Merge branch '4.2' into 4

silverstripe · Jan 27, 2021 · 2bd2a80 · 2bd2a80
2 parents 1fc4e5c + acfb0f3
commit 2bd2a80
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 3 deletions.
diff --git a/src/RequestHandler/VerificationHandlerTrait.php b/src/RequestHandler/VerificationHandlerTrait.php
@@ -4,6 +4,7 @@
 
 use SilverStripe\Control\HTTPRequest;
 use SilverStripe\Control\HTTPResponse;
+use SilverStripe\Control\Middleware\HTTPCacheControlMiddleware;
 use SilverStripe\Core\Config\Config;
 use SilverStripe\MFA\Exception\InvalidMethodException;
 use SilverStripe\MFA\Method\MethodInterface;
@@ -75,9 +76,8 @@ protected function createStartVerificationResponse(
         $token->reset();
         $data[$token->getName()] = $token->getValue();
 
-        // prevent caching of response
-        $response->addHeader('Pragma', 'no-cache');
-        $response->addHeader('Cache-Control', 'no-store, no-cache, must-revalidate, max-age=0');
+        // Prevent caching of response
+        HTTPCacheControlMiddleware::singleton()->disableCache(true);
 
         // Respond with our method
         return $response->setBody(json_encode($data));

diff --git a/tests/php/Authenticator/LoginHandlerTest.php b/tests/php/Authenticator/LoginHandlerTest.php
@@ -6,6 +6,7 @@
 use SilverStripe\Control\Controller;
 use SilverStripe\Control\HTTPRequest;
 use SilverStripe\Control\HTTPResponse;
+use SilverStripe\Control\Middleware\HTTPCacheControlMiddleware;
 use SilverStripe\Control\Session;
 use SilverStripe\Core\Config\Config;
 use SilverStripe\Core\Injector\Injector;
@@ -337,6 +338,27 @@ public function testStartVerificationIncludesACSRFToken()
         $this->assertTrue(SecurityToken::inst()->check($response->SecurityID));
     }
 
+    // This is testing that HTTP caching headers that disable caching are set
+    // in VerificationHandlerTrait::createStartVerificationResponse()
+    // VerificationHandlerTrait is used by LoginHandler
+    public function testStartVerificationHttpCacheHeadersDisabled()
+    {
+        /** @var Member $member */
+        SecurityToken::enable();
+        $handler = new LoginHandler('mfa', $this->createMock(MemberAuthenticator::class));
+        $member = $this->objFromFixture(Member::class, 'robbie');
+        $store = new SessionStore($member);
+        $handler->setStore($store);
+        $request = new HTTPRequest('GET', '/');
+        $request->setSession(new Session([]));
+        $request->setRouteParams(['Method' => 'basic-math']);
+        $middleware = HTTPCacheControlMiddleware::singleton();
+        $middleware->enableCache(true);
+        $this->assertSame('enabled', $middleware->getState());
+        $handler->startVerification($request);
+        $this->assertSame('disabled', $middleware->getState());
+    }
+
     public function testVerifyAssertsValidCSRFToken()
     {
         SecurityToken::enable();