# HG changeset patch
# User Kim Alvefur
# Date 1685689199 -7200
# Node ID ae007be8a6bd929f6f52edd7a4d62ff5069f2409
# Parent 56803acfa638771777e759cc1f0c7dc7b72f76fa
mod_http_oauth2: Add Cache-Control and Pragma headers per by RFC 6749
These are mostly for the various Client-facing endpoints, so the chance of browsers being involved is slightly lower than with the User-facing authorization endpoint, which already sent the Cache-Control header. Thanks to OAuch for pointing out.
diff -r 56803acfa638 -r ae007be8a6bd mod_http_oauth2/mod_http_oauth2.lua
--- a/mod_http_oauth2/mod_http_oauth2.lua Fri Jun 02 08:59:29 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Fri Jun 02 08:59:59 2023 +0200
@@ -66,6 +66,7 @@
 ["Referrer-Policy"] = "no-referrer";
 ["X-Frame-Options"] = "DENY";
 ["Cache-Control"] = (sensitive and "no-store" or "no-cache")..", private";
+ ["Pragma"] = "no-cache";
 };
 body = _render_html(template, data);
 };
@@ -360,6 +361,8 @@
 return {
 status_code = 303;
 headers = {
+ cache_control = "no-store";
+ pragma = "no-cache";
 location = url.build(redirect);
 };
 }
@@ -382,6 +385,8 @@
 return {
 status_code = 303;
 headers = {
+ cache_control = "no-store";
+ pragma = "no-cache";
 location = url.build(redirect);
 };
 }
@@ -620,6 +625,8 @@
 return {
 status_code = 303;
 headers = {
+ cache_control = "no-store";
+ pragma = "no-cache";
 location = redirect_uri;
 };
 };
@@ -660,6 +667,8 @@
 local credentials = get_request_credentials(event.request);
 event.response.headers.content_type = "application/json";
+ event.response.headers.cache_control = "no-store";
+ event.response.headers.pragma = "no-cache";
 local params = http.formdecode(event.request.body);
 if not params then
 return oauth_error("invalid_request");
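Review bot: The new `["Pragma"] = "no-cache"` entry in the @@ -66 hunk is unconditional while the `Cache-Control` value next to it switches on `sensitive`, and nothing explains why the pair differs; a short comment would save the next reader a trip to the RFC, e.g. `-- Pragma is the HTTP/1.0 counterpart of Cache-Control (RFC 6749 §5.1); "no-store" only for pages that carry secrets`. The header-table literal and the function that returns it both start outside the hunk.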
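Review bot: The same two lines, `cache_control = "no-store"; pragma = "no-cache";`, are now hand-written in the @@ -360, @@ -382 and @@ -620 hunks (and again in the @@ -660, @@ -774 and @@ -966 hunks), which is exactly the kind of duplication that drifts when a fourth endpoint is added; a one-line helper such as `local function no_cache(headers) headers.cache_control = "no-store"; headers.pragma = "no-cache"; return headers; end` lets each redirect read `headers = no_cache { location = url.build(redirect) };`. These hunks also use underscore keys (`cache_control`) while the @@ -66 hunk uses `["Cache-Control"]`; assuming the HTTP server normalizes underscore keys, as the existing `content_type` and `location` keys rely on, both work, but one spelling per file would be clearer. Each `return { ... }` sits in a function that starts outside its hunk.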
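Review bot: The two assignments added after `event.response.headers.content_type` in the @@ -660 hunk should say which requirement they implement, e.g. `-- RFC 6749 §5.1/§5.2: token responses, including error responses, MUST NOT be cached`. Setting them on `event.response.headers` before the `return oauth_error("invalid_request")` early return only covers the error path if the server merges a returned `headers` table into the response headers rather than replacing them; if `oauth_error` builds its own header table this is worth confirming. The hunk header counts 8 new lines but 7 are shown, so one context line (probably a blank) was lost in the paste, and the enclosing function starts and ends outside the hunk.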
@@ -774,6 +783,8 @@
 local function handle_revocation_request(event)
 local request, response = event.request, event.response;
+ response.headers.cache_control = "no-store";
+ response.headers.pragma = "no-cache";
 if request.headers.authorization then
 local credentials = get_request_credentials(request);
 if not credentials or credentials.type ~= "basic" then
@@ -966,7 +977,11 @@
 return {
 status_code = 201;
- headers = { content_type = "application/json" };
+ headers = {
+ cache_control = "no-store";
+ pragma = "no-cache";
+ content_type = "application/json";
+ };
 body = json.encode(response);
 };
 end
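Review bot: The `201` response rebuilt in the @@ -966 hunk looks like a client registration reply rather than a token response, in which case the headers are mandated by RFC 7591 §3.2.1 and not by RFC 6749 as the commit message says; a comment `-- RFC 7591 §3.2.1: registration responses must not be cached` above the new `headers = {` line would record the actual source. The function that returns this table starts outside the hunk. In the @@ -774 hunk, setting the pair on `response.headers` right after `local request, response = ...` means every later error return in `handle_revocation_request` inherits them, provided returned header tables are merged rather than replacing the response headers; that function continues past the hunk.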