From 972d84053e78fc933a69394488fec595ed2a9ec4 Mon Sep 17 00:00:00 2001
From: Steve Boyd
Date: Wed, 27 Jan 2021 10:32:56 +1300
Subject: [PATCH] FIX Explicitly disable browser cache on verification response

---
 .../VerificationHandlerTrait.php | 4 ++++
 tests/php/Authenticator/LoginHandlerTest.php | 22 +++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/src/RequestHandler/VerificationHandlerTrait.php b/src/RequestHandler/VerificationHandlerTrait.php
index 3b5cc741..91f2c4cd 100644
--- a/src/RequestHandler/VerificationHandlerTrait.php
+++ b/src/RequestHandler/VerificationHandlerTrait.php
@@ -4,6 +4,7 @@
 use SilverStripe\Control\HTTPRequest;
 use SilverStripe\Control\HTTPResponse;
+use SilverStripe\Control\Middleware\HTTPCacheControlMiddleware;
 use SilverStripe\Core\Config\Config;
 use SilverStripe\MFA\Exception\InvalidMethodException;
 use SilverStripe\MFA\Method\MethodInterface;
@@ -75,6 +76,9 @@ protected function createStartVerificationResponse(
 $token->reset();
 $data[$token->getName()] = $token->getValue();
+ // Prevent caching of response
+ HTTPCacheControlMiddleware::singleton()->disableCache(true);
+
 // Respond with our method
 return $response->setBody(json_encode($data));
 }
diff --git a/tests/php/Authenticator/LoginHandlerTest.php b/tests/php/Authenticator/LoginHandlerTest.php
index fd908236..8525706b 100644
--- a/tests/php/Authenticator/LoginHandlerTest.php
+++ b/tests/php/Authenticator/LoginHandlerTest.php
@@ -6,6 +6,7 @@
 use SilverStripe\Control\Controller;
 use SilverStripe\Control\HTTPRequest;
 use SilverStripe\Control\HTTPResponse;
+use SilverStripe\Control\Middleware\HTTPCacheControlMiddleware;
 use SilverStripe\Control\Session;
 use SilverStripe\Core\Config\Config;
 use SilverStripe\Core\Injector\Injector;
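Review bot: The added `disableCache(true)` call appears to record the no-cache state on the middleware singleton, and that state only becomes a header if the middleware later processes `$response`; the response built on the next line carries no `Cache-Control` header of its own, so any path that returns it without the middleware in the chain still hands out a cacheable JSON body containing the CSRF token that was just reset two lines above. Setting the header on the response as well would make the protection independent of the request pipeline, `$response->addHeader('Cache-Control', 'no-store, no-cache, must-revalidate');` before the `return`. The comment would also be more useful if it said why caching is disabled: `// Prevent caching: the body carries a freshly issued per-request CSRF token`. The test added in LoginHandlerTest.php asserts the middleware state rather than a header on the response, so it would not catch the missing-header case. `createStartVerificationResponse` starts before the hunk.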
@@ -334,6 +335,27 @@ public function testStartVerificationIncludesACSRFToken()
 $this->assertTrue(SecurityToken::inst()->check($response->SecurityID));
 }
+ // This is testing that HTTP caching headers that disable caching are set
+ // in VerificationHandlerTrait::createStartVerificationResponse()
+ // VerificationHandlerTrait is used by LoginHandler
+ public function testStartVerificationHttpCacheHeadersDisabled()
+ {
+ /** @var Member $member */
+ SecurityToken::enable();
+ $handler = new LoginHandler('mfa', $this->createMock(MemberAuthenticator::class));
+ $member = $this->objFromFixture(Member::class, 'robbie');
+ $store = new SessionStore($member);
+ $handler->setStore($store);
+ $request = new HTTPRequest('GET', '/');
+ $request->setSession(new Session([]));
+ $request->setRouteParams(['Method' => 'basic-math']);
+ $middleware = HTTPCacheControlMiddleware::singleton();
+ $middleware->enableCache(true);
+ $this->assertSame('enabled', $middleware->getState());
+ $handler->startVerification($request);
+ $this->assertSame('disabled', $middleware->getState());
+ }
+
 public function testVerifyAssertsValidCSRFToken()
 {
 SecurityToken::enable();
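Review bot: The `/** @var Member $member */` docblock sits above `SecurityToken::enable();` instead of the `$member = $this->objFromFixture(Member::class, 'robbie');` assignment it is meant to annotate, so it annotates nothing; move it down two lines so it directly precedes that assignment. The test also checks only `$middleware->getState()`, which proves the trait flipped the singleton but not that the response a client receives carries a no-store `Cache-Control` header, so an assertion on the headers of the response returned by `startVerification()` would be the more direct check of what the commit title promises. If the singleton state is shared across tests in this process, restoring the previous state at the end of the test would avoid leaking `disabled` into later tests (unless the test base already isolates the singleton per test). `testVerifyAssertsValidCSRFToken` continues past the end of the hunk.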