Teedy v2.6.0: unified navigation, security hardening, file drop zones, color palette

Author: fmaass

.github/workflows/build-deploy.yml

@@ -73,21 +73,21 @@ jobs:
           path: docs-web/target
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Log in to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker metadata
         id: metadata
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
@@ -98,7 +98,7 @@ jobs:
             type=raw,value={{branch}}-rc-{{sha}},enable=${{ startsWith(github.ref, 'refs/heads/release/') }}
 
       - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v7
         with:
           context: .
           platforms: linux/amd64,linux/arm64

Dockerfile

@@ -73,4 +73,4 @@ USER jetty
 HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
     CMD curl -f http://localhost:8080/api/user || exit 1
 
-CMD java ${JAVA_OPTIONS} -jar /opt/jetty/start.jar
+CMD ["sh", "-c", "exec java ${JAVA_OPTIONS} -jar /opt/jetty/start.jar"]

ROADMAP.md

@@ -139,50 +139,79 @@ See [release notes](https://github.com/fmaass/teedy-docs/releases/tag/v2.5.0) fo
 
 ---
 
-## v2.6.0 (Planned)
+## v2.6.0 (Released)
 
 **Theme:** Security Hardening + Unified Navigation
 
 ### Unified document view
 
-- Merge Documents and Browse into a single view with three zones: tag tree sidebar (left), address bar with active/related tags and search (top), document list (main)
-- Tag tree always visible alongside documents, with facet-driven counts and auto-expand to active branches
-- Document slide-over panel (side peek) to preview documents without leaving the list
+- Merged Documents and Browse into a single three-zone layout: tag tree sidebar (left), search bar with filter chips (top), document list (main)
+- Tag tree always visible with facet-driven counts and auto-expand to active branches
+- Document slide-over panel to preview documents without leaving the list
 - AND/OR toggle for tag intersection vs union mode
-- Tag exclusion UI: tri-state per tag (neutral / included / excluded) with visual differentiation on chips; backend `!tag:` / `search[nottag]` already supports this
-- Untagged document filter: "Untagged" pseudo-node or toggle to surface documents with zero tags
-- Quick tagging from document list: right-click context menu with tag picker to add/remove tags without opening the edit form
-- Replaces the separate Documents and Browse navigation items with a single "Documents" view
+- Tag exclusion UI: tri-state per tag (neutral / included / excluded) with visual chips
+- Quick tagging from document list context menu
 
-### Login brute force protection
+### File drop zones
 
-- Per-IP and per-username rate limiting with exponential backoff after failed attempts
-- Configurable thresholds via env vars
+- Drag-and-drop file upload on document edit form and Files tab
+- Visual feedback on drag hover, pending file list with sizes
+- Direct upload on Files tab without entering edit mode
 
-### Password change verification
+### Auto-tag from filter
 
-- Require current password when changing password via self-update endpoint
-- Frontend form update
+- New documents pre-populate tags from currently selected tags in the tag tree
+- Convenience default — users can remove tags before saving
 
-### File upload size limits
+### Security hardening
 
-- Configurable maximum upload size (env var, default 500MB)
-- Enforce at stream level before writing to disk
+- Login brute force protection: per-IP and per-username rate limiting with exponential backoff, HTTP 429 + Retry-After header, 15-minute max lockout
+- Session token lifetime reduced from 20 years to 90 days with sliding expiry (token rotation on authenticated requests)
+- Password complexity enforcement: minimum 8 characters, mixed case + digit, reject username as password
+- Auth cookie Secure + HttpOnly flags, security response headers
+- Lucene: removed NoLockFactory, commit-only-on-success, synchronized reader access
 
-### OIDC linking security
+### Upload size limits
 
-- Prevent auto-linking OIDC accounts to existing local accounts without explicit authorization
-- Require local login or admin approval for first-time binding
+- Configurable maximum upload size via `DOCS_MAX_UPLOAD_SIZE` env var (default 500 MB)
+- Exposed in Settings UI as read-only system info
 
-### Session token lifetime
+### Unified color palette
 
-- Reduce "remember me" token lifetime from 20 years to 90 days
-- Token rotation on authenticated requests
+- Self-contained primary color ramp derived from Teedy blue (#2aabd2), no external palette references
+- Status colors (success/warning/danger/info) use PrimeVue semantic tokens for automatic dark mode and theme switching
+- Design token system via teedy-tokens.css with PrimeVue variable delegation
 
-### Password complexity
+### Frontend modernization
 
-- Enforce mixed-case + digit or zxcvbn-based strength check
-- Reject passwords matching the username
+- Component decomposition: AppHeader, TagTreePanel, TagFilterChips, DocumentSearchBar, DocumentTable, DocumentSlideOver, PdfViewer
+- PDF.js canvas renderer replacing iframe embeds
+- Accessibility: ARIA labels on icon-only buttons, ARIA tab roles, PrimeVue Select components
+- Design tokens and PrimeVue migration across settings, document, and tag views
+
+### Infrastructure
+
+- Docker CMD JSON form for proper signal forwarding
+- GitHub Actions upgraded to Node.js 24 compatible versions
+- Legacy AngularJS removed (180 dead files from src-legacy/)
+
+See [release notes](https://github.com/fmaass/teedy-docs/releases/tag/v2.6.0) for details.
+
+---
+
+## v2.7.0 (Planned)
+
+**Theme:** TBD
+
+### Password change verification
+
+- Require current password when changing password via self-update endpoint
+- Frontend form update
+
+### OIDC linking security
+
+- Prevent auto-linking OIDC accounts to existing local accounts without explicit authorization
+- Require local login or admin approval for first-time binding
 
 ### Bulk operations
 

docs-core/pom.xml

@@ -5,7 +5,7 @@
   <parent>
     <groupId>com.sismics.docs</groupId>
     <artifactId>docs-parent</artifactId>
-    <version>2.5.0</version>
+    <version>2.6.0</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 

docs-core/src/main/java/com/sismics/docs/core/dao/AuthenticationTokenDao.java

@@ -97,6 +97,23 @@ public void updateLastConnectionDate(String id) {
         q.executeUpdate();
     }
 
+    /**
+     * Updates the creation date of a token (used for token rotation / sliding expiry).
+     *
+     * @param authenticationToken Authentication token with updated creation date
+     */
+    public void updateCreationDate(AuthenticationToken authenticationToken) {
+        StringBuilder sb = new StringBuilder("update T_AUTHENTICATION_TOKEN ato ");
+        sb.append(" set AUT_CREATEDATE_D = :creationDate ");
+        sb.append(" where ato.AUT_ID_C = :id");
+
+        EntityManager em = ThreadLocalContext.get().getEntityManager();
+        Query q = em.createNativeQuery(sb.toString());
+        q.setParameter("creationDate", authenticationToken.getCreationDate());
+        q.setParameter("id", authenticationToken.getId());
+        q.executeUpdate();
+    }
+
     /**
      * Returns all authentication tokens of an user.
      * 

docs-core/src/main/java/com/sismics/docs/core/dao/TagDao.java

@@ -306,5 +306,58 @@ public long countDocumentsWithAllTags(List<String> tagIds) {
         q.setParameter("tagCount", (long) tagIds.size());
         return ((Number) q.getSingleResult()).longValue();
     }
+
+    /**
+     * Returns tags that co-occur with any of the given selected tags (OR logic).
+     *
+     * @param selectedTagIds List of currently selected tag IDs
+     * @return Map of tag ID to document count (excludes already-selected tags)
+     */
+    @SuppressWarnings("unchecked")
+    public Map<String, Long> getCoOccurringTagCountsOr(List<String> selectedTagIds) {
+        if (selectedTagIds == null || selectedTagIds.isEmpty()) {
+            return getTagDocumentCounts();
+        }
+
+        EntityManager em = ThreadLocalContext.get().getEntityManager();
+        Query q = em.createNativeQuery(
+                "select dt.DOT_IDTAG_C, count(distinct dt.DOT_IDDOCUMENT_C) " +
+                "from T_DOCUMENT_TAG dt " +
+                "join T_DOCUMENT d on d.DOC_ID_C = dt.DOT_IDDOCUMENT_C and d.DOC_DELETEDATE_D is null " +
+                "where dt.DOT_DELETEDATE_D is null " +
+                "and dt.DOT_IDTAG_C not in (:selectedTagIds) " +
+                "and dt.DOT_IDDOCUMENT_C in (" +
+                "  select dt2.DOT_IDDOCUMENT_C from T_DOCUMENT_TAG dt2 " +
+                "  where dt2.DOT_IDTAG_C in (:selectedTagIds) " +
+                "  and dt2.DOT_DELETEDATE_D is null " +
+                ") " +
+                "group by dt.DOT_IDTAG_C");
+        q.setParameter("selectedTagIds", selectedTagIds);
+        List<Object[]> rows = q.getResultList();
+        Map<String, Long> result = new HashMap<>();
+        for (Object[] row : rows) {
+            result.put((String) row[0], ((Number) row[1]).longValue());
+        }
+        return result;
+    }
+
+    /**
+     * Counts documents matching any of the given tags (OR logic).
+     *
+     * @param tagIds Tag IDs
+     * @return Number of matching documents
+     */
+    public long countDocumentsWithAnyTag(List<String> tagIds) {
+        if (tagIds == null || tagIds.isEmpty()) {
+            return 0;
+        }
+        EntityManager em = ThreadLocalContext.get().getEntityManager();
+        Query q = em.createNativeQuery(
+                "select count(distinct dt.DOT_IDDOCUMENT_C) from T_DOCUMENT_TAG dt " +
+                "join T_DOCUMENT d on d.DOC_ID_C = dt.DOT_IDDOCUMENT_C and d.DOC_DELETEDATE_D is null " +
+                "where dt.DOT_IDTAG_C in (:tagIds) and dt.DOT_DELETEDATE_D is null");
+        q.setParameter("tagIds", tagIds);
+        return ((Number) q.getSingleResult()).longValue();
+    }
 }
 

docs-core/src/main/java/com/sismics/docs/core/dao/criteria/DocumentCriteria.java

@@ -93,6 +93,12 @@ public class DocumentCriteria {
      */
     private Boolean deleted;
 
+    /**
+     * Tag combination mode: "and" (default) requires all tag groups to match,
+     * "or" requires any tag group to match.
+     */
+    private String tagMode = "and";
+
     public List<String> getTargetIdList() {
         return targetIdList;
     }
@@ -208,4 +214,12 @@ public Boolean getDeleted() {
     public void setDeleted(Boolean deleted) {
         this.deleted = deleted;
     }
+
+    public String getTagMode() {
+        return tagMode;
+    }
+
+    public void setTagMode(String tagMode) {
+        this.tagMode = tagMode;
+    }
 }

docs-core/src/main/java/com/sismics/docs/core/util/indexing/LuceneIndexingHandler.java

@@ -312,7 +312,9 @@ public void findByCriteria(PaginatedList<DocumentDto> paginatedList, List<String
             parameterMap.put("title", criteria.getTitleList());
         }
         if (!criteria.getTagIdList().isEmpty()) {
+            boolean orMode = "or".equalsIgnoreCase(criteria.getTagMode());
             int index = 0;
+            List<String> allTagCriteria = orMode ? Lists.newArrayList() : null;
             for (List<String> tagIdList : criteria.getTagIdList()) {
                 List<String> tagCriteriaList = Lists.newArrayList();
                 for (String tagId : tagIdList) {
@@ -321,7 +323,14 @@ public void findByCriteria(PaginatedList<DocumentDto> paginatedList, List<String
                     tagCriteriaList.add(String.format("dt%d.DOT_ID_C is not null", index));
                     index++;
                 }
-                criteriaList.add("(" + Joiner.on(" OR ").join(tagCriteriaList) + ")");
+                if (orMode) {
+                    allTagCriteria.addAll(tagCriteriaList);
+                } else {
+                    criteriaList.add("(" + Joiner.on(" OR ").join(tagCriteriaList) + ")");
+                }
+            }
+            if (orMode && !allTagCriteria.isEmpty()) {
+                criteriaList.add("(" + Joiner.on(" OR ").join(allTagCriteria) + ")");
             }
         }
         if (!criteria.getExcludedTagIdList().isEmpty()) {

docs-web-common/pom.xml

@@ -5,7 +5,7 @@
   <parent>
     <groupId>com.sismics.docs</groupId>
     <artifactId>docs-parent</artifactId>
-    <version>2.5.0</version>
+    <version>2.6.0</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 

docs-web-common/src/main/java/com/sismics/rest/util/ValidationUtil.java

@@ -221,4 +221,29 @@ public static Date validateDate(String s, String name, boolean nullable) throws
             throw new ClientException("ValidationError", MessageFormat.format("{0} must be a date", name));
         }
     }
+
+    /**
+     * Validates password strength: 8+ chars, at least one uppercase, one lowercase, one digit.
+     * Rejects passwords matching the username (case-insensitive).
+     *
+     * @param password Password to validate
+     * @param username Username to compare against
+     */
+    public static void validatePasswordStrength(String password, String username) {
+        if (password == null || password.length() < 8) {
+            throw new ClientException("ValidationError", "Password must be at least 8 characters");
+        }
+        boolean hasUpper = false, hasLower = false, hasDigit = false;
+        for (char c : password.toCharArray()) {
+            if (Character.isUpperCase(c)) hasUpper = true;
+            else if (Character.isLowerCase(c)) hasLower = true;
+            else if (Character.isDigit(c)) hasDigit = true;
+        }
+        if (!hasUpper || !hasLower || !hasDigit) {
+            throw new ClientException("ValidationError", "Password must contain at least one uppercase letter, one lowercase letter, and one digit");
+        }
+        if (username != null && password.equalsIgnoreCase(username)) {
+            throw new ClientException("ValidationError", "Password must not match the username");
+        }
+    }
 }