Stop browsers from caching index.html files

Author: brionmario

backend/cmd/server/main.go

@@ -35,6 +35,7 @@ import (
 
 	"github.com/asgardeo/thunder/internal/system/cache"
 	"github.com/asgardeo/thunder/internal/system/config"
+	"github.com/asgardeo/thunder/internal/system/constants"
 	"github.com/asgardeo/thunder/internal/system/crypto/pki"
 	"github.com/asgardeo/thunder/internal/system/database/provider"
 	"github.com/asgardeo/thunder/internal/system/jwt"
@@ -303,9 +304,25 @@ func createStaticFileHandler(routePrefix, directory string, logger *log.Logger)
 	fileServer := http.FileServer(http.Dir(directory))
 
 	return http.StripPrefix(routePrefix, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Handle root path "/" by explicitly serving index.html
+		if r.URL.Path == "/" || r.URL.Path == "" {
+			indexPath := path.Join(directory, "index.html")
+			if fileExists(indexPath) {
+				// Set no-cache headers for index.html
+				w.Header().Set(constants.CacheControlHeaderName, constants.CacheControlNoCache+", "+constants.CacheControlNoStore+", "+constants.CacheControlMustRevalidate)
+				w.Header().Set(constants.PragmaHeaderName, constants.PragmaNoCache)
+				w.Header().Set(constants.ExpiresHeaderName, constants.ExpiresZero)
+				http.ServeFile(w, r, indexPath)
+				return
+			}
+		}
+
 		// Get the file path
 		filePath := path.Join(directory, r.URL.Path)
 
+		// Check if the requested file is index.html
+		isIndexHTML := r.URL.Path == "/index.html" || path.Base(filePath) == "index.html"
+
 		// Check if file exists
 		if _, err := os.Stat(filePath); os.IsNotExist(err) {
 			// For SPA routing, serve index.html for non-existent files
@@ -314,6 +331,23 @@ func createStaticFileHandler(routePrefix, directory string, logger *log.Logger)
 				logger.Debug("Serving index.html for SPA routing",
 					log.String("requested_path", r.URL.Path),
 					log.String("route_prefix", routePrefix))
+				// Set no-cache headers for index.html
+				w.Header().Set(constants.CacheControlHeaderName, constants.CacheControlNoCache+", "+constants.CacheControlNoStore+", "+constants.CacheControlMustRevalidate)
+				w.Header().Set(constants.PragmaHeaderName, constants.PragmaNoCache)
+				w.Header().Set(constants.ExpiresHeaderName, constants.ExpiresZero)
+				http.ServeFile(w, r, indexPath)
+				return
+			}
+		}
+
+		// Serve index.html directly with no-cache headers when requested
+		if isIndexHTML {
+			indexPath := path.Join(directory, "index.html")
+			if fileExists(indexPath) {
+				// Set no-cache headers for index.html
+				w.Header().Set(constants.CacheControlHeaderName, constants.CacheControlNoCache+", "+constants.CacheControlNoStore+", "+constants.CacheControlMustRevalidate)
+				w.Header().Set(constants.PragmaHeaderName, constants.PragmaNoCache)
+				w.Header().Set(constants.ExpiresHeaderName, constants.ExpiresZero)
 				http.ServeFile(w, r, indexPath)
 				return
 			}

backend/cmd/server/main_test.go

@@ -385,6 +385,140 @@ func TestCreateStaticFileHandler(t *testing.T) {
 	})
 }
 
+func TestCreateStaticFileHandler_CacheHeaders(t *testing.T) {
+	logger := log.GetLogger()
+	tmpDir := t.TempDir()
+
+	indexContent := []byte("<!DOCTYPE html><html><body>index</body></html>")
+	jsContent := []byte("console.log('hello');")
+	cssContent := []byte("body { margin: 0; }")
+	imageContent := []byte{0xFF, 0xD8, 0xFF} // Mock image bytes
+
+	requireWriteFile(t, filepath.Join(tmpDir, "index.html"), indexContent)
+	requireWriteFile(t, filepath.Join(tmpDir, "app.js"), jsContent)
+	requireWriteFile(t, filepath.Join(tmpDir, "styles.css"), cssContent)
+	requireWriteFile(t, filepath.Join(tmpDir, "logo.png"), imageContent)
+
+	handler := createStaticFileHandler("/app/", tmpDir, logger)
+
+	expectedCacheControl := "no-cache, no-store, must-revalidate"
+	expectedPragma := "no-cache"
+	expectedExpires := "0"
+
+	t.Run("sets cache headers when serving index.html at root", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/app/", nil)
+		rr := httptest.NewRecorder()
+
+		handler.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusOK, rr.Code)
+		assert.Equal(t, expectedCacheControl, rr.Header().Get("Cache-Control"),
+			"Cache-Control header should prevent caching for index.html at root")
+		assert.Equal(t, expectedPragma, rr.Header().Get("Pragma"),
+			"Pragma header should be set for index.html at root")
+		assert.Equal(t, expectedExpires, rr.Header().Get("Expires"),
+			"Expires header should be set for index.html at root")
+		assert.Contains(t, rr.Body.String(), "index")
+	})
+
+	t.Run("sets cache headers when serving index.html directly", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/app/index.html", nil)
+		rr := httptest.NewRecorder()
+
+		handler.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusOK, rr.Code)
+		assert.Equal(t, expectedCacheControl, rr.Header().Get("Cache-Control"),
+			"Cache-Control header should prevent caching for direct index.html request")
+		assert.Equal(t, expectedPragma, rr.Header().Get("Pragma"),
+			"Pragma header should be set for direct index.html request")
+		assert.Equal(t, expectedExpires, rr.Header().Get("Expires"),
+			"Expires header should be set for direct index.html request")
+		assert.Contains(t, rr.Body.String(), "index")
+	})
+
+	t.Run("sets cache headers when serving index.html as SPA fallback", func(t *testing.T) {
+		testCases := []struct {
+			path        string
+			description string
+		}{
+			{"/app/dashboard", "single level path"},
+			{"/app/users/profile", "multi level path"},
+			{"/app/settings/advanced/security", "deeply nested path"},
+			{"/app/nonexistent.html", "non-existent HTML file"},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.description, func(t *testing.T) {
+				req := httptest.NewRequest(http.MethodGet, tc.path, nil)
+				rr := httptest.NewRecorder()
+
+				handler.ServeHTTP(rr, req)
+
+				assert.Equal(t, http.StatusOK, rr.Code)
+				assert.Equal(t, expectedCacheControl, rr.Header().Get("Cache-Control"),
+					"Cache-Control header should prevent caching for SPA fallback at %s", tc.path)
+				assert.Equal(t, expectedPragma, rr.Header().Get("Pragma"),
+					"Pragma header should be set for SPA fallback at %s", tc.path)
+				assert.Equal(t, expectedExpires, rr.Header().Get("Expires"),
+					"Expires header should be set for SPA fallback at %s", tc.path)
+				assert.Contains(t, rr.Body.String(), "index",
+					"Should serve index.html content for SPA fallback at %s", tc.path)
+			})
+		}
+	})
+
+	t.Run("does not set cache headers for static assets", func(t *testing.T) {
+		testCases := []struct {
+			path        string
+			description string
+			content     []byte
+		}{
+			{"/app/app.js", "JavaScript file", jsContent},
+			{"/app/styles.css", "CSS file", cssContent},
+			{"/app/logo.png", "image file", imageContent},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.description, func(t *testing.T) {
+				req := httptest.NewRequest(http.MethodGet, tc.path, nil)
+				rr := httptest.NewRecorder()
+
+				handler.ServeHTTP(rr, req)
+
+				assert.Equal(t, http.StatusOK, rr.Code)
+				assert.Empty(t, rr.Header().Get("Cache-Control"),
+					"Cache-Control header should not be set for %s", tc.description)
+				assert.Empty(t, rr.Header().Get("Pragma"),
+					"Pragma header should not be set for %s", tc.description)
+				assert.Empty(t, rr.Header().Get("Expires"),
+					"Expires header should not be set for %s", tc.description)
+				assert.Equal(t, string(tc.content), rr.Body.String(),
+					"Should serve correct content for %s", tc.description)
+			})
+		}
+	})
+
+	t.Run("does not match files ending with index.html incorrectly", func(t *testing.T) {
+		customIndexFile := []byte("custom index content")
+		requireWriteFile(t, filepath.Join(tmpDir, "my-custom-index.html"), customIndexFile)
+
+		req := httptest.NewRequest(http.MethodGet, "/app/my-custom-index.html", nil)
+		rr := httptest.NewRecorder()
+
+		handler.ServeHTTP(rr, req)
+
+		assert.Equal(t, http.StatusOK, rr.Code)
+		assert.Empty(t, rr.Header().Get("Cache-Control"),
+			"Cache-Control should not be set for files that contain 'index.html' but are not exactly 'index.html'")
+		assert.Empty(t, rr.Header().Get("Pragma"),
+			"Pragma should not be set for files that contain 'index.html' but are not exactly 'index.html'")
+		assert.Empty(t, rr.Header().Get("Expires"),
+			"Expires should not be set for files that contain 'index.html' but are not exactly 'index.html'")
+		assert.Equal(t, string(customIndexFile), rr.Body.String())
+	})
+}
+
 func requireWriteFile(t *testing.T, path string, content []byte) {
 	t.Helper()
 	cleanPath := filepath.Clean(path)

backend/internal/system/constants/server_constants.go

@@ -50,15 +50,27 @@ const ContentTypeFormURLEncoded = "application/x-www-form-urlencoded"
 // CacheControlHeaderName is the name of the cache-control header used in HTTP responses.
 const CacheControlHeaderName = "Cache-Control"
 
-// CacheControlNoStore is the cache-control value to prevent caching.
+// CacheControlNoCache is the cache-control directive to force revalidation.
+const CacheControlNoCache = "no-cache"
+
+// CacheControlNoStore is the cache-control directive to prevent caching.
 const CacheControlNoStore = "no-store"
 
+// CacheControlMustRevalidate is the cache-control directive to require revalidation of stale cache entries.
+const CacheControlMustRevalidate = "must-revalidate"
+
 // PragmaHeaderName is the name of the pragma header used in HTTP responses.
 const PragmaHeaderName = "Pragma"
 
 // PragmaNoCache is the pragma value to prevent caching.
 const PragmaNoCache = "no-cache"
 
+// ExpiresHeaderName is the name of the expires header used in HTTP responses.
+const ExpiresHeaderName = "Expires"
+
+// ExpiresZero is the expires value to indicate immediate expiration.
+const ExpiresZero = "0"
+
 // DefaultPageSize is the default limit for pagination when not specified.
 const DefaultPageSize = 30
 

frontend/apps/thunder-develop/index.html

@@ -5,6 +5,11 @@
     <link rel="icon" type="image/x-icon" href="/assets/images/favicon.ico" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
 
+    <!-- Prevent browser caching -->
+    <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
+    <meta http-equiv="Pragma" content="no-cache" />
+    <meta http-equiv="Expires" content="0" />
+
     <!-- Start of loading application configurations -->
     <script type="text/javascript" src="/config.js"></script>
     <!-- End of loading application configurations -->

frontend/apps/thunder-gate/index.html

@@ -4,6 +4,12 @@
     <meta charset="UTF-8" />
     <link rel="icon" type="image/x-icon" href="/assets/images/favicon.ico" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+
+    <!-- Prevent browser caching -->
+    <meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
+    <meta http-equiv="Pragma" content="no-cache" />
+    <meta http-equiv="Expires" content="0" />
+
     <title>Gate</title>
 
     <!-- Start of loading application configurations -->