Move to login nonce feature

src/alley/wp/alleyvate/features/class-login-nonce.php

@@ -51,6 +51,27 @@ public function boot(): void {
 		add_action( 'login_form_login', [ self::class, 'action__add_nonce_life_filter' ] );
 		add_action( 'login_head', [ self::class, 'action__add_meta_refresh' ] );
 		add_action( 'after_setup_theme', [ self::class, 'action__pre_validate_login_nonce' ], 9999 );
+		add_filter( 'nocache_headers', [ self::class, 'add_no_store_to_login' ] );
+	}
+
+	/**
+	 * Adds the `no-store` flag to the `Cache-Control` headers.
+	 *
+	 * @param array $headers The headers array.
+	 * @return array
+	 */
+	public static function add_no_store_to_login( $headers ): array {
+		if ( ! is_array( $headers ) ) {
+			$headers = [];
+		}
+
+		if ( 'wp-login.php' !== ( $GLOBALS['pagenow'] ?? '' ) ) {
+			return $headers;
+		}
+
+		$headers['Cache-Control'] = 'no-cache, must-revalidate, max-age=0, no-store';
+
+		return $headers;
 	}
 
 	/**

src/alley/wp/alleyvate/load.php

@@ -28,7 +28,6 @@ function available_features(): array {
 		'disable_sticky_posts'                 => new Features\Disable_Sticky_Posts(),
 		'disable_trackbacks'                   => new Features\Disable_Trackbacks(),
 		'disallow_file_edit'                   => new Features\Disallow_File_Edit(),
-		'disable_login_cache'                  => new Features\Disable_Login_Cache(),
 		'login_nonce'                          => new Features\Login_Nonce(),
 		'prevent_framing'                      => new Features\Prevent_Framing(),
 		'redirect_guess_shortcircuit'          => new Features\Redirect_Guess_Shortcircuit(),

tests/alley/wp/alleyvate/features/test-login-nonce.php

@@ -144,4 +144,40 @@ public function test_logout_nonce_validates(): void {
 
 		$this->assertTrue( wp_validate_boolean( wp_verify_nonce( $token, 'log-out' ) ) );
 	}
+
+	/**
+	 * Verify that the no-store flag is added to the login page.
+	 *
+	 * Note: `wp_get_nocache_headers()` is used by `nocache_headers()` which
+	 * in turn is called on `wp-login.php`. We call it directly here so
+	 * we can assert against an array instead of trying to send headers.
+	 */
+	public function test_login_page_cache_is_no_stored() {
+		global $pagenow;
+
+		$pagenow = 'wp-login.php';
+
+		$this->feature->boot();
+
+		$headers = \wp_get_nocache_headers();
+
+		self::assertArrayHasKey( 'Cache-Control', $headers );
+		self::assertStringContainsString( 'no-store', $headers['Cache-Control'] );
+	}
+
+	/**
+	 * Verify that the no-store flag isn't added to other pages.
+	 */
+	public function test_non_login_page_is_stored() {
+		global $pagenow;
+
+		$pagenow = 'single.php'; // Anything other than wp-login.php.
+
+		$this->feature->boot();
+
+		$headers = \wp_get_nocache_headers();
+
+		self::assertArrayHasKey( 'Cache-Control', $headers );
+		self::assertStringNotContainsString( 'no-store', $headers['Cache-Control'] );
+	}
 }