Flask: Unauthenticated user seeing cached app, not being redirected to login page


I have a Flask app which serves an AngularJS app only to authenticated users.

Access control for the view which serves the app is implemented with @login_required from the Flask-Login package as follows:

from flask import send_from_directory
from flask_login import login_required

# The app page is accessible only to authenticated users
@viewer_blueprint.route('/')
@login_required  # Limits access to authenticated users
def serve_app():
    return send_from_directory(
        app.static_folder + '/app', "index.html")

However, I have noticed that after logging out, an unauthenticated user attempting to view this view does not get redirected to the login page; rather, they see a cached version of the app.

I have observed this behavior on Google Chrome and Firefox running the dev server.

How do I force no-caching only in the case of unauthenticated users? (I still might want caching for logged-in users.) (Related questions / answers on Stack Overflow seem to only address disabling caching, period, independent of authentication status, which strikes me as an unnecessary compromise.)

Examining the XHR log in Firebug seems to indicate the browser never even makes the original request to the protected app view. It just loads directly from cache.

EDIT 1:

One possibility would be to check authentication in the front-end app and force the redirect to the sign-in page if not authenticated; however, I am interested in a back-end solution which can handle this 'automagically' so as to avoid the extra care needed on the front-end (after all, isn't this what @login_required, morally speaking, should / does claim to do?).

There are 0 best solutions below
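
An added example (not part of the original question, and not Flask-Login's own code) of a back-end way to get the behaviour asked about: the protected response is marked `Cache-Control: no-cache, private`, so the browser may store it but must revalidate with the server, where the auth check runs before any 304 is issued. The session-based `login_required`, the `revalidate_always` helper, the inline page bodies and the secret key are assumptions made so the block runs without Flask-Login or static files.

```python
from functools import wraps
from flask import Flask, make_response, redirect, request, session, url_for

app = Flask(__name__)
app.secret_key = "constructed-demo-key"  # constructed value, demo only

def login_required(view):
    """Session-based stand-in for Flask-Login's @login_required (assumption)."""
    @wraps(view)
    def wrapper(*args, **kwargs):
        if not session.get("user"):
            return redirect(url_for("login"))
        return view(*args, **kwargs)
    return wrapper

def revalidate_always(view):
    """Hypothetical helper: the browser may store the page but must ask the
    server before reusing it, so the auth check runs on every navigation."""
    @wraps(view)
    def wrapper(*args, **kwargs):
        resp = make_response(view(*args, **kwargs))
        # no-cache = "store, but revalidate first"; private = no shared caches.
        resp.headers["Cache-Control"] = "no-cache, private"
        resp.vary.add("Cookie")
        if resp.status_code == 200:
            # An ETag lets logged-in users get a cheap 304 instead of the body.
            resp.add_etag()
            resp.make_conditional(request)
        return resp
    return wrapper

@app.route("/login")
def login():
    return "login form placeholder"

@app.route("/")
@revalidate_always   # outermost: also labels the redirect to /login
@login_required      # runs before any 304 can be produced
def serve_app():
    return "<html>app shell placeholder</html>"
```

Copies the browser cached before the header was added are still served until they expire or are cleared. `no-store` is the stricter alternative when the page must not be kept by the browser at all.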