From 06e0b4b1167395debe5b57292363fdde7ab04a5c Mon Sep 17 00:00:00 2001
From: Duncan McClean
Date: Thu, 10 Oct 2024 10:54:55 +0100
Subject: [PATCH 1/3] Prevent protected pages being cached

---
 src/Auth/Protect/Protection.php | 2 ++
 src/Http/Responses/DataResponse.php | 6 +++++-
 src/StaticCaching/Middleware/Cache.php | 8 ++++++--
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/Auth/Protect/Protection.php b/src/Auth/Protect/Protection.php
index ba56c52714..24f4edf463 100644
--- a/src/Auth/Protect/Protection.php
+++ b/src/Auth/Protect/Protection.php
@@ -67,6 +67,8 @@ public function protect()
 ->setUrl($this->url())
 ->setData($this->data())
 ->protect();
+
+ return $this->scheme() !== null;
 }

 protected function url()
diff --git a/src/Http/Responses/DataResponse.php b/src/Http/Responses/DataResponse.php
index ccc921e66c..292b15f720 100644
--- a/src/Http/Responses/DataResponse.php
+++ b/src/Http/Responses/DataResponse.php
@@ -91,10 +91,14 @@ protected function getRedirect()

 protected function protect()
 {
- app(Protection::class)
+ $isProtected = app(Protection::class)
 ->setData($this->data)
 ->protect();

+ if ($isProtected) {
+ $this->headers['X-Statamic-Protected'] = true;
+ }
+
 return $this;
 }

diff --git a/src/StaticCaching/Middleware/Cache.php b/src/StaticCaching/Middleware/Cache.php
index 77ed71fe5d..80f86e5ce1 100644
--- a/src/StaticCaching/Middleware/Cache.php
+++ b/src/StaticCaching/Middleware/Cache.php
@@ -179,8 +179,12 @@ private function shouldBeCached($request, $response)
 return false;
 }

- // Draft and private pages should not be cached.
- if ($response->headers->has('X-Statamic-Draft') || $response->headers->has('X-Statamic-Private')) {
+ // Draft, private and protected pages should not be cached.
+ if (
+ $response->headers->has('X-Statamic-Draft')
+ || $response->headers->has('X-Statamic-Private')
+ || $response->headers->has('X-Statamic-Protected')
+ ) {
 return false;
 }

From 333c878955d21ad1877f6e53021254c1bb2c70eb Mon Sep 17 00:00:00 2001
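Review bot: The new `X-Statamic-Protected` branch in `shouldBeCached` (src/StaticCaching/Middleware/Cache.php, patch 1/3) only stops a protected response from being written to the static cache; it does nothing about a copy of the same URL that was stored before this change. If cached pages are served ahead of the protection check, as the purpose of the commit suggests, such a copy would keep being returned to visitors who would fail the check, so the release notes should tell operators to clear the static cache after upgrading. The comment could also state the reason rather than the rule, e.g. `// Draft, private and protected pages depend on who is asking, so a shared cached copy must never be stored.` The check is a denylist keyed on marker headers, which means a response path that enforces protection without setting the header is still cacheable; `shouldBeCached` continues outside the hunk, so other guards may exist there.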
From: Duncan McClean
Date: Thu, 10 Oct 2024 11:50:08 +0100
Subject: [PATCH 2/3] Add test

---
 tests/FrontendTest.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tests/FrontendTest.php b/tests/FrontendTest.php
index 68a5295d87..f4d9d99f64 100644
--- a/tests/FrontendTest.php
+++ b/tests/FrontendTest.php
@@ -354,6 +354,19 @@ public function past_private_entries_dont_get_statically_cached()
 $this->markTestIncomplete();
 }

+ #[Test]
+ public function header_is_added_to_protected_responses()
+ {
+ $page = $this->createPage('about');
+ $page->set('protect', 'logged_in')->save();
+
+ $this
+ ->actingAs(User::make())
+ ->get('/about')
+ ->assertOk()
+ ->assertHeader('X-Statamic-Protected', true);
+ }
+
 #[Test]
 public function key_variables_key_added()
 {
From 13aa49dd8c483c6abaee2f8f322d8eba0f7ca287 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Fri, 18 Oct 2024 11:44:15 -0400
Subject: [PATCH 3/3] nitpick

---
 src/Auth/Protect/Protection.php | 2 --
 src/Http/Responses/DataResponse.php | 8 ++++----
 tests/FrontendTest.php | 6 ++++++
 3 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/Auth/Protect/Protection.php b/src/Auth/Protect/Protection.php
index 24f4edf463..ba56c52714 100644
--- a/src/Auth/Protect/Protection.php
+++ b/src/Auth/Protect/Protection.php
@@ -67,8 +67,6 @@ public function protect()
 ->setUrl($this->url())
 ->setData($this->data())
 ->protect();
-
- return $this->scheme() !== null;
 }

 protected function url()
diff --git a/src/Http/Responses/DataResponse.php b/src/Http/Responses/DataResponse.php
index 292b15f720..baca6e7896 100644
--- a/src/Http/Responses/DataResponse.php
+++ b/src/Http/Responses/DataResponse.php
@@ -91,11 +91,11 @@ protected function getRedirect()

 protected function protect()
 {
- $isProtected = app(Protection::class)
- ->setData($this->data)
- ->protect();
+ $protection = app(Protection::class)->setData($this->data);

- if ($isProtected) {
+ $protection->protect();
+
+ if ($protection->scheme()) {
 $this->headers['X-Statamic-Protected'] = true;
 }

diff --git a/tests/FrontendTest.php b/tests/FrontendTest.php
index f4d9d99f64..418fa02a94 100644
--- a/tests/FrontendTest.php
+++ b/tests/FrontendTest.php
@@ -358,6 +358,12 @@ public function past_private_entries_dont_get_statically_cached()
 public function header_is_added_to_protected_responses()
 {
 $page = $this->createPage('about');
+
+ $this
+ ->get('/about')
+ ->assertOk()
+ ->assertHeaderMissing('X-Statamic-Protected');
+
 $page->set('protect', 'logged_in')->save();

 $this
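Review bot: `if ($protection->scheme())` in `DataResponse::protect()` (patch 3/3) is a truthiness test, where the first patch in this series compared with `!== null`; a non-null but falsy scheme value such as `''` or `'0'` would leave `X-Statamic-Protected` off, and the response would then be eligible for the static cache. Whether `scheme()` can return such a value is not visible here, but a cache-exclusion flag should fail closed: `if ($protection->scheme() !== null) {`. The header is also set only after `$protection->protect()` returns, which is correct only if a denied request leaves through an exception or abort rather than a normal return, so a one-line comment stating that assumption would help the next reader. `protect()` continues past the end of the hunk.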
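Review bot: `header_is_added_to_protected_responses` (tests/FrontendTest.php) pins the marker header but not the property this series exists for, namely that a protected page rendered for an authorised user is never stored and later served to someone else. Nothing in the test body as added in patch 2/3 turns static caching on, so a regression in the `X-Statamic-Protected` check in `shouldBeCached` would leave this test green. I would add a sibling test that enables static caching, requests `/about` once as the logged-in user, and then asserts that an unauthenticated request to the same URL is not answered with the page. The test body continues outside this hunk.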