
mod_http_oauth2/mod_http_oauth2.lua @ 5509:ae007be8a6bd

mod_http_oauth2: Add Cache-Control and Pragma headers per RFC 6749 These are mostly for the various Client-facing endpoints, so the chance of browsers being involved is slightly lower than with the User-facing authorization endpoint, which already sent the Cache-Control header. Thanks to OAuch for pointing out.
author Kim Alvefur <zash@zash.se>
date Fri, 02 Jun 2023 08:59:59 +0200
parent 5502:fd4d89a5b8db
child 5510:a49d73e4262e
--- a/mod_http_oauth2/mod_http_oauth2.lua	Fri Jun 02 08:59:29 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua	Fri Jun 02 08:59:59 2023 +0200
@@ -66,6 +66,7 @@
 			["Referrer-Policy"] = "no-referrer";
 			["X-Frame-Options"] = "DENY";
 			["Cache-Control"] = (sensitive and "no-store" or "no-cache")..", private";
+			["Pragma"] = "no-cache";
 		};
 		body = _render_html(template, data);
 	};
@@ -360,6 +361,8 @@
 	return {
 		status_code = 303;
 		headers = {
+			cache_control = "no-store";
+			pragma = "no-cache";
 			location = url.build(redirect);
 		};
 	}
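Review bot: The pair `cache_control = "no-store"; pragma = "no-cache";` is now written out verbatim in four returned header tables (this hunk and the ones at lines 31-39, 40-48 and 67-79), so a future change to the caching policy has to be repeated in each place. A small helper that stamps the two fields onto a headers table and returns it, e.g. `local function no_store(headers) headers.cache_control = "no-store"; headers.pragma = "no-cache"; return headers; end`, would let each site read `headers = no_store({ location = url.build(redirect) });` and keep the policy in one place. The function returning this table starts above the hunk, so the helper would need to be declared earlier in the file than the first use.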
@@ -382,6 +385,8 @@
 	return {
 		status_code = 303;
 		headers = {
+			cache_control = "no-store";
+			pragma = "no-cache";
 			location = url.build(redirect);
 		};
 	}
@@ -620,6 +625,8 @@
 	return {
 		status_code = 303;
 		headers = {
+			cache_control = "no-store";
+			pragma = "no-cache";
 			location = redirect_uri;
 		};
 	};
@@ -660,6 +667,8 @@
 	local credentials = get_request_credentials(event.request);
 
 	event.response.headers.content_type = "application/json";
+	event.response.headers.cache_control = "no-store";
+	event.response.headers.pragma = "no-cache";
 	local params = http.formdecode(event.request.body);
 	if not params then
 		return oauth_error("invalid_request");
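Review bot: The two headers are assigned on `event.response.headers` before the body is parsed, so that the early `return oauth_error("invalid_request")` paths are covered too, but nothing says so, and a reader may wonder why this endpoint differs from the redirect handlers that put the headers in the returned table. A short comment above the assignments would capture the intent: `-- Set on the response object, not the returned table, so that every early-return error path below also carries them`. This presumably relies on the HTTP server merging a handler's returned headers into the existing response headers rather than replacing them; it looks that way, but worth confirming. The revocation handler at lines 58-66 uses the same pattern and would benefit from the same comment.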
@@ -774,6 +783,8 @@
 
 local function handle_revocation_request(event)
 	local request, response = event.request, event.response;
+	response.headers.cache_control = "no-store";
+	response.headers.pragma = "no-cache";
 	if request.headers.authorization then
 		local credentials = get_request_credentials(request);
 		if not credentials or credentials.type ~= "basic" then
@@ -966,7 +977,11 @@
 
 	return {
 		status_code = 201;
-		headers = { content_type = "application/json" };
+		headers = {
+			cache_control = "no-store";
+			pragma = "no-cache";
+			content_type = "application/json";
+		};
 		body = json.encode(response);
 	};
 end