Prevent browser caching of the OAuth application detail page (#1187)

* Prevent browser caching of the OAuth application detail page * added CacheControl headers to the ApplicationDetail page * Fix call to super using wrong ApplicationDetail class * Reformated file with black and isort Co-authored-by: Ryan Ewing <ewingrya@amazon.com>
2024-05-11 05:55:09 +00:00 · 2022-06-14 12:07:15 -07:00
parent 1109acbd1a
commit 6eac62c87b
2 changed files with 15 additions and 1 deletions
--- a/peeringdb_server/views.py
+++ b/peeringdb_server/views.py
@@ -46,6 +46,7 @@ from django.utils.crypto import constant_time_compare
 from django.utils.decorators import method_decorator
 from django.utils.translation import ugettext_lazy as _
 from django.views import View
+from django.views.decorators.cache import never_cache
 from django.views.decorators.csrf import csrf_protect, ensure_csrf_cookie
 from django.views.decorators.http import require_http_methods
 from django_grainy.util import Permissions
@@ -635,7 +636,9 @@ oauth2_views.ApplicationRegistration = ApplicationRegistration


 class ApplicationDetail(ApplicationOwnerMixin, oauth2_views.ApplicationDetail):
-    pass
+    @never_cache
+    def get(self, request, *args, **kwargs):
+        return super(ApplicationDetail, self).get(request, *args, **kwargs)


 oauth2_views.ApplicationDetail = ApplicationDetail
--- a/tests/test_oauth2_views.py
+++ b/tests/test_oauth2_views.py
@@ -99,6 +99,15 @@ def test_app_list(oauth2_apps):
 def test_app_detail(oauth2_apps):
    override_app_model()

+    def check_cache_headers(resp):
+        assert resp.has_header("Cache-Control")
+        cache_control_header = resp.headers.get("Cache-Control")
+        assert "max-age=0" in cache_control_header
+        assert "no-cache" in cache_control_header
+        assert "no-store" in cache_control_header
+        assert "must-revalidate" in cache_control_header
+        assert "private" in cache_control_header
+
    user_app, org_app, other_app = oauth2_apps
    user = user_app.user

@@ -112,6 +121,7 @@ def test_app_detail(oauth2_apps):
    resp = client.get(url)

    assert resp.status_code == 200
+    check_cache_headers(resp)

    # detail org owned app

@@ -120,6 +130,7 @@ def test_app_detail(oauth2_apps):

    assert resp.status_code == 200
    assert f"{org_app.org.name}'s management" in resp.content.decode("utf-8")
+    check_cache_headers(resp)

    # detail unprovisioned org owned app (prohibited)