fix(admin): no-store on middleware admin deny/redirect responses
The defense-in-depth admin guard in middleware short-circuits before the route handlers' jsonNoStore runs, so its 401/403 JSON denials (and auth redirects) were served without Cache-Control: no-store. Stamp no-store in withCookies so every admin deny/redirect response is non-cacheable, completing Finding #4 for the middleware-originated admin responses.
+4
-1
@@ -34,9 +34,12 @@ export async function middleware(request: NextRequest) {
|
|||||||
// Carry any cookies Supabase rotated onto the working `response` over to a
|
// Carry any cookies Supabase rotated onto the working `response` over to a
|
||||||
// deny/redirect response, so a refreshed session/refresh token is always
|
// deny/redirect response, so a refreshed session/refresh token is always
|
||||||
// persisted — otherwise a fresh NextResponse would drop them and a
|
// persisted — otherwise a fresh NextResponse would drop them and a
|
||||||
// concurrent request could spuriously 401.
|
// concurrent request could spuriously 401. Also stamp `no-store` so these
|
||||||
|
// admin deny/redirect responses (which short-circuit before the route's
|
||||||
|
// own jsonNoStore runs) are never cached by intermediaries or the browser.
|
||||||
const withCookies = (res: NextResponse): NextResponse => {
|
const withCookies = (res: NextResponse): NextResponse => {
|
||||||
response.cookies.getAll().forEach((cookie) => res.cookies.set(cookie));
|
response.cookies.getAll().forEach((cookie) => res.cookies.set(cookie));
|
||||||
|
res.headers.set('Cache-Control', 'no-store');
|
||||||
return res;
|
return res;
|
||||||
};
|
};
|
||||||
if (!user) {
|
if (!user) {
|
||||||
|
|||||||
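Review bot: `res.headers.set('Cache-Control', 'no-store')` in withCookies is unconditional, so every response handed to withCookies becomes non-cacheable, not only the 401/403 denials and auth redirects named in the updated comment; if a pass-through or success response is also routed through withCookies elsewhere in middleware (outside this hunk), it will be stamped too, which may be intended but should be stated, or the header should be gated on the deny/redirect status. The comment promises these responses are "never cached by intermediaries or the browser", so a middleware test asserting that the 401, 403 and auth-redirect responses carry `Cache-Control: no-store` would keep the Finding #4 guarantee from regressing.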