cache-Control: no-store' header to the sign-in redirect at the
start of the authentication flow. This should discourage browsers from
caching this redirect.
This commit is contained in:
Kenneth Jenkins 2024-01-12 11:47:29 -08:00
parent 5e0079c649
commit e7b4cc9a9b
2 changed files with 19 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
authorize/check_response.go
View file

@ -208,7 +208,8 @@ func (a *Authorize) requireLoginResponse(
}
return a.deniedResponse(ctx, in, http.StatusFound, "Login", map[string]string{
"Location": redirectTo,
"Cache-Control": "no-store",
"Location": redirectTo,
})
}

17
authorize/check_response_test.go
View file

@ -266,6 +266,8 @@ func TestRequireLogin(t *testing.T) {
&evaluator.Request{})
require.NoError(t, err)
assert.Equal(t, http.StatusFound, int(res.GetDeniedResponse().GetStatus().GetCode()))
testutil.AssertProtoEqual(t, mkHeader("Cache-Control", "no-store"),
getDeniedResponseHeader(res, "Cache-Control"))
})
t.Run("accept html", func(t *testing.T) {
res, err := a.requireLoginResponse(context.Background(),
@ -283,6 +285,8 @@ func TestRequireLogin(t *testing.T) {
&evaluator.Request{})
require.NoError(t, err)
assert.Equal(t, http.StatusFound, int(res.GetDeniedResponse().GetStatus().GetCode()))
testutil.AssertProtoEqual(t, mkHeader("Cache-Control", "no-store"),
getDeniedResponseHeader(res, "Cache-Control"))
})
t.Run("accept json", func(t *testing.T) {
res, err := a.requireLoginResponse(context.Background(),
@ -300,5 +304,18 @@ func TestRequireLogin(t *testing.T) {
&evaluator.Request{})
require.NoError(t, err)
assert.Equal(t, http.StatusUnauthorized, int(res.GetDeniedResponse().GetStatus().GetCode()))
assert.Nil(t, getDeniedResponseHeader(res, "Cache-Control"))
assert.Nil(t, getDeniedResponseHeader(res, "Location"))
})
}
func getDeniedResponseHeader(
res *envoy_service_auth_v3.CheckResponse, header string,
) *envoy_config_core_v3.HeaderValueOption {
for _, h := range res.GetDeniedResponse().GetHeaders() {
if h.GetHeader().GetKey() == header {
return h
}
}
return nil
}