#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
为系统配置获取增加缓存以提高路由和主题模板渲染的速度
#### Special notes for your reviewer:
1. 系统能正确初始化
2. 测试修改系统配置后 http://localhost:8090/actuator/globalinfo 和主题端 `${site}` 是否都是新的
3. 更改了文章路由规则后能正确调整到新的规则
#### Does this PR introduce a user-facing change?
```release-note
为系统配置的获取增加缓存以提高路由和主题模板渲染的速度
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
统一使用同一个 RequestPath 来解析请求信息
#### Does this PR introduce a user-facing change?
```release-note
None
```
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR modifies the behavior of the "Send" button for sending verification codes. Now, when the button is clicked, it immediately shows a "Sending..." state, improving user experience by providing instant feedback. After a successful request, a countdown is displayed. This makes the process clearer for users and reduces confusion during waiting time.
Which issue(s) this PR fixes:
Fixes#7064
Special notes for your reviewer:
Please review the implementation for consistent UI behavior and ensure no race conditions occur if the button is clicked multiple times quickly.
Does this PR introduce a user-facing change?
Improved user experience for sending verification codes: the button now immediately shows "
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
限制缩略图生成仅针对附件库中的图片,防止任意 URI 的生成行为带来的潜在攻击风险
先 merge #7077 后才能合并此 PR
#### Does this PR introduce a user-facing change?
```release-note
限制缩略图生成仅针对附件库中的图片,防止任意 URI 的生成行为带来的潜在攻击风险
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复可能为因为并发调用缩略图生成导致多次创建缩略图的问题
此 PR 为 #7031 的补充,并且会清理以前重复生成的缩略图记录和文件
#### Does this PR introduce a user-facing change?
```release-note
修复可能为因为并发调用缩略图生成导致多次重复缩略图记录的问题
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
对本地缩略图的原图链接和尺寸增加唯一性检查避免重复
#### Does this PR introduce a user-facing change?
```release-note
对本地缩略图的原图链接和尺寸增加唯一性检查避免重复
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR removes template engine instead of clearing cache of template engine after upgrading theme to resolve incomplete cache clear.
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/7056
#### Special notes for your reviewer:
1. Try to install the theme `theme-earth 1.12.0`
2. Request index page and you will see the `上一页` which should be `下一页`
3. Try to upgrade to the theme `theme-earth 1.12.1`
4. Request index page and you should see the `下一页` directly.
#### Does this PR introduce a user-facing change?
```release-note
修复升级主题后语言包未更新的问题
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复新创建的标签在主题端展示关联文章数量为 null 的问题
#### Which issue(s) this PR fixes:
Fixes#7042
#### Does this PR introduce a user-facing change?
```release-note
修复新创建的标签在主题端展示关联文章数量为 null 的问题
```
#### What type of PR is this?
/kind feature
#### What this PR does / why we need it:
This PR adds support for detecting OpenHarmony as a device operating system.
#### Which issue(s) this PR fixes:
Fixes#7039
#### Special notes for your reviewer:
This PR introduces minor changes in the device OS detection logic.
#### Does this PR introduce a user-facing change?
```release-note
新设备登录通知的操作系统名支持展示鸿蒙替代 Unknown
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
隐藏关键通知项设置以避免用户意外禁用而无法收到通知
#### Which issue(s) this PR fixes:
Fixes#6967
#### Does this PR introduce a user-facing change?
```release-note
隐藏关键通知项设置以避免用户意外禁用而无法收到通知
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR rearranges order of security configurers. Especially, SecurityWebFiltersConfigurer has lower priority to configure than other security configurers.
So we can catch internal authentication in plugins.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind feature
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds support for hooking user creating. Plugin developers can define extension points of `UserPreCreatingHandler` and `UserPostCreatingHandler` to do something else.
#### Does this PR introduce a user-facing change?
```release-note
支持在插件中定义用户创建的前置和后置处理器
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复登录页面路由会被自定义页面覆盖导致无法登录的问题
#### Which issue(s) this PR fixes:
Fixes#6893
#### Does this PR introduce a user-facing change?
```release-note
修复登录页面路由会被自定义页面路由覆盖导致无法登录的问题
```
#### What type of PR is this?
/kind bug
/area plugin
/milestone 2.20.x
#### What this PR does / why we need it:
修复插件配置可能因为缺少校验导致使用时类型转换失败从而影响 Halo 使用的问题
#### Which issue(s) this PR fixes:
Fixes#6899
#### Does this PR introduce a user-facing change?
```release-note
修复插件配置可能因为缺少校验导致使用时类型转换失败从而影响 Halo 使用的问题
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复使用 `singlePageFinder.list()` 时会提示缺少 spec.deleted 索引的问题
#### Which issue(s) this PR fixes:
Fixes#6919
#### Does this PR introduce a user-facing change?
```release-note
修复使用 `singlePageFinder.list()` 时会提示缺少 spec.deleted 索引的问题
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复登录时切换了其他语言但是登录成功后始终显示中文的问题
此问题为 https://github.com/halo-dev/halo/pull/6891 导致
#### Does this PR introduce a user-facing change?
```release-note
修复登录时切换了其他语言但是登录成功后始终显示中文的问题
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds the annotations `@NestedConfigurationProperties` to let Spring Configuration Processor generate fully metadata.
We can execute command `./gradlew :application:compileJava` to generate `application/build/classes/java/main/META-INF/spring-configuration-metadata.json`. If you are using IDEA Ultimate, configuration hints related to Halo will be available.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修正 OpenAPI 的分组匹配规则 之前有很多 PublicAPIs 没有出现在对应的组
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR excludes console and uc assets in security configuration to make them access by anonymous users.
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/6908
#### Special notes for your reviewer:
```bash
http http://localhost:8090/uc/assets/index-E-uvwInx.css -ph
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: no-cache
Content-Encoding: gzip
Content-Length: 26213
Content-Type: text/css
Vary: Accept-Encoding
```
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind bug
/milestone 2.20.x
#### What this PR does / why we need it:
修复在低版本 Safari 浏览器中,注册表单中的按钮高度溢出的问题。
#### Which issue(s) this PR fixes:
Fixes#6910
#### Does this PR introduce a user-facing change?
```release-note
修复在低版本 Safari 浏览器中,注册表单中的按钮高度溢出的问题。
```
<!-- Fuck Safari -->
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
将 MySQL 的表创建脚本 name 列字符集改为 utf8mb4_bin 以使其对大小写敏感
Fixes https://github.com/halo-dev/halo/issues/4372
**how to test it?**
使用 docker 运行 MySQL
```shell
# mariadb 同样将镜像改为 mariadb 后执行相同步骤
docker run --name mysql-test -e MYSQL_ROOT_PASSWORD=root -e MYSQL_DATABASE=halo -p 3306:3306 --rm -d mysql:latest
```
然后执行表创建脚本并手动执行以下两条 SQL 能成功插入
```sql
insert into extensions(name,data,version) values('a', 'a', 0)
insert into extensions(name,data,version) values('A', 'A', 0)
```
#### Does this PR introduce a user-facing change?
```release-note
修改 MySQL 表创建脚本 name 列的字符集使其大小写敏感以解决可能会遇到切换数据库时因为数据冲突而无法导入备份的问题(这只对此版本及之后的新用户有效)
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复非 HTTPS 连接下无法记住用户语言偏好的问题
#### Which issue(s) this PR fixes:
Fixes#6888
#### Does this PR introduce a user-facing change?
```release-note
修复非 HTTPS 连接下无法记住用户语言偏好的问题
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR refactors sign up data binding using internal `bind` method in `ServerRequest` instead of binding my hand. It's more convenient and simpler.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR appends query `method=local` after redirection location in authentication failure handler to redirect to login page with local method.
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/6894
#### Does this PR introduce a user-facing change?
```release-note
修复非默认登录方式登录失败之后跳转至默认登录方式的问题
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复从旧版本升级到 2.20 会因为默认主题目录已经存在而无法初始化的问题
#### Which issue(s) this PR fixes:
Fixes#6887
#### Does this PR introduce a user-facing change?
```release-note
修复从旧版本升级到 2.20 会因为默认主题目录已经存在而无法初始化的问题
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR exposes ReactiveUserDetailsService to authentication plugins.
#### Does this PR introduce a user-facing change?
```release-note
支持在插件中使用 ReactiveUserDetailsService
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
Bump app store plugin to 1.6.0
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR makes PAT configuration standalone and removes unused configuration related with `JWT`.
After this, we can define additional authentications in plugins with correct configuration order.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind feature
/area plugin
/milestone 2.20.x
#### What this PR does / why we need it:
This PR exposes user and role services into plugins. Some authentication plugins may interact with users and users' roles.
#### Does this PR introduce a user-facing change?
```release-note
允许在插件中使用 UserService 和 RoleService
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复由 #6680 导致的插件模板处理扩展中无法获取到请求上下文的问题
#6680 修复了插件可以在模板处理扩展中通过请求上下文获取到 Halo 的 ApplicationContext 的问题
但这也引入了新的问题就是导致模板处理扩展无法获取到请求上下文,此 PR 通过判断传递给插件的 ITemplateContext 是否为 IWebContext,如果是则包装为 SecureTemplateWebContext 传递给插件,以解决此问题
#### Which issue(s) this PR fixes:
Fixes#6875
#### Does this PR introduce a user-facing change?
```release-note
修复插件模板处理扩展中无法获取到请求上下文的问题
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR refactors check of whether the current user is a real user to fix the problem of not being able to create PAT for OAuth2 user.
#### Does this PR introduce a user-facing change?
```release-note
修复通过 OAuth2 登录之后无法正常创建和恢复个人令牌的问题
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR corrects typo of `apisGroups` to `apiGroups` to fix the problem of not being able to disconnect OAuth2 user.
#### Special notes for your reviewer:
0. Install OAuth2 plugin
1. Log in as a normal user
2. Bind a OAuth2 user
3. Try to unbind it
#### Does this PR introduce a user-facing change?
```release-note
修复无法正常解绑 OAuth2 用户
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复初始化 Halo 之后无法进入登录页面的问题
此问题原因是更改了 AuthProvider 的逻辑,当系统启动之后缺少默认的登录方式导致登录页面无法正确渲染
此 PR 将确保默认的登录方式始终存在来解决此问题
how to test it?
重新初始化 Halo 之后能正确渲染登录页面并登录即为符合预期
#### Does this PR introduce a user-facing change?
```release-note
修复初始化 Halo 之后无法进入登录页面的问题
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR ignores URI fragment while removing redirect URI. Before that, users may be redirected to previous redirect URI that contains fragment.
#### Does this PR introduce a user-facing change?
```release-note
修复二次登录后重定向跳转至旧地址的问题
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
恢复 https://github.com/halo-dev/halo/pull/6846 中删除的 SystemSetting.AuthProvider#enabled 字段避免插件应用到了它可能会发生错误,将其标记为过时
#### Does this PR introduce a user-facing change?
```release-note
None
```
* refactor: auth provider sorting logic for better maintainability and clarity
* Refine UI
* chore: remove other auth type
* Remove other auth providers
---------
Co-authored-by: Ryan Wang <i@ryanc.cc>
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
注册表单发送邮箱验证码时,支持显示来自后端的异常。
<img width="693" alt="image" src="https://github.com/user-attachments/assets/78d1d793-7673-4442-9b0b-1eb7c4d91ebd">
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind bug
/milestone 2.20.x
#### What this PR does / why we need it:
修复首次初始化之后,个人中心使用的附件存储策略没有默认值的问题。
#### Which issue(s) this PR fixes:
Fixes#6834
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind bug
/milestone 2.20.x
#### What this PR does / why we need it:
修复初始化登录之后,没有正确重定向到 /console 的问题。
#### Which issue(s) this PR fixes:
Fixes#6850
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR fills operation ID while building setup route to prevent errors when generating OpenAPI docs.
```java
2024-10-13T22:09:46.997+08:00 ERROR 68966 --- [ parallel-4] a.w.r.e.AbstractErrorWebExceptionHandler : [88654f05-3] 500 Server Error for HTTP GET "/v3/api-docs/apis_aggregated.api_v1alpha1"
java.lang.IllegalStateException: You should either fill, the Operation or at least the bean class and the bean method
at org.springdoc.core.fn.builders.operation.Builder.build(Builder.java:467) ~[springdoc-openapi-starter-common-2.6.0.jar:2.6.0]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
```
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/milestone 2.20.x
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
忽略预设插件安装时的错误避免无法初始化
可能因为没有预先 download 预设插件到项目目录而发生 IO 异常影响初始化流程
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复竖向图片生成缩略图后会丢失方向信息展示为横向图片的问题
#### Which issue(s) this PR fixes:
Fixes#6802
#### Does this PR introduce a user-facing change?
```release-note
修复竖向图片生成缩略图后会丢失方向信息展示为横向图片的问题
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR preserves `remember-me` option after authentication failure.
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/6835
#### Special notes for your reviewer:
1. Go to login page
2. Input invalid username or password and select `remember-me` option
3. Click `Login` button
4. See the result
#### Does this PR introduce a user-facing change?
```release-note
修复登录失败后记住我选项被重置的问题
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
优化登录等页面的 UI,主要优化低分屏下的 UI 表现,防止元素过大。
#### Does this PR introduce a user-facing change?
```release-note
优化登录等页面的 UI,优化低分屏下的 UI 表现,防止元素过大。
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR makes users not be able to configure a invalid external URL like `https:www/halo.run` even if it is an valid URL format.
#### Which issue(s) this PR fixes:
Fixes#6837
#### Does this PR introduce a user-facing change?
```release-note
修复可配置无效的外部访问地址的问题
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
提升登录页面的可访问性。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds globalInfo data into logout template model.
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/6821
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR disables CSRF protection for actuator endpoints because they are not state-changing operations.
#### Which issue(s) this PR fixes:
Fixes#6827
#### Special notes for your reviewer:
Try to restore Halo.
#### Does this PR introduce a user-facing change?
```release-note
修复恢复备份后无法自动重启的问题
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR prevents caching from cache plugin for pre-auth pages and logout page.
#### Which issue(s) this PR fixes:
Fixes#6826
#### Special notes for your reviewer:
1. Install `Page Cache Plugin` from <https://www.halo.run/store/apps/app-BaamQ>.
2. Open a private browser window
3. Access login page twice
4. Try to login
5. See the result
#### Does this PR introduce a user-facing change?
```release-note
解决因缓存插件缓存登录页面导致无法登录的问题
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds globalInfo into template models and refactors password reset to adapt data binding.
Fixes https://github.com/halo-dev/halo/issues/6821
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind bug
/milestone 2.20.x
#### What this PR does / why we need it:
修复不能正常显示邮箱验证提示的问题。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
重置密码跳转到登录页面之后,在顶部添加重置成功的提示。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
优化登录页面的 UI。
<img width="1910" alt="image" src="https://github.com/user-attachments/assets/736b1f72-e7c1-4c19-a0d9-dc935c738931">
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
优化校验提示信息根据用户选择的语言代替 `Locale#getDefault()#getLanguage()`
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR supports redirecting to URI with fragment. e.g.: <http://localhost:8090/login?redirect_uri=%2F%23afragment>(redirect_uri is `/#afragment`).
#### Which issue(s) this PR fixes:
Fixes#6767
#### Special notes for your reviewer:
1. Request <http://localhost:8090/login?redirect_uri=%2F%23afragment>
2. Log in
3. See the redirection
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
模板 head 和 footer 标签注入功能忽略错误页面避免当扩展发生错误时导致错误页面无法显示
#### Which issue(s) this PR fixes:
Fixes#6500 , #6750
#### Does this PR introduce a user-facing change?
```release-note
代码注入功能忽略对错误页面和登录注册等页面的注入
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
优化退出登录页面的 UI。
<img width="568" alt="image" src="https://github.com/user-attachments/assets/dd3b405b-e200-478a-ba87-b0d474e6ee1f">
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
为注册用户增加用户名和密码长度校验
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
优化文件类型检测并支持根据文件名作为决策依据
#### Does this PR introduce a user-facing change?
```release-note
优化文件类型检测并支持根据文件名作为决策依据
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
重构登录、注册相关的模板结构,主要目的是为了解耦,修改页面时仅修改相关的模板和语言文件。
重构之后主题的引用方式如下:
login.html
```html
<div th:replace="~{gateway_fragments/login::form}"></div>
```
#### Special notes for your reviewer:
需要测试各个页面是否功能正常
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
完善部分表单的确定密码校验。
1. 封装单独的校验函数。
2. 完善 i18n。
<img width="676" alt="image" src="https://github.com/user-attachments/assets/af8a4edc-d6ba-419f-b7ba-baa9d488186d">
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
Currently, logout page is always visible for anyone whether the user is authenticated. This PR restricts the visibility of logout page to authenticated users but anonymous users.
#### Special notes for your reviewer:
```bash
> http http://localhost:8090/logout
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: 0
Location: /login?authentication_required
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 0
content-length: 0
```
#### Does this PR introduce a user-facing change?
```release-note
修复未登录情况下依然能够访问登出页面的问题
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复当用户通知偏好设置中出现不存在的通知器名称时会导致 NPE 的问题
此问题可能发生在,通知器由插件或者专业版提供并且修改了偏好设置后禁用了插件或切换到开源版导致找不到该通知器的记录
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR refactors password reset for extensibility. If we want to add another password reset method, first thing we need to do is adding a new password reset method into `halo.security.password-reset-methods[]` and then defining PasswordResetAvailabilityProvider bean.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
在提交登录表单时,不在密码框中显示加密文本。
#### Which issue(s) this PR fixes:
Fixes#6799
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR makes XOR operation for CSRF token and changes the CSRF cookie `HttpOnly` to `true` to forbid JavaScript from accessing the cookie.
See https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#csrf-token-request-handler-breach for more details.
#### Special notes for your reviewer:
```bash
http http://localhost:8090/login -ph
HTTP/1.1 200 OK
set-cookie: XSRF-TOKEN=6d5dd83f-f0a7-4d94-a33e-73f213d679ff; Path=/; HTTPOnly
```
```bash
http http://localhost:8090/login -pb | grep _csrf
><input type="hidden" name="_csrf" value="ctubmrEC3dAbxC5H_k_-VnVUtih2BrfjcPfLmVAyaP0a1kAdEb-t_IcwuLM29B11yGLKNRQxm0lFZILOFZX-_GcHWJ974iR5"/>
```
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind feature
/milestone 2.20.x
/area core
#### What this PR does / why we need it:
支持用户在个人中心管理自己的附件(需要具有对应权限)
Fixes https://github.com/halo-dev/halo/issues/5278
#### Does this PR introduce a user-facing change?
```release-note
支持用户在个人中心管理自己的附件(需要具有对应权限)
```
#### What type of PR is this?
/area core
/kind bug
/milestone 2.20.x
#### What this PR does / why we need it:
修复注册时,不能正常显示用户名重复的错误的问题。
<img width="666" alt="image" src="https://github.com/user-attachments/assets/bef83af1-ab9d-4c84-8c3e-0d4f8a6892f3">
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind cleanup
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR changes the redirect URI to `/uc` instead of `/console` after authenticating successfully.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
更新默认主题的版本。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
优化重置密码表单的错误提示样式。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind bug
/milestone 2.20.x
#### What this PR does / why we need it:
修复注册页面的 JS 错误。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
升级预设插件的版本。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR changes server.forward-header-strategy to native instead of framework due to a bug of Spring Framework 6.20.0-RC.1.
See https://github.com/spring-projects/spring-framework/pull/32097#discussion_r1791264218 for more.
If Halo server is proxied by OpenResty which is using HTTP 2, all header names proxied into Halo server will be lowercase. This behavior makes Halo get a null header(e.g.:: `content-type: application/json`) while invoking `request.getHeaders().getContentType()`.
And I found that `ServerHttpRequest` is mutated by `org.springframework.web.server.adapter.ForwardedHeaderTransformer`, so I try to use native forward-header-strategy to resolve the problem and it works very well. See [reactor.netty.http.server.DefaultHttpForwardedHeaderHandler](446683826b/reactor-netty-http/src/main/java/reactor/netty/http/server/DefaultHttpForwardedHeaderHandler.java) for more.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind cleanup
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR separates authorization exchange customization into security configurers. I also define the annotations `@Order` on every security configurer in order to customize authorization exchange in separated source file instead of modifying existing.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
完善登录方式选择按钮的 i18n。
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/6759
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
Fixes https://github.com/halo-dev/halo/issues/6760
重构登录、注册、找回密码、两步验证等模板的结构,提供更好的复用性,现在主题可以这样复用模板:
login.html
```html
<form th:replace="~{gateway_modules/form_fragments::login}"></form>
```
signup.html
```html
<form th:replace="~{gateway_modules/form_fragments::signup}"></form>
```
challenges/two-factor/totp.html
```html
<form th:replace="~{gateway_modules/form_fragments::totp}"></form>
```
#### Special notes for your reviewer:
需要测试各个页面是否功能正常
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
/sig docs
#### What this PR does / why we need it:
修复恢复备份后可能会因为与之前的数据冲突导致无法启动的问题
如果恢复时发生不可预知的错误,需要重启之后重新初始化再进行恢复
#### Which issue(s) this PR fixes:
Fixes#6672
#### Does this PR introduce a user-facing change?
```release-note
修复恢复备份后可能会因为与恢复之前存在的数据冲突导致无法启动的问题
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
为系统默认的存储策略添加保护措施,不允许删除。
<img width="893" alt="image" src="https://github.com/user-attachments/assets/990f834f-3d97-4ee8-9c24-01cc188b7be6">
#### Does this PR introduce a user-facing change?
```release-note
为系统默认的存储策略添加保护措施,不允许删除。
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
备份时排除全文索引目录 indices,防止恢复之后因为索引文件问题无法启动。
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/6443
#### Does this PR introduce a user-facing change?
```release-note
备份时排除全文索引目录 indices,防止恢复之后因为索引文件问题无法启动。
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
微调登录相关页面的样式。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds [a Gradle plugin ](https://github.com/ben-manes/gradle-versions-plugin)to discover dependency updates.
```bash
❯ ./gradlew dependencyUpdates -Drevision=release
> Task :api:dependencyUpdates
------------------------------------------------------------
:api Project Dependency Updates (report to plain text file)
------------------------------------------------------------
The following dependencies are using the latest release version:
- com.github.ben-manes.caffeine:caffeine:3.1.8
- com.github.java-json-tools:json-patch:1.13
- com.j256.two-factor-auth:two-factor-auth:1.3
- io.asyncer:r2dbc-mysql:1.3.0
- io.github.java-diff-utils:java-diff-utils:4.12
- io.github.resilience4j:resilience4j-reactor:2.2.0
- io.github.resilience4j:resilience4j-spring-boot3:2.2.0
- io.projectreactor:reactor-test:3.7.0-M6
- io.r2dbc:r2dbc-h2:1.0.0.RELEASE
- io.seruco.encoding:base62:0.1.3
- org.apache.commons:commons-lang3:3.17.0
- org.imgscalr:imgscalr-lib:4.2
- org.jacoco:org.jacoco.agent:0.8.12
- org.jacoco:org.jacoco.ant:0.8.12
- org.mariadb:r2dbc-mariadb:1.2.2
- org.openapi4j:openapi-schema-validator:1.0.7
- org.pf4j:pf4j:3.12.0
- org.postgresql:postgresql:42.7.4
- org.postgresql:r2dbc-postgresql:1.0.5.RELEASE
- org.projectlombok:lombok:1.18.30
- org.springdoc:springdoc-openapi-starter-webflux-ui:2.6.0
- org.springframework.boot:spring-boot-starter-actuator:3.4.0-M3
- org.springframework.boot:spring-boot-starter-cache:3.4.0-M3
- org.springframework.boot:spring-boot-starter-data-jpa:3.4.0-M3
- org.springframework.boot:spring-boot-starter-data-r2dbc:3.4.0-M3
- org.springframework.boot:spring-boot-starter-mail:3.4.0-M3
- org.springframework.boot:spring-boot-starter-security:3.4.0-M3
- org.springframework.boot:spring-boot-starter-test:3.4.0-M3
- org.springframework.boot:spring-boot-starter-thymeleaf:3.4.0-M3
- org.springframework.boot:spring-boot-starter-validation:3.4.0-M3
- org.springframework.boot:spring-boot-starter-webflux:3.4.0-M3
- org.springframework.integration:spring-integration-core:6.4.0-M3
- org.springframework.security:spring-security-oauth2-client:6.4.0-M4
- org.springframework.security:spring-security-oauth2-jose:6.4.0-M4
- org.springframework.security:spring-security-oauth2-resource-server:6.4.0-M4
- org.springframework.security:spring-security-test:6.4.0-M4
- org.springframework.session:spring-session-core:3.4.0-M2
- org.thymeleaf.extras:thymeleaf-extras-springsecurity6:3.1.2.RELEASE
The following dependencies have later release versions:
- com.google.guava:guava [32.0.1-jre -> 33.3.1-jre]
https://github.com/google/guava
- net.bytebuddy:byte-buddy [1.15.1 -> 1.15.3]
https://bytebuddy.net
- org.apache.lucene:lucene-analysis-common [9.11.1 -> 9.12.0]
https://lucene.apache.org/
- org.apache.lucene:lucene-backward-codecs [9.11.1 -> 9.12.0]
https://lucene.apache.org/
- org.apache.lucene:lucene-core [9.11.1 -> 9.12.0]
https://lucene.apache.org/
- org.apache.lucene:lucene-highlighter [9.11.1 -> 9.12.0]
https://lucene.apache.org/
- org.apache.lucene:lucene-queryparser [9.11.1 -> 9.12.0]
https://lucene.apache.org/
- org.apache.tika:tika-core [2.9.2 -> 3.0.0-BETA2]
https://tika.apache.org/
- org.jsoup:jsoup [1.15.3 -> 1.18.1]
https://jsoup.org/
Gradle release-candidate updates:
- Gradle: [8.10.2: UP-TO-DATE]
Generated report file build/dependencyUpdates/report.txt
> Task :application:dependencyUpdates
------------------------------------------------------------
:application Project Dependency Updates (report to plain text file)
------------------------------------------------------------
The following dependencies are using the latest release version:
- com.puppycrawl.tools:checkstyle:9.3
- io.projectreactor:reactor-test:3.7.0-M6
- org.jacoco:org.jacoco.agent:0.8.12
- org.jacoco:org.jacoco.ant:0.8.12
- org.springframework:spring-context-indexer:6.2.0-RC1
- org.springframework.boot:spring-boot-configuration-processor:3.4.0-M3
- org.springframework.boot:spring-boot-starter-test:3.4.0-M3
- org.springframework.security:spring-security-test:6.4.0-M4
- org.webjars.npm:jsencrypt:3.3.2
- org.webjars.npm:normalize.css:8.0.1
The following dependencies have later release versions:
- org.projectlombok:lombok [1.18.30 -> 1.18.34]
https://projectlombok.org
Gradle release-candidate updates:
- Gradle: [8.10.2: UP-TO-DATE]
Generated report file build/dependencyUpdates/report.txt
Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.
You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.
For more on this, please refer to https://docs.gradle.org/8.10.2/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.
BUILD SUCCESSFUL in 1s
9 actionable tasks: 2 executed, 7 up-to-date
```
#### Does this PR introduce a user-facing change?
<!--
如果当前 Pull Request 的修改不会造成用户侧的任何变更,在 `release-note` 代码块儿中填写 `NONE`。
否则请填写用户侧能够理解的 Release Note。如果当前 Pull Request 包含破坏性更新(Break Change),
Release Note 需要以 `action required` 开头。
If no, just write "NONE" in the release-note block below.
If yes, a release note is required:
Enter your extended release note in the block below. If the PR requires additional action from users switching to the new release, include the string "action required".
-->
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR make authenticated users redirect to user center if they are trying to access login and signup pages.
#### Special notes for your reviewer:
1. Log in Halo
2. Try to request <http://localhost:8090/login> or <http://localhost:8090/signup>.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind feature
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR provides an endpoint for disconnecting user connection. After the user connection is disconnected, an event `UserConnectionDisconnectedEvent` will be published for plugins.
Now, OAuth2 plugin can simplify the authentication, binding and unbinding logic, please see the AuthProvider configuration snippet below:
```diff
spec:
authenticationUrl: /oauth2/authorization/github
- bindingUrl: /apis/api.plugin.halo.run/v1alpha1/plugins/plugin-oauth2/connect/github
+ bindingUrl: /oauth2/authorization/github
- unbindUrl: /apis/api.plugin.halo.run/v1alpha1/plugins/plugin-oauth2/disconnect/github
+ unbindUrl: /apis/uc.api.auth.halo.run/v1alpha1/user-connections/github/disconnect
```
Please note that, OAuth2 plugin can also define binding and unbinding endpoints by self.
#### Special notes for your reviewer:
OAuth2 test plugin:
[plugin-oauth2-1.0.4-SNAPSHOT.zip](https://github.com/user-attachments/files/17184215/plugin-oauth2-1.0.4-SNAPSHOT.zip)
#### Does this PR introduce a user-facing change?
```release-note
None
```
guqing