fix(security): explicitly declare cache-control header instead of using middleware

This commit reverts 1f6f389ff2

src/controllers/404.js

@@ -55,7 +55,6 @@ exports.send404 = async function (req, res) {
 		});
 	}
 
-	await middleware.inhibitCacheAsync(req, res);
 	await middleware.buildHeaderAsync(req, res);
 	await res.render('404', {
 		path: validator.escape(path),

src/controllers/helpers.js

@@ -420,6 +420,10 @@ helpers.formatApiResponse = async (statusCode, res, payload) => {
 	}
 
 	if (String(statusCode).startsWith('2')) {
+		if (res.req.loggedIn) {
+			res.set('cache-control', 'private');
+		}
+
 		res.status(statusCode).json({
 			status: {
 				code: 'ok',

src/middleware/admin.js

@@ -26,7 +26,6 @@ middleware.buildHeader = helpers.try(async (req, res, next) => {
 		await require('./index').applyCSRFasync(req, res);
 	}
 
-	res.set('cache-control', 'private');
 	res.locals.config = await controllers.api.loadConfig(req);
 	next();
 });

src/middleware/header.js

@@ -45,10 +45,6 @@ middleware.buildHeader = helpers.try(async (req, res, next) => {
 		return res.redirect('/');
 	}
 
-	if (req.loggedIn) {
-		res.set('cache-control', 'private');
-	}
-
 	res.locals.config = config;
 	next();
 });

src/middleware/headers.js

@@ -3,7 +3,6 @@
 const os = require('os');
 const winston = require('winston');
 const _ = require('lodash');
-const util = require('util');
 
 const meta = require('../meta');
 const languages = require('../languages');
@@ -109,13 +108,4 @@ module.exports = function (middleware) {
 			return [defaultLang];
 		}
 	}
-
-	middleware.inhibitCache = (req, res, next) => {
-		if (req.loggedIn) {
-			res.set('cache-control', 'private');
-		}
-
-		next();
-	};
-	middleware.inhibitCacheAsync = util.promisify(middleware.inhibitCache);
 };

src/middleware/render.js

@@ -34,6 +34,10 @@ module.exports = function (middleware) {
 				options.url = (req.baseUrl + req.path.replace(/^\/api/, ''));
 				options.bodyClass = helpers.buildBodyClass(req, res, options);
 
+				if (req.loggedIn) {
+					res.set('cache-control', 'private');
+				}
+
 				const buildResult = await plugins.hooks.fire(`filter:${template}.build`, { req: req, res: res, templateData: options });
 				if (res.headersSent) {
 					return;

src/routes/helpers.js

@@ -18,7 +18,6 @@ function _handleArgs(middleware, middlewares, controller) {
 		middleware.authenticateRequest,
 		middleware.maintenanceMode,
 		middleware.registrationComplete,
-		middleware.inhibitCache,
 		middleware.pluginHooks,
 		...middlewares,
 	];

test/middleware.js

@@ -100,7 +100,7 @@ describe('Middlewares', () => {
 		});
 	});
 
-	describe('.inhibitCache (cache-control header)', () => {
+	describe('cache-control header', () => {
 		let uid;
 		let jar;