Issue #70 - Add no-store cache header to wp-login.php

src/alley/wp/alleyvate/features/class-disable-login-cache.php

@@ -0,0 +1,51 @@
+<?php
+/**
+ * Class file for Disable_Login_Cache
+ *
+ * (c) Alley <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @package wp-alleyvate
+ */
+
+namespace Alley\WP\Alleyvate\Features;
+
+use Alley\WP\Alleyvate\Feature;
+
+/**
+ * Adds an HTTP header to the login page to disable storing of that page in
+ * cache. The login page already requires cache revalidation, but it doesn't
+ * block cache's from storing a local copy. Enabling this allows us to
+ * remove the risk of local changes from being ignored because a stored cache
+ * copy.
+ */
+final class Disable_Login_Cache implements Feature {
+	/**
+	 * Boot the feature.
+	 */
+	public function boot(): void {
+		add_filter( 'nocache_headers', [ $this, 'add_no_store_to_login' ] );
+	}
+
+	/**
+	 * Adds the `no-store` flag to the `Cache-Control` headers.
+	 *
+	 * @param array $headers The headers array.
+	 * @return array
+	 */
+	public function add_no_store_to_login( $headers ): array {
+		if ( ! is_array( $headers ) ) {
+			$headers = [];
+		}
+
+		if ( 'wp-login.php' !== ( $GLOBALS['pagenow'] ?? '' ) ) {
+			return $headers;
+		}
+
+		$headers['Cache-Control'] = 'no-cache, must-revalidate, max-age=0, no-store';
+
+		return $headers;
+	}
+}

src/alley/wp/alleyvate/load.php

@@ -28,6 +28,7 @@ function available_features(): array {
 		'disable_sticky_posts'                 => new Features\Disable_Sticky_Posts(),
 		'disable_trackbacks'                   => new Features\Disable_Trackbacks(),
 		'disallow_file_edit'                   => new Features\Disallow_File_Edit(),
+		'disable_login_cache'                  => new Features\Disable_Login_Cache(),
 		'login_nonce'                          => new Features\Login_Nonce(),
 		'prevent_framing'                      => new Features\Prevent_Framing(),
 		'redirect_guess_shortcircuit'          => new Features\Redirect_Guess_Shortcircuit(),

tests/alley/wp/alleyvate/features/test-disable-login-cache.php

@@ -0,0 +1,75 @@
+<?php
+/**
+ * Class file for Test_Disable_Login_Cache
+ *
+ * (c) Alley <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ *
+ * @package wp-alleyvate
+ *
+ * @phpcs:disable WordPress.WP.GlobalVariablesOverride.Prohibited, Generic.CodeAnalysis.EmptyStatement.DetectedCatch, WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
+ */
+
+namespace Alley\WP\Alleyvate\Features;
+
+use Alley\WP\Alleyvate\Feature;
+use Mantle\Testkit\Test_Case;
+
+/**
+ * Tests for the disabling the login cache.
+ */
+final class Test_Disable_Login_Cache extends Test_Case {
+	/**
+	 * Feature instance.
+	 *
+	 * @var Feature
+	 */
+	private Feature $feature;
+
+	/**
+	 * Set up.
+	 */
+	protected function setUp(): void {
+		parent::setUp();
+
+		$this->feature = new Disable_Login_Cache();
+	}
+
+	/**
+	 * Verify that the no-store flag is added to the login page.
+	 *
+	 * Note: `wp_get_nocache_headers()` is used by `nocache_headers()` which
+	 * in turn is called on `wp-login.php`. We call it directly here so
+	 * we can assert against an array instead of trying to send headers.
+	 */
+	public function test_login_page_cache_is_no_stored() {
+		global $pagenow;
+
+		$pagenow = 'wp-login.php';
+
+		$this->feature->boot();
+
+		$headers = \wp_get_nocache_headers();
+
+		self::assertArrayHasKey( 'Cache-Control', $headers );
+		self::assertStringContainsString( 'no-store', $headers['Cache-Control'] );
+	}
+
+	/**
+	 * Verify that the no-store flag isn't added to other pages.
+	 */
+	public function test_non_login_page_is_stored() {
+		global $pagenow;
+
+		$pagenow = 'single.php'; // Anything other than wp-login.php.
+
+		$this->feature->boot();
+
+		$headers = \wp_get_nocache_headers();
+
+		self::assertArrayHasKey( 'Cache-Control', $headers );
+		self::assertStringNotContainsString( 'no-store', $headers['Cache-Control'] );
+	}
+}