Merge pull request oauthjs#148 from thomseddon/fix/set-cache-control-headers

Set Cache-Control and Pragma Headers

Author: thomseddon

lib/error.js

@@ -40,11 +40,14 @@ function OAuth2Error (error, description, err) {
     Error.captureStackTrace(this, this.constructor);
   }
 
+  this.headers = {
+    'Cache-Control': 'no-store',
+    'Pragma': 'no-cache'
+  };
+
   switch (error) {
     case 'invalid_client':
-      this.headers = {
-        'WWW-Authenticate': 'Basic realm="Service"'
-      };
+      this.headers['WWW-Authenticate'] = 'Basic realm="Service"';
       /* falls through */
     case 'invalid_grant':
     case 'invalid_request':

lib/grant.js

@@ -466,7 +466,10 @@ function sendResponse (done) {
 
   if (this.refreshToken) response.refresh_token = this.refreshToken;
 
-  this.res.jsonp(response);
+  this.res
+    .set('Cache-Control', 'no-store')
+    .set('Pragma', 'no-cache')
+    .jsonp(response);
 
   if (this.config.continueAfterResponse)
     done();

test/error.js

@@ -28,10 +28,23 @@ describe('OAuth2Error', function() {
     error.name.should.equal('OAuth2Error');
   });
 
-  it('should expose `headers` if error is `invalid_client`', function () {
+  it('should set cache `headers`', function () {
+    var error = new OAuth2Error('invalid_request');
+
+    error.headers.should.eql({
+      'Cache-Control': 'no-store',
+      'Pragma': 'no-cache'
+    });
+  });
+
+  it('should include WWW-Authenticate `header` if error is `invalid_client`', function () {
     var error = new OAuth2Error('invalid_client');
 
-    error.headers.should.eql({ 'WWW-Authenticate': 'Basic realm="Service"' });
+    error.headers.should.eql({
+      'Cache-Control': 'no-store',
+      'Pragma': 'no-cache',
+      'WWW-Authenticate': 'Basic realm="Service"'
+    });
   });
 
   it('should expose a status `code`', function () {

test/grant.js

@@ -411,6 +411,8 @@ describe('Grant', function() {
         .set('Content-Type', 'application/x-www-form-urlencoded')
         .send(validBody)
         .expect(200)
+        .expect('Cache-Control', 'no-store')
+        .expect('Pragma', 'no-cache')
         .end(function (err, res) {
           if (err) return done(err);
 
@@ -452,6 +454,8 @@ describe('Grant', function() {
         .set('Content-Type', 'application/x-www-form-urlencoded')
         .send(validBody)
         .expect(200)
+        .expect('Cache-Control', 'no-store')
+        .expect('Pragma', 'no-cache')
         .end(function (err, res) {
           if (err) return done(err);