Software /
code /
prosody-modules
Diff
mod_http_oauth2/mod_http_oauth2.lua @ 5509:ae007be8a6bd
mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749
These are mostly for the various Client-facing endpoints, so the chance
of browsers being involved is slightly lower than with the User-facing
authorization endpoint, which already sent the Cache-Control header.
Thanks to OAuch for pointing out.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 02 Jun 2023 08:59:59 +0200 |
parent | 5502:fd4d89a5b8db |
child | 5510:a49d73e4262e |
line wrap: on
line diff
--- a/mod_http_oauth2/mod_http_oauth2.lua Fri Jun 02 08:59:29 2023 +0200 +++ b/mod_http_oauth2/mod_http_oauth2.lua Fri Jun 02 08:59:59 2023 +0200 @@ -66,6 +66,7 @@ ["Referrer-Policy"] = "no-referrer"; ["X-Frame-Options"] = "DENY"; ["Cache-Control"] = (sensitive and "no-store" or "no-cache")..", private"; + ["Pragma"] = "no-cache"; }; body = _render_html(template, data); }; @@ -360,6 +361,8 @@ return { status_code = 303; headers = { + cache_control = "no-store"; + pragma = "no-cache"; location = url.build(redirect); }; } @@ -382,6 +385,8 @@ return { status_code = 303; headers = { + cache_control = "no-store"; + pragma = "no-cache"; location = url.build(redirect); }; } @@ -620,6 +625,8 @@ return { status_code = 303; headers = { + cache_control = "no-store"; + pragma = "no-cache"; location = redirect_uri; }; }; @@ -660,6 +667,8 @@ local credentials = get_request_credentials(event.request); event.response.headers.content_type = "application/json"; + event.response.headers.cache_control = "no-store"; + event.response.headers.pragma = "no-cache"; local params = http.formdecode(event.request.body); if not params then return oauth_error("invalid_request"); @@ -774,6 +783,8 @@ local function handle_revocation_request(event) local request, response = event.request, event.response; + response.headers.cache_control = "no-store"; + response.headers.pragma = "no-cache"; if request.headers.authorization then local credentials = get_request_credentials(request); if not credentials or credentials.type ~= "basic" then @@ -966,7 +977,11 @@ return { status_code = 201; - headers = { content_type = "application/json" }; + headers = { + cache_control = "no-store"; + pragma = "no-cache"; + content_type = "application/json"; + }; body = json.encode(response); }; end