#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
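The template head and footer tag injection feature now ignores error pages, so that an error in an extension does not prevent the error page from being displayed.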
#### Which issue(s) this PR fixes:
Fixes #6500, #6750
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
Optimize the UI of the logout page.
<img width="568" alt="image" src="https://github.com/user-attachments/assets/dd3b405b-e200-478a-ba87-b0d474e6ee1f">
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
```html
<div th:replace="~{gateway_fragments/login::form}"></div>
```
#### Special notes for your reviewer:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
1. Encapsulate a separate validation function.
2. Improve i18n.
<img width="676" alt="image" src="https://github.com/user-attachments/assets/af8a4edc-d6ba-419f-b7ba-baa9d488186d">
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
Currently, the logout page is always visible to anyone, whether or not the user is authenticated. This PR restricts the visibility of the logout page to authenticated users, excluding anonymous users.
#### Special notes for your reviewer:
```
> http http://localhost:8090/logout
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: 0
Location: /login?authentication_required
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 0
content-length: 0
```
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
Fix the NPE that occurs when a user's notification preferences contain the name of a notifier that does not exist.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR refactors password reset for extensibility. If we want to add another password reset method, the first thing we need to do is add a new password reset method to `halo.security.password-reset-methods[]` and then define a `PasswordResetAvailabilityProvider` bean.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
#### Which issue(s) this PR fixes:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR applies an XOR operation to the CSRF token and changes the CSRF cookie's `HttpOnly` attribute to `true` to forbid JavaScript from accessing the cookie.
See https://docs.spring.io/spring-security/reference/servlet/exploits/csrf.html#csrf-token-request-handler-breach for more details.
#### Special notes for your reviewer:
```
http http://localhost:8090/login -ph
HTTP/1.1 200 OK
set-cookie: XSRF-TOKEN=6d5dd83f-f0a7-4d94-a33e-73f213d679ff; Path=/; HTTPOnly

http http://localhost:8090/login -pb | grep _csrf
><input type="hidden" name="_csrf" value="ctubmrEC3dAbxC5H_k_-VnVUtih2BrfjcPfLmVAyaP0a1kAdEb-t_IcwuLM29B11yGLKNRQxm0lFZILOFZX-_GcHWJ974iR5"/>
```
#### Does this PR introduce a user-facing change?
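The XOR masking of the CSRF token mentioned in the PR description above, as an added example that is not Halo's or Spring Security's code: the raw token stays server-side (and in the `HttpOnly` cookie), while each rendered form gets a differently masked `_csrf` value, which is what blunts BREACH-style compression attacks. The class and method names are hypothetical, and the layout `base64url(pad || pad XOR token)` is an assumption of this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.UUID;

// Added illustration, not Halo or Spring Security source. Names are
// hypothetical; the layout base64url(pad || pad XOR token) is an assumption.
public class XorCsrfTokenDemo {

    private static final SecureRandom RANDOM = new SecureRandom();

    // Mask the raw token with a fresh random pad so that every rendered page
    // carries a different byte string for the same underlying secret.
    static String mask(String rawToken) {
        byte[] token = rawToken.getBytes(StandardCharsets.UTF_8);
        byte[] pad = new byte[token.length];
        RANDOM.nextBytes(pad);
        byte[] combined = new byte[token.length * 2];
        System.arraycopy(pad, 0, combined, 0, pad.length);
        for (int i = 0; i < token.length; i++) {
            combined[pad.length + i] = (byte) (pad[i] ^ token[i]);
        }
        return Base64.getUrlEncoder().encodeToString(combined);
    }

    // Recover the raw token bytes, or null when the value is missing, is not
    // valid base64url, or is not exactly twice the expected token length.
    static byte[] unmask(String masked, int rawLength) {
        if (masked == null) {
            return null;
        }
        byte[] combined;
        try {
            combined = Base64.getUrlDecoder().decode(masked);
        } catch (IllegalArgumentException e) {
            return null;
        }
        if (combined.length != rawLength * 2) {
            return null;
        }
        byte[] token = new byte[rawLength];
        for (int i = 0; i < rawLength; i++) {
            token[i] = (byte) (combined[i] ^ combined[rawLength + i]);
        }
        return token;
    }

    // Server-side check: unmask the submitted value and compare it with the
    // stored raw token in constant time.
    static boolean matches(String submitted, String expectedRaw) {
        byte[] expected = expectedRaw.getBytes(StandardCharsets.UTF_8);
        byte[] actual = unmask(submitted, expected.length);
        return actual != null && MessageDigest.isEqual(actual, expected);
    }

    public static void main(String[] args) {
        String raw = UUID.randomUUID().toString(); // constructed sample token
        String first = mask(raw);
        String second = mask(raw);

        // Change the last character to simulate a tampered form field.
        char last = first.charAt(first.length() - 1);
        String tampered = first.substring(0, first.length() - 1)
            + (last == 'A' ? 'B' : 'A');

        System.out.println("raw token:           " + raw);
        System.out.println("masked (render 1):   " + first);
        System.out.println("masked (render 2):   " + second);
        System.out.println("renders differ:      " + !first.equals(second));
        System.out.println("render 1 accepted:   " + matches(first, raw));
        System.out.println("render 2 accepted:   " + matches(second, raw));
        System.out.println("tampered accepted:   " + matches(tampered, raw));
        // The unmasked token is rejected: clients must echo the masked form
        // value, never the raw secret.
        System.out.println("raw value accepted:  " + matches(raw, raw));
    }
}
```

Both masked values validate against the same stored token, while the tampered value and the raw token are rejected by the length and comparison checks.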
#### What type of PR is this?
/kind feature
/milestone 2.20.x
/area core
#### What this PR does / why we need it:
Fixes https://github.com/halo-dev/halo/issues/5278
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind bug
/milestone 2.20.x
#### What this PR does / why we need it:
<img width="666" alt="image" src="https://github.com/user-attachments/assets/bef83af1-ab9d-4c84-8c3e-0d4f8a6892f3">
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind cleanup
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR changes the redirect URI to `/uc` instead of `/console` after authenticating successfully.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind bug
/milestone 2.20.x
#### What this PR does / why we need it:
Fix the JS error on the signup page.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR changes `server.forward-header-strategy` to `native` instead of `framework` due to a bug in Spring Framework 6.20.0-RC.1.
See https://github.com/spring-projects/spring-framework/pull/32097#discussion_r1791264218 for more.
If the Halo server is proxied by OpenResty using HTTP 2, all header names proxied into the Halo server will be lowercase. This behavior makes Halo get a null header (e.g. `content-type: application/json`) while invoking `request.getHeaders().getContentType()`.
And I found that `ServerHttpRequest` is mutated by `org.springframework.web.server.adapter.ForwardedHeaderTransformer`, so I tried to use the native forward-header-strategy to resolve the problem and it works very well. See [reactor.netty.http.server.DefaultHttpForwardedHeaderHandler](446683826b/reactor-netty-http/src/main/java/reactor/netty/http/server/DefaultHttpForwardedHeaderHandler.java) for more.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind cleanup
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR separates authorization exchange customization into security configurers. I also add the `@Order` annotation to every security configurer so that authorization exchange can be customized in a separate source file instead of modifying existing ones.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
Improve the i18n of the login method selection buttons.
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/6759
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
Fixes https://github.com/halo-dev/halo/issues/6760
```html
<form th:replace="~{gateway_modules/form_fragments::login}"></form>
<form th:replace="~{gateway_modules/form_fragments::signup}"></form>
<form th:replace="~{gateway_modules/form_fragments::totp}"></form>
```
#### Special notes for your reviewer:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
/sig docs
#### What this PR does / why we need it:
#### Which issue(s) this PR fixes:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
<img width="893" alt="image" src="https://github.com/user-attachments/assets/990f834f-3d97-4ee8-9c24-01cc188b7be6">
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
Exclude the full-text index directory `indices` from backups, to prevent startup failures after a restore caused by index file problems.
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/6443
#### Does this PR introduce a user-facing change?
Exclude the full-text index directory `indices` from backups, to prevent startup failures after a restore caused by index file problems.
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds [a Gradle plugin](https://github.com/ben-manes/gradle-versions-plugin) to discover dependency updates.
```
❯ ./gradlew dependencyUpdates -Drevision=release

> Task :api:dependencyUpdates

:api Project Dependency Updates (report to plain text file)

The following dependencies are using the latest release version:
 - com.github.ben-manes.caffeine:caffeine:3.1.8
 - com.github.java-json-tools:json-patch:1.13
 - com.j256.two-factor-auth:two-factor-auth:1.3
 - io.asyncer:r2dbc-mysql:1.3.0
 - io.github.java-diff-utils:java-diff-utils:4.12
 - io.github.resilience4j:resilience4j-reactor:2.2.0
 - io.github.resilience4j:resilience4j-spring-boot3:2.2.0
 - io.projectreactor:reactor-test:3.7.0-M6
 - io.r2dbc:r2dbc-h2:1.0.0.RELEASE
 - io.seruco.encoding:base62:0.1.3
 - org.apache.commons:commons-lang3:3.17.0
 - org.imgscalr:imgscalr-lib:4.2
 - org.jacoco:org.jacoco.agent:0.8.12
 - org.jacoco:org.jacoco.ant:0.8.12
 - org.mariadb:r2dbc-mariadb:1.2.2
 - org.openapi4j:openapi-schema-validator:1.0.7
 - org.pf4j:pf4j:3.12.0
 - org.postgresql:postgresql:42.7.4
 - org.postgresql:r2dbc-postgresql:1.0.5.RELEASE
 - org.projectlombok:lombok:1.18.30
 - org.springdoc:springdoc-openapi-starter-webflux-ui:2.6.0
 - org.springframework.boot:spring-boot-starter-actuator:3.4.0-M3
 - org.springframework.boot:spring-boot-starter-cache:3.4.0-M3
 - org.springframework.boot:spring-boot-starter-data-jpa:3.4.0-M3
 - org.springframework.boot:spring-boot-starter-data-r2dbc:3.4.0-M3
 - org.springframework.boot:spring-boot-starter-mail:3.4.0-M3
 - org.springframework.boot:spring-boot-starter-security:3.4.0-M3
 - org.springframework.boot:spring-boot-starter-test:3.4.0-M3
 - org.springframework.boot:spring-boot-starter-thymeleaf:3.4.0-M3
 - org.springframework.boot:spring-boot-starter-validation:3.4.0-M3
 - org.springframework.boot:spring-boot-starter-webflux:3.4.0-M3
 - org.springframework.integration:spring-integration-core:6.4.0-M3
 - org.springframework.security:spring-security-oauth2-client:6.4.0-M4
 - org.springframework.security:spring-security-oauth2-jose:6.4.0-M4
 - org.springframework.security:spring-security-oauth2-resource-server:6.4.0-M4
 - org.springframework.security:spring-security-test:6.4.0-M4
 - org.springframework.session:spring-session-core:3.4.0-M2
 - org.thymeleaf.extras:thymeleaf-extras-springsecurity6:3.1.2.RELEASE

The following dependencies have later release versions:
 - com.google.guava:guava [32.0.1-jre -> 33.3.1-jre]
 - net.bytebuddy:byte-buddy [1.15.1 -> 1.15.3]
 - org.apache.lucene:lucene-analysis-common [9.11.1 -> 9.12.0]
 - org.apache.lucene:lucene-backward-codecs [9.11.1 -> 9.12.0]
 - org.apache.lucene:lucene-core [9.11.1 -> 9.12.0]
 - org.apache.lucene:lucene-highlighter [9.11.1 -> 9.12.0]
 - org.apache.lucene:lucene-queryparser [9.11.1 -> 9.12.0]
 - org.apache.tika:tika-core [2.9.2 -> 3.0.0-BETA2]
 - org.jsoup:jsoup [1.15.3 -> 1.18.1]

Gradle release-candidate updates:
 - Gradle: [8.10.2: UP-TO-DATE]

Generated report file build/dependencyUpdates/report.txt

> Task :application:dependencyUpdates

:application Project Dependency Updates (report to plain text file)

The following dependencies are using the latest release version:
 - com.puppycrawl.tools:checkstyle:9.3
 - io.projectreactor:reactor-test:3.7.0-M6
 - org.jacoco:org.jacoco.agent:0.8.12
 - org.jacoco:org.jacoco.ant:0.8.12
 - org.springframework:spring-context-indexer:6.2.0-RC1
 - org.springframework.boot:spring-boot-configuration-processor:3.4.0-M3
 - org.springframework.boot:spring-boot-starter-test:3.4.0-M3
 - org.springframework.security:spring-security-test:6.4.0-M4
 - org.webjars.npm:jsencrypt:3.3.2
 - org.webjars.npm:normalize.css:8.0.1

The following dependencies have later release versions:
 - org.projectlombok:lombok [1.18.30 -> 1.18.34]

Gradle release-candidate updates:
 - Gradle: [8.10.2: UP-TO-DATE]

Generated report file build/dependencyUpdates/report.txt

Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.

You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.

For more on this, please refer to https://docs.gradle.org/8.10.2/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.

9 actionable tasks: 2 executed, 7 up-to-date
```
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR makes authenticated users redirect to the user center if they try to access the login and signup pages.
#### Special notes for your reviewer:
1. Log in Halo
2. Try to request <http://localhost:8090/login> or <http://localhost:8090/signup>.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind feature
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR provides an endpoint for disconnecting a user connection. After the user connection is disconnected, an event `UserConnectionDisconnectedEvent` will be published for plugins.
Now the OAuth2 plugin can simplify the authentication, binding and unbinding logic; please see the AuthProvider configuration snippet below:
authenticationUrl: /oauth2/authorization/github
- bindingUrl: /apis/api.plugin.halo.run/v1alpha1/plugins/plugin-oauth2/connect/github
+ bindingUrl: /oauth2/authorization/github
- unbindUrl: /apis/api.plugin.halo.run/v1alpha1/plugins/plugin-oauth2/disconnect/github
+ unbindUrl: /apis/uc.api.auth.halo.run/v1alpha1/user-connections/github/disconnect
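Review bot: the `+ bindingUrl` line now carries the same value as the unchanged `authenticationUrl` line (`/oauth2/authorization/github`), so the snippet no longer shows how a binding request is told apart from a plain login; the description should state what decides between the two. The new `+ unbindUrl` also embeds `github` as a path segment of a core endpoint, so it is worth documenting what that segment has to match for other providers.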
Please note that the OAuth2 plugin can also define binding and unbinding endpoints by itself.
#### Special notes for your reviewer:
OAuth2 test plugin:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/milestone 2.20.x
/area core
/kind improvement
#### What this PR does / why we need it:
Allow Basic Auth authentication to be disabled via the `halo.security.basic-auth.disabled=true` configuration.
#### Which issue(s) this PR fixes:
#### Does this PR introduce a user-facing change?
Allow Basic Auth authentication to be disabled via the `halo.security.basic-auth.disabled=true` configuration; in version 2.20, Basic Auth is disabled by default in production environments.
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
#### Which issue(s) this PR fixes:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds support for binding OAuth2 users automatically, so we can remove the user-binding page.
Please note that those changes may break the OAuth2 and SocialLogin plugins.
#### Special notes for your reviewer:
Build OAuth2 plugin from <https://github.com/halo-sigs/plugin-oauth2/pull/64> or use [plugin-oauth2-1.0.4-SNAPSHOT.zip](https://github.com/user-attachments/files/17177592/plugin-oauth2-1.0.4-SNAPSHOT.zip) I built.
- Bind after logging in
  1. Log in Halo with username and password method
  2. Try to unbind OAuth2 user
  3. Bind OAuth2 user again
- Initially bind without logging in
  1. Go to login page
  2. Log in with OAuth2 method and you will be redirected to login page
  3. Log in with username and password method
  4. See the result of binding
- Log in with OAuth2 method after binding
  1. Go to login page
  2. Log in with OAuth2 method and you will be redirected to uc page directly
#### Does this PR introduce a user-facing change?
Support automatic binding of OAuth2 login users.
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds the `confirmPassword` field to `SignUpData` for validation, so the signup page can be rendered correctly.
See https://github.com/halo-dev/halo/issues/6718 for more.
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/6718
#### Special notes for your reviewer:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/6721
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.20.x
#### What this PR does / why we need it:
Remove the show-plaintext-password button that the Edge browser adds to password input fields.
<img width="406" alt="image" src="https://github.com/user-attachments/assets/49801c25-d8dc-46db-9cba-302653af1951">
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
#### Which issue(s) this PR fixes:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/milestone 2.20.x
/area core
#### What this PR does / why we need it:
Move the data update classes related to content management, such as visit and comment count statistics, into the `content` package.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
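This happens because a URI object cannot be created when the URI string contains spaces. Such illegal arguments are now ignored, and if generation fails the original URI string is returned directly.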
#### Which issue(s) this PR fixes:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind feature
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR registers a `ServerWebExchangeContextFilter` to make `ServerWebExchange` available under `ContextView`. The usage example is as follows:

```java
Mono.deferContextual(contextView -> {
    // Look up the current exchange from the Reactor context.
    var exchange = ServerWebExchangeContextFilter.getExchange(contextView);
    return mono;
});
```
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This problem was caused by #6390.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind cleanup
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR upgrades to [Spring Boot 3.4.0-M3](https://github.com/spring-projects/spring-boot/releases/tag/v3.4.0-M3).
1. Fix the compilation error of OptimalPropertyAccess because the class has been made private in [this commit](b431594021).
2. Fix exception `org.mockito.exceptions.misusing.UnnecessaryStubbingException` for some unit tests after upgrading.
3. Replace deprecated annotations `@MockBean` and `@SpyBean` with `@MockitoBean` and `@MockitoSpyBean` respectively.
#### Does this PR introduce a user-facing change?
Upgrade Spring Boot to 3.4.0-M3.
#### What type of PR is this?
/kind improvement
/area core
/area theme
#### What this PR does / why we need it:
This PR removes ReactivePropertyAccessor because it uses `AstUtils#getPropertyAccessorsToTry`, which is already hidden in [the commit](33fbd7141d (diff-deaf3517fbd66f40a8717877a8328dee0fb2581dfb6be487f327dc73ea33b5b5)). If we upgraded to Spring Boot 3.4.0-M3, the code in ReactivePropertyAccessor would be broken.
More importantly, I believe there is one issue with the current implementation although it can resolve the reactive issue.
- The PropertyAccessor modified the process flow of SPEL
This PR provides some wrappers to wrap existing PropertyAccessor and MethodResolver to evaluate reactive return value.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/area plugin
/milestone 2.20.x
#### What this PR does / why we need it:
Plugins can implement their own RouterFunctions and ControllerMappings, but those might expose root ApplicationContext for plugins, which is not expected.
So this PR fixes the insecure access to root ApplicationContext.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/area plugin
/milestone 2.20.x
#### What this PR does / why we need it:
This PR disables access to ApplicationContext using ITemplateContext.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds chunked transfer support for rendering templates, which means that the maximum memory used by rendering a template will be the max chunk size instead of the size of the rendering result.
Users can define the max chunk size like below:

```yaml
maxChunkSize: 8KB # Setting to 0 will disable the chunked response.
```
#### Special notes for your reviewer:
1. Try to start Halo instance
2. Execute the command like below and see if the response headers contain `transfer-encoding: chunked`:

   ```
   http http://localhost:8090/ -p h
   HTTP/1.1 200 OK
   Cache-Control: no-cache, no-store, max-age=0, must-revalidate
   Content-Language: en-CN
   Content-Type: text/html
   Expires: 0
   Pragma: no-cache
   Referrer-Policy: strict-origin-when-cross-origin
   Vary: Origin
   Vary: Access-Control-Request-Method
   Vary: Access-Control-Request-Headers
   X-Content-Type-Options: nosniff
   X-Frame-Options: SAMEORIGIN
   X-XSS-Protection: 0
   content-encoding: gzip
   set-cookie: XSRF-TOKEN=1e677724-ce82-4b63-911c-f78b22cd9169; Path=/
   transfer-encoding: chunked
   ```
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/milestone 2.20.x
/area core
#### What this PR does / why we need it:
Replace references to deprecated `Version` methods with the new API.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind feature
/milestone 2.20.x
/area theme
#### What this PR does / why we need it:
Themes can obtain the Halo version number via `${site.version}`.
#### Which issue(s) this PR fixes:
#### Does this PR introduce a user-facing change?
Themes can obtain the Halo version number via `${site.version}`.
#### What type of PR is this?
/kind feature
/area plugin
#### What this PR does / why we need it:
This PR provides an interface ElementTagProcessor to make plugin handle element tag easily. e.g.:
```java
public class ImgTagProcessor implements ElementTagPostProcessor {

    public Mono<Void> process(ITemplateContext context, IProcessableElementTag tag,
        IElementTagStructureHandler structureHandler) {
        // Only handle <img> elements; leave every other tag untouched.
        var elementName = tag.getElementDefinition().getElementName();
        if (!Objects.equals("img", elementName.getElementName())) {
            return Mono.empty();
        }
        var srcAttr = tag.getAttribute("src");
        if (srcAttr == null) {
            return Mono.empty();
        }
        var newSrc = srcAttr.getValue();
        // TODO rewrite src
        structureHandler.setAttribute("src", newSrc);
        return Mono.empty();
    }
}
```
After this PR is merged, the plugins https://github.com/webp-sh/halo-plugin-webp-cloud and https://github.com/guqing/plugin-cloudinary can be refined with the new method.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
If we are running a Halo instance on a machine with little memory available, the JS/CSS bundle might not be accessible.
This PR refactors the generation of the JS and CSS bundle to use a fixed buffer size rather than the length of the original resources.
```
2024-09-02T15:01:27.667+08:00 WARN 62039 --- [boundedElastic-3] reactor.core.Exceptions : throwIfFatal detected a jvm fatal exception, which is thrown and logged below:
java.lang.OutOfMemoryError: Java heap space
	at java.base/java.nio.HeapByteBuffer.<init>(HeapByteBuffer.java:64) ~[na:na]
	at java.base/java.nio.ByteBuffer.allocate(ByteBuffer.java:363) ~[na:na]
	at org.springframework.core.io.buffer.DefaultDataBuffer.allocate(DefaultDataBuffer.java:234) ~[spring-core-6.1.12.jar:6.1.12]
	at org.springframework.core.io.buffer.DefaultDataBuffer.setCapacity(DefaultDataBuffer.java:196) ~[spring-core-6.1.12.jar:6.1.12]
	at org.springframework.core.io.buffer.DefaultDataBuffer.ensureWritable(DefaultDataBuffer.java:228) ~[spring-core-6.1.12.jar:6.1.12]
	at org.springframework.core.io.buffer.DefaultDataBuffer.write(DefaultDataBuffer.java:296) ~[spring-core-6.1.12.jar:6.1.12]
	at org.springframework.core.io.buffer.DefaultDataBuffer.write(DefaultDataBuffer.java:289) ~[spring-core-6.1.12.jar:6.1.12]
	at org.springframework.core.io.buffer.DefaultDataBuffer.write(DefaultDataBuffer.java:43) ~[spring-core-6.1.12.jar:6.1.12]
	at run.halo.app.core.extension.service.impl.PluginServiceImpl.lambda$uglifyJsBundle$17(PluginServiceImpl.java:257) ~[classes/:na]
	at run.halo.app.core.extension.service.impl.PluginServiceImpl$$Lambda$4661/0x000000c80214e298.accept(Unknown Source) ~[na:na]
	at reactor.core.publisher.FluxPeekFuseable$PeekFuseableSubscriber.onNext(FluxPeekFuseable.java:196) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxUsing$UsingFuseableSubscriber.onNext(FluxUsing.java:353) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxGenerate$GenerateSubscription.next(FluxGenerate.java:178) ~[reactor-core-3.6.9.jar:3.6.9]
	at org.springframework.core.io.buffer.DataBufferUtils$ReadableByteChannelGenerator.accept(DataBufferUtils.java:1002) ~[spring-core-6.1.12.jar:6.1.12]
	at org.springframework.core.io.buffer.DataBufferUtils$ReadableByteChannelGenerator.accept(DataBufferUtils.java:974) ~[spring-core-6.1.12.jar:6.1.12]
	at reactor.core.publisher.FluxGenerate.lambda$new$1(FluxGenerate.java:58) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxGenerate$$Lambda$4155/0x000000c802069228.apply(Unknown Source) ~[na:na]
	at reactor.core.publisher.FluxGenerate$GenerateSubscription.slowPath(FluxGenerate.java:271) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxGenerate$GenerateSubscription.request(FluxGenerate.java:213) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxUsing$UsingFuseableSubscriber.request(FluxUsing.java:320) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxPeekFuseable$PeekFuseableSubscriber.request(FluxPeekFuseable.java:144) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxFlatMap$FlatMapInner.onSubscribe(FluxFlatMap.java:968) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxPeekFuseable$PeekFuseableSubscriber.onSubscribe(FluxPeekFuseable.java:178) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxUsing$UsingFuseableSubscriber.onSubscribe(FluxUsing.java:347) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxGenerate.subscribe(FluxGenerate.java:85) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxUsing.subscribe(FluxUsing.java:102) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.Flux.subscribe(Flux.java:8848) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxFlatMap$FlatMapMain.onNext(FluxFlatMap.java:430) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxHandleFuseable$HandleFuseableSubscriber.tryOnNext(FluxHandleFuseable.java:135) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxIterable$IterableSubscriptionConditional.slowPath(FluxIterable.java:664) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxIterable$IterableSubscriptionConditional.request(FluxIterable.java:623) ~[reactor-core-3.6.9.jar:3.6.9]
	at reactor.core.publisher.FluxHandleFuseable$HandleFuseableSubscriber.request(FluxHandleFuseable.java:260) ~[reactor-core-3.6.9.jar:3.6.9]

2024-09-02T15:01:27.681+08:00 DEBUG 62039 --- [boundedElastic-3] a.w.r.e.AbstractErrorWebExceptionHandler : [131a559b-102] Resolved [OutOfMemoryError: Java heap space] for HTTP GET /apis/api.console.halo.run/v1alpha1/plugins/-/bundle.js
2024-09-02T15:01:27.681+08:00 ERROR 62039 --- [boundedElastic-3] a.w.r.e.AbstractErrorWebExceptionHandler : [131a559b-102] 500 Server Error for HTTP GET "/apis/api.console.halo.run/v1alpha1/plugins/-/bundle.js?v=1725260408176"
java.lang.OutOfMemoryError: Java heap space
	at java.base/java.nio.HeapByteBuffer.<init>(HeapByteBuffer.java:64) ~[na:na]
```
#### Does this PR introduce a user-facing change?
Address the issue where the Console fails to load plugin resources when memory is tight.
#### What type of PR is this?
/kind cleanup
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
Remove the SubscriptionServiceIntegrationTest class. The test class fails intermittently, and the cause cannot be determined for now.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
Fix the issue where a trailing slash in the external-url configuration made the "view notification" link in email notifications inaccessible.
#### Which issue(s) this PR fixes:
#### Does this PR introduce a user-facing change?
Fix the issue where a trailing slash in the external-url configuration made the "view notification" link in email notifications inaccessible.
#### What type of PR is this?
/kind feature
/area theme
/sig docs
/milestone 2.20.x
#### What this PR does / why we need it:
After this PR, we can define i18n message files next to the template file.
```
index.properties       # Higher priority than default.properties
index_zh.properties    # Higher priority than index.properties
index_zh_CN.properties # Higher priority than index_zh.properties
```
It's convenient for plugins that define the template files.
See https://www.thymeleaf.org/doc/tutorials/3.1/usingthymeleaf.html#standard-message-resolver for more.
#### Does this PR introduce a user-facing change?
Support internationalization in themes via Thymeleaf's default behavior.
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds support for changing the locale using the query parameter `language`. After the query is passed, we automatically send a `language` cookie back to the browser.
Please see the result below:
```
http http://localhost:8090/\?language\=zh-CN Accept:text/html -p h
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Language: zh-CN
Content-Type: text/html
Expires: 0
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 0
content-encoding: gzip
content-length: 4765
set-cookie: language=zh-CN; Path=/; Secure
set-cookie: XSRF-TOKEN=f0f2c972-0024-4575-aef2-0609356b4757; Path=/
```
#### Does this PR introduce a user-facing change?
Support switching the locale via the `language` parameter.
#### What type of PR is this?
/kind improvement
/area theme
/milestone 2.20.x
#### What this PR does / why we need it:
This PR simplifies ThemeLocaleContextResolver by removing unused attributes.
Another PR, <https://github.com/halo-dev/halo/pull/6647>, fixed locale resolution for the query parameter `language`. This PR fixes locale resolution for the cookie `language` as well.
Please see the results below:
```
http https://www.halo.run/ Cookie:language=zh-CN -p h
HTTP/1.1 200 OK
Content-Language: und

http http://localhost:8090 Cookie:language=zh-CN -p h
HTTP/1.1 200 OK
Content-Language: zh-CN
```
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind bug
/area theme
/milestone 2.20.x
#### What this PR does / why we need it:
If we pass a query `language` while requesting the index page, we will get the wrong header `Content-Language`. Please see the result below:

```
http https://www.halo.run/\?language\=zh-CN -p h
HTTP/1.1 200 OK
Content-Language: und
```

After fixing, we will get the right header `Content-Language`.

```
http http://localhost:8090/\?language\=zh-CN -p h
HTTP/1.1 200 OK
Content-Language: zh-CN
```
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind feature
/area core
/area plugin
/milestone 2.20.x
#### What this PR does / why we need it:
Currently, we are refactoring login and logout pages to make them extensible. If plugins want to realize a new authentication method, the CryptoService and RateLimiterRegistry may be used to authenticate.
So this PR exposes the two beans to plugins. No side effect will be introduced.
#### Does this PR introduce a user-facing change?
[Development] Allow plugins to use CryptoService and RateLimiterRegistry
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
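Optimize the request headers used when generating thumbnails from a URI
1. Previously the attachment permalink was `URI.toString`, so looking up an attachment by the permalink index could fail because of encoding issues, which meant thumbnails could only be generated from the URI
2. nginx may be configured to check request headers and reject requests from scripts, so the image cannot be accessed by URI and the thumbnail cannot be generated, for example
if ($http_user_agent ~* (python|curl|java|wget|go-http-client|httpclient|okhttp)) {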
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR filters out blank role names while granting roles to a user to prevent null roles in permissions.
#### Which issue(s) this PR fixes:
Fixes https://github.com/halo-dev/halo/issues/6604
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
Fix the issue where GIF thumbnail generation keeps only the first frame
#### Which issue(s) this PR fixes:
#### Does this PR introduce a user-facing change?
Fix the issue where GIF thumbnail generation keeps only the first frame
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
#### Which issue(s) this PR fixes:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR adds the keyword `synchronized` to the methods `addOrUpdateDocuments`, `deleteDocuments` and `deleteAll` to ensure the write lock of Lucene is obtained by only one IndexWriter at a time.
#### Which issue(s) this PR fixes:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind improvement
/milestone 2.19.0
#### What this PR does / why we need it:
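Change the thumbnail generation mode to automatic; speed-first mode causes a high image distortion rate, and some images look rather blurry at the w1600 size.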
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.19.x
#### What this PR does / why we need it:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind cleanup
/area core
/milestone 2.19.0
#### What this PR does / why we need it:
For backward compatibility, the slug of single page should not be unique.
BTW, the problem was introduced by <https://github.com/halo-dev/halo/pull/6540>.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.19.x
#### What this PR does / why we need it:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind bug
/area core
/milestone 2.19.x
#### What this PR does / why we need it:
Fix the issue where the sort parameter of postFinder's list does not take effect
This issue was caused by https://github.com/halo-dev/halo/pull/6531
#### Which issue(s) this PR fixes:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind bug
/area core
/milestone 2.19.0
#### What this PR does / why we need it:
This PR refactors LuceneSearchEngine to let IndexWriter and SearcherManager load lazily to prevent LockObtainFailedException when performing a rolling update.
#### Which issue(s) this PR fixes:
#### Special notes for your reviewer:
1. Use MySQL or PostgreSQL as database for Halo
2. Start an instance of Halo
3. Try to initialize Halo and search posts
4. Change the `server.port` and start another instance of Halo
5. Check the status of another instance
#### Does this PR introduce a user-facing change?
Fix the issue where a new Halo instance cannot start during a rolling update
#### What type of PR is this?
/kind cleanup
/kind improvement
/area core
/milestone 2.19.0
#### What this PR does / why we need it:
This PR refactors some requests with sort parameter by reusing SortableRequest, and refactors some queries with indexer.
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.19.x
#### What this PR does / why we need it:
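Rename the thumbnail size parameter to be consistent with the finder usage on the theme side
Also ensure that thumbnails can be retrieved with either an encoded or an unencoded URI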
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind feature
/milestone 2.19.x
/area core
#### What this PR does / why we need it:
Add a list method with unified parameters to postFinder and support passing sort parameters
Fixes https://github.com/halo-dev/halo/issues/4933
#### Does this PR introduce a user-facing change?
Add a list method with unified parameters to postFinder and support passing sort parameters
#### What type of PR is this?
/kind bug
/area core
/milestone 2.19.0
#### What this PR does / why we need it:
This PR corrects list options builder for listing aggregated roles, because I wrongly used the label selector in <https://github.com/halo-dev/halo/pull/6471>.
#### Special notes for your reviewer:
1. Try to install the plugin <https://www.halo.run/store/apps/app-YXyaD>
2. Enable the plugin and enable setting `匿名评论需要验证码`
3. **Anonymously** request any of the posts with comment enabled
4. Check the captcha in comment area
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.19.x
#### What this PR does / why we need it:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/kind improvement
/area core
/milestone 2.19.0
#### What this PR does / why we need it:
#### Does this PR introduce a user-facing change?
#### What type of PR is this?
/area core
/kind feature
/milestone 2.19.x
#### What this PR does / why we need it:
Upgrade the default theme to version [1.9.0](https://github.com/halo-dev/theme-earth/releases/tag/v1.9.0).
#### Does this PR introduce a user-facing change?