fix(security): explicitly declare cache-control header instead of using middleware

This commit reverts 1f6f389ff2
3 years ago · 38ca73c493
parent 2f2ed6c3ad
commit 38ca73c493
8 changed files with 9 additions and 18 deletions
--- a/src/controllers/404.js
+++ b/src/controllers/404.js
@ -55,7 +55,6 @@ exports.send404 = async function (req, res) {
 		});
 	}

-	await middleware.inhibitCacheAsync(req, res);
 	await middleware.buildHeaderAsync(req, res);
 	await res.render('404', {
 		path: validator.escape(path),
--- a/src/controllers/helpers.js
+++ b/src/controllers/helpers.js
@ -420,6 +420,10 @@ helpers.formatApiResponse = async (statusCode, res, payload) => {
 	}

 	if (String(statusCode).startsWith('2')) {
+		if (res.req.loggedIn) {
+			res.set('cache-control', 'private');
+		}
+
 		res.status(statusCode).json({
 			status: {
 				code: 'ok',
--- a/src/middleware/admin.js
+++ b/src/middleware/admin.js
@ -26,7 +26,6 @@ middleware.buildHeader = helpers.try(async (req, res, next) => {
 		await require('./index').applyCSRFasync(req, res);
 	}

-	res.set('cache-control', 'private');
 	res.locals.config = await controllers.api.loadConfig(req);
 	next();
 });
--- a/src/middleware/header.js
+++ b/src/middleware/header.js
@ -45,10 +45,6 @@ middleware.buildHeader = helpers.try(async (req, res, next) => {
 		return res.redirect('/');
 	}

-	if (req.loggedIn) {
-		res.set('cache-control', 'private');
-	}
-
 	res.locals.config = config;
 	next();
 });
--- a/src/middleware/headers.js
+++ b/src/middleware/headers.js
@ -3,7 +3,6 @@
 const os = require('os');
 const winston = require('winston');
 const _ = require('lodash');
-const util = require('util');

 const meta = require('../meta');
 const languages = require('../languages');
@ -109,13 +108,4 @@ module.exports = function (middleware) {
 			return [defaultLang];
 		}
 	}
-
-	middleware.inhibitCache = (req, res, next) => {
-		if (req.loggedIn) {
-			res.set('cache-control', 'private');
-		}
-
-		next();
-	};
-	middleware.inhibitCacheAsync = util.promisify(middleware.inhibitCache);
 };
--- a/src/middleware/render.js
+++ b/src/middleware/render.js
@ -34,6 +34,10 @@ module.exports = function (middleware) {
 				options.url = (req.baseUrl + req.path.replace(/^\/api/, ''));
 				options.bodyClass = helpers.buildBodyClass(req, res, options);

+				if (req.loggedIn) {
+					res.set('cache-control', 'private');
+				}
+
 				const buildResult = await plugins.hooks.fire(`filter:${template}.build`, { req: req, res: res, templateData: options });
 				if (res.headersSent) {
 					return;
--- a/src/routes/helpers.js
+++ b/src/routes/helpers.js
@ -18,7 +18,6 @@ function _handleArgs(middleware, middlewares, controller) {
 		middleware.authenticateRequest,
 		middleware.maintenanceMode,
 		middleware.registrationComplete,
-		middleware.inhibitCache,
 		middleware.pluginHooks,
 		...middlewares,
 	];
--- a/test/middleware.js
+++ b/test/middleware.js
@ -100,7 +100,7 @@ describe('Middlewares', () => {
 		});
 	});

-	describe('.inhibitCache (cache-control header)', () => {
+	describe('cache-control header', () => {
 		let uid;
 		let jar;