From 742b8263d53a5ebba56684ce5e11bf9ab1bd863d Mon Sep 17 00:00:00 2001
From: Thang Vu
Date: Sat, 8 Feb 2025 12:06:25 +0700
Subject: [PATCH] feat(core): add default cache control headers for GET endpoints
---
 packages/next-auth/src/core/index.ts | 16 ++++++++++++-
 packages/next-auth/src/core/routes/session.ts | 23 ++++++++++++++++---
 2 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/packages/next-auth/src/core/index.ts b/packages/next-auth/src/core/index.ts
index 27ff069f97..9d16f057ea 100644
--- a/packages/next-auth/src/core/index.ts
+++ b/packages/next-auth/src/core/index.ts
@@ -166,7 +166,21 @@ export async function AuthHandler<
 }
 case "csrf":
 return {
- headers: [{ key: "Content-Type", value: "application/json" }],
+ headers: [
+ { key: "Content-Type", value: "application/json" },
+ {
+ key: "Cache-Control",
+ value: "private, no-cache, no-store",
+ },
+ {
+ key: "Pragma",
+ value: "no-cache",
+ },
+ {
+ key: "Expires",
+ value: "0",
+ },
+ ],
 body: { csrfToken: options.csrfToken } as any,
 cookies,
 }
diff --git a/packages/next-auth/src/core/routes/session.ts b/packages/next-auth/src/core/routes/session.ts
index ff1dc8e8e6..5fdb09d4b4 100644
--- a/packages/next-auth/src/core/routes/session.ts
+++ b/packages/next-auth/src/core/routes/session.ts
@@ -32,7 +32,25 @@ export default async function session(

 const response: ResponseInternal = {
 body: {},
- headers: [{ key: "Content-Type", value: "application/json" }],
+ headers: [
+ { key: "Content-Type", value: "application/json" },
+ ...(isUpdate
+ ? []
+ : [
+ {
+ key: "Cache-Control",
+ value: "private, no-cache, no-store",
+ },
+ {
+ key: "Pragma",
+ value: "no-cache",
+ },
+ {
+ key: "Expires",
+ value: "0",
+ },
+ ]),
+ ].filter(Boolean),
 cookies: [],
 }
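Review bot: The `Cache-Control` / `Pragma` / `Expires` triple added to the `csrf` case is written out again, value for value, in `routes/session.ts` in this same patch, so a later edit to one list can silently leave the other endpoint cacheable. Hoisting it into one shared constant and spreading it in both places would keep them in step, e.g. `headers: [{ key: "Content-Type", value: "application/json" }, ...noStoreHeaders]` (the constant name is only a suggestion). The diffstat lists no test file, and since this response returns the CSRF token together with `cookies`, an assertion that the `csrf` response's `Cache-Control` contains `no-store` would stop the protection from regressing unnoticed. `AuthHandler` starts and ends outside this hunk.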
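Review bot: `.filter(Boolean)` at the end of the new `headers` array never removes anything, because both branches of the `isUpdate` ternary spread an array of header objects and no falsy element can appear; the line can simply end at `],`. The no-store headers are also skipped when `isUpdate` is true, although that path fills the same `response` object and presumably returns the refreshed session; unless code outside the hunk depends on the omission, emitting them unconditionally is simpler and leaves no session response without `no-store`. `isUpdate` is defined outside the hunk and the function body continues past it, so this should be confirmed against the full file. A one-line comment above the spread, such as `// Session payloads are per-user: forbid browser and shared caches from storing them`, would record why the headers are there.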
@@ -98,8 +116,7 @@ export default async function session(
 } else {
 try {
 // @ts-expect-error -- adapter is checked to be defined in `init`
- const { getSessionAndUser, deleteSession, updateSession } =
- adapter
+ const { getSessionAndUser, deleteSession, updateSession } = adapter
 let userAndSession = await getSessionAndUser(sessionToken)

 // If session has expired, clean up the database