Merge pull request #1948 from flant/add-cache-headers

Add Cache-control headers to token responses
Márk Sági-Kazár 2021-01-23 14:13:51 +01:00 committed by GitHub
commit 186a719ecb
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 24 additions and 0 deletions


@ -140,6 +140,10 @@ func (s *Server) handleDeviceCode(w http.ResponseWriter, r *http.Request) {
PollInterval: pollIntervalSeconds,
}
// Device Authorization Response can contain cache control header according to
// https://tools.ietf.org/html/rfc8628#section-3.2
w.Header().Set("Cache-Control", "no-store")
enc := json.NewEncoder(w)
enc.SetEscapeHTML(false)
enc.SetIndent("", " ")
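Review bot: The added comment above `w.Header().Set("Cache-Control", "no-store")` says the response "can contain" the header but not why this handler needs it. The JSON body encoded just below presumably carries the device and user codes defined by RFC 8628, and those should not be retained by any cache. A comment such as `// The response carries device_code and user_code; no-store keeps it out of shared and browser caches (RFC 8628 section 3.2).` would record that. writeAccessToken in this same commit also sends `Pragma: no-cache`, so adding `w.Header().Set("Pragma", "no-cache")` here would keep the two handlers consistent for HTTP/1.0 caches. handleDeviceCode starts and ends outside the hunk, so its other return paths cannot be judged from here.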


@ -1476,6 +1476,10 @@ func (s *Server) writeAccessToken(w http.ResponseWriter, resp *accessTokenRespon
}
w.Header().Set("Content-Type", "application/json")
w.Header().Set("Content-Length", strconv.Itoa(len(data)))
// Token response must include cache headers https://tools.ietf.org/html/rfc6749#section-5.1
w.Header().Set("Cache-Control", "no-store")
w.Header().Set("Pragma", "no-cache")
w.Write(data)
}
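Review bot: The new `Cache-Control` and `Pragma` headers are set only inside writeAccessToken, while RFC 6749 section 5.1 requires them on any response containing tokens, credentials, or other sensitive information. Any handler that writes such a body without going through this function would remain cacheable. The rest of the server is not visible here, so this is something to confirm rather than a known gap. The comment could name what is being protected, for example `// RFC 6749 section 5.1: responses carrying tokens must not be stored by any cache.` The function begins outside the hunk.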


@ -395,6 +395,12 @@ func makeOAuth2Tests(clientID string, clientSecret string, now func() time.Time)
}
return fmt.Errorf("unexpected response: %s", dump)
}
if resp.Header.Get("Cache-Control") != "no-store" {
return fmt.Errorf("cache-control header doesn't included in token response")
}
if resp.Header.Get("Pragma") != "no-cache" {
return fmt.Errorf("pragma header doesn't included in token response")
}
return nil
},
},
@ -423,6 +429,12 @@ func makeOAuth2Tests(clientID string, clientSecret string, now func() time.Time)
}
return fmt.Errorf("unexpected response: %s", dump)
}
if resp.Header.Get("Cache-Control") != "no-store" {
return fmt.Errorf("cache-control header doesn't included in token response")
}
if resp.Header.Get("Pragma") != "no-cache" {
return fmt.Errorf("pragma header doesn't included in token response")
}
return nil
},
},
@ -701,6 +713,7 @@ func TestOAuth2CodeFlow(t *testing.T) {
checkErrorResponse(err, t, tc)
return
}
if err != nil {
t.Errorf("failed to exchange code for token: %v", err)
return
@ -1515,6 +1528,9 @@ func TestOAuth2DeviceFlow(t *testing.T) {
if resp.StatusCode != http.StatusOK {
t.Errorf("%v - Unexpected Response Type. Expected 200 got %v. Response: %v", tc.name, resp.StatusCode, string(responseBody))
}
if resp.Header.Get("Cache-Control") != "no-store" {
t.Errorf("Cache-Control header doesn't exist in Device Code Response")
}
// Parse the code response
var deviceCode deviceCodeResponse
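Review bot: The new failure messages in makeOAuth2Tests read "doesn't included" and never print the value that was received, so a failing run does not show whether the header was absent or just different. Binding the value first with `got := resp.Header.Get("Cache-Control")` and returning `fmt.Errorf("token response: Cache-Control = %q, want %q", got, "no-store")` fixes both. The same applies to the Pragma check and to the `t.Errorf` added in TestOAuth2DeviceFlow. The identical pair of checks appears in two hunks and could move into one small helper. The enclosing functions start and end outside the hunks.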