feat(core): add default cache control header for GET session

nextauthjs · Aug 24, 2024 · ebca184 · ebca184
1 parent b8d424a
commit ebca184
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 2 deletions.
diff --git a/docs/pages/getting-started/session-management/get-session.mdx b/docs/pages/getting-started/session-management/get-session.mdx
@@ -173,3 +173,8 @@ app.get("/", (req, res) => {
 </Code>
 
 If you'd like to extend your session with more fields from your OAuth provider, for example, please check out our ["extending the session" guide](/guides/extending-the-session).
+
+<Callout>
+  By default, GET requests to the session endpoint will automatically return the
+  headers to prevent caching.
+</Callout>
diff --git a/packages/core/src/lib/actions/session.ts b/packages/core/src/lib/actions/session.ts
@@ -24,7 +24,14 @@ export async function session(
 
   const response: ResponseInternal<Session | null> = {
     body: null,
-    headers: { "Content-Type": "application/json" },
+    headers: {
+      "Content-Type": "application/json",
+      ...(!isUpdate && {
+        "Cache-Control": "private, no-cache, no-store",
+        Expires: "0",
+        Pragma: "no-cache",
+      }),
+    },
     cookies,
   }
 

diff --git a/packages/core/test/actions/session.test.ts b/packages/core/test/actions/session.test.ts
@@ -16,6 +16,15 @@ import {
   SESSION_COOKIE_NAME,
 } from "../utils.js"
 
+const assertResponseHeaders = (response: Response) => {
+  expect(response.headers.get("Content-Type")).toEqual("application/json")
+  expect(response.headers.get("Cache-Control")).toEqual(
+    "private, no-cache, no-store"
+  )
+  expect(response.headers.get("Expires")).toEqual("0")
+  expect(response.headers.get("Pragma")).toEqual("no-cache")
+}
+
 describe("assert GET session action", () => {
   beforeEach(() => {
     vi.resetAllMocks()
@@ -94,6 +103,8 @@ describe("assert GET session action", () => {
         session: expectedSession,
         token: expectedToken,
       })
+
+      assertResponseHeaders(response)
     })
 
     it("should return null if no JWT session in the requests cookies", async () => {
@@ -102,6 +113,8 @@ describe("assert GET session action", () => {
       })
       const actual = await response.json()
       expect(actual).toEqual(null)
+
+      assertResponseHeaders(response)
     })
 
     it("should return null if JWT session is invalid", async () => {
@@ -113,6 +126,8 @@ describe("assert GET session action", () => {
       })
       const actual = await response.json()
       expect(actual).toEqual(null)
+
+      assertResponseHeaders(response)
     })
 
     it("should throw invalid JWT error if salt is invalid", async () => {
@@ -132,8 +147,10 @@ describe("assert GET session action", () => {
       })
       const actual = await response.json()
 
-      expect(logger.error).toHaveBeenCalledOnce()
       expect(actual).toEqual(null)
+      expect(logger.error).toHaveBeenCalledOnce()
+
+      assertResponseHeaders(response)
     })
   })
   describe("Database strategy", () => {
@@ -209,6 +226,8 @@ describe("assert GET session action", () => {
         email: expectedUser.email,
       })
       expect(actualBodySession.expires).toEqual(currentExpires.toISOString())
+
+      assertResponseHeaders(response)
     })
 
     it("should return null in the response, and delete the session", async () => {
@@ -263,6 +282,8 @@ describe("assert GET session action", () => {
 
       expect(actualSessionToken).toEqual("")
       expect(actualBodySession).toEqual(null)
+
+      assertResponseHeaders(response)
     })
   })
 })