FIX Explicitly disable browser cache on verification response
emteknetnz committed Jan 26, 2021
1 parent 0eebc31 commit 972d840
Showing 2 changed files with 26 additions and 0 deletions.
4 changes: 4 additions & 0 deletions src/RequestHandler/VerificationHandlerTrait.php
Expand Up @@ -4,6 +4,7 @@

use SilverStripe\Control\HTTPRequest;
use SilverStripe\Control\HTTPResponse;
use SilverStripe\Control\Middleware\HTTPCacheControlMiddleware;
use SilverStripe\Core\Config\Config;
use SilverStripe\MFA\Exception\InvalidMethodException;
use SilverStripe\MFA\Method\MethodInterface;
Expand Down Expand Up @@ -75,6 +76,9 @@ protected function createStartVerificationResponse(
$token->reset();
$data[$token->getName()] = $token->getValue();

// Prevent caching of response
HTTPCacheControlMiddleware::singleton()->disableCache(true);

// Respond with our method
return $response->setBody(json_encode($data));
}
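Review bot: The new comment `// Prevent caching of response` says what the call does but not why it matters here: two lines above, `$token->reset()` puts a freshly generated CSRF token into `$data`, so a cached copy of this JSON body would hand a later request a stale or shared token. Suggest `// Prevent caching: the body carries a freshly reset CSRF token and per-attempt verification state, so neither browser nor intermediary may store it`. `HTTPCacheControlMiddleware::singleton()->disableCache(true)` flips global singleton state rather than setting a header on `$response` itself, so the no-cache headers presumably only reach the client when that middleware runs for this request; a short clause in the comment noting that dependency would help the next reader. The enclosing function createStartVerificationResponse starts outside the hunk.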
22 changes: 22 additions & 0 deletions tests/php/Authenticator/LoginHandlerTest.php
Expand Up @@ -6,6 +6,7 @@
use SilverStripe\Control\Controller;
use SilverStripe\Control\HTTPRequest;
use SilverStripe\Control\HTTPResponse;
use SilverStripe\Control\Middleware\HTTPCacheControlMiddleware;
use SilverStripe\Control\Session;
use SilverStripe\Core\Config\Config;
use SilverStripe\Core\Injector\Injector;
Expand Down Expand Up @@ -334,6 +335,27 @@ public function testStartVerificationIncludesACSRFToken()
$this->assertTrue(SecurityToken::inst()->check($response->SecurityID));
}

// This is testing that HTTP caching headers that disable caching are set
// in VerificationHandlerTrait::createStartVerificationResponse()
// VerificationHandlerTrait is used by LoginHandler
public function testStartVerificationHttpCacheHeadersDisabled()
{
/** @var Member $member */
SecurityToken::enable();
$handler = new LoginHandler('mfa', $this->createMock(MemberAuthenticator::class));
$member = $this->objFromFixture(Member::class, 'robbie');
$store = new SessionStore($member);
$handler->setStore($store);
$request = new HTTPRequest('GET', '/');
$request->setSession(new Session([]));
$request->setRouteParams(['Method' => 'basic-math']);
$middleware = HTTPCacheControlMiddleware::singleton();
$middleware->enableCache(true);
$this->assertSame('enabled', $middleware->getState());
$handler->startVerification($request);
$this->assertSame('disabled', $middleware->getState());
}

public function testVerifyAssertsValidCSRFToken()
{
SecurityToken::enable();
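Review bot: `testStartVerificationHttpCacheHeadersDisabled` asserts only that the singleton's state flips from `'enabled'` to `'disabled'`; the value returned by `$handler->startVerification($request)` is discarded, so the test never ties the check to the response actually produced. If `HTTPCacheControlMiddleware` only writes headers during its own processing, asserting on the middleware state may be the practical limit, but keeping the response at least confirms the code path completed: `$response = $handler->startVerification($request);` followed by `$this->assertInstanceOf(HTTPResponse::class, $response);`. The `/** @var Member $member */` annotation sits above `SecurityToken::enable()` rather than directly above the `$member = ...` assignment it annotates, and the three `//` lines explaining the test would read better as a PHPDoc block on the method. The test also enables caching on the shared singleton via `enableCache(true)` without restoring it afterwards; if the test base class does not reset singleton state between tests, that could leak into neighbouring tests.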
