@lchrusciel
Last active March 15, 2022 11:23
Security bug fix: exposure of sensitive information via the browser back button after logging out — adds `no-store` / `no-cache` Cache-Control directives to admin and shop customer-account responses so they are not replayed from the browser cache.
<?php
// src/EventListener/CacheControlSubscriber.php
declare(strict_types=1);
namespace App\EventListener;
use App\SectionResolver\ShopCustomerAccountSubSection;
use Sylius\Bundle\AdminBundle\SectionResolver\AdminSection;
use Sylius\Bundle\CoreBundle\SectionResolver\SectionProviderInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
/**
 * Marks responses of the admin panel and of the shop customer-account area as
 * non-cacheable, so that pages containing personal data are not served back from the
 * browser cache (e.g. via the back button) once the user has logged out.
 *
 * NOTE(review): which area a request belongs to is decided entirely by the injected
 * section provider. With the wiring shown in this gist that provider is URI-based, so
 * only responses whose URI the resolvers classify as admin or customer-account receive
 * these headers — not every response served to an authenticated user. Pages holding
 * user data under other URIs need their own handling.
 */
final class CacheControlSubscriber implements EventSubscriberInterface
{
    /**
     * Cache-Control directives applied to protected responses (name => value, as
     * accepted by ResponseHeaderBag::addCacheControlDirective()). They are the same
     * four directives the original fix sets; `no-store` is the one that tells caches
     * not to retain a copy at all, the others cover caches that still hold one.
     */
    private const DIRECTIVES = [
        'no-cache' => true,
        'max-age' => '0',
        'must-revalidate' => true,
        'no-store' => true,
    ];

    /** @var SectionProviderInterface */
    private $sectionProvider;

    public function __construct(SectionProviderInterface $sectionProvider)
    {
        $this->sectionProvider = $sectionProvider;
    }

    /**
     * Listens to every kernel.response event; the filtering by section happens in the
     * handler itself.
     *
     * @return array<string, string>
     */
    public static function getSubscribedEvents(): array
    {
        return [KernelEvents::RESPONSE => 'setCacheControlDirectives'];
    }

    /**
     * Adds the no-cache directives when the current request resolved to the admin
     * section or to the customer-account sub-section of the shop. Every other response
     * is left untouched.
     */
    public function setCacheControlDirectives(ResponseEvent $event): void
    {
        $section = $this->sectionProvider->getSection();

        $isProtectedSection = $section instanceof AdminSection
            || $section instanceof ShopCustomerAccountSubSection;

        if (!$isProtectedSection) {
            return;
        }

        $headers = $event->getResponse()->headers;
        foreach (self::DIRECTIVES as $directive => $value) {
            $headers->addCacheControlDirective($directive, $value);
        }
    }
}
# config/services.yaml
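services:
    # ...

    # Adds no-store/no-cache Cache-Control directives to admin and customer-account
    # responses. The section provider is injected explicitly. The events the subscriber
    # listens to come from its getSubscribedEvents() method, so the tag carries no
    # `event` attribute — that attribute is only read for `kernel.event_listener` tags
    # and was a no-op on `kernel.event_subscriber`.
    App\EventListener\CacheControlSubscriber:
        arguments: ['@sylius.section_resolver.uri_based_section_resolver']
        tags:
            - { name: kernel.event_subscriber }

    # Only required if you are backporting ShopUriBasedSectionResolver, i.e. your
    # Sylius version's shop resolver does not yet know the customer-account sub-section.
    # NOTE(review): the service id matches Sylius' own shop resolver, so this definition
    # presumably overrides it rather than registering a second resolver; the tag and
    # priority mirror the core definition — confirm against your Sylius version.
    sylius.section_resolver.shop_uri_based_section_resolver:
        class: App\SectionResolver\ShopUriBasedSectionResolver
        tags:
            - { name: sylius.uri_based_section_resolver, priority: -10 }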
<?php
// src/SectionResolver/ShopCustomerAccountSubSection.php
declare(strict_types=1);
namespace App\SectionResolver;
use Sylius\Bundle\ShopBundle\SectionResolver\ShopSection;
/**
 * Marker section for the shop customer-account area (the URIs that
 * ShopUriBasedSectionResolver classifies as customer-account).
 *
 * It adds no behaviour of its own: it exists so that section-aware code (such as a
 * cache-control listener) can tell customer-account responses apart from the rest of
 * the shop while still treating them as a ShopSection.
 */
class ShopCustomerAccountSubSection extends ShopSection
{
}
<?php
// src/SectionResolver/ShopUriBasedSectionResolver.php
declare(strict_types=1);
namespace App\SectionResolver;
use Sylius\Bundle\CoreBundle\SectionResolver\SectionInterface;
use Sylius\Bundle\CoreBundle\SectionResolver\UriBasedSectionResolverInterface;
use Sylius\Bundle\ShopBundle\SectionResolver\ShopSection;
/**
 * Resolves shop URIs into sections: a URI containing the configured customer-account
 * marker (default "account") is the customer-account sub-section, anything else is the
 * plain shop section.
 *
 * NOTE(review): the check is a plain substring match on the whole URI string it is
 * given, so a URI that merely contains the marker somewhere (a product slug, or a
 * query string if the caller passes one) is also classified as customer-account. An
 * empty marker would classify every URI that way. Over-matching only results in extra
 * no-cache headers, so it errs on the safe side; tighten the match if that matters.
 */
final class ShopUriBasedSectionResolver implements UriBasedSectionResolverInterface
{
    /** @var string */
    private $shopCustomerAccountUri;

    /**
     * @param string $shopCustomerAccountUri substring identifying customer-account URIs
     */
    public function __construct(string $shopCustomerAccountUri = 'account')
    {
        $this->shopCustomerAccountUri = $shopCustomerAccountUri;
    }

    /**
     * Returns a fresh section object for the given URI; never fails, the plain shop
     * section is the fallback.
     */
    public function getSection(string $uri): SectionInterface
    {
        return $this->isCustomerAccountUri($uri)
            ? new ShopCustomerAccountSubSection()
            : new ShopSection();
    }

    /** Substring test against the configured marker (case-sensitive). */
    private function isCustomerAccountUri(string $uri): bool
    {
        return str_contains($uri, $this->shopCustomerAccountUri);
    }
}