#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR makes users not be able to configure a invalid external URL like `https:www/halo.run` even if it is an valid URL format.
#### Which issue(s) this PR fixes:
Fixes#6837
#### Does this PR introduce a user-facing change?
```release-note
修复可配置无效的外部访问地址的问题
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
提升登录页面的可访问性。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds globalInfo data into logout template model.
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/6821
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR disables CSRF protection for actuator endpoints because they are not state-changing operations.
#### Which issue(s) this PR fixes:
Fixes#6827
#### Special notes for your reviewer:
Try to restore Halo.
#### Does this PR introduce a user-facing change?
```release-note
修复恢复备份后无法自动重启的问题
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR prevents caching from cache plugin for pre-auth pages and logout page.
#### Which issue(s) this PR fixes:
Fixes#6826
#### Special notes for your reviewer:
1. Install `Page Cache Plugin` from <https://www.halo.run/store/apps/app-BaamQ>.
2. Open a private browser window
3. Access login page twice
4. Try to login
5. See the result
#### Does this PR introduce a user-facing change?
```release-note
解决因缓存插件缓存登录页面导致无法登录的问题
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds globalInfo into template models and refactors password reset to adapt data binding.
Fixes https://github.com/halo-dev/halo/issues/6821
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind bug
/milestone 2.20.x
#### What this PR does / why we need it:
修复不能正常显示邮箱验证提示的问题。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
重置密码跳转到登录页面之后,在顶部添加重置成功的提示。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
优化登录页面的 UI。
<img width="1910" alt="image" src="https://github.com/user-attachments/assets/736b1f72-e7c1-4c19-a0d9-dc935c738931">
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
优化校验提示信息根据用户选择的语言代替 `Locale#getDefault()#getLanguage()`
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR supports redirecting to URI with fragment. e.g.: <http://localhost:8090/login?redirect_uri=%2F%23afragment>(redirect_uri is `/#afragment`).
#### Which issue(s) this PR fixes:
Fixes#6767
#### Special notes for your reviewer:
1. Request <http://localhost:8090/login?redirect_uri=%2F%23afragment>
2. Log in
3. See the redirection
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
模板 head 和 footer 标签注入功能忽略错误页面避免当扩展发生错误时导致错误页面无法显示
#### Which issue(s) this PR fixes:
Fixes#6500 , #6750
#### Does this PR introduce a user-facing change?
```release-note
代码注入功能忽略对错误页面和登录注册等页面的注入
```
#### What type of PR is this?
/area ui
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
完善内置的认证提供商的 i18n。
<img width="859" alt="image" src="https://github.com/user-attachments/assets/a145fc98-05f0-4d62-805a-f3b4f4380a04">
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
优化退出登录页面的 UI。
<img width="568" alt="image" src="https://github.com/user-attachments/assets/dd3b405b-e200-478a-ba87-b0d474e6ee1f">
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
为注册用户增加用户名和密码长度校验
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
优化文件类型检测并支持根据文件名作为决策依据
#### Does this PR introduce a user-facing change?
```release-note
优化文件类型检测并支持根据文件名作为决策依据
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
重构登录、注册相关的模板结构,主要目的是为了解耦,修改页面时仅修改相关的模板和语言文件。
重构之后主题的引用方式如下:
login.html
```html
<div th:replace="~{gateway_fragments/login::form}"></div>
```
#### Special notes for your reviewer:
需要测试各个页面是否功能正常
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
完善部分表单的确定密码校验。
1. 封装单独的校验函数。
2. 完善 i18n。
<img width="676" alt="image" src="https://github.com/user-attachments/assets/af8a4edc-d6ba-419f-b7ba-baa9d488186d">
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
Currently, logout page is always visible for anyone whether the user is authenticated. This PR restricts the visibility of logout page to authenticated users but anonymous users.
#### Special notes for your reviewer:
```bash
> http http://localhost:8090/logout
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: 0
Location: /login?authentication_required
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 0
content-length: 0
```
#### Does this PR introduce a user-facing change?
```release-note
修复未登录情况下依然能够访问登出页面的问题
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
修复当用户通知偏好设置中出现不存在的通知器名称时会导致 NPE 的问题
此问题可能发生在,通知器由插件或者专业版提供并且修改了偏好设置后禁用了插件或切换到开源版导致找不到该通知器的记录
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area ui
/kind bug
/milestone 2.20.x
#### What this PR does / why we need it:
修复创建用户表单的用户名长度校验不生效的问题。
#### Does this PR introduce a user-facing change?
```release-note
修复创建用户表单的用户名长度校验不生效的问题。
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR refactors password reset for extensibility. If we want to add another password reset method, first thing we need to do is adding a new password reset method into `halo.security.password-reset-methods[]` and then defining PasswordResetAvailabilityProvider bean.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
在提交登录表单时,不在密码框中显示加密文本。
#### Which issue(s) this PR fixes:
Fixes#6799
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR makes XOR operation for CSRF token and changes the CSRF cookie `HttpOnly` to `true` to forbid JavaScript from accessing the cookie.
See https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#csrf-token-request-handler-breach for more details.
#### Special notes for your reviewer:
```bash
http http://localhost:8090/login -ph
HTTP/1.1 200 OK
set-cookie: XSRF-TOKEN=6d5dd83f-f0a7-4d94-a33e-73f213d679ff; Path=/; HTTPOnly
```
```bash
http http://localhost:8090/login -pb | grep _csrf
><input type="hidden" name="_csrf" value="ctubmrEC3dAbxC5H_k_-VnVUtih2BrfjcPfLmVAyaP0a1kAdEb-t_IcwuLM29B11yGLKNRQxm0lFZILOFZX-_GcHWJ974iR5"/>
```
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind feature
/milestone 2.20.x
/area core
#### What this PR does / why we need it:
支持用户在个人中心管理自己的附件(需要具有对应权限)
Fixes https://github.com/halo-dev/halo/issues/5278
#### Does this PR introduce a user-facing change?
```release-note
支持用户在个人中心管理自己的附件(需要具有对应权限)
```
#### What type of PR is this?
/area core
/kind bug
/milestone 2.20.x
#### What this PR does / why we need it:
修复注册时,不能正常显示用户名重复的错误的问题。
<img width="666" alt="image" src="https://github.com/user-attachments/assets/bef83af1-ab9d-4c84-8c3e-0d4f8a6892f3">
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area ui
/kind bug
/milestone 2.20.x
#### What this PR does / why we need it:
为 Code Input 设置默认高度,修复全屏按钮被遮挡的问题。
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/6681
#### Does this PR introduce a user-facing change?
```release-note
为 Code Input 设置默认高度,修复全屏按钮被遮挡的问题。
```
#### What type of PR is this?
/kind cleanup
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR changes the redirect URI to `/uc` instead of `/console` after authenticating successfully.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
更新默认主题的版本。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
优化重置密码表单的错误提示样式。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind bug
/milestone 2.20.x
#### What this PR does / why we need it:
修复注册页面的 JS 错误。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
升级预设插件的版本。
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR changes server.forward-header-strategy to native instead of framework due to a bug of Spring Framework 6.20.0-RC.1.
See https://github.com/spring-projects/spring-framework/pull/32097#discussion_r1791264218 for more.
If Halo server is proxied by OpenResty which is using HTTP 2, all header names proxied into Halo server will be lowercase. This behavior makes Halo get a null header(e.g.:: `content-type: application/json`) while invoking `request.getHeaders().getContentType()`.
And I found that `ServerHttpRequest` is mutated by `org.springframework.web.server.adapter.ForwardedHeaderTransformer`, so I try to use native forward-header-strategy to resolve the problem and it works very well. See [reactor.netty.http.server.DefaultHttpForwardedHeaderHandler](446683826b/reactor-netty-http/src/main/java/reactor/netty/http/server/DefaultHttpForwardedHeaderHandler.java) for more.
#### Does this PR introduce a user-facing change?
```release-note
None
```
#### What type of PR is this?
/area ui
/kind bug
/milestone 2.20.x
#### What this PR does / why we need it:
修复 Code 输入框在模态框(VModal)组件中无法正常全屏显示的问题。
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/6682
#### Does this PR introduce a user-facing change?
```release-note
修复 Code 输入框在模态框(VModal)组件中无法正常全屏显示的问题。
```
#### What type of PR is this?
/kind improvement
/area ui
/milsetone 2.20.x
#### What this PR does / why we need it:
在 userSelect 查询用户列表时,移除匿名与已删除用户这两个保留用户。
#### How to test it?
在文章设置,用户列表中不存在匿名与已删除用户即可。
#### Which issue(s) this PR fixes:
Fixes#6665
#### Does this PR introduce a user-facing change?
```release-note
在 user select 中不再显示匿名与已删除用户。
```
#### What type of PR is this?
/kind cleanup
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR separates authorization exchange customization into security configurers. I also define the annotations `@Order` on every security configurer in order to customize authorization exchange in separated source file instead of modifying existing.
#### Does this PR introduce a user-facing change?
```release-note
None
```
John Niang