Issue #70 - Add no-store cache header to wp-login.php #71

Merged
merged 6 commits into from
Feb 2, 2024
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,7 @@ This library adheres to [Semantic Versioning](https://semver.org/) and [Keep a C

### Added

* `login_nonce`: Added a `no-store` header to the wp-login.php page.
* `prevent_framing`: Added a feature to prevent framing of the site via the
`X-Frame-Options` header.
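Review bot: the `login_nonce` entry says a `no-store` header was added, but the code in `class-login-nonce.php` appends the `no-store` directive to the value of the existing `Cache-Control` header rather than sending a new header; wording it as "Added the `no-store` directive to the `Cache-Control` header sent with wp-login.php" matches the docblock ("Adds the `no-store` flag to the `Cache-Control` headers") and avoids readers looking for a separate header.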

21 changes: 21 additions & 0 deletions src/alley/wp/alleyvate/features/class-login-nonce.php
Expand Up @@ -51,6 +51,27 @@ public function boot(): void {
add_action( 'login_form_login', [ self::class, 'action__add_nonce_life_filter' ] );
add_action( 'login_head', [ self::class, 'action__add_meta_refresh' ] );
add_action( 'after_setup_theme', [ self::class, 'action__pre_validate_login_nonce' ], 9999 );
add_filter( 'nocache_headers', [ self::class, 'add_no_store_to_login' ] );
}

/**
* Adds the `no-store` flag to the `Cache-Control` headers.
*
* @param array $headers The headers array.
* @return array
*/
public static function add_no_store_to_login( $headers ): array {
if ( ! \is_array( $headers ) ) {
$headers = [];
}

if ( 'wp-login.php' !== ( $GLOBALS['pagenow'] ?? '' ) ) {
return $headers;
}

$headers['Cache-Control'] = 'no-cache, must-revalidate, max-age=0, no-store';

return $headers;
}

/**
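Review bot: `add_no_store_to_login` overwrites the whole `Cache-Control` value at `$headers['Cache-Control'] = 'no-cache, must-revalidate, max-age=0, no-store';`, so any directive that core or an earlier `nocache_headers` filter had already placed in that header is discarded instead of extended. Since the only goal is to guarantee `no-store` is present, append it to the existing value when it is absent, for example `$existing = (string) ( $headers['Cache-Control'] ?? '' );` followed by `if ( ! str_contains( $existing, 'no-store' ) ) { $headers['Cache-Control'] = ltrim( $existing . ', no-store', ', ' ); }`. Two smaller points: the callback name departs from the `action__` prefix convention used by the other hooks registered in `boot()` (a `filter__add_no_store_to_login` name would match), and the `$GLOBALS['pagenow']` check depends on that global being populated, which is fine for wp-login.php but worth stating in the docblock since the tests have to set it by hand.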
36 changes: 36 additions & 0 deletions tests/alley/wp/alleyvate/features/test-login-nonce.php
Expand Up @@ -144,4 +144,40 @@ public function test_logout_nonce_validates(): void {

$this->assertTrue( wp_validate_boolean( wp_verify_nonce( $token, 'log-out' ) ) );
}

/**
* Verify that the no-store flag is added to the login page.
*
* Note: `wp_get_nocache_headers()` is used by `nocache_headers()` which
* in turn is called on `wp-login.php`. We call it directly here so
* we can assert against an array instead of trying to send headers.
*/
public function test_login_page_cache_is_no_stored() {
global $pagenow;

$pagenow = 'wp-login.php';

$this->feature->boot();

$headers = wp_get_nocache_headers();

self::assertArrayHasKey( 'Cache-Control', $headers );
self::assertStringContainsString( 'no-store', $headers['Cache-Control'] );
}

/**
* Verify that the no-store flag isn't added to other pages.
*/
public function test_non_login_page_is_stored() {
global $pagenow;

$pagenow = 'single.php'; // Anything other than wp-login.php.

$this->feature->boot();

$headers = wp_get_nocache_headers();

self::assertArrayHasKey( 'Cache-Control', $headers );
self::assertStringNotContainsString( 'no-store', $headers['Cache-Control'] );
}
}
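Review bot: both new tests assign the `$pagenow` global (`$pagenow = 'wp-login.php';` and `$pagenow = 'single.php';`) without restoring it, so the value leaks into whichever test runs next in the same process; capture the previous value and put it back in a `finally` block or in `tearDown()`. The `assertStringNotContainsString( 'no-store', ... )` in `test_non_login_page_is_stored` also asserts that the unfiltered default returned by `wp_get_nocache_headers()` lacks `no-store`, which is a property of core rather than of this feature; if core ever ships `no-store` by default the test fails with no regression here, so asserting that the filter returns the value it was given would isolate the behaviour under test. Minor style: the new methods omit the `: void` return type that the neighbouring `test_logout_nonce_validates(): void` declares, and `test_login_page_cache_is_no_stored` reads awkwardly next to `test_non_login_page_is_stored`; `test_login_page_is_not_stored` would pair cleanly.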