Security: Refactor cache headers, auth token validation & UI #782 #808

Signed-off-by: Michael Mayer <michael@photoprism.app>
This commit is contained in:
Michael Mayer
2024-01-17 14:16:02 +01:00
parent 0c4cd8d1b9
commit 2912ac9464
21 changed files with 367 additions and 197 deletions


@@ -31,10 +31,12 @@ func AuthAny(c *gin.Context, resource acl.Resource, grants acl.Permissions) (s *
if s = Session(clientIp, authToken); s == nil {
event.AuditWarn([]string{clientIp, "unauthenticated", "%s %s", "denied"}, grants.String(), string(resource))
return entity.SessionStatusUnauthorized()
} else {
s.SetClientIP(clientIp)
}
// Disable caching of responses and the client IP.
c.Header(header.CacheControl, header.CacheControlNoStore)
s.SetClientIP(clientIp)
// If the request is from a client application, check its authorization based
// on the allowed scope, the ACL, and the user account it belongs to (if any).
if s.IsClient() {
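Review bot: The `Cache-Control: no-store` header set by `c.Header(header.CacheControl, header.CacheControlNoStore)` is only reached after `Session(clientIp, authToken)` has returned a session; the unauthorized path returns `entity.SessionStatusUnauthorized()` before it, so denied responses leave this function without the header unless a caller or middleware sets it (not visible here). If the intent is that no auth-checked response is cacheable, move the `c.Header(...)` call above the `if s = Session(clientIp, authToken); s == nil {` check so both outcomes get it. The comment `// Disable caching of responses and the client IP.` also reads as if the client IP were being cached; `// Responses must not be cached; record the client IP on the session.` says what the two lines do. AuthAny begins before this hunk and continues after it.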