feat(settings): Add setup check for too much caching

apps/settings/appinfo/routes.php

@@ -66,6 +66,7 @@
 		['name' => 'LogSettings#getEntries', 'url' => '/settings/admin/log/entries', 'verb' => 'GET' , 'root' => ''],
 		['name' => 'LogSettings#download', 'url' => '/settings/admin/log/download', 'verb' => 'GET' , 'root' => ''],
 		['name' => 'CheckSetup#check', 'url' => '/settings/ajax/checksetup', 'verb' => 'GET' , 'root' => ''],
+		['name' => 'CheckSetup#checkCookies', 'url' => '/settings/ajax/checksetupcookies.png', 'verb' => 'GET' , 'root' => ''],
 		['name' => 'CheckSetup#getFailedIntegrityCheckFiles', 'url' => '/settings/integrity/failed', 'verb' => 'GET' , 'root' => ''],
 		['name' => 'CheckSetup#rescanFailedIntegrityCheck', 'url' => '/settings/integrity/rescan', 'verb' => 'GET' , 'root' => ''],
 		['name' => 'PersonalSettings#index', 'url' => '/settings/user/{section}', 'verb' => 'GET', 'defaults' => ['section' => 'personal-info'] , 'root' => ''],

apps/settings/lib/Controller/CheckSetupController.php

@@ -74,6 +74,7 @@
 use OCP\AppFramework\Http\Attribute\IgnoreOpenAPI;
 use OCP\AppFramework\Http\DataDisplayResponse;
 use OCP\AppFramework\Http\DataResponse;
+use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\DB\Events\AddMissingColumnsEvent;
 use OCP\DB\Events\AddMissingIndicesEvent;
@@ -94,6 +95,8 @@
 use OCP\Security\Bruteforce\IThrottler;
 use OCP\Security\ISecureRandom;
 use Psr\Log\LoggerInterface;
+use function setcookie;
+use function time;
 
 #[IgnoreOpenAPI]
 class CheckSetupController extends Controller {
@@ -972,4 +975,19 @@ public function check() {
 			]
 		);
 	}
+
+	/**
+	 * @AuthorizedAdminSetting(settings=OCA\Settings\Settings\Admin\Overview)
+	 */
+	public function checkCookies(): JSONResponse {
+		$rand = $this->secureRandom->generate(32);
+		setcookie(
+			'nc_setup_check',
+			$rand,
+			time() + 60
+		);
+		return new JSONResponse([
+			'rand' => $rand,
+		]);
+	}
 }

apps/settings/src/admin.js

@@ -243,8 +243,9 @@ window.addEventListener('DOMContentLoaded', () => {
 			OC.SetupChecks.checkGeneric(),
 			OC.SetupChecks.checkWOFF2Loading(OC.filePath('core', '', 'fonts/NotoSans-Regular-latin.woff2'), OC.theme.docPlaceholderUrl),
 			OC.SetupChecks.checkDataProtected(),
-		).then((check1, check2, check3, check4, check5, check6, check7, check8, check9, check10, check11) => {
-			const messages = [].concat(check1, check2, check3, check4, check5, check6, check7, check8, check9, check10, check11)
+			OC.SetupChecks.checkCaching(),
+		).then((check1, check2, check3, check4, check5, check6, check7, check8, check9, check10, check11, check12) => {
+			const messages = [].concat(check1, check2, check3, check4, check5, check6, check7, check8, check9, check10, check11, check12)
 			const $el = $('#postsetupchecks')
 			$('#security-warning-state-loading').addClass('hidden')
 

core/js/setupchecks.js

@@ -47,6 +47,27 @@
 			return deferred.promise();
 		},
 
+		checkCaching: function() {
+			return Promise.all([
+				$.get(OC.generateUrl('settings/ajax/checksetupcookies.png')),
+				$.get(OC.generateUrl('settings/ajax/checksetupcookies.png')),
+			]).then(function(responses) {
+				if (responses[0].rand === responses[1].rand) {
+					console.error('Two unique requests returned the same response', {
+						rand1: responses[0].rand,
+						rand2: responses[1].rand,
+					});
+					return [
+						{
+							msg: t('core', 'Your web server is caching too aggressively. This could lead to leaked cookies and sessions.'),
+							type: OC.SetupChecks.MESSAGE_TYPE_ERROR
+						}
+					];
+				}
+				return [];
+			})
+		},
+
 		/**
 		 * Check whether the .well-known URLs works.
 		 *