Prevent cache of qr code

volatiletech · Apr 27, 2021 · 572b566 · 572b566
1 parent e62387f
commit 572b566
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,12 @@
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [3.0.4] - 2021-04-27
+
+### Changed
+
+- Change qrcode endpoint for totp to try to prevent caching
+
 ## [3.0.3] - 2021-02-14
 
 ### Fixed

diff --git a/otp/twofactor/totp2fa/totp.go b/otp/twofactor/totp2fa/totp.go
@@ -221,6 +221,7 @@ func (t *TOTP) GetQRCode(w http.ResponseWriter, r *http.Request) error {
 		return errors.Wrap(err, "failed to encode qr code to png")
 	}
 
+	w.Header().Set("Cache-Control", "no-store")
 	w.Header().Set("Content-Type", "image/png")
 	w.WriteHeader(http.StatusOK)
 	_, err = io.Copy(w, buf)

diff --git a/otp/twofactor/totp2fa/totp_test.go b/otp/twofactor/totp2fa/totp_test.go
@@ -256,6 +256,9 @@ func TestGetQRCode(t *testing.T) {
 	if got := wr.Header().Get("Content-Type"); got != "image/png" {
 		t.Error("content type wrong:", got)
 	}
+	if got := wr.Header().Get("Cache-Control"); got != "no-store" {
+		t.Error("cache control header wrong:", got)
+	}
 	if wr.Body.Len() == 0 {
 		t.Error("body should have been sizable")
 	}