From 572b56619ec3abe3644940d93aa004424c3c4797 Mon Sep 17 00:00:00 2001
From: Aaron L
Date: Tue, 27 Apr 2021 15:50:18 -0700
Subject: [PATCH] Prevent cache of qr code
---
 CHANGELOG.md | 6 ++++++
 otp/twofactor/totp2fa/totp.go | 1 +
 otp/twofactor/totp2fa/totp_test.go | 3 +++
 3 files changed, 10 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 591fadb..9464ca1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,12 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+## [3.0.4] - 2021-04-27
+
+### Changed
+
+- Change qrcode endpoint for totp to try to prevent caching
+
 ## [3.0.3] - 2021-02-14
 ### Fixed
diff --git a/otp/twofactor/totp2fa/totp.go b/otp/twofactor/totp2fa/totp.go
index caac564..fc2b14c 100644
--- a/otp/twofactor/totp2fa/totp.go
+++ b/otp/twofactor/totp2fa/totp.go
@@ -221,6 +221,7 @@ func (t *TOTP) GetQRCode(w http.ResponseWriter, r *http.Request) error {
 return errors.Wrap(err, "failed to encode qr code to png")
 }
+ w.Header().Set("Cache-Control", "no-store")
 w.Header().Set("Content-Type", "image/png")
 w.WriteHeader(http.StatusOK)
 _, err = io.Copy(w, buf)
diff --git a/otp/twofactor/totp2fa/totp_test.go b/otp/twofactor/totp2fa/totp_test.go
index d4354e0..cb2edc5 100644
--- a/otp/twofactor/totp2fa/totp_test.go
+++ b/otp/twofactor/totp2fa/totp_test.go
@@ -256,6 +256,9 @@ func TestGetQRCode(t *testing.T) {
 if got := wr.Header().Get("Content-Type"); got != "image/png" {
 t.Error("content type wrong:", got)
 }
+ if got := wr.Header().Get("Cache-Control"); got != "no-store" {
+ t.Error("cache control header wrong:", got)
+ }
 if wr.Body.Len() == 0 {
 t.Error("body should have been sizable")
 }
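Review bot: The `Cache-Control: no-store` line added in GetQRCode has no comment saying why this response must never be cached, so a later cleanup could drop or weaken it without noticing the security intent. The PNG presumably encodes the TOTP enrollment secret (the code that builds it is outside the hunk); if so, a comment such as `// The QR image embeds the TOTP secret; no-store keeps browsers and proxies from persisting it.` above the new line would record that. If deployments may sit behind HTTP/1.0 intermediaries that ignore Cache-Control, `w.Header().Set("Pragma", "no-cache")` next to it is a cheap addition. GetQRCode's body begins and ends outside the hunk.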