From 07fb8c072d9b35b18682285078e689ae15cc2a7c Mon Sep 17 00:00:00 2001
From: Elian Doran
Date: Wed, 14 Aug 2024 18:59:02 +0300
Subject: [PATCH] server: Fix CSRF on mobile reload (closes #318)
---
src/routes/index.ts | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/routes/index.ts b/src/routes/index.ts
index a9403ab26..7cc0a5014 100644
--- a/src/routes/index.ts
+++ b/src/routes/index.ts
@@ -23,6 +23,11 @@ function index(req: Request, res: Response) {
 const csrfToken = req.csrfToken();
 log.info(`Generated CSRF token ${csrfToken} with secret ${res.getHeader('set-cookie')}`);
+ // We force the page to not be cached since on mobile the CSRF token can be
+ // broken when closing the browser and coming back in to the page.
+ // The page is restored from cache, but the API call fail.
+ res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
+
 res.render(view, {
 csrfToken: csrfToken,
 themeCssUrl: getThemeCssUrl(options.theme),
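Review bot: The `Cache-Control` header added in this hunk addresses the HTTP cache, but the symptom the new comment describes (page restored after closing and reopening the browser) is back/forward-cache behaviour, and not every browser reliably treats `no-store` as a bfcache opt-out, so a stale token may presumably still be restored on some mobile browsers; for older intermediaries it is also customary to set `res.setHeader("Pragma", "no-cache");` and `res.setHeader("Expires", "0");` alongside it, and client-side the page could re-fetch the token on `pageshow` when `event.persisted` is true. Separately, the retained `log.info` line directly above the new code writes the CSRF token and the `Set-Cookie` header value (which, per the message itself, carries the CSRF secret cookie) into the server log at info level, which defeats the point of an unguessable token for anyone with log access; that line should drop the values, e.g. `log.info("Generated CSRF token for index page");`. The `index` function continues past the hunk (the `res.render` options object is cut off), so I cannot see whether any later code sets conflicting response headers.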