From dd53206a82ed59cd483aca5b5968b3993413b7a5 Mon Sep 17 00:00:00 2001
From: Ayumi Hamasaki <46076483+ayumihamasaki2@users.noreply.github.com>
Date: Fri, 1 Mar 2019 22:22:18 +0000
Subject: [PATCH] Service Workers Invalid security token and Clear Site Data HTTP Header (#4088)

If a website has a Service Worker installed it would load and register before a User tries to login to the backend causing a "Invalid security token" message. This PR unregisters any installed Service Worker when a User opens the backend Signin webpage. I have also added the NEW Security Headers to add Protection to October's Cache and Cookies. This includes two new Middleware that first clears any bad cached data before a User tries to login and the second Middleware will clear all the sensitive User Data when a User signs out of the Backend. For more info on the new Security Header 'Clear Site Data' you can see the spec found here: https://www.w3.org/TR/clear-site-data/ Fixes #4076, fixes #3707.
---
 .../backend/assets/js/auth/uninstall-sw.js | 10 +++++++++
 modules/backend/controllers/Auth.php | 22 ++++++++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 modules/backend/assets/js/auth/uninstall-sw.js

diff --git a/modules/backend/assets/js/auth/uninstall-sw.js b/modules/backend/assets/js/auth/uninstall-sw.js
new file mode 100644
index 000000000..eb48b3938
--- /dev/null
+++ b/modules/backend/assets/js/auth/uninstall-sw.js
@@ -0,0 +1,10 @@
+// Only run on HTTPS connections
+if (location.protocol === 'https:') {
+ // Unregister all service workers before signing in to prevent cache issues
+ navigator.serviceWorker.getRegistrations().then(
+ function(registrations) {
+ for (let registration of registrations) {
+ registration.unregister();
+ }
+ });
+}
\ No newline at end of file
diff --git a/modules/backend/controllers/Auth.php b/modules/backend/controllers/Auth.php
index 849a2675f..b8a38a0af 100644
--- a/modules/backend/controllers/Auth.php
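Review bot: `navigator.serviceWorker.getRegistrations()` is called without checking that the API exists, so on an HTTPS sign-in page in a browser without Service Worker support the script throws a TypeError as soon as it loads; guard the feature as well as the scheme, `if (location.protocol === 'https:' && 'serviceWorker' in navigator) {`. Neither the `getRegistrations()` promise nor the per-registration `unregister()` promises have a rejection handler, so a failure only surfaces as an unhandled-rejection console error; a `.catch` at the end of the chain would make it visible to whoever is debugging the sign-in problem. The `https:` test also excludes `http://localhost`, where browsers do allow service workers, so a worker installed during local development is presumably left registered.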
+++ b/modules/backend/controllers/Auth.php
@@ -32,6 +32,26 @@ class Auth extends Controller
 public function __construct()
 {
 parent::__construct();
+
+ $this->middleware(function ($request, $next) {
+ $response = $next($request);
+ // Clear Cache and any previous data to fix Invalid security token issue, see github: #3707
+ $response->headers->set('Cache-Control', 'no-cache, no-store, must-revalidate');
+ return $response;
+ })->only('signin');
+
+ // Only run on HTTPS connections
+ if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] === "on") {
+ $this->middleware(function ($request, $next) {
+ $response = $next($request);
+ // Add HTTP Header 'Clear Site Data' to remove all Sensitive Data when signout, see github issue: #3707
+ $response->headers->set('Clear-Site-Data', 'cache, cookies, storage, executionContexts');
+ return $response;
+ })->only('signout');
+ }
+
+ // Add JS File to un-install SW to avoid Cookie Cache Issues when Signin, see github issue: #3707
+ $this->addJs(url("/modules/backend/assets/js/auth/uninstall-sw.js"));
 $this->layout = 'auth';
 }
@@ -212,4 +232,4 @@ class Auth extends Controller
 return Backend::redirect('backend/auth/signin');
 }
-}
+}
\ No newline at end of file
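Review bot: The `Clear-Site-Data` value set in the `signout` middleware is not in the form the linked spec defines — the header is a comma-separated list of quoted strings, and browsers ignore directives that are not quoted — so as written the header is unlikely to clear anything; use `$response->headers->set('Clear-Site-Data', '"cache", "cookies", "storage", "executionContexts"');`. Registering that middleware only when `$_SERVER["HTTPS"] === "on"` means it is never attached behind a TLS-terminating proxy or load balancer, where PHP sees the request over plain HTTP; the closure already receives `$request`, so testing `$request->secure()` inside it (which honours the framework's trusted-proxy handling) would cover both deployments. The `Cache-Control` middleware on `signin` would also benefit from a comment saying why the value is needed rather than only citing the issue, e.g. `// no-store keeps a cached signin page (and its stale CSRF token) out of the browser cache`.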