Fess 15.7.0

@marevol released this 25 Jun 03:03

We're pleased to announce the release of Fess 15.7.0.

This release introduces a unified /api/v2 REST API for headless and single-page-application frontends, and a new static theme system that lets you build search screens entirely from HTML, CSS, and JavaScript — shipped with a bundled Bootstrap 5 reference theme. It also updates the search engine to OpenSearch 3.7.

Important — API v2 migration: The legacy v1 JSON search and chat APIs have been replaced by the new /api/v2 surface. If you depend on the previous v1 search API, install the new fess-webapp-v1-api plugin to restore it.

Highlights

  • Unified /api/v2 REST API
    A single, consistent API surface replaces the legacy per-feature REST managers. A unified JSON envelope (status, schema, data / error) covers search, scroll (NDJSON), related queries and content, document cache, favorites, click logging, authentication (login / logout / me / password change), CSRF tokens, login rate limiting, UI config, and chat (POST and SSE streaming). The API ships with an OpenAPI contract and is hardened with enforced input bounds, mandatory CSRF on state-changing requests, and per-IP / per-user rate limiting. Note: the old v1 JSON search and chat endpoints are removed; install fess-webapp-v1-api if you still need the v1 search API.

  • Static Theme System (HTML / CSS / JS Search UI)
    Search screens can now be delivered as static themes — self-contained HTML, CSS, and JavaScript bundles served directly from the web tier without a JSP or Action round-trip. Themes are validated against a theme.yml manifest, support pre-compressed assets and cache headers, and can be installed by ZIP upload with strong security guards (path-traversal, zip-bomb, and size limits). A new Admin → Theme screen lets you upload, activate, set a default, and remove themes.

  • Bundled Bootstrap Reference Theme
    Fess ships a complete Bootstrap 5 reference theme built from vanilla ES2022 modules that reproduces the existing search UI — home, search with facets, advanced search, cached view, AI chat, profile, and help — across 16 languages. Use it directly or as a starting point for your own custom search frontend.

  • OpenSearch 3.7 Support
    Fess is now compatible with OpenSearch 3.7, and the bundled kopf plugin is updated to 15.7.0.
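
A pre-upload check for a theme ZIP, covering the guard classes named under Static Theme System above (path traversal, zip bomb, size limits, manifest presence). This is an added example, not Fess code: the limits, the names `check_theme_zip` and `make_zip`, and the assumption that `theme.yml` sits at the archive root are illustrative.

```python
import io
import zipfile

# Assumed limits for illustration; the release notes do not state Fess's real thresholds.
MAX_TOTAL_BYTES = 50 * 1024 * 1024  # declared uncompressed size of the whole theme
MAX_RATIO = 100                     # uncompressed / compressed, per entry


def check_theme_zip(data: bytes) -> list:
    """Return the problems found in a theme ZIP; an empty list means it passed."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    problems, names, total = [], set(), 0
    for info in zf.infolist():
        name = info.filename.replace("\\", "/")
        parts = name.split("/")
        # Path traversal: absolute path, drive letter, or any '..' component.
        if name.startswith("/") or ".." in parts or ":" in parts[0]:
            problems.append(f"unsafe path: {info.filename}")
        # Symlink entries carry a Unix mode in the upper 16 bits of external_attr.
        if (info.external_attr >> 16) & 0o170000 == 0o120000:
            problems.append(f"symlink entry: {info.filename}")
        # Zip bomb: compare the sizes declared in the central directory.
        if info.file_size > MAX_RATIO * max(info.compress_size, 1):
            problems.append(f"suspicious compression ratio: {info.filename}")
        total += info.file_size
        names.add(name)
    if total > MAX_TOTAL_BYTES:
        problems.append(f"declared size {total} exceeds {MAX_TOTAL_BYTES}")
    # Assumption: the theme.yml manifest sits at the archive root.
    if "theme.yml" not in names:
        problems.append("missing theme.yml at archive root")
    return problems


def make_zip(entries):
    """Build an in-memory ZIP from (name, bytes) pairs; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries:
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    bad = make_zip([("theme.yml", b"name: demo\n"), ("../evil.js", b"x")])
    print(check_theme_zip(bad))
```

Declared sizes in a ZIP can be forged, so an installer still has to count bytes while extracting and stop at its limit; this check only rejects archives that are obviously malformed before upload.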

Improvements

API & Integration

  • New /api/v2 surface with 24 focused handlers behind a unified JSON envelope (#3136)
  • Enforce input bounds across the v2 REST API following OWASP API4:2023 (#3162)
  • Published OpenAPI contract for the v2 user and chat APIs, with a pinned response-field allowlist (#3168, #3163, #3156)
  • Refactor v2 API helpers into reusable DI components (#3160)
  • Localize password-policy errors for SPA themes (#3143)
  • Resolve correct installation / EOL help URLs in the UI config endpoint (#3153)

Search UI & Themes

  • Filesystem-backed static theme system with manifest validation, atomic ZIP install, and an admin management UI (#3136)
  • Run filter-only (facet) searches directly in the SPA theme (#3171)
  • Apply sort, page-size, and language options on search submission rather than on change (#3174, #3151)
  • Reset in-memory facet and search state when navigating back to the home view (#3170, #3155, #3176)
  • Submit a search when a home-page suggestion is clicked, and trigger suggestions from a single character (#3152, #3139)
  • Show the favorite star and count for all users in static themes (#3142)
  • Clear login-form credentials when the login modal closes (#3150)
  • Align the user-menu profile label with the password-change page and polish help-page styling (#3145, #3147)

Security & Hardening

  • Enforce CSRF unconditionally on state-changing v2 requests (#3159)
  • Scope login throttling to (client IP, username) and key anonymous chat throttling by client IP (#3158, #3165)
  • Restrict credentialed CORS to allow-listed origins (#3157)
  • Encode the search query in related-content placeholders to prevent reflected XSS (#3161)
  • Add a session.cookie.secure option to set the Secure attribute on the session cookie (#3166, #3169)
  • Omit cluster_name from anonymous health responses and default all v2 responses to Cache-Control: no-store (#3164, #3144)
  • Validate click query_id membership and bound the reported rank (#3167)

Administration & Configuration

  • New Admin → Theme management screen with clearer default-theme labelling and reliable default persistence (#3140, #3138)

AI Search Mode / RAG Chat

  • Use highlighted passages for large documents when generating answers (#3148)
  • Redesign smart summary as a "Minimal Trail" with phase-specific history (#3131)
  • Notify the browser of LLM retry / waiting / fallback / warning states and the search-hit count (#3130)
  • Treat truncated LLM responses as a fallback in RAG intent handling (#3129)

Crawler & Indexing

  • Include HTTP 403 and 410 in the default set of failure URL status codes (#3132)
  • Tighten the FessCrawlerThread hot path and precompile regex patterns across the API, crawler, and LLM code (#3134, #3133)

Platform

  • Update to OpenSearch 3.7.0 (#3146)
  • Sync README translations with the English version (#3137)

Bug Fixes

  • Storage features are now correctly enabled when using the default Google Cloud Storage endpoint (#3135)

We recommend upgrading to Fess 15.7.0 to take advantage of the new /api/v2 API, the static theme system with its bundled Bootstrap reference theme, and OpenSearch 3.7 support. If you rely on the legacy v1 search API, remember to install the fess-webapp-v1-api plugin.

📜 Documentation
📦 Docker Image: GitHub Packages - codelibs/fess
💬 Community Forum: discuss.codelibs.org

Thank you for using Fess!