Arsharth/dex
1
0
Fork 0
forked from mystiq/dex
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add Cache-control headers to token responses

Browse source 
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
This commit is contained in:
m.nabokikh 2021-01-18 11:10:00 +04:00
parent 3650fe2287
commit a7978890c7
3 changed files with 24 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
server/deviceflowhandlers.go
View file

@ -140,6 +140,10 @@ func (s *Server) handleDeviceCode(w http.ResponseWriter, r *http.Request) {
PollInterval: pollIntervalSeconds, PollInterval: pollIntervalSeconds,
} }
// Device Authorization Response can contain cache control header according to
// https://tools.ietf.org/html/rfc8628#section-3.2
w.Header().Set("Cache-Control", "no-store")
enc := json.NewEncoder(w) enc := json.NewEncoder(w)
enc.SetEscapeHTML(false) enc.SetEscapeHTML(false)
enc.SetIndent("", " ") enc.SetIndent("", " ")

4
server/handlers.go
View file

@ -1476,6 +1476,10 @@ func (s *Server) writeAccessToken(w http.ResponseWriter, resp *accessTokenRespon
} }
w.Header().Set("Content-Type", "application/json") w.Header().Set("Content-Type", "application/json")
w.Header().Set("Content-Length", strconv.Itoa(len(data))) w.Header().Set("Content-Length", strconv.Itoa(len(data)))
// Token response must include cache headers https://tools.ietf.org/html/rfc6749#section-5.1
w.Header().Set("Cache-Control", "no-store")
w.Header().Set("Pragma", "no-cache")
w.Write(data) w.Write(data)
} }

16
server/server_test.go
View file

@ -395,6 +395,12 @@ func makeOAuth2Tests(clientID string, clientSecret string, now func() time.Time)
} }
return fmt.Errorf("unexpected response: %s", dump) return fmt.Errorf("unexpected response: %s", dump)
} }
if resp.Header.Get("Cache-Control") != "no-store" {
return fmt.Errorf("cache-control header doesn't included in token response")
}
if resp.Header.Get("Pragma") != "no-cache" {
return fmt.Errorf("pragma header doesn't included in token response")
}
return nil return nil
}, },
}, },
@ -423,6 +429,12 @@ func makeOAuth2Tests(clientID string, clientSecret string, now func() time.Time)
} }
return fmt.Errorf("unexpected response: %s", dump) return fmt.Errorf("unexpected response: %s", dump)
} }
if resp.Header.Get("Cache-Control") != "no-store" {
return fmt.Errorf("cache-control header doesn't included in token response")
}
if resp.Header.Get("Pragma") != "no-cache" {
return fmt.Errorf("pragma header doesn't included in token response")
}
return nil return nil
}, },
}, },
@ -701,6 +713,7 @@ func TestOAuth2CodeFlow(t *testing.T) {
checkErrorResponse(err, t, tc) checkErrorResponse(err, t, tc)
return return
} }
if err != nil { if err != nil {
t.Errorf("failed to exchange code for token: %v", err) t.Errorf("failed to exchange code for token: %v", err)
return return
@ -1515,6 +1528,9 @@ func TestOAuth2DeviceFlow(t *testing.T) {
if resp.StatusCode != http.StatusOK { if resp.StatusCode != http.StatusOK {
t.Errorf("%v - Unexpected Response Type. Expected 200 got %v. Response: %v", tc.name, resp.StatusCode, string(responseBody)) t.Errorf("%v - Unexpected Response Type. Expected 200 got %v. Response: %v", tc.name, resp.StatusCode, string(responseBody))
} }
if resp.Header.Get("Cache-Control") != "no-store" {
t.Errorf("Cache-Control header doesn't exist in Device Code Response")
}
// Parse the code response // Parse the code response
var deviceCode deviceCodeResponse var deviceCode deviceCodeResponse