Added
7.0.59 2026-05-31
ub-auth.html: uiSettings.adminUI.faviconURL support on the authorization page
7.0.58 2026-05-26
UPdfViewerExt: iframe-side architecture rewrite. The viewer is now driven by an
iframe-side module host (iframe/moduleHost.js) where built-in features (pdfDocument,
semanticHighlight, summary, customButtons) and external features are self-contained
modules with a uniform install(api) contract.
External packages ship iframe-side functionality (toolbar buttons, button actions,
eventBus listeners, postMessage handlers) by declaring iframeModule: { src }
on pdfViewerExtensions.register(id, ext);
globalThis.__upveModules.register({ id, install }) is the same hook used by built-in
modules — there is no second-class API for external code.
The parent awaits all extension scripts via
pdfViewerExtensions.injectIframeModules(iframeWindow).loaded before the iframe
bootstraps, so every module is installed before the first prop watcher fires.
See components/controls/UFile/views/UPdfViewerExt/iframe/README.md for the full
extension guide (how to add a module, toolbar button, action, message handler).
UPdfViewerExt: new public method print() that programmatically triggers the browser
print dialog (respects allowPrint prop); new events before-print and after-print
emitted regardless of whether print was triggered by the toolbar button or programmatically.
UPdfViewerExt: toolbarButtons prop and pdfViewerExtensions registry — register
custom toolbar buttons, document lifecycle hooks and panel interactions without
modifying the component source. Buttons support toggle-right-panel action with
interactive panelItems, dynamic state updates via updateToolbarButton(buttonId, patch),
and toolbar-button-click / panel-item-click events.
fileRendererFactory, fileRendererMixin: third-party code can now register custom file renderers for
any MIME type without modifying UFileRenderer. Use fileRendererMixin in the renderer component to
receive all standard props (file, entityName, attributeName, recordId, fileOrigName,
previewEditable), then register the component via fileRendererFactory.registerRenderer():
const { fileRendererFactory, fileRendererMixin } = require('@unitybase/adminui-vue')

// GltfRenderer.vue — use fileRendererMixin to get all standard props
export default {
  mixins: [fileRendererMixin]
  // file, entityName, attributeName, recordId, fileOrigName, previewEditable are available
}

// registration
fileRendererFactory.registerRenderer({
  match: ({ contentType }) => contentType === 'model/gltf+json',
  component: require('./GltfRenderer.vue').default
})
UBAuthCore.checkOIDCRedirectResponse(vm): new utility that detects an OIDC
auth response encoded in the URL hash (#oidc=...) after a same-window redirect
and immediately resolves window.deferred, completing authentication without any
user interaction. Call from onCredentialRequired in auth pages.
ub-auth.html / UBAuthCore.doOpenIDLogin: OpenID Connect login on the initial
login page now uses a same-window redirect instead of a popup window, avoiding
popup-blocker issues and aligning with the standard OAuth2 Authorization Code Flow.
Session-expired relogin (UAuthOpenidconnect.vue) still uses the popup to preserve
SPA state.
UBAuthCore: new loginWithFullPageRedirect reactive data field (default false).
When uiSettings.adminUI.loginWithFullPageRedirect is true in ubConfig.json,
doOpenIDLogin uses a full-page redirect to the selected OIDC provider instead of a popup,
regardless of how many providers are configured.
Additionally, if only one OpenIDConnect provider is the sole auth method, applyAppConfig
automatically redirects to the provider on page load, bypassing the ub-auth form.
The auto-redirect is skipped when the user explicitly logged out to prevent silent
re-authentication via an active IdP session.
7.0.57 2026-05-07
USelectMultiple: added popperClass prop to pass a custom class to the dropdown popper for styling
Changed
7.0.58 2026-05-26
package.json: overrides force element-ui to resolve async-validator@^4.2.5, dropping the legacy
async-validator@1.x → babel-runtime → core-js@2 chain from installs of this package
7.0.57 2026-05-07
UTableEntity: when exporting to xls/html format, only visible columns are now exported (as in the Ext grid)
Deprecated
7.0.58 2026-05-26
UFileRenderer: fileRenderer.$refs.view is no longer accessible. Use fileRenderer.getBlobViewer() instead.
Removed
7.0.58 2026-05-26
UPdfViewerExt: removed the legacy single-file viewer at
components/controls/UFile/views/UPdfViewerExt.vue (with its accompanying
UPdfViewerExt.md). The folder-based viewer at
components/controls/UFile/views/UPdfViewerExt/UPdfViewerExt.vue is the only
shipped implementation; both registrations previously bound the same Vue
component name (UPdfViewerExt) so the legacy registration was already
dead code (utils/install-ub-components.js). The styleguidist config in
apps/docs-adminui now points at the folder-based path.
components/controls/UFile/views/PdfViewerExt_InsideIframe.js — legacy 1.2K-line
iframe-side script replaced by the iframe module bundle
(dist/updf-viewer-iframe.min.js) produced from
components/controls/UFile/views/UPdfViewerExt/iframe/index.js. The only remaining
consumer (adminui-pub UB.ux.PDFComponent) is migrated to the new bundle in the
same release.
- prevent calling logout twice when the user closes a browser tab: first for beforeunload and second for pagehide
UToolbar: support dropdownOnly: true setting for default buttons
Fixed
7.0.59 2026-05-31
- SECURITY harden OpenID Connect login flows in UBAuthCore and UAuthOpenidconnect:
popup postMessage consumers now require exact event.origin equality, and post-login
returnUrl redirects are parsed with URL and allowed only for the exact current origin
clickOutside: ignore programmatic clicks where e.target === document.body to prevent closing dropdowns
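The exact-origin and returnUrl checks named in the OpenID Connect hardening entry above, sketched as an added example (not UnityBase source code). The function names, the `app.example.com` origin and the sample inputs are assumptions made for illustration.

```javascript
// Added example; function names and origins are hypothetical, not UnityBase APIs.

// Resolve a post-login returnUrl against the current origin and accept it
// only when the parsed origin is exactly the current one. Returns the
// normalized absolute URL, or null when the target must be rejected.
function safeReturnUrl (returnUrl, currentOrigin) {
  if (typeof returnUrl !== 'string' || returnUrl === '') return null
  let target
  try {
    target = new URL(returnUrl, currentOrigin)
  } catch (e) {
    return null // unparsable input is never used as a redirect target
  }
  // Opaque origins (javascript:, data:) serialize as "null" and fail here
  return target.origin === currentOrigin ? target.href : null
}

// Loose prefix check, shown for contrast only (constructed, not the project's old code)
function looseOriginCheck (event, expectedOrigin) {
  return String(event.origin).startsWith(expectedOrigin)
}

// Exact equality, as the entry describes for popup postMessage consumers
function exactOriginCheck (event, expectedOrigin) {
  return event.origin === expectedOrigin
}

// Constructed sample inputs
const APP_ORIGIN = 'https://app.example.com'
const RETURN_URL_SAMPLES = [
  '/adm/index.html', // same-origin relative path: accepted
  'HTTPS://APP.EXAMPLE.COM/adm', // same origin after normalization: accepted
  '//evil.example/x', // protocol-relative, different host: rejected
  '/\\evil.example', // backslash is parsed as a slash: rejected
  'https://app.example.com.evil.example/', // look-alike host: rejected
  'https://app.example.com@evil.example/', // userinfo trick: rejected
  'https://app.example.com:8443/' // different port, different origin: rejected
]

// Returns [input, normalizedUrlOrNull] pairs for the samples above
function classifySamples () {
  return RETURN_URL_SAMPLES.map(u => [u, safeReturnUrl(u, APP_ORIGIN)])
}
```

Comparing the parsed `origin` rather than the raw string is what rejects the look-alike host, userinfo and backslash samples.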
7.0.58 2026-05-26
UBVueApp.wrapTab().on(): read the current tab from items instead of the stale
closure so that subsequent tab.on(...) calls no longer wipe previously bound handlers
- Vue navbar tab for an Ext-based form now invokes BasePanel.beforeClose() on close,
so the unsaved-data confirmation dialog is shown when the user closes the tab via the
Vue navbar
- Vue navbar tab title for an Ext-based form now reflects the form dirty state with the
* prefix and stays in sync with setTitle calls coming from the Ext form
7.0.57 2026-05-07
UToolbar: fixed keyboard shortcuts (Ctrl+S, Ctrl+R) not working when a non-Latin
keyboard layout (e.g. Ukrainian, Russian) is active. e.key returns a layout-specific character instead
of the Latin letter, so the conditions never matched and e.preventDefault() was never called for Ctrl+S,
causing the browser's native "Save page" dialog to open instead of saving the form. Fixed by switching to e.code
(e.g. 'KeyS', 'KeyR') which is layout-independent.
UToolbar: fixed Ctrl+Enter ("Save & Close") closing all open unsaved forms simultaneously instead of only
the currently active one. Root cause: the keydown listener was attached to this.$root.$el (the application
root), so every mounted toolbar received and handled the same event. Fixed by adding a guard in onKeydownActions:
if (!this.$parent.$el.contains(document.activeElement)) return — the handler now reacts only when the focused
element belongs to this toolbar's parent form container.
el-dialog: fixed an issue where dialogs rendered without the append-to-body prop had incorrect stacking context — the dialog body appeared behind the overlay backdrop due to a lower z-index on the tabs content container. Resolved by resetting tabsContentEl.style.zIndex to unset
Chores
7.0.58 2026-05-26
- update sanitize-html dependency
Added
7.0.43 2026-05-26
index.mustache: favicon is now resolved dynamically from uiSettings.adminUI.faviconURL.
If specified, replaces the default /favicon.ico in <link rel="shortcut icon"> and <link rel="icon"> elements
Changed
7.0.43 2026-05-26
UB.ux.PDFComponent: extended-pdf-viewer mode now injects the iframe module
bundle (@unitybase/adminui-vue/dist/updf-viewer-iframe.min.js) instead of the
removed legacy PdfViewerExt_InsideIframe.js. The new iframe runtime requires a
UPdfViewerExt:ready → UPdfViewerExt:beginBootstrap handshake before its
module host bootstraps; the component now listens for ready from its iframe
and replies with beginBootstrap immediately (no pdfViewerExtensions are
registered on the ExtJS side). The handshake listener is removed in
onDestroy() to avoid leaks when the panel is closed.
Added
7.0.45 2026-05-26
index.mustache: favicon is now resolved dynamically from uiSettings.adminUI.faviconURL.
If specified, replaces the default /favicon.ico in <link rel="shortcut icon"> and <link rel="icon"> elements
Changed
5.24.34 2026-05-31
SyncConnection.authorize for the root user (console only) no longer calls /auth
Changed
1.1.99 2026-05-26
ULogView, ULogFiles: toolbar extracted into a new ULogToolbar component with its own styles instead of relying on u-toolbar classes from UToolbar
Added
5.25.5 2026-05-31
- SECURITY per-request OIDC nonce
- SECURITY: validate id_token claims before trusting any data from it
- New optional provider config property issuer: the expected value of the iss claim in the id_token.
If omitted, issuer validation is skipped. Pre-configured providers in ubConfig-partial.json now include the correct issuer value:
- Google: "https://accounts.google.com"
- Azure: "https://login.microsoftonline.com/<tenant>/v2.0"
Migration: add "issuer" to each provider section in your ubConfig.json.
5.25.4 2026-05-26
OpenIdProvider: support same-window redirect flow for initial login pages.
When the OIDC endpoint is called with a returnUrl query parameter (same-origin validated),
the auth result is encoded in the URL hash (#oidc=...) and the browser is redirected back
to the login page instead of using postMessage + window.close().
The popup-based flow (session-expired relogin inside SPA) is fully preserved and unchanged.
- Support for URI-based multitenant environments. resolveExternalURL resolves tenant-specific
origin by looking up Session.tenantID in security.multitenancy.tenants[] and inheriting
the scheme from App.externalURL. Header-based MT (tenantIDHeader) is explicitly not supported
by the OIDC endpoint and will throw an error
Changed
5.25.5 2026-05-31
- SECURITY BREAKING: userInfoAddAuthHeader now defaults to true, switching userinfo
requests to the more secure Authorization header transport by default. Setting userInfoAddAuthHeader: false
preserves legacy compatibility mode: GET sends access_token in the query string, and POST sends it in the form body.
Otherwise, the token is sent only in the Authorization: Bearer header.
5.25.4 2026-05-26
- SECURITY unified all random token generation to use crypto.randomBytes
- SECURITY improve security by preventing leakage of sensitive information in case of OpenID connect errors
- SECURITY refactored OpenID request/query parameter building into a shared helper
and enforce safe application/x-www-form-urlencoded string generation for auth,
token and userInfo requests
- SECURITY BREAKING PKCE (Proof Key for Code Exchange, RFC 7636) is now enabled by default for all providers.
On each login a fresh code_verifier (256-bit random, SHA-256 hashed) is generated and bound to the
session; the corresponding code_challenge (S256 method) is appended to the authorization URL, and
code_verifier is included in the token-exchange request, preventing authorization code interception.
Set pkce: false in the provider config only for legacy providers that do not support PKCE (e.g. ADFS 3 / WS2012).
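The PKCE S256 exchange described in the entry above, as an added Node.js example (not the OpenIdProvider implementation). Function names, endpoint URLs and parameter values are hypothetical; the verifier/challenge pair in the comments is the RFC 7636 Appendix B test vector.

```javascript
// Added example; helper names and sample values are assumptions, not UnityBase code.
const crypto = require('node:crypto')

// 256 bits from the CSPRNG, base64url-encoded without padding (43 characters)
function createCodeVerifier () {
  return crypto.randomBytes(32).toString('base64url')
}

// S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
// RFC 7636 Appendix B: 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'
//   hashes to          'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM'
function codeChallengeS256 (verifier) {
  return crypto.createHash('sha256').update(verifier, 'ascii').digest('base64url')
}

// Step 1: only the challenge travels in the authorization URL.
// The verifier stays server-side, bound to the login session.
function buildAuthorizationUrl (authEndpoint, params, verifier) {
  const url = new URL(authEndpoint)
  for (const [key, value] of Object.entries(params)) url.searchParams.set(key, value)
  url.searchParams.set('code_challenge', codeChallengeS256(verifier))
  url.searchParams.set('code_challenge_method', 'S256')
  return url.href
}

// Step 2: the token request carries the verifier, so an intercepted
// authorization code cannot be redeemed without it. URLSearchParams
// produces a correctly escaped application/x-www-form-urlencoded body.
function buildTokenRequestBody (params, verifier) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    ...params,
    code_verifier: verifier
  }).toString()
}

// What the provider does on token exchange: recompute and compare in constant time
function providerAcceptsVerifier (storedChallenge, presentedVerifier) {
  const expected = Buffer.from(codeChallengeS256(presentedVerifier))
  const stored = Buffer.from(String(storedChallenge))
  return expected.length === stored.length && crypto.timingSafeEqual(expected, stored)
}
```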
Deprecated
5.25.5 2026-05-31
providerConfig.nonce — any static nonce value in provider config is silently ignored.
Remove the nonce field from your provider configuration in ubConfig.json.
5.25.4 2026-05-26
- auth page no longer needs to call UB.get('openIDConnect') from client - OpenID provider list is now accessible in conn.appConfig.oidcProviders
Fixed
5.25.5 2026-05-31
- SECURITY OpenIdProvider: OIDC session cookie now includes an explicit SameSite attribute
and a bounded Max-Age=600 (10 minutes, aligned with the server-side state cache TTL).
- SECURITY stop logging sensitive OIDC cookie and token data in callback, refresh, and M2M token flows.
5.25.4 2026-05-26
- SECURITY fixed reflected XSS in the OIDC callback/error page.
JSON.stringify is not safe for embedding inside an HTML <script> block because the HTML
parser terminates the script tag on the literal bytes </script before any JavaScript parsing occurs.
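Why plain JSON.stringify breaks out of an inline script, next to one common hardening, as an added example. This is not the project's actual fix: the function names, the `authResult` variable and the sample payload are constructed for illustration.

```javascript
// Added example; names and sample data are hypothetical, not UnityBase code.

// Before: the HTML parser ends the script element at the first "</script",
// regardless of the fact that it sits inside a JavaScript string literal.
function renderCallbackPageUnsafe (data) {
  return `<script>window.authResult = ${JSON.stringify(data)}</script>`
}

// Hardened serializer: emit <, > and & as \uXXXX escapes. The result is still
// valid JSON/JavaScript with the same value, but contains no byte sequence
// the HTML parser could read as a tag or comment boundary.
function serializeForScript (value) {
  return JSON.stringify(value).replace(/[<>&]/g, ch =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'))
}

// After: same page, script-safe serialization
function renderCallbackPageSafe (data) {
  return `<script>window.authResult = ${serializeForScript(data)}</script>`
}

// Count how many times the markup closes a script element (case-insensitive,
// as the HTML parser matches it)
function countScriptClosers (html) {
  return (html.match(/<\/script/gi) || []).length
}

// Constructed sample: an error description reflected from the request
const SAMPLE_ERROR = { error: 'access_denied', description: '</script><b>injected</b>' }
```

With `SAMPLE_ERROR`, the unsafe page closes its script element early and the rest of the string is parsed as markup; the safe page has exactly one closer and `JSON.parse` of the serialized text returns the original value.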
Fixed
5.24.47 2026-05-07
UBConnection.invalidateCache: fixed a race condition where a select on a cached entity could read stale
data if it was initiated immediately after update/insert/delete while cache invalidation was still in
progress. Added _pendingInvalidateCacheRequests map (keyed by entity name) that stores the invalidation
promise while cacheOccurrenceRefresh is running. _doSelectForCacheableEntity now waits for the pending
invalidation promise (if any) before reading the cache, ensuring fresh data is always returned. The map
self-cleans on both resolve and reject.
Added
5.25.83 2026-05-26
ubConfig.schema.json: new uiSettings.adminUI.loginWithFullPageRedirect boolean property (default false).
When true, OpenIDConnect login uses a full-page redirect to the identity provider instead of a popup.
Additionally, if only one OpenIDConnect provider is configured as the sole auth method, the login page
will redirect directly to the provider on load, bypassing the ub-auth form entirely.
ubConfig.schema.json: new uiSettings.adminUI.faviconURL string property.
Optional URL path for a custom favicon. If specified, replaces the default /favicon.ico.
Fixed
5.24.75 2026-05-31
- fixed uba_user i18n for ka, nl, tg and uz locales (removed localization for the non-existent attribute gender)
Added
5.24.93 2026-05-26
ubm_desktop.changeUISettings: faviconURL is now included in the reset list, so resetting UI settings
also removes a previously set custom favicon
Fixed
5.24.93 2026-05-26
dataURI2Blob: added support for data:image/vnd.microsoft.icon;base64, MIME type so .ico favicons
uploaded via the UI settings form are correctly parsed and saved