| 1 | +## [5.1.0] - 2025-12-12 |
| 2 | +### Added |
| 3 | +- ORCID OpenID Connect login support with JWT token verification |
| 4 | +- `CORSFilter` response filter for cross-origin resource sharing on static assets |
| 5 | +- Cache invalidation (BAN requests) for agent and user account lookup queries |
| 6 | +- New `Application::normalizeOrigin` method for origin normalization |
| 7 | +- `ldh:parent-origin` XPath function for parent origin retrieval |
| 8 | +- HTTP tests for CORS functionality, internal IP blocking, and form proxying |
| 9 | +- `ForbiddenExceptionMapper` for handling forbidden exceptions |
| 10 | +- `Content-Security-Policy` header for uploaded files to prevent XSS attacks |
| 11 | +- Sticky left and right navigation panels |
| 12 | +- Support for recursive content blocks |
| 13 | +- Docker volume for Varnish cache file persistence |
| 14 | + |
| 15 | +### Changed |
| 16 | +- **BREAKING**: Admin application moved from `/admin/` path to `admin.` subdomain |
| 17 | +- **BREAKING**: Replaced `ldt:base` with `ldh:origin` in configuration (now uses absolute URIs with full domain names) |
| 18 | +- Refactored OAuth2 authentication with extracted base classes `AuthorizeBase`, `LoginBase`, and `JWTVerifier` |
| 19 | +- Provider-specific implementations for Google and ORCID OAuth flows in separate packages |
| 20 | +- Authorization queries now isolated by dataspace using `FILTER(strstarts(str(?g), str($base)))` |
| 21 | +- Optimized Varnish caching for authenticated requests with proper cache bypass for user-specific content |
| 22 | +- Root domain extraction logic replaced with configured `BASE_URI` from `Application.getBaseURI()` |
| 23 | +- Eliminated unnecessary wrapper methods (`getRootContextURI()`) in favor of direct `getSystem().getBaseURI()` calls |
| 24 | +- Client-side XSLT now uses `ldt:base()` function instead of `$ldt:base` parameter |
| 25 | +- OAuth and access request endpoints moved to end-user dataspace (no longer extend `GraphStoreImpl` or `SPARQLEndpointImpl`) |
| 26 | +- ID tokens now returned via URL fragment instead of query parameters |
| 27 | +- CLI scripts refactored: `--fragment` parameter renamed to `--uri` |
| 28 | +- Nginx configuration now exempts internal requests from rate limiting |
| 29 | +- Parameterized nginx and Varnish configurations for better flexibility |
| 30 | +- Improved `ClientUriRewriteFilter` to use configured host instead of hardcoded localhost |
| 31 | +- Agent metadata and authorizations now managed per-app in entrypoint.sh |
| 32 | +- Separated templates for owner and secretary authorizations |
| 33 | +- Fuseki data directory changed in Docker configuration |
| 34 | +- `$ORIGIN` environment variable now excludes default ports (80/443) |
| 35 | +- WYMEditor cross-origin compatibility fixes |
| 36 | +- Replaced `ldh:new` with `ixsl:new` in client-side code |
| 37 | + |
| 38 | +### Fixed |
| 39 | +- Fixed security vulnerability [LNK-002 (cache poisoning)](https://github.com/AtomGraph/LinkedDataHub/issues/253) |
| 40 | +- Fixed security vulnerability [LNK-004 (path traversal)](https://github.com/AtomGraph/LinkedDataHub/issues/252) |
| 41 | +- Fixed security vulnerability [LNK-009 (SSRF - internal IP address proxying)](https://github.com/AtomGraph/LinkedDataHub/issues/250) |
| 42 | +- Fixed security vulnerability [LNK-011 (XSS via uploaded files)](https://github.com/AtomGraph/LinkedDataHub/issues/254) |
| 43 | +- Fixed Billion Laughs [XML entity expansion exploit](https://github.com/AtomGraph/LinkedDataHub/issues/249) by excluding Xerces dependency |
| 44 | +- Fixed OpenLayers map dragging functionality |
| 45 | +- Fixed graph layout rendering issues |
| 46 | +- Fixed SPARQL update and `application/x-www-form-urlencoded` proxying |
| 47 | +- Fixed access request URL building and modal form display |
| 48 | +- Fixed `ldh:Shape` mode in XSLT |
| 49 | +- Fixed HTML reloading after OAuth login |
| 50 | +- Improved SHACL support in UI with better form controls |
| 51 | +- Fixed performance regression in `ClientUriRewriteFilter` for production deployments |
| 52 | +- Fixed agent and user account duplicate creation via proper cache invalidation |
| 53 | +- Fixed same-site URI resolution for XSLT document loading across subdomains |
| 54 | +- Fixed entrypoint to load datasets for all configured apps |
| 55 | +- Fixed authorization filter to handle non-existent dataspaces (throws `NotFoundException`) |
| 56 | + |
| 57 | +### Removed |
| 58 | +- Removed `RequestAccess` resource from admin package (moved to end-user) |
| 59 | +- Removed `admin/oauth2` package (OAuth moved to end-user dataspace) |
| 60 | +- Removed XOM dependency |
| 61 | +- Removed rate limiting tests from HTTP test suite |
| 62 | +- Removed debug output from entrypoint and test scripts |
| 63 | +- Removed unused namespace declarations |
| 64 | + |
1 | 65 | ## [5.0.23] - 2025-09-11 |
2 | 66 | ### Added |
3 | 67 | - Drag handles for content blocks - blocks can now only be dragged by their dedicated drag handles |
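Review bot: the "Removed rate limiting tests from HTTP test suite" entry under Removed needs a justification, because the same release changes the nginx rate-limiting behaviour ("Nginx configuration now exempts internal requests from rate limiting") and this leaves that control without test coverage; either state why the tests were dropped or note what replaced them. The two **BREAKING** entries under Changed (admin app moved to the `admin.` subdomain, `ldt:base` replaced by `ldh:origin` with absolute URIs) should carry migration guidance for operators upgrading from 5.0.x, since both require config, DNS and certificate changes that the entries only imply. The Billion Laughs entry says the fix was made "by excluding Xerces dependency"; a reader will want to know which parser now handles XML and that DTD processing or entity expansion is disabled in it, otherwise the entry reads as relying on a dependency change alone. Minor: "Improved SHACL support in UI with better form controls" is an enhancement, not a fix, and belongs under Added or Changed.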