Changeset
5509:ae007be8a6bd
mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749
These are mostly for the various Client-facing endpoints, so the chance
of browsers being involved is slightly lower than with the User-facing
authorization endpoint, which already sent the Cache-Control header.
Thanks to OAuch for pointing out.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 02 Jun 2023 08:59:59 +0200 |
parents | 5508:56803acfa638 |
children | 5510:a49d73e4262e |
files | mod_http_oauth2/mod_http_oauth2.lua |
diffstat | 1 files changed, 16 insertions(+), 1 deletions(-) [+] |
--- a/mod_http_oauth2/mod_http_oauth2.lua Fri Jun 02 08:59:29 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Fri Jun 02 08:59:59 2023 +0200
@@ -66,6 +66,7 @@
 ["Referrer-Policy"] = "no-referrer";
 ["X-Frame-Options"] = "DENY";
 ["Cache-Control"] = (sensitive and "no-store" or "no-cache")..", private";
+ ["Pragma"] = "no-cache";
 };
 body = _render_html(template, data);
 };
@@ -360,6 +361,8 @@
 return {
 status_code = 303;
 headers = {
+ cache_control = "no-store";
+ pragma = "no-cache";
 location = url.build(redirect);
 };
 }
@@ -382,6 +385,8 @@
 return {
 status_code = 303;
 headers = {
+ cache_control = "no-store";
+ pragma = "no-cache";
 location = url.build(redirect);
 };
 }
@@ -620,6 +625,8 @@
 return {
 status_code = 303;
 headers = {
+ cache_control = "no-store";
+ pragma = "no-cache";
 location = redirect_uri;
 };
 };
@@ -660,6 +667,8 @@
 local credentials = get_request_credentials(event.request);
 event.response.headers.content_type = "application/json";
+ event.response.headers.cache_control = "no-store";
+ event.response.headers.pragma = "no-cache";
 local params = http.formdecode(event.request.body);
 if not params then
 return oauth_error("invalid_request");
@@ -774,6 +783,8 @@
 local function handle_revocation_request(event)
 local request, response = event.request, event.response;
+ response.headers.cache_control = "no-store";
+ response.headers.pragma = "no-cache";
 if request.headers.authorization then
 local credentials = get_request_credentials(request);
 if not credentials or credentials.type ~= "basic" then
@@ -966,7 +977,11 @@
 return {
 status_code = 201;
- headers = { content_type = "application/json" };
+ headers = {
+ cache_control = "no-store";
+ pragma = "no-cache";
+ content_type = "application/json";
+ };
 body = json.encode(response);
 };
 end
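Review bot: In the last hunk (@@ -966) the registration handler attaches the two headers only to the 201 success table, whereas the token and revocation handlers in the -660 and -774 hunks assign `event.response.headers.cache_control` / `.pragma` at the top of the function, before any early return, so their error responses carry the headers as well. The registration handler's start and any `oauth_error(...)` returns it has are outside the hunk, but if such paths exist they presumably go out without the new headers. Assigning `event.response.headers.cache_control = "no-store"; event.response.headers.pragma = "no-cache";` at the top of that handler and leaving the return as `headers = { content_type = "application/json" };` would make the three client-facing endpoints behave the same way. RFC 6749 only mandates the headers on responses carrying tokens or credentials, so this is a consistency point rather than a conformance defect.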