fix(security): add cache-control headers to token endpoints

internal/api/anonymous.go

@@ -58,5 +58,5 @@ func (a *API) SignupAnonymously(w http.ResponseWriter, r *http.Request) error {
 	}
 
 	metering.RecordLogin(metering.LoginTypeAnonymous, newUser.ID, nil)
-	return sendJSON(w, http.StatusOK, token)
+	return sendTokenJSON(w, http.StatusOK, token)
 }

internal/api/helpers.go

@@ -19,6 +19,12 @@ func sendJSON(w http.ResponseWriter, status int, obj interface{}) error {
 	return shared.SendJSON(w, status, obj)
 }
 
+func sendTokenJSON(w http.ResponseWriter, status int, obj interface{}) error {
+	w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate")
+	w.Header().Set("Pragma", "no-cache")
+	return shared.SendJSON(w, status, obj)
+}
+
 func isAdmin(u *models.User, config *conf.GlobalConfiguration) bool {
 	return config.JWT.Aud == u.Aud && u.HasRole(config.JWT.AdminGroupName)
 }

internal/api/mfa.go

@@ -752,7 +752,7 @@ func (a *API) verifyTOTPFactor(w http.ResponseWriter, r *http.Request, params *V
 		Provider: metering.ProviderMFATOTP,
 	})
 
-	return sendJSON(w, http.StatusOK, token)
+	return sendTokenJSON(w, http.StatusOK, token)
 
 }
 
@@ -892,7 +892,7 @@ func (a *API) verifyPhoneFactor(w http.ResponseWriter, r *http.Request, params *
 		Provider: metering.ProviderMFAPhone,
 	})
 
-	return sendJSON(w, http.StatusOK, token)
+	return sendTokenJSON(w, http.StatusOK, token)
 }
 
 func (a *API) verifyWebAuthnFactor(w http.ResponseWriter, r *http.Request, params *VerifyFactorParams) error {
@@ -1012,7 +1012,7 @@ func (a *API) verifyWebAuthnFactor(w http.ResponseWriter, r *http.Request, param
 		Provider: metering.ProviderMFAWebAuthn,
 	})
 
-	return sendJSON(w, http.StatusOK, token)
+	return sendTokenJSON(w, http.StatusOK, token)
 }
 
 func (a *API) VerifyFactor(w http.ResponseWriter, r *http.Request) error {

internal/api/signup.go

@@ -329,7 +329,7 @@ func (a *API) Signup(w http.ResponseWriter, r *http.Request) error {
 				"immediate_login_after_signup": true,
 			},
 		})
-		return sendJSON(w, http.StatusOK, token)
+		return sendTokenJSON(w, http.StatusOK, token)
 	}
 	if user.HasBeenInvited() {
 		// Remove sensitive fields

internal/api/token.go

@@ -206,7 +206,7 @@ func (a *API) ResourceOwnerPasswordGrant(ctx context.Context, w http.ResponseWri
 	metering.RecordLogin(metering.LoginTypePassword, user.ID, &metering.LoginData{
 		Provider: provider,
 	})
-	return sendJSON(w, http.StatusOK, token)
+	return sendTokenJSON(w, http.StatusOK, token)
 }
 
 func (a *API) PKCE(ctx context.Context, w http.ResponseWriter, r *http.Request) error {
@@ -283,7 +283,7 @@ func (a *API) PKCE(ctx context.Context, w http.ResponseWriter, r *http.Request)
 	metering.RecordLogin(metering.LoginTypePKCE, user.ID, &metering.LoginData{
 		Provider: flowState.ProviderType,
 	})
-	return sendJSON(w, http.StatusOK, token)
+	return sendTokenJSON(w, http.StatusOK, token)
 }
 
 func (a *API) generateAccessToken(r *http.Request, tx *storage.Connection, user *models.User, sessionId *uuid.UUID, authenticationMethod models.AuthenticationMethod) (string, int64, error) {

internal/api/token_oidc.go

@@ -319,5 +319,5 @@ func (a *API) IdTokenGrant(ctx context.Context, w http.ResponseWriter, r *http.R
 		Provider: providerType,
 	})
 
-	return sendJSON(w, http.StatusOK, token)
+	return sendTokenJSON(w, http.StatusOK, token)
 }

internal/api/token_refresh.go

@@ -27,5 +27,5 @@ func (a *API) RefreshTokenGrant(ctx context.Context, w http.ResponseWriter, r *h
 		return err
 	}
 
-	return sendJSON(w, http.StatusOK, tokenResponse)
+	return sendTokenJSON(w, http.StatusOK, tokenResponse)
 }

internal/api/verify.go

@@ -307,7 +307,7 @@ func (a *API) verifyPost(w http.ResponseWriter, r *http.Request, params *VerifyP
 		Provider: provider,
 	})
 
-	return sendJSON(w, http.StatusOK, token)
+	return sendTokenJSON(w, http.StatusOK, token)
 }
 
 func (a *API) signupVerify(r *http.Request, ctx context.Context, conn *storage.Connection, user *models.User) (*models.User, error) {

internal/api/web3.go

@@ -200,7 +200,7 @@ func (a *API) web3GrantSolana(ctx context.Context, w http.ResponseWriter, r *htt
 		},
 	})
 
-	return sendJSON(w, http.StatusOK, token)
+	return sendTokenJSON(w, http.StatusOK, token)
 }
 
 func (a *API) web3GrantEthereum(ctx context.Context, w http.ResponseWriter, r *http.Request, params *Web3GrantParams) error {
@@ -335,5 +335,5 @@ func (a *API) web3GrantEthereum(ctx context.Context, w http.ResponseWriter, r *h
 			return err
 		}
 	}
-	return sendJSON(w, http.StatusOK, token)
+	return sendTokenJSON(w, http.StatusOK, token)
 }