Service Workers Invalid security token and Clear Site Data HTTP Header (#4088)

If a website has a Service Worker installed it would load and register before a User tries to login to the backend causing a "Invalid security token" message. This PR unregisters any installed Service Worker when a User opens the backend Signin webpage. I have also added the NEW Security Headers to add Protection to October's Cache and Cookies. This includes two new Middleware that first clears any bad cached data before a User tries to login and the second Middleware will clear all the sensitive User Data when a User signs out of the Backend. For more info on the new Security Header 'Clear Site Data' you can see the spec found here: https://www.w3.org/TR/clear-site-data/ Fixes #4076, fixes #3707.
2024-06-28 05:33:29 +02:00 · 2019-03-01 22:22:18 +00:00 · 2019-03-01 22:22:18 +00:00 · dd53206a82
commit dd53206a82
parent 57f358b638
2 changed files with 31 additions and 1 deletions
--- a/modules/backend/assets/js/auth/uninstall-sw.js
+++ b/modules/backend/assets/js/auth/uninstall-sw.js
@ -0,0 +1,10 @@
+// Only run on HTTPS connections
+if (location.protocol === 'https:') {
+    // Unregister all service workers before signing in to prevent cache issues
+    navigator.serviceWorker.getRegistrations().then(
+        function(registrations) {
+            for (let registration of registrations) {  
+                registration.unregister();
+            }
+    });
+}
--- a/modules/backend/controllers/Auth.php
+++ b/modules/backend/controllers/Auth.php
@ -32,6 +32,26 @@ class Auth extends Controller
    public function __construct()
    {
        parent::__construct();
+
+        $this->middleware(function ($request, $next) {
+            $response = $next($request);
+            // Clear Cache and any previous data to fix Invalid security token issue, see github: #3707
+            $response->headers->set('Cache-Control', 'no-cache, no-store, must-revalidate');
+            return $response;
+        })->only('signin');
+
+		// Only run on HTTPS connections
+		if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] === "on") {
+            $this->middleware(function ($request, $next) {
+                $response = $next($request);
+                // Add HTTP Header 'Clear Site Data' to remove all Sensitive Data when signout, see github issue: #3707
+                $response->headers->set('Clear-Site-Data', 'cache, cookies, storage, executionContexts');
+                return $response;
+            })->only('signout');
+        }
+
+        // Add JS File to un-install SW to avoid Cookie Cache Issues when Signin, see github issue: #3707
+        $this->addJs(url("/modules/backend/assets/js/auth/uninstall-sw.js"));
        $this->layout = 'auth';
    }

@ -212,4 +232,4 @@ class Auth extends Controller

        return Backend::redirect('backend/auth/signin');
    }
-}
+}