feat(core): add default cache control headers for GET endpoints (#11667)

* feat(core): add default cache control header for GET session

* feat(core): add default cache control header for GET CSRF

Author: ThangHuuVu

docs/pages/getting-started/session-management/get-session.mdx

@@ -205,3 +205,8 @@ app.get("/", (req, res) => {
 </Code>
 
 If you'd like to extend your session with more fields from your OAuth provider, for example, please check out our ["extending the session" guide](/guides/extending-the-session).
+
+<Callout>
+  By default, GET requests to the session endpoint will automatically return the
+  headers to prevent caching.
+</Callout>

packages/core/src/lib/actions/session.ts

@@ -24,7 +24,14 @@ export async function session(
 
   const response: ResponseInternal<Session | null> = {
     body: null,
-    headers: { "Content-Type": "application/json" },
+    headers: {
+      "Content-Type": "application/json",
+      ...(!isUpdate && {
+        "Cache-Control": "private, no-cache, no-store",
+        Expires: "0",
+        Pragma: "no-cache",
+      }),
+    },
     cookies,
   }
 

packages/core/src/lib/pages/index.ts

@@ -56,7 +56,12 @@ export default function renderPage(params: RenderPageParams) {
     csrf(skip: boolean, options: InternalOptions, cookies: Cookie[]) {
       if (!skip) {
         return {
-          headers: { "Content-Type": "application/json" },
+          headers: {
+            "Content-Type": "application/json",
+            "Cache-Control": "private, no-cache, no-store",
+            Expires: "0",
+            Pragma: "no-cache",
+          },
           body: { csrfToken: options.csrfToken },
           cookies,
         }

packages/core/test/actions/csrf.test.ts

@@ -0,0 +1,27 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest"
+
+import {
+  makeAuthRequest,
+  testConfig,
+  assertNoCacheResponseHeaders,
+} from "../utils.js"
+
+describe("assert GET CSRF action", () => {
+  beforeEach(() => {
+    vi.resetAllMocks()
+  })
+  afterEach(() => {
+    vi.restoreAllMocks()
+  })
+  it("shoud return CSRF token with no cache headers", async () => {
+    const authConfig = testConfig()
+    const { response } = await makeAuthRequest({
+      action: "csrf",
+      config: authConfig,
+    })
+    assertNoCacheResponseHeaders(response)
+    const body = await response.json()
+
+    expect(body.csrfToken).toBeDefined()
+  })
+})

packages/core/test/actions/session.test.ts

@@ -14,6 +14,7 @@ import {
   testConfig,
   AUTH_SECRET,
   SESSION_COOKIE_NAME,
+  assertNoCacheResponseHeaders,
 } from "../utils.js"
 
 const { parse: parseCookie } = cookie
@@ -94,6 +95,8 @@ describe("assert GET session action", () => {
         session: expectedSession,
         token: expectedToken,
       })
+
+      assertNoCacheResponseHeaders(response)
     })
 
     it("should return null if no JWT session in the requests cookies", async () => {
@@ -102,6 +105,8 @@ describe("assert GET session action", () => {
       })
       const actual = await response.json()
       expect(actual).toEqual(null)
+
+      assertNoCacheResponseHeaders(response)
     })
 
     it("should return null if JWT session is invalid", async () => {
@@ -113,6 +118,8 @@ describe("assert GET session action", () => {
       })
       const actual = await response.json()
       expect(actual).toEqual(null)
+
+      assertNoCacheResponseHeaders(response)
     })
 
     it("should throw invalid JWT error if salt is invalid", async () => {
@@ -132,8 +139,10 @@ describe("assert GET session action", () => {
       })
       const actual = await response.json()
 
-      expect(logger.error).toHaveBeenCalledOnce()
       expect(actual).toEqual(null)
+      expect(logger.error).toHaveBeenCalledOnce()
+
+      assertNoCacheResponseHeaders(response)
     })
   })
   describe("Database strategy", () => {
@@ -207,6 +216,8 @@ describe("assert GET session action", () => {
         email: expectedUser.email,
       })
       expect(actualBodySession.expires).toEqual(currentExpires.toISOString())
+
+      assertNoCacheResponseHeaders(response)
     })
 
     it("should return null in the response, and delete the session", async () => {
@@ -259,6 +270,8 @@ describe("assert GET session action", () => {
 
       expect(actualSessionToken).toEqual("")
       expect(actualBodySession).toEqual(null)
+
+      assertNoCacheResponseHeaders(response)
     })
   })
 })

packages/core/test/utils.ts

@@ -1,4 +1,4 @@
-import { vi } from "vitest"
+import { expect, vi } from "vitest"
 import { Auth, createActionURL } from "../src"
 
 import type { Adapter } from "../src/adapters"
@@ -93,3 +93,12 @@ export async function makeAuthRequest(params: {
     logger: config.logger,
   }
 }
+
+export const assertNoCacheResponseHeaders = (response: Response) => {
+  expect(response.headers.get("Content-Type")).toEqual("application/json")
+  expect(response.headers.get("Cache-Control")).toEqual(
+    "private, no-cache, no-store"
+  )
+  expect(response.headers.get("Expires")).toEqual("0")
+  expect(response.headers.get("Pragma")).toEqual("no-cache")
+}