fix(admin): no-store on middleware admin deny/redirect responses
The defense-in-depth admin guard in middleware short-circuits before the route handlers' jsonNoStore runs, so its 401/403 JSON denials (and auth redirects) were served without Cache-Control: no-store. Stamp no-store in withCookies so every admin deny/redirect response is non-cacheable, completing Finding #4 for the middleware-originated admin responses.
+4
-1
@@ -34,9 +34,12 @@ export async function middleware(request: NextRequest) {
// Carry any cookies Supabase rotated onto the working `response` over to a
// deny/redirect response, so a refreshed session/refresh token is always
// persisted — otherwise a fresh NextResponse would drop them and a
// concurrent request could spuriously 401.
// concurrent request could spuriously 401. Also stamp `no-store` so these
// admin deny/redirect responses (which short-circuit before the route's
// own jsonNoStore runs) are never cached by intermediaries or the browser.
const withCookies = (res: NextResponse): NextResponse => {
response.cookies.getAll().forEach((cookie) => res.cookies.set(cookie));
res.headers.set('Cache-Control', 'no-store');
return res;
};
if (!user) {
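Review bot: `res.headers.set('Cache-Control', 'no-store')` is stamped unconditionally inside `withCookies`, so the no-store semantics are now tied to the cookie-copying helper rather than to the deny/redirect intent the comment describes; nothing in the hunk stops a later caller from passing the pass-through `response` (the one Supabase rotates cookies onto) through the same helper, which would silently make ordinary admin page responses non-cacheable. Consider renaming it to reflect that it is only for short-circuit responses (e.g. `denyWithCookies`) or splitting the header stamp into its own step applied at the `if (!user)` deny and the 403 deny sites. Using `set` rather than `append` is the right call here, since it overrides any default Cache-Control a fresh NextResponse or redirect carries. Since the message cites Finding #4, a middleware test asserting `Cache-Control: no-store` on the 401/403 JSON bodies and on the auth redirect would keep this from regressing.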