Explicitly don't cache sensitive 2FA actions (#43083).

Patch by Felix Schäfer (user:felix). git-svn-id: https://svn.redmine.org/redmine/trunk@23917 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-10-26 00:36:14 +02:00 · 2025-08-13 05:58:49 +00:00
parent 8f002c297e
commit 2d1f1684a1
4 changed files with 10 additions and 0 deletions
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -220,6 +220,7 @@ class AccountController < ApplicationController

  def twofa_confirm
    @twofa_view = @twofa.otp_confirm_view_variables
+    no_store
  end

  def twofa
--- a/app/controllers/twofa_backup_codes_controller.rb
+++ b/app/controllers/twofa_backup_codes_controller.rb
@@ -37,6 +37,7 @@ class TwofaBackupCodesController < ApplicationController

  def confirm
    @twofa_view = @twofa.otp_confirm_view_variables
+    no_store
  end

  def create
@@ -64,6 +65,7 @@ class TwofaBackupCodesController < ApplicationController

    if tokens.present? && (@created_at = tokens.collect(&:created_on).max) > 5.minutes.ago
      @backup_codes = tokens.collect(&:value)
+      no_store
    else
      flash[:warning] = l('twofa_backup_codes_already_shown', bc_path: my_twofa_backup_codes_init_path)
      redirect_to controller: 'my', action: 'account'
--- a/app/controllers/twofa_controller.rb
+++ b/app/controllers/twofa_controller.rb
@@ -45,6 +45,7 @@ class TwofaController < ApplicationController

  def activate_confirm
    @twofa_view = @twofa.init_pairing_view_variables
+    no_store
  end

  def activate
--- a/test/integration/twofa_test.rb
+++ b/test/integration/twofa_test.rb
@@ -102,6 +102,7 @@ class TwofaTest < Redmine::IntegrationTest
  end

  test "should generate and accept backup codes" do
+    # this also checks that all actions with secrets aren't cached
    log_user('jsmith', 'jsmith')
    get "/my/account"
    assert_response :success
@@ -109,6 +110,7 @@ class TwofaTest < Redmine::IntegrationTest
    assert_redirected_to "/my/twofa/totp/activate/confirm"
    follow_redirect!
    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'

    totp = ROTP::TOTP.new User.find_by_login('jsmith').twofa_totp_key
    post "/my/twofa/totp/activate", params: {twofa_code: totp.now}
@@ -121,12 +123,14 @@ class TwofaTest < Redmine::IntegrationTest
    assert_redirected_to "/my/twofa/backup_codes/confirm"
    follow_redirect!
    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
    assert_select 'form', /Please enter your two-factor authentication code/i

    post "/my/twofa/backup_codes/create", params: {twofa_code: "wrong"}
    assert_redirected_to "/my/twofa/backup_codes/confirm"
    follow_redirect!
    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
    assert_select 'form', /Please enter your two-factor authentication code/i

    # prevent replay attack prevention from kicking in
@@ -136,6 +140,7 @@ class TwofaTest < Redmine::IntegrationTest
    assert_redirected_to "/my/twofa/backup_codes"
    follow_redirect!
    assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
    assert_select ".flash", /your backup codes have been generated/i

    assert code = response.body.scan(/<code>([a-z0-9]{4} [a-z0-9]{4} [a-z0-9]{4})<\/code>/).flatten.first
@@ -155,6 +160,7 @@ class TwofaTest < Redmine::IntegrationTest
    }
    assert_redirected_to "/account/twofa/confirm"
    follow_redirect!
+    assert_includes @response.headers['Cache-Control'], 'no-store'

    assert_select "#login-form h3", /two-factor authentication/i
    post "/account/twofa", params: {twofa_code: code}