fix: All responses now contain headers to not cache them

ory · Aug 16, 2020 · 200e37d · 200e37d
1 parent c80d0d4
commit 200e37d
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -267,7 +267,7 @@ func authorizeHandlerFunc(rw http.ResponseWriter, req *http.Request) {
 	// Normally, this would be the place where you would check if the user is logged in and gives his consent.
 	// We're simplifying things and just checking if the request includes a valid username and password
 	if req.Form.Get("username") != "peter" {
-		rw.Header().Set("Content-Type", "text/html; charset=utf-8")
+		rw.Header().Set("Content-Type", "text/html;charset=UTF-8")
 		rw.Write([]byte(`<h1>Login page</h1>`))
 		rw.Write([]byte(`
 			<p>Howdy! This is the log in page. For this example, it is enough to supply the username.</p>

diff --git a/access_error.go b/access_error.go
@@ -33,6 +33,8 @@ func (f *Fosite) WriteAccessError(rw http.ResponseWriter, _ AccessRequester, err
 
 func (f *Fosite) writeJsonError(rw http.ResponseWriter, err error) {
 	rw.Header().Set("Content-Type", "application/json;charset=UTF-8")
+	rw.Header().Set("Cache-Control", "no-store")
+	rw.Header().Set("Pragma", "no-cache")
 
 	rfcerr := ErrorToRFC6749Error(err)
 	if !f.SendDebugMessagesToClients {

diff --git a/authorize_error.go b/authorize_error.go
@@ -32,6 +32,9 @@ import (
 func (f *Fosite) WriteAuthorizeError(rw http.ResponseWriter, ar AuthorizeRequester, err error) {
 	rfcerr := ErrorToRFC6749Error(err)
 	if !ar.IsRedirectURIValid() {
+		rw.Header().Set("Cache-Control", "no-store")
+		rw.Header().Set("Pragma", "no-cache")
+
 		if !f.SendDebugMessagesToClients {
 			rfcerr.Debug = ""
 		}
@@ -42,7 +45,7 @@ func (f *Fosite) WriteAuthorizeError(rw http.ResponseWriter, ar AuthorizeRequest
 			return
 		}
 
-		rw.Header().Set("Content-Type", "application/json")
+		rw.Header().Set("Content-Type", "application/json;charset=UTF-8")
 		rw.WriteHeader(rfcerr.Code)
 		rw.Write(js)
 		return

diff --git a/introspection_response_writer.go b/introspection_response_writer.go
@@ -61,7 +61,9 @@ func (f *Fosite) WriteIntrospectionError(rw http.ResponseWriter, err error) {
 		return
 	}
 
-	rw.Header().Set("Content-Type", "application/json")
+	rw.Header().Set("Content-Type", "application/json;charset=UTF-8")
+	rw.Header().Set("Cache-Control", "no-store")
+	rw.Header().Set("Pragma", "no-cache")
 	_ = json.NewEncoder(rw).Encode(struct {
 		Active bool `json:"active"`
 	}{Active: false})
@@ -207,7 +209,9 @@ func (f *Fosite) WriteIntrospectionResponse(rw http.ResponseWriter, r Introspect
 		expiresAt = r.GetAccessRequester().GetSession().GetExpiresAt(AccessToken).Unix()
 	}
 
-	rw.Header().Set("Content-Type", "application/json")
+	rw.Header().Set("Content-Type", "application/json;charset=UTF-8")
+	rw.Header().Set("Cache-Control", "no-store")
+	rw.Header().Set("Pragma", "no-cache")
 	_ = json.NewEncoder(rw).Encode(struct {
 		Active    bool     `json:"active"`
 		ClientID  string   `json:"client_id,omitempty"`

diff --git a/revoke_handler.go b/revoke_handler.go
@@ -102,6 +102,8 @@ func (f *Fosite) WriteRevocationResponse(rw http.ResponseWriter, err error) {
 	switch errors.Cause(err).Error() {
 	case ErrInvalidRequest.Error():
 		rw.Header().Set("Content-Type", "application/json;charset=UTF-8")
+		rw.Header().Set("Cache-Control", "no-store")
+		rw.Header().Set("Pragma", "no-cache")
 
 		js, err := json.Marshal(ErrInvalidRequest)
 		if err != nil {
@@ -113,6 +115,8 @@ func (f *Fosite) WriteRevocationResponse(rw http.ResponseWriter, err error) {
 		rw.Write(js)
 	case ErrInvalidClient.Error():
 		rw.Header().Set("Content-Type", "application/json;charset=UTF-8")
+		rw.Header().Set("Cache-Control", "no-store")
+		rw.Header().Set("Pragma", "no-cache")
 
 		js, err := json.Marshal(ErrInvalidClient)
 		if err != nil {