Merge pull request #233 from auth0/cache-control

Prevent caching the `/me` request
auth0 · Jan 11, 2021 · 7457fd6 · 7457fd6
2 parents 5c59e68 + 0d16d03
commit 7457fd6
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/src/handlers/profile.ts b/src/handlers/profile.ts
@@ -70,6 +70,7 @@ export default function profileHandler(
       return;
     }
 
+    res.setHeader('Cache-Control', 'no-store');
     res.json(session.user);
   };
 }
diff --git a/tests/handlers/profile.test.ts b/tests/handlers/profile.test.ts
@@ -23,6 +23,14 @@ describe('profile handler', () => {
     expect(profile).toStrictEqual({ nickname: '__test_nickname__', sub: '__test_sub__' });
   });
 
+  test('should not allow caching the profile response', async () => {
+    const baseUrl = await setup(withoutApi);
+    const cookieJar = await login(baseUrl);
+
+    const { res } = await get(baseUrl, '/api/auth/me', { cookieJar, fullResponse: true });
+    expect(res.headers['cache-control']).toEqual('no-store');
+  });
+
   test('should throw if re-fetching with no Access Token', async () => {
     const afterCallback: AfterCallback = (_req, _res, session: Session): Session => {
       delete session.accessToken;