As the image shows, someone managed to visit a public URL /offices which normally shows an entry's text-based content (no login form), but what has been cached at Cloudflare level is the Craft Two-Factor Authentication setup page. We use the latest Craft and Blitz on this app.
I presume this has happened where a user who has not yet fully set up 2FA tried to log in and abandoned that flow (or they were previously logged in before 2FA was enabled and the session was retained), then visited an uncached page (/offices in this case) and got this, maybe because the Admin Bar plugin is installed on this app and rendered in the template, and that triggered the 2FA HTML.
Steps to reproduce
I haven't tried to reproduce it, but I've alluded to what I think could happen above.
Expected behavior
If a two-factor setup page is rendered, ensure that a Cache-Control no-cache header is always set.
Actual behavior
The two-factor page was cached at Cloudflare level instead of the page's actual content.
Craft CMS version
5.6.17
PHP version
8.3.16
Operating system and version
No response
Database type and version
MySQL 28.1
Image driver and version
No response
Installed plugins and versions
Admin Bar: 5.3.2
AI Alt Text: v1.3.0
Blitz: 5.10.3
CKEditor: 4.6.0
CP Field Inspect: 2.0.4
Formie: 3.0.24
Linkit: 5.0.0
Navigation: 3.0.6
Neo: 5.4.1
Retour: 5.0.9
Scout: 5.0.5
SEOmatic: dev-develop-v5
Servd Assets and Helpers: 4.0.15
Site Copy X: 2.1.1
Translations: 4.1.1
Vite: 5.0.1
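As an added defender-side check for the situation described in this report (not code from Craft, Blitz or Cloudflare), the script below audits HTTP responses offline: it flags any response whose body carries two-factor/authentication markup but whose Cache-Control header does not forbid shared caching, and separately flags such a response that was already served from the edge cache (CF-Cache-Status: HIT). The marker strings, sample headers and sample bodies are constructed for this example.

```python
# Substrings that identify auth-flow markup in an HTML body. Constructed for
# this example; adjust them to the templates your site actually renders.
AUTH_MARKERS = ("two-factor authentication", "authenticator app", "verification code")

# Cache-Control directives that stop a shared cache (CDN) from storing a response.
UNCACHEABLE = {"no-store", "no-cache", "private"}


def parse_cache_control(value):
    """Directive names in a Cache-Control header value, lower-cased, values dropped."""
    return {p.strip().split("=", 1)[0].lower() for p in value.split(",") if p.strip()}


def audit_response(url, headers, body):
    """Return a list of findings for one response (an empty list means it looks fine)."""
    h = {k.lower(): v for k, v in headers.items()}
    if not any(m in body.lower() for m in AUTH_MARKERS):
        return []  # public entry content; caching it is the intended behaviour
    findings = []
    if not parse_cache_control(h.get("cache-control", "")) & UNCACHEABLE:
        findings.append(f"{url}: auth markup without no-store/no-cache/private")
    if h.get("cf-cache-status", "").upper() == "HIT":
        findings.append(f"{url}: auth markup served from the edge cache (CF-Cache-Status: HIT)")
    return findings


# Constructed sample responses (no network): the poisoned /offices page, the
# same URL serving its real content, and a 2FA page with correct headers.
SAMPLES = {
    "/offices (poisoned)": (
        {"Cache-Control": "public, max-age=86400", "CF-Cache-Status": "HIT"},
        "<h1>Two-Factor Authentication</h1><p>Scan the QR code with your authenticator app.</p>",
    ),
    "/offices (clean)": (
        {"Cache-Control": "public, max-age=86400", "CF-Cache-Status": "HIT"},
        "<h1>Our offices</h1><p>We have offices in three cities.</p>",
    ),
    "/2fa-setup (correct headers)": (
        {"Cache-Control": "no-store, private", "CF-Cache-Status": "DYNAMIC"},
        "<h1>Two-Factor Authentication</h1>",
    ),
}


def run_samples():
    """Audit every constructed sample; returns {label: findings}."""
    return {label: audit_response(label, hdrs, body) for label, (hdrs, body) in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(label, "->", findings or ["ok"])
```

To use it against a live site, feed `audit_response` the headers and body of each public URL you fetch while logged in with an incomplete 2FA setup; the poisoned sample above yields two findings, the other two none.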
Thanks for reporting that! This is fixed for the next release. I caught a few similar situations that could also affect Craft 4, so those are fixed for the next 4 + 5 releases as well.