Merge commit from fork

fix(security): prevent CDN caching of session responses by validating ` __session` and `Set-Cookie`

Author: kelvinzhu-okta

src/server/auth-client.ts

@@ -32,6 +32,7 @@ import {
   removeTrailingSlash
 } from "../utils/pathUtils";
 import { toSafeRedirect } from "../utils/url-helpers";
+import { addCacheControlHeadersForSession } from "./cookies";
 import { AbstractSessionStore } from "./session/abstract-session-store";
 import { TransactionState, TransactionStore } from "./transaction-store";
 import { filterClaims } from "./user";
@@ -296,6 +297,7 @@ export class AuthClient {
         await this.sessionStore.set(req.cookies, res.cookies, {
           ...session
         });
+        addCacheControlHeadersForSession(res);
       }
 
       return res;
@@ -441,6 +443,7 @@ export class AuthClient {
 
     const res = NextResponse.redirect(url);
     await this.sessionStore.delete(req.cookies, res.cookies);
+    addCacheControlHeadersForSession(res);
 
     // Clear any orphaned transaction cookies
     await this.transactionStore.deleteAll(req.cookies, res.cookies);
@@ -567,6 +570,7 @@ export class AuthClient {
     }
 
     await this.sessionStore.set(req.cookies, res.cookies, session, true);
+    addCacheControlHeadersForSession(res);
     await this.transactionStore.delete(res.cookies, state);
 
     return res;
@@ -580,8 +584,9 @@ export class AuthClient {
         status: 401
       });
     }
-
-    return NextResponse.json(session?.user);
+    const res = NextResponse.json(session?.user);
+    addCacheControlHeadersForSession(res);
+    return res;
   }
 
   async handleAccessToken(req: NextRequest): Promise<NextResponse> {
@@ -631,6 +636,7 @@ export class AuthClient {
         ...session,
         tokenSet: updatedTokenSet
       });
+      addCacheControlHeadersForSession(res);
     }
 
     return res;

src/server/cookies.test.ts

@@ -1,7 +1,8 @@
+import { NextResponse } from "next/server";
 import { describe, expect, it } from "vitest";
 
 import { generateSecret } from "../test/utils";
-import { decrypt, encrypt } from "./cookies";
+import { addCacheControlHeadersForSession, decrypt, encrypt } from "./cookies";
 
 describe("encrypt/decrypt", async () => {
   const secret = await generateSecret(32);
@@ -53,3 +54,17 @@ describe("encrypt/decrypt", async () => {
     await expect(() => decrypt(encrypted, "")).rejects.toThrowError();
   });
 });
+
+describe("addCacheControlHeadersForSession", () => {
+  it("unconditionally adds strict cache headers", () => {
+    const res = NextResponse.next();
+
+    addCacheControlHeadersForSession(res);
+
+    expect(res.headers.get("Cache-Control")).toBe(
+      "private, no-cache, no-store, must-revalidate, max-age=0"
+    );
+    expect(res.headers.get("Pragma")).toBe("no-cache");
+    expect(res.headers.get("Expires")).toBe("0");
+  });
+});

src/server/cookies.ts

@@ -1,3 +1,4 @@
+import { NextResponse } from "next/server";
 import {
   RequestCookie,
   RequestCookies,
@@ -329,3 +330,22 @@ export function deleteChunkedCookie(
     resCookies.delete(cookie.name); // Delete each filtered cookie
   });
 }
+
+/**
+ * Unconditionally adds strict cache-control headers to the response.
+ *
+ * This ensures the response is not cached by CDNs or other shared caches.
+ * It is now the caller's responsibility to decide when to call this function.
+ *
+ * Usage:
+ * Call this function whenever a `Set-Cookie` header is being written
+ * for session management or any other sensitive data that must not be cached.
+ */
+export function addCacheControlHeadersForSession(res: NextResponse): void {
+  res.headers.set(
+    "Cache-Control",
+    "private, no-cache, no-store, must-revalidate, max-age=0"
+  );
+  res.headers.set("Pragma", "no-cache");
+  res.headers.set("Expires", "0");
+}