diff --git a/src/handlers/profile.ts b/src/handlers/profile.ts
index 4c83f48fd..9df236d5c 100644
--- a/src/handlers/profile.ts
+++ b/src/handlers/profile.ts
@@ -70,6 +70,7 @@ export default function profileHandler(
 return;
 }
+ res.setHeader('Cache-Control', 'no-store');
 res.json(session.user);
 };
 }
diff --git a/tests/handlers/profile.test.ts b/tests/handlers/profile.test.ts
index 305478bf9..1238b86bc 100644
--- a/tests/handlers/profile.test.ts
+++ b/tests/handlers/profile.test.ts
@@ -23,6 +23,14 @@ describe('profile handler', () => {
 expect(profile).toStrictEqual({ nickname: '__test_nickname__', sub: '__test_sub__' });
 });
+
+ test('should not allow caching the profile response', async () => {
+ const baseUrl = await setup(withoutApi);
+ const cookieJar = await login(baseUrl);
+
+ const { res } = await get(baseUrl, '/api/auth/me', { cookieJar, fullResponse: true });
+ expect(res.headers['cache-control']).toEqual('no-store');
+ });
+
 test('should throw if re-fetching with no Access Token', async () => {
 const afterCallback: AfterCallback = (_req, _res, session: Session): Session => {
 delete session.accessToken;
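Review bot: `Cache-Control: no-store` is only set on the success branch immediately before `res.json(session.user)`, so the early-return branch visible just above it (and any others earlier in the handler, outside this hunk) still respond with whatever caching headers they had, and an intermediary cache could retain and replay those responses for this session-bound endpoint. Hoisting `res.setHeader('Cache-Control', 'no-store');` to the top of the returned handler, ahead of the first early return, covers every response the endpoint produces with the same single line. The new test in tests/handlers/profile.test.ts only asserts the header on the logged-in path; once the header is hoisted, a second assertion on the unauthenticated response would pin that behaviour as well. The body of profileHandler and its earlier return branches lie outside the hunk, so the exact headers those branches send cannot be confirmed from here.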