Middlware: Prevented caching of all app requests

Previously we'd prevent caching of authed responses for security (prevent back cache or proxy caching) but caching could still be an issue in non-auth scenarios due to CSRF (eg. returning to login screen after session expiry). For #4600
2024-11-22 15:26:43 +08:00 · 2023-10-23 13:32:15 +01:00 · 2023-10-23 13:32:15 +01:00 · 7c4dc981cd
commit 7c4dc981cd
parent 9b4f1fb981
3 changed files with 12 additions and 11 deletions
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@ -15,6 +15,7 @@ class Kernel extends HttpKernel
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        \BookStack\Http\Middleware\TrimStrings::class,
        \BookStack\Http\Middleware\TrustProxies::class,
+        \BookStack\Http\Middleware\PreventResponseCaching::class,
    ];

    /**
@ -30,7 +31,6 @@ class Kernel extends HttpKernel
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \BookStack\Http\Middleware\VerifyCsrfToken::class,
-            \BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,
            \BookStack\Http\Middleware\CheckEmailConfirmed::class,
            \BookStack\Http\Middleware\RunThemeActions::class,
            \BookStack\Http\Middleware\Localization::class,
@ -40,7 +40,6 @@ class Kernel extends HttpKernel
            \BookStack\Http\Middleware\EncryptCookies::class,
            \BookStack\Http\Middleware\StartSessionIfCookieExists::class,
            \BookStack\Http\Middleware\ApiAuthenticate::class,
-            \BookStack\Http\Middleware\PreventAuthenticatedResponseCaching::class,
            \BookStack\Http\Middleware\CheckEmailConfirmed::class,
        ],
    ];
--- a/app/Http/Middleware/PreventAuthenticatedResponseCaching.php
+++ b/app/Http/Middleware/PreventAuthenticatedResponseCaching.php
@ -5,7 +5,7 @@ namespace BookStack\Http\Middleware;
 use Closure;
 use Symfony\Component\HttpFoundation\Response;

-class PreventAuthenticatedResponseCaching
+class PreventResponseCaching
 {
    /**
     * Handle an incoming request.
@ -20,11 +20,8 @@ class PreventAuthenticatedResponseCaching
        /** @var Response $response */
        $response = $next($request);

-        if (!user()->isGuest()) {
-            $response->headers->set('Cache-Control', 'max-age=0, no-store, private');
-            $response->headers->set('Pragma', 'no-cache');
-            $response->headers->set('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
-        }
+        $response->headers->set('Cache-Control', 'no-cache, no-store, private');
+        $response->headers->set('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');

        return $response;
    }
--- a/tests/SecurityHeaderTest.php
+++ b/tests/SecurityHeaderTest.php
@ -139,12 +139,17 @@ class SecurityHeaderTest extends TestCase
        $this->assertEquals('frame-src \'self\' https://example.com https://diagrams.example.com', $scriptHeader);
    }

-    public function test_cache_control_headers_are_strict_on_responses_when_logged_in()
+    public function test_cache_control_headers_are_set_on_responses()
    {
+        // Public access
+        $resp = $this->get('/');
+        $resp->assertHeader('Cache-Control', 'no-cache, no-store, private');
+        $resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
+
+        // Authed access
        $this->asEditor();
        $resp = $this->get('/');
-        $resp->assertHeader('Cache-Control', 'max-age=0, no-store, private');
-        $resp->assertHeader('Pragma', 'no-cache');
+        $resp->assertHeader('Cache-Control', 'no-cache, no-store, private');
        $resp->assertHeader('Expires', 'Sun, 12 Jul 2015 19:01:00 GMT');
    }