Service Workers Invalid security token and Clear Site Data HTTP Heade…

…r (#4088) If a website has a Service Worker installed it would load and register before a User tries to login to the backend causing a "Invalid security token" message. This PR unregisters any installed Service Worker when a User opens the backend Signin webpage. I have also added the NEW Security Headers to add Protection to October's Cache and Cookies. This includes two new Middleware that first clears any bad cached data before a User tries to login and the second Middleware will clear all the sensitive User Data when a User signs out of the Backend. For more info on the new Security Header 'Clear Site Data' you can see the spec found here: https://www.w3.org/TR/clear-site-data/ Fixes #4076, fixes #3707.
wintercms · Mar 1, 2019 · dd53206 · dd53206
1 parent 57f358b
commit dd53206
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/modules/backend/assets/js/auth/uninstall-sw.js b/modules/backend/assets/js/auth/uninstall-sw.js
@@ -0,0 +1,10 @@
+// Only run on HTTPS connections
+if (location.protocol === 'https:') {
+    // Unregister all service workers before signing in to prevent cache issues
+    navigator.serviceWorker.getRegistrations().then(
+        function(registrations) {
+            for (let registration of registrations) {  
+                registration.unregister();
+            }
+    });
+}
diff --git a/modules/backend/controllers/Auth.php b/modules/backend/controllers/Auth.php
@@ -32,6 +32,26 @@ class Auth extends Controller
     public function __construct()
     {
         parent::__construct();
+
+        $this->middleware(function ($request, $next) {
+            $response = $next($request);
+            // Clear Cache and any previous data to fix Invalid security token issue, see github: #3707
+            $response->headers->set('Cache-Control', 'no-cache, no-store, must-revalidate');
+            return $response;
+        })->only('signin');
+
+		// Only run on HTTPS connections
+		if (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] === "on") {
+            $this->middleware(function ($request, $next) {
+                $response = $next($request);
+                // Add HTTP Header 'Clear Site Data' to remove all Sensitive Data when signout, see github issue: #3707
+                $response->headers->set('Clear-Site-Data', 'cache, cookies, storage, executionContexts');
+                return $response;
+            })->only('signout');
+        }
+
+        // Add JS File to un-install SW to avoid Cookie Cache Issues when Signin, see github issue: #3707
+        $this->addJs(url("/modules/backend/assets/js/auth/uninstall-sw.js"));
         $this->layout = 'auth';
     }
 
@@ -212,4 +232,4 @@ public function reset_onSubmit()
 
         return Backend::redirect('backend/auth/signin');
     }
-}
+}