From 1adb6e7b3f821c07f72628bd754c721be4c78cfc Mon Sep 17 00:00:00 2001
From: Gerhard Scheikl
Date: Sun, 31 May 2026 13:51:25 +0200
Subject: [PATCH] fix(admin): no-store on middleware admin deny/redirect responses

The defense-in-depth admin guard in middleware short-circuits before the route handlers' jsonNoStore runs, so its 401/403 JSON denials (and auth redirects) were served without Cache-Control: no-store. Stamp no-store in withCookies so every admin deny/redirect response is non-cacheable, completing Finding #4 for the middleware-originated admin responses.

---
middleware.ts | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/middleware.ts b/middleware.ts
index 835f36e..c668db9 100644
--- a/middleware.ts
+++ b/middleware.ts
@@ -34,9 +34,12 @@ export async function middleware(request: NextRequest) {
   // Carry any cookies Supabase rotated onto the working `response` over to a
   // deny/redirect response, so a refreshed session/refresh token is always
   // persisted — otherwise a fresh NextResponse would drop them and a
-  // concurrent request could spuriously 401.
+  // concurrent request could spuriously 401. Also stamp `no-store` so these
+  // admin deny/redirect responses (which short-circuit before the route's
+  // own jsonNoStore runs) are never cached by intermediaries or the browser.
   const withCookies = (res: NextResponse): NextResponse => {
     response.cookies.getAll().forEach((cookie) => res.cookies.set(cookie));
+    res.headers.set('Cache-Control', 'no-store');
     return res;
   };
   if (!user) {
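Review bot: `withCookies` now has a second responsibility that its name does not describe, so a future caller that reuses it to finish a pass-through (non-deny) response would silently get `no-store` as well; either rename it to reflect both effects (e.g. `finalizeDenyResponse`) or keep the cookie copy and the header stamp as two small helpers and call both at the deny/redirect sites. The added `res.headers.set('Cache-Control', 'no-store');` is the right directive for HTTP/1.1 caches; if legacy HTTP/1.0 intermediaries are in scope for this deployment, the conventional companion is `res.headers.set('Pragma', 'no-cache');` on the line after it. Whether every admin deny/redirect path actually passes through `withCookies` cannot be confirmed from this hunk, since `middleware` begins before it and its deny branches continue past `if (!user) {`.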