Prevent caching of API routes with dynamic content (#922)

Silic0nS0ldier · web-flow · commit 3795c1e29eea · 2019-01-21T15:48:04.000+11:00
Prevent caching of routes with dynamic content
diff --git a/app/sprinkles/account/routes/routes.php b/app/sprinkles/account/routes/routes.php
@@ -7,6 +7,8 @@
  * @license   https://github.com/userfrosting/UserFrosting/blob/master/LICENSE.md (MIT License)
  */
 
+use UserFrosting\Sprinkle\Core\Util\NoCache;
+
 $app->group('/account', function () {
     $this->get('/captcha', 'UserFrosting\Sprinkle\Account\Controller\AccountController:imageCaptcha');
 
@@ -55,6 +57,6 @@
 
     $this->post('/settings/profile', 'UserFrosting\Sprinkle\Account\Controller\AccountController:profile')
         ->add('authGuard');
-});
+})->add(new NoCache());
 
 $app->get('/modals/account/tos', 'UserFrosting\Sprinkle\Account\Controller\AccountController:getModalAccountTos');
diff --git a/app/sprinkles/admin/routes/activities.php b/app/sprinkles/admin/routes/activities.php
@@ -7,14 +7,16 @@
  * @license   https://github.com/userfrosting/UserFrosting/blob/master/LICENSE.md (MIT License)
  */
 
+use UserFrosting\Sprinkle\Core\Util\NoCache;
+
 /**
  * Routes for administrative activity monitoring.
  */
 $app->group('/activities', function () {
     $this->get('', 'UserFrosting\Sprinkle\Admin\Controller\ActivityController:pageList')
         ->setName('uri_activities');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
 
 $app->group('/api/activities', function () {
     $this->get('', 'UserFrosting\Sprinkle\Admin\Controller\ActivityController:getList');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
diff --git a/app/sprinkles/admin/routes/admin.php b/app/sprinkles/admin/routes/admin.php
@@ -7,18 +7,20 @@
  * @license   https://github.com/userfrosting/UserFrosting/blob/master/LICENSE.md (MIT License)
  */
 
+use UserFrosting\Sprinkle\Core\Util\NoCache;
+
 /**
  * Routes for administrative panel management.
  */
 $app->group('/dashboard', function () {
     $this->get('', 'UserFrosting\Sprinkle\Admin\Controller\AdminController:pageDashboard')
          ->setName('dashboard');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
 
 $app->group('/api/dashboard', function () {
     $this->post('/clear-cache', 'UserFrosting\Sprinkle\Admin\Controller\AdminController:clearCache');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
 
 $app->group('/modals/dashboard', function () {
     $this->get('/clear-cache', 'UserFrosting\Sprinkle\Admin\Controller\AdminController:getModalConfirmClearCache');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
diff --git a/app/sprinkles/admin/routes/groups.php b/app/sprinkles/admin/routes/groups.php
@@ -7,6 +7,8 @@
  * @license   https://github.com/userfrosting/UserFrosting/blob/master/LICENSE.md (MIT License)
  */
 
+use UserFrosting\Sprinkle\Core\Util\NoCache;
+
 /**
  * Routes for administrative group management.
  */
@@ -15,7 +17,7 @@
         ->setName('uri_groups');
 
     $this->get('/g/{slug}', 'UserFrosting\Sprinkle\Admin\Controller\GroupController:pageInfo');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
 
 $app->group('/api/groups', function () {
     $this->delete('/g/{slug}', 'UserFrosting\Sprinkle\Admin\Controller\GroupController:delete');
@@ -29,12 +31,12 @@
     $this->post('', 'UserFrosting\Sprinkle\Admin\Controller\GroupController:create');
 
     $this->put('/g/{slug}', 'UserFrosting\Sprinkle\Admin\Controller\GroupController:updateInfo');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
 
 $app->group('/modals/groups', function () {
     $this->get('/confirm-delete', 'UserFrosting\Sprinkle\Admin\Controller\GroupController:getModalConfirmDelete');
 
     $this->get('/create', 'UserFrosting\Sprinkle\Admin\Controller\GroupController:getModalCreate');
 
     $this->get('/edit', 'UserFrosting\Sprinkle\Admin\Controller\GroupController:getModalEdit');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
diff --git a/app/sprinkles/admin/routes/permissions.php b/app/sprinkles/admin/routes/permissions.php
@@ -7,6 +7,8 @@
  * @license   https://github.com/userfrosting/UserFrosting/blob/master/LICENSE.md (MIT License)
  */
 
+use UserFrosting\Sprinkle\Core\Util\NoCache;
+
 /**
  * Routes for administrative permission management.
  */
@@ -15,12 +17,12 @@
         ->setName('uri_permissions');
 
     $this->get('/p/{id}', 'UserFrosting\Sprinkle\Admin\Controller\PermissionController:pageInfo');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
 
 $app->group('/api/permissions', function () {
     $this->get('', 'UserFrosting\Sprinkle\Admin\Controller\PermissionController:getList');
 
     $this->get('/p/{id}', 'UserFrosting\Sprinkle\Admin\Controller\PermissionController:getInfo');
 
     $this->get('/p/{id}/users', 'UserFrosting\Sprinkle\Admin\Controller\PermissionController:getUsers');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
diff --git a/app/sprinkles/admin/routes/roles.php b/app/sprinkles/admin/routes/roles.php
@@ -7,6 +7,8 @@
  * @license   https://github.com/userfrosting/UserFrosting/blob/master/LICENSE.md (MIT License)
  */
 
+use UserFrosting\Sprinkle\Core\Util\NoCache;
+
 /**
  * Routes for administrative role management.
  */
@@ -15,7 +17,7 @@
         ->setName('uri_roles');
 
     $this->get('/r/{slug}', 'UserFrosting\Sprinkle\Admin\Controller\RoleController:pageInfo');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
 
 $app->group('/api/roles', function () {
     $this->delete('/r/{slug}', 'UserFrosting\Sprinkle\Admin\Controller\RoleController:delete');
@@ -33,7 +35,7 @@
     $this->put('/r/{slug}', 'UserFrosting\Sprinkle\Admin\Controller\RoleController:updateInfo');
 
     $this->put('/r/{slug}/{field}', 'UserFrosting\Sprinkle\Admin\Controller\RoleController:updateField');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
 
 $app->group('/modals/roles', function () {
     $this->get('/confirm-delete', 'UserFrosting\Sprinkle\Admin\Controller\RoleController:getModalConfirmDelete');
@@ -43,4 +45,4 @@
     $this->get('/edit', 'UserFrosting\Sprinkle\Admin\Controller\RoleController:getModalEdit');
 
     $this->get('/permissions', 'UserFrosting\Sprinkle\Admin\Controller\RoleController:getModalEditPermissions');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
diff --git a/app/sprinkles/admin/routes/users.php b/app/sprinkles/admin/routes/users.php
@@ -7,6 +7,8 @@
  * @license   https://github.com/userfrosting/UserFrosting/blob/master/LICENSE.md (MIT License)
  */
 
+use UserFrosting\Sprinkle\Core\Util\NoCache;
+
 /**
  * Routes for administrative user management.
  */
@@ -15,7 +17,7 @@
         ->setName('uri_users');
 
     $this->get('/u/{user_name}', 'UserFrosting\Sprinkle\Admin\Controller\UserController:pageInfo');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
 
 $app->group('/api/users', function () {
     $this->delete('/u/{user_name}', 'UserFrosting\Sprinkle\Admin\Controller\UserController:delete');
@@ -37,7 +39,7 @@
     $this->put('/u/{user_name}', 'UserFrosting\Sprinkle\Admin\Controller\UserController:updateInfo');
 
     $this->put('/u/{user_name}/{field}', 'UserFrosting\Sprinkle\Admin\Controller\UserController:updateField');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
 
 $app->group('/modals/users', function () {
     $this->get('/confirm-delete', 'UserFrosting\Sprinkle\Admin\Controller\UserController:getModalConfirmDelete');
@@ -49,4 +51,4 @@
     $this->get('/password', 'UserFrosting\Sprinkle\Admin\Controller\UserController:getModalEditPassword');
 
     $this->get('/roles', 'UserFrosting\Sprinkle\Admin\Controller\UserController:getModalEditRoles');
-})->add('authGuard');
+})->add('authGuard')->add(new NoCache());
diff --git a/app/sprinkles/admin/src/Controller/PermissionController.php b/app/sprinkles/admin/src/Controller/PermissionController.php
@@ -140,11 +140,9 @@ public function getUsers(Request $request, Response $response, $args)
 
         $sprunje = $classMapper->createInstance('permission_user_sprunje', $classMapper, $params);
 
-        $response = $sprunje->toResponse($response);
-
         // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
         // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
-        return $response;
+        return $sprunje->toResponse($response);
     }
 
     /**
diff --git a/app/sprinkles/admin/src/Controller/UserController.php b/app/sprinkles/admin/src/Controller/UserController.php
@@ -834,11 +834,9 @@ public function getPermissions(Request $request, Response $response, $args)
         $params['user_id'] = $user->id;
         $sprunje = $classMapper->createInstance('user_permission_sprunje', $classMapper, $params);
 
-        $response = $sprunje->toResponse($response);
-
         // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
         // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
-        return $response;
+        return $sprunje->toResponse($response);
     }
 
     /**
diff --git a/app/sprinkles/core/routes/routes.php b/app/sprinkles/core/routes/routes.php
@@ -7,6 +7,8 @@
  * @license   https://github.com/userfrosting/UserFrosting/blob/master/LICENSE.md (MIT License)
  */
 
+use UserFrosting\Sprinkle\Core\Util\NoCache;
+
 global $app;
 $config = $app->getContainer()->get('config');
 
@@ -16,7 +18,8 @@
 
 $app->get('/about', 'UserFrosting\Sprinkle\Core\Controller\CoreController:pageAbout')->add('checkEnvironment');
 
-$app->get('/alerts', 'UserFrosting\Sprinkle\Core\Controller\CoreController:jsonAlerts');
+$app->get('/alerts', 'UserFrosting\Sprinkle\Core\Controller\CoreController:jsonAlerts')
+    ->add(new NoCache());
 
 $app->get('/legal', 'UserFrosting\Sprinkle\Core\Controller\CoreController:pageLegal');
 
diff --git a/app/sprinkles/core/src/Bakery/BuildAssets.php b/app/sprinkles/core/src/Bakery/BuildAssets.php
@@ -90,7 +90,9 @@ protected function npmInstall($force)
         chdir($this->buildPath);
 
         // Delete troublesome package-lock.json
-        if (file_exists('package-lock.json')) unlink('package-lock.json');
+        if (file_exists('package-lock.json')) {
+            unlink('package-lock.json');
+        }
 
         // Skip if lockfile indicates previous run
         if (!$force && file_exists('package.lock') && filemtime('package.json') < filemtime('package.lock') - 1) {
diff --git a/app/sprinkles/core/src/Util/NoCache.php b/app/sprinkles/core/src/Util/NoCache.php
@@ -0,0 +1,36 @@
+<?php
+/**
+ * UserFrosting (http://www.userfrosting.com)
+ *
+ * @link      https://github.com/userfrosting/UserFrosting
+ * @copyright Copyright (c) 2019 Alexander Weissman
+ * @license   https://github.com/userfrosting/UserFrosting/blob/master/LICENSE.md (MIT License)
+ */
+
+namespace UserFrosting\Sprinkle\Core\Util;
+
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Message\ResponseInterface as Response;
+
+/**
+ * Middleware to catch requests that fail because they require user authentication.
+ *
+ * @author Alex Weissman (https://alexanderweissman.com)
+ */
+class NoCache
+{
+    /**
+     * Invoke the NoCache middleware, adding headers to the request to prevent caching.
+     *
+     * @param  Request  $request  PSR7 request
+     * @param  Response $response PSR7 response
+     * @param  callable $next     Next middleware
+     * @return Response
+     */
+    public function __invoke(Request $request, Response $response, $next)
+    {
+        $response = $response->withHeader('Cache-Control', 'no-store');
+
+        return $next($request, $response);
+    }
+}
diff --git a/app/sprinkles/core/src/Util/RawAssetBundles.php b/app/sprinkles/core/src/Util/RawAssetBundles.php
@@ -46,7 +46,7 @@ public function extend($filePath)
 
         // Process bundles
         foreach ($schema['bundle'] as $bundleName => $_) {
-            
+
             // Get collision setting.
             $collisionRule = $schema["bundle.$bundleName.options.sprinkle.onCollision"] ?: 'replace';
 
@@ -76,14 +76,15 @@ public function extend($filePath)
 
     /**
      * Adds provided bundle to provided bundle store with collision rule respected.
-     * @param string|string[] $bundle Bundle to add.
-     * @param string $name Name of bundle provided.
-     * @param string $collisionRule Rule to apply if collision is detected.
-     * @param string[string][] $bundleStore Place to add bundles (CSS or JS depending on provided store).
-     * @throws \ErrorException if collision rule is 'error' and bundle is already defined.
+     * @param  string|string[]       $bundle        Bundle to add.
+     * @param  string                $name          Name of bundle provided.
+     * @param  string                $collisionRule Rule to apply if collision is detected.
+     * @param  string[string][]      $bundleStore   Place to add bundles (CSS or JS depending on provided store).
+     * @throws \ErrorException       if collision rule is 'error' and bundle is already defined.
      * @throws \OutOfBoundsException if an invalid collision rule is provided.
      */
-    protected function addWithCollisionRule(&$bundle, $bundleName, $collisionRule, &$bundleStore) {
+    protected function addWithCollisionRule(&$bundle, $bundleName, $collisionRule, &$bundleStore)
+    {
         $standardisedBundle = $this->standardiseBundle($bundle);
         if (!array_key_exists($bundleName, $bundleStore)) {
             $bundleStore[$bundleName] = $standardisedBundle;
