From 2d1f1684a10c6709119a4e533c7b15bbb24a3ee2 Mon Sep 17 00:00:00 2001
From: Marius Balteanu <marius.balteanu@zitec.com>
Date: Wed, 13 Aug 2025 05:58:49 +0000
Subject: [PATCH] Explicitly don't cache sensitive 2FA actions (#43083).
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Patch by Felix Schäfer (user:felix).

git-svn-id: https://svn.redmine.org/redmine/trunk@23917 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/account_controller.rb            | 1 +
 app/controllers/twofa_backup_codes_controller.rb | 2 ++
 app/controllers/twofa_controller.rb              | 1 +
 test/integration/twofa_test.rb                   | 6 ++++++
 4 files changed, 10 insertions(+)

diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 2edc68729..ea75d5de1 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -220,6 +220,7 @@ class AccountController < ApplicationController
 
   def twofa_confirm
     @twofa_view = @twofa.otp_confirm_view_variables
+    no_store
   end
 
   def twofa
diff --git a/app/controllers/twofa_backup_codes_controller.rb b/app/controllers/twofa_backup_codes_controller.rb
index 8e14247b0..e330fad1b 100644
--- a/app/controllers/twofa_backup_codes_controller.rb
+++ b/app/controllers/twofa_backup_codes_controller.rb
@@ -37,6 +37,7 @@ class TwofaBackupCodesController < ApplicationController
 
   def confirm
     @twofa_view = @twofa.otp_confirm_view_variables
+    no_store
   end
 
   def create
@@ -64,6 +65,7 @@ class TwofaBackupCodesController < ApplicationController
 
     if tokens.present? && (@created_at = tokens.collect(&:created_on).max) > 5.minutes.ago
       @backup_codes = tokens.collect(&:value)
+      no_store
     else
       flash[:warning] = l('twofa_backup_codes_already_shown', bc_path: my_twofa_backup_codes_init_path)
       redirect_to controller: 'my', action: 'account'
diff --git a/app/controllers/twofa_controller.rb b/app/controllers/twofa_controller.rb
index 347c16d6e..7049110e7 100644
--- a/app/controllers/twofa_controller.rb
+++ b/app/controllers/twofa_controller.rb
@@ -45,6 +45,7 @@ class TwofaController < ApplicationController
 
   def activate_confirm
     @twofa_view = @twofa.init_pairing_view_variables
+    no_store
   end
 
   def activate
diff --git a/test/integration/twofa_test.rb b/test/integration/twofa_test.rb
index 3cdc355ff..d81bf6291 100644
--- a/test/integration/twofa_test.rb
+++ b/test/integration/twofa_test.rb
@@ -102,6 +102,7 @@ class TwofaTest < Redmine::IntegrationTest
   end
 
   test "should generate and accept backup codes" do
+    # this also checks that all actions with secrets aren't cached
     log_user('jsmith', 'jsmith')
     get "/my/account"
     assert_response :success
@@ -109,6 +110,7 @@ class TwofaTest < Redmine::IntegrationTest
     assert_redirected_to "/my/twofa/totp/activate/confirm"
     follow_redirect!
     assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
 
     totp = ROTP::TOTP.new User.find_by_login('jsmith').twofa_totp_key
     post "/my/twofa/totp/activate", params: {twofa_code: totp.now}
@@ -121,12 +123,14 @@ class TwofaTest < Redmine::IntegrationTest
     assert_redirected_to "/my/twofa/backup_codes/confirm"
     follow_redirect!
     assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
     assert_select 'form', /Please enter your two-factor authentication code/i
 
     post "/my/twofa/backup_codes/create", params: {twofa_code: "wrong"}
     assert_redirected_to "/my/twofa/backup_codes/confirm"
     follow_redirect!
     assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
     assert_select 'form', /Please enter your two-factor authentication code/i
 
     # prevent replay attack prevention from kicking in
@@ -136,6 +140,7 @@ class TwofaTest < Redmine::IntegrationTest
     assert_redirected_to "/my/twofa/backup_codes"
     follow_redirect!
     assert_response :success
+    assert_includes @response.headers['Cache-Control'], 'no-store'
     assert_select ".flash", /your backup codes have been generated/i
 
     assert code = response.body.scan(/<code>([a-z0-9]{4} [a-z0-9]{4} [a-z0-9]{4})<\/code>/).flatten.first
@@ -155,6 +160,7 @@ class TwofaTest < Redmine::IntegrationTest
     }
     assert_redirected_to "/account/twofa/confirm"
     follow_redirect!
+    assert_includes @response.headers['Cache-Control'], 'no-store'
 
     assert_select "#login-form h3", /two-factor authentication/i
     post "/account/twofa", params: {twofa_code: code}