OxiCloud 0.5.6

OxiCloud 0.5.6 is a substantial release built from 99 commits across 191 changed files since v0.5.5. The main themes of this release are storage flexibility, smarter deduplication, stronger authentication compatibility, and a much more polished web experience.

Highlights

• Added pluggable storage backends with admin UI support for S3, Azure, and local storage.
• Introduced CDC-based sub-file deduplication powered by FastCDC, BLAKE3 chunk hashing, parallel chunk storage, and manifest-based reconstruction.
• Added a public share page with download support and improved shared, recent, and classic navigation flows.
• Hardened OIDC and auth handling for email-style usernames, sanitized claims.sub, added WWW-Authenticate handshake behavior, and fixed session-expiry issues on HTTP deployments.
• Delivered broad frontend and CSS refactors that simplify the codebase while improving shared items, multi-select actions, search, music navigation, icons, and theming.
• Improved deployment and operations with rustls-only Azure Docker builds, Windows CRLF fixes, PostgreSQL data path fixes, updated docs, and the first steps toward Nix packaging.

New Features

• Pluggable storage backends with admin UI integration for S3, Azure, and local environments.
• Content-defined chunking deduplication with smarter chunk reuse and parallel upload paths.
• Public share page with direct download support.
• Shared-state visibility in the classic file view.
• Better section controls and multi-select action layout in the frontend.
• VitePress documentation site work and expanded localization coverage.

Fixes And Improvements

• Fixed OIDC username provisioning edge cases and claim sanitization.
• Fixed recent-section routing, hash navigation, shared-view behavior, file-list display, device-verification styling, and select-all wiring.
• Restored external thumbnail lookup and switched thumbnail deduplication to blob_hash.
• Reduced Docker build friction by moving Azure crates to rustls and correcting image references.
• Improved performance for hashing, thumbnail generation, audio metadata extraction, cache invalidation, and upload timeout scaling.
• Applied broad JS/CSS/Biome cleanup, improved JS module bundling, and simplified icon handling and theme styling.
• Added Windows CRLF compatibility and PostgreSQL data-location fixes.

Thanks

A huge thank you to everyone who contributed to this release.

Special thanks to Edouard Vanbelle for the large wave of frontend and UX improvements, Dionisio Pozo / DioCrafts for the core platform, storage, deduplication, and release work, Chris Mann and the Les Grands Voisins side of the project for collaboration and incoming changes, BillionClaw for authentication and documentation fixes, Mathieu Boutolleau for deployment improvements, Subhranil Sarkar for Windows compatibility, and su77ungr for standards-compliance improvements.

Thank you all for the code, reviews, ideas, testing, polish, and persistence that made OxiCloud 0.5.6 possible.

v0.5.5

New Features

• Music Player & Playlist Manager: full audio player with queue, shuffle, repeat modes
• Playlist management: create, edit, delete, share, reorder tracks (drag & drop)
• Playlist cover art, public/private toggle, manage shares dialog
• Audio metadata route mounted in backend
• File URL in browser: opened file reflected in URL for bookmarking/sharing
• Sticky page header for better navigation

Bug Fixes

• Fix blank login page regression (reset.css)
• Fix .hidden class not overriding display styles (added !important)
• Fix list view header showing in Photos section
• Fix missing break in switch/case (main.js)
• Stop media playback when inline viewer is closed
• Fix missing menu bar icon on small screens
• Fix historyUrl serialization
• Fix select-all checkbox and shift+click multi-selection
• Fix music player icons (fa-edit/fa-share not in icon registry)
• Fix shuffle bias, queue removal index, repeat-one CSS

Improvements

• Music empty state: full-width centered onboarding matching app design language
• Compact sidebar with inline create button
• JS/CSS linter (Biome) integration + CI pipeline for frontend
• Code formatting and linter suggestions applied across frontend

v0.5.4 — Docker Image Fix, UX Polish & OpenAPI Latest

OxiCloud v0.5.4 — Docker Image Fix, UX Polish & OpenAPI

A focused release with 29 commits from 4 contributors, touching 369 files with over 2,000 lines of improvements. This release restores Docker Hub image publishing (missing since v0.5.1), introduces browser history navigation, OpenAPI spec generation, and a wave of UX refinements for file management.

⚠️ Docker Hub is back: The diocrafts/oxicloud:0.5.4 and :latest images are now available. Images for v0.5.2 and v0.5.3 were never published due to CI pipeline failures — this release fixes all underlying issues. See #250 for details.

---

Highlights

• Docker Image Publishing Restored — Fixed three cascading CI/CD failures that prevented container images from being published since v0.5.1
• Browser History & URL Bookmarking — Navigate folders with browser back/forward buttons and bookmark any folder URL directly
• OpenAPI Spec Generation — Auto-generated OpenAPI documentation via utoipa for the entire REST API
• Enhanced Drag & Drop — Multi-file drag support with visual drag summary and improved drop targets
• Ctrl/Meta/Alt Multi-Select — Select multiple files using keyboard modifiers, desktop-style
• WOPI PDF Fallback — Graceful fallback to inline viewer when WOPI editor fails for PDF files
• Configurable Server Port — OXICLOUD_SERVER_PORT env var replaces hardcoded port 8086
• Login & User Menu Fix — Resolved .hidden class conflict that caused blank login page and missing admin badge/panel in user menu
• View Toggle Polish — Refined grid/list view toggle buttons with tighter proportions

---

Features

• Browser history navigation — Navigate folders with browser back/forward buttons; folder URLs are now bookmarkable (@EdouardVanbelle — #232)
• OpenAPI spec generation with utoipa — Auto-generate openapi.json covering all REST API endpoints via cargo run --bin generate-openapi or just openapi (@iltumio — #245)
• Ctrl/Meta/Alt key multi-select — Hold modifier keys to toggle individual item selection, matching desktop file manager behavior (@EdouardVanbelle — #261)
• Improved drag & drop — Support for dragging multiple files simultaneously with a visual drag summary showing file count (@EdouardVanbelle — #239)
• Action column with context menu — File list view now includes an action column displaying the context menu inline (@EdouardVanbelle — #255)
• Smart loading indicator — File view loader only appears if requests take more than 100ms, avoiding flicker on fast loads (@EdouardVanbelle — #232)
• Configurable server port — Use OXICLOUD_SERVER_PORT env var instead of hardcoded port 8086 (@justDance-everybody — #256)

Bug Fixes

• Docker image publishing restored — Fixed Dockerfile cacher stage failing on generate-openapi binary target, added explicit ref: to workflow checkout steps for correct tag builds, and increased multi-arch build timeout (@DioCrafts — #250)
• Blank login page fixed — .hidden { display: none !important } CSS class overrode inline style.display assignments, preventing login/register/language panels from appearing. All panel visibility now uses classList.remove/add (@DioCrafts)
• Admin badge & panel missing — Same .hidden class conflict prevented the admin role badge, admin panel link, and admin divider from showing in the user dropdown menu (@DioCrafts)
• Profile page not rendering — Profile main-content and auth-error containers also had the hidden class conflict and never became visible (@DioCrafts)
• WOPI PDF view fallback — WOPI editor now falls back to view mode for PDF files instead of failing (@justDance-everybody — #257)
• WOPI-to-inline viewer fallback — When WOPI editor fails entirely for PDFs, gracefully falls back to the built-in inline viewer (@justDance-everybody — #258)
• Notification bell animation — Fixed bell animation and notification zone now automatically closes on clear (@EdouardVanbelle — #247)

Refactoring & Code Quality

• Merge grid and list builder — Unified grid/list file views into a single builder, using CSS-only switching between view modes (@EdouardVanbelle — #260)
• Simplify multiSelect module — Removed duplicate code and streamlined multi-selection logic (@EdouardVanbelle — #239)
• Rename View into Section — Consistent naming across navigation components (@EdouardVanbelle — #239)
• Simplify empty list rendering — Empty state now works correctly in both grid and list views (@EdouardVanbelle — #239)
• No blink on section re-select — Navigation no longer re-renders when clicking the already-selected section (@EdouardVanbelle — #239)
• Remove executable attributes — Cleaned up file permissions on non-bash files (@EdouardVanbelle — #248)
• Remove generated openapi.json from tracking — The generated spec is no longer committed to the repo (@iltumio — #245)
• View toggle button polish — Reduced gap, padding, and button size for a tighter, more balanced grid/list toggle (@DioCrafts)
• Consistent panel visibility — Added hidden class to admin-setup-panel in HTML; removed redundant CSS display:none rule (@DioCrafts)

---

Stats

Metric	Value
Commits	29
Contributors	4
Files changed	369
Insertions	+2,048
Deletions	−1,021
Issues closed	#250, #243, #254
PRs merged	11

---

🙏 Contributor Acknowledgements

@EdouardVanbelle — 12 commits ⭐ MVP of this release

Edouard delivered an extraordinary volume of UX improvements in this release. The browser history navigation transforms how users interact with OxiCloud — folder URLs are now bookmarkable and the back/forward buttons work naturally. The unified grid/list builder is an elegant refactor that simplifies the entire file view architecture. Multi-file drag & drop with visual summaries, Ctrl/Meta multi-select, the inline action column, smart loading indicators, and the notification fix round out a comprehensive overhaul of the frontend experience. Every change shows meticulous attention to how real users interact with a file manager. Thank you, Edouard, for raising the bar on OxiCloud's user experience. 🏆

@justDance-everybody — 3 commits

justDance-everybody tackled critical WOPI integration issues, implementing a two-layer fallback strategy for PDF viewing: first falling back from edit mode to view mode, and then from WOPI entirely to the inline viewer. This ensures PDF files always render, regardless of WOPI editor availability. They also made the server port configurable via environment variable — a simple but essential change for Docker and reverse proxy deployments. Thank you for making OxiCloud more resilient and deployment-friendly.

@iltumio (Manuel Tumiati) — 2 commits

Manuel introduced OpenAPI spec generation using utoipa, giving OxiCloud a proper machine-readable API contract for the first time. This unlocks automatic client SDK generation, Swagger UI documentation, and API testing workflows for the entire community. He also cleaned up the repo by removing the generated JSON from version control. Thank you, Manuel, for this foundational developer experience improvement.

@DioCrafts — 2 commits

Root-caused and fixed the Docker Hub publishing pipeline that had been silently failing since v0.5.2, restoring container image availability. Fixed a pervasive .hidden class CSS conflict that caused blank login pages, missing admin UI elements, and broken profile rendering. Polished the view toggle buttons.

New Contributors 🎉

• @justDance-everybody made their first contribution in #256
• @iltumio made their first contribution in #245

What's Changed

• feat: browser history & permits bookmarks URL by @EdouardVanbelle in #232
• feat: permit multiple file on drag 'n' drop by @EdouardVanbelle in #239
• feat: add OpenAPI spec generation with utoipa and justfile by @iltumio in #245
• fix(notification): correct bell animation + automatically close notif… by @EdouardVanbelle in #247
• chore: remove all executable attributes on non bash files by @EdouardVanbelle in #248
• feat(fileList): add action column to display context menu by @EdouardVanbelle in #255
• fix(config): use OXICLOUD_SERVER_PORT env var instead of hardcoded 8086 by @justDance-everybody in #256
• fix(wopi): fall back to view mode for PDF files by @justDance-everybody in #257
• fix(viewer): fallback to inline viewer when WOPI editor fails for PDFs by @justDance-everybody in #258
• Refactor/merge grid and list builder by @EdouardVanbelle in #260
• feat(item-selection): add ctrl/meta/alt key to toggle item selection by @EdouardVanbelle in #261
• fix(release): v0.5.4 — fix Docker build and publish pipeline by @DioCrafts
• fix(ui): resolve hidden class vs style.display conflict, polish toggle buttons by @DioCrafts

Full Changelog: v0.5.3...v0.5.4

v0.5.3 — Security, Stability & Kubernetes Ready

OxiCloud v0.5.3 — Security, Stability & Kubernetes Ready

A community-powered release with 42 commits from 7 contributors, touching 106 files with nearly 2,000 lines of improvements. This release focuses on critical security hardening, memory & reliability optimizations, Kubernetes-native deployment via Helm, and a wave of UI/UX and WebDAV fixes that dramatically improve the day-to-day experience.

---

Highlights

• Kubernetes Helm Chart — First-class Kubernetes deployment with a full Helm chart, including optional WOPI integration
• SQLx Migration System — Replaced custom schema loader with sqlx::migrate!() for robust, versioned database migrations
• Security Advisory Fix — Patched RUSTSEC-2026-0037 (quinn-proto) to eliminate a known vulnerability
• Folder Ownership Verification — Files can no longer be moved to another user's folder, closing a critical access control gap
• Drag & Drop into Breadcrumbs — Drag files directly into breadcrumb folders for faster file organization
• Download Progress for Large Files — New progress bar for files >2GB with correct 64-bit math
• Thumbnail Timeout Protection — Large image processing now has configurable timeouts to prevent server hangs

---

Features

• SQL migration system using sqlx::migrate!() — Automatic, versioned schema migrations on startup replace the previous manual schema loader (@jaredwolff — #191)
• Helm chart for Kubernetes deployment — Full Helm chart with configurable values, optional WOPI sidecar, and comprehensive documentation (@nk-designz — #198)
• Drag & drop files into breadcrumb folders — Move files by dragging them onto any breadcrumb folder in the navigation bar (@EdouardVanbelle — #238)
• Download progress bar for files >2GB — Inline viewer now shows real-time download progress with correct 64-bit float division, avoiding 32-bit overflow (@BillionClaw — #227)
• Thumbnail generation timeout protection — Configurable timeout (default 30s) prevents large image processing from hanging the server indefinitely (@DioCrafts — #242)
• Add missing home icon — Breadcrumb now displays the proper home icon for root folder navigation (@EdouardVanbelle — #235)

Security & Access Control

• Fix RUSTSEC-2026-0037 — Updated quinn-proto to 0.11.14 to patch a known security advisory (@jaredwolff — b6bcb7d)
• Verify target folder ownership on file move — Moving a file now validates that the caller owns the destination folder, preventing cross-user file injection (@BillionClaw — #224)
• Enforce storage quota on WebDAV PUT uploads — WebDAV uploads now check storage quota before persisting, returning 507 Insufficient Storage when exceeded — previously only REST and chunked uploads had this check (@BillionClaw — #220)
• Cap admin initial quota to available disk space — User creation no longer sets quotas exceeding actual available disk space (@BillionClaw — #226)
• Resolve CSP blocking and session refresh loop — Fixed Content Security Policy violations blocking inline styles and an infinite session refresh loop (@BillionClaw — #211)

Performance & Memory

• Drop encoded image data after decoding — Explicitly frees the original encoded buffer after image decoding, reducing peak memory consumption during thumbnail generation by the original file size (@BillionClaw — #228)
• Thumbnail generation timeout — Wraps spawn_blocking in tokio::time::timeout so a single slow image can't block the thumbnail pipeline (@DioCrafts — #242)

Bug Fixes

Nextcloud Compatibility:

• Fix Nextcloud sync conflict — Replaced static UUID-based ETags with content-hash ETags, resolving persistent sync conflicts in the Nextcloud desktop and mobile clients (@jaredwolff — #207)

WebDAV:

• Preserve correct status codes for rename/move failures — AlreadyExists→409, NotFound→404, AccessDenied→403 instead of blanket 500 errors (@BillionClaw — #222)
• Enforce storage quota on PUT uploads — Closes a gap where WebDAV could bypass quota checks (@BillionClaw — #220)

Files & Storage:

• Batch folder deletion fails — Added debug logging to diagnose and fix batch trash operation failures (@BillionClaw — #216)
• Improve error messages for file/folder already exists — More descriptive error messages when duplicate file/folder names are encountered (@BillionClaw — #225)
• Correct shared link URL to include /api prefix — Shared links previously generated 404 URLs missing the API path prefix (@BillionClaw — #223)

Calendar & Contacts:

• Change calendar owner_id from String to Uuid — Aligns calendar ownership with the native UUID type used everywhere else, fixing lookup failures (@BillionClaw — #208)
• Allow RGBA colors in calendar events — Calendar color validation now accepts RGBA format in addition to RGB (@JVMerkle — #202)

Trash:

• Add missing display fields to TrashedItemDto — Added category, icon_class, and icon_special_class fields so the trash view renders file type information correctly (@BillionClaw — #221)

UI/UX:

• Resolve broken menu navigation — Fixed menu items not responding to clicks (@BillionClaw — #212)
• Resolve dark mode toggle and file search errors — Dark mode toggle now derives state from localStorage; empty folder_id no longer causes search errors (@BillionClaw — #218)
• Photos view bleeding into trash view — Fixed CSS isolation issue where photos grid styles leaked into the trash panel (@jaredwolff — #196)
• Align size values in table view — File sizes now use tabular-nums for proper column alignment (@BillionClaw — #219)
• WOPI public base URL for Docker — Added OXICLOUD_WOPI_PUBLIC_BASE_URL env var support so WOPI document editing works behind reverse proxies in Docker (@BillionClaw — #234)

Internationalization:

• Use translation keys for upload notification titles — Replaced hardcoded English/Spanish strings with proper i18n lookup (@BillionClaw — #217)
• Add missing dialogs.share_folder translation key — Added to all 14 locale files, fixing share dialog failures for folders (@BillionClaw — #215)

Build, CI & Deployment:

• Add PostgreSQL service to Docker publish workflow — The Docker Hub release CI job was failing because it lacked the PostgreSQL service required by tests, causing missing container images for v0.5.2 (@BillionClaw — #214)
• Remove target-cpu=native from Dockerfile — Ensures Docker images are portable across different CPU architectures (@jaredwolff — a0ee538)
• ARMv7 32-bit compilation overflow — Fixed integer overflow on 32-bit ARM targets (@BillionClaw — #209)
• Resolve clippy warnings and rustfmt issues for CI compliance — Cleaned up all remaining linting issues (@zjean — #188)
• Update CI references from db/schema.sql to sqlx migrations — Aligned CI pipelines with the new migration system (@jaredwolff — f6e2b30)
• Add pre-commit checks to CLAUDE.md — Documented required cargo fmt + cargo clippy checks (@jaredwolff — #192)

Migrations:

• Add ALTER TABLE fallback for media_sort_date column — Handles pre-existing tables gracefully during migration (@jaredwolff — #195)

Documentation

• Add feature status table to README — Clear overview of which features are stable, beta, or planned (@BillionClaw — #210)
• Fix incorrect path in development guide — Corrected branch path references in CONTRIBUTING.md (@BillionClaw — #213)
• Helm chart documentation — Comprehensive deployment guide for Kubernetes users (@nk-designz — #198)
• Update README.md & example.env — Improved documentation for remote access setup (@raenur — #197)

Developer Experience

• Dev-mode static assets without cache — When PROFILE=dev, static assets are served directly from /static with no caching, enabling faster frontend iteration (@EdouardVanbelle — #236)
• Remove duplicate breadcrumb home-folder code — Refactored redundant logic in breadcrumb handling (@EdouardVanbelle — 276b9ff)
• Apply rust format + fix clippy warning — Code style cleanup (@EdouardVanbelle — #240)

---

Stats

Metric	Value
Commits	42
Contributors	7
Files changed	106
Insertions	+1,997
Deletions	−882
Issues closed	#82, #92, #101, #102, #104, #107, #108, #124, #189, #193, #230
PRs merged	35

---

🙏 Contributor Acknowledgements

This release would not have been possible without the incredible dedication and talent of every single contributor. The OxiCloud community continues to grow, and every contribution — from a one-line fix to a 22-commit marathon — makes this project stronger.

---

@BillionClaw — 22 commits ⭐ MVP of this release

An absolutely extraordinary contribution. BillionClaw single-handedly tackled the majority of this release, delivering a sweeping wave of fixes that touched every layer of OxiCloud — from WebDAV quota enforcement and folder ownership security, to dark mode toggle fixes, i18n completeness, trash view rendering, shared link URLs, CI pipeline fixes, and ARMv7 compilation support. The depth and breadth of these contributions is remarkable. Every fix came with clear commit messages, proper issue references, and thoughtful descriptions. BillionClaw didn't just fix bugs — they systematically audited and hardened OxiCloud's core functionality. The download progress bar for >2GB files and the thumbnail memory optimization show a keen eye for performance and user experience. Thank you, BillionClaw, for this exceptional level of commitment to OxiCloud. You are a pillar of this community. 🏆

---

@jaredwolff — 8 commits

Jared continues to be one of OxiCloud's most impactful contributors. This release features his landmark SQLx migration system — a foundational infrastructure change that replaces the fragile custom schema loader with proper versioned migratio...

v0.5.2 — Performance, i18n & UI Polish

OxiCloud v0.5.2

A substantial release focused on deep performance optimizations, internationalization expansion, and UI/UX refinements across the entire stack.

---

Performance (Backend)

• UUID native migration — All user/session/auth IDs moved from VARCHAR(36) to native PostgreSQL UUID, eliminating UUID-String round-trips across the storage layer
• BLAKE3 mmap + rayon — File hashing now uses memory-mapped I/O with parallel processing, achieving zero heap allocation
• Async dedup path — Replaced blocking Path::exists() with async try_exists() in the deduplication hot path
• Zero-alloc DTO conversion — File to FileDto via into_parts() ownership transfer eliminates intermediate allocations
• SQL parser optimization — Eliminated Vec<char> allocation in split_sql_statements
• HTTP compression — Enabled gzip + Brotli with a smart content-type predicate
• target-cpu=native — SIMD-optimized BLAKE3 and image processing via .cargo/config.toml
• OnceLock for env vars — Arc<CurrentUser> in auth middleware, pre-computed query lowercase
• Eliminated redundant PG round-trip for blob_hash after image upload

Performance (Frontend)

• Build-time asset pipeline — build.rs with oxc (JS minifier) + LightningCSS for optimized static assets
• Photos append-only render — Eliminates full DOM rebuild on scroll
• Thumbnail optimization — Switched from WebP to JPEG q=80 for faster encoding; cache-first + ETag 304 eliminates DB queries on GET
• Denormalized media_sort_date + pre-scaled video thumbnails

Features

• Client-side video thumbnails — Generated in-browser without ffmpeg dependency
• i18n expansion to 14 locales — Added Hindi, Arabic, Russian, Japanese, Korean
• Admin panel i18n — 117 translation keys, confirm modal replacing confirm(), animated tab switching, removed all inline event handlers
• Profile page i18n — 58 translation keys with data-i18n attributes
• Files empty state — Shows friendly message when a folder is empty (translated in all 14 locales)

Bug Fixes

• Auth race condition — Resolved files not loading on initial visit
• Grid/List view header — List header no longer incorrectly appears in grid mode on login
• Login page rendering — Fixed .hidden CSS specificity issue that caused blank login page
• View switching — Proper classList.toggle("hidden") sync across all navigation functions
• CSP compliance — Added blob: to frame-src and media-src for PDF/video viewing; restored removal of inline handlers in admin
• Thumbnail cleanup — Thumbnails now deleted when files are permanently removed
• CSRF headers — Added to video thumbnail PUT requests
• SQL schema — Added DROP TRIGGER IF EXISTS before CREATE TRIGGER
• UUID SQL casts — Added ::uuid/::text casts in storage repos for UUID columns

UI/UX

• Files grid cards stretch to full width (matching photos view)
• Card border/shadow style unified between Files and Photos
• Fixed i18n safeT() shadowing bug and translationsLoaded timing

---

Full Changelog: v0.5.1...v0.5.2

What's Changed

• fix(auth): resolve race condition causing files not to load on initial visit by @jaredwolff in #178
• Fix(admin.html): restore theme-init.js and remove inline event handlers by @vhsdream in #181

New Contributors

• @vhsdream made their first contribution in #181

Full Changelog: v0.5.1...v0.5.2

v0.5.1 — Security Hardening, Photos, Nextcloud Compatibility & Performance

v0.5.1 — Security Hardening, Photos, Nextcloud Compatibility & Performance

We are thrilled to announce OxiCloud v0.5.1! This release packs an incredible amount of work — 70+ commits spanning security hardening, a brand-new Photos feature, full Nextcloud-compatible API, major performance optimizations, and countless bug fixes. This would not have been possible without the amazing contributions from our community. Thank you so much!

---

🔒 Security

• Critical IDOR & auth vulnerability patches — comprehensive security audit fixes (VULN-01 through VULN-16)
• IP rate limiting + account lockout on authentication endpoints
• HttpOnly cookies + CSP headers + CSRF double-submit protection
• Strict CSP compliance — removed all inline styles, scripts, and event handlers
• Admin escalation prevention and path traversal hardening
• MIME type detection via magic bytes instead of trusting client headers

📸 New Features

• Photos timeline view with lightbox and infinite scroll
• EXIF metadata extraction and storage for photos
• Day / Month / Year grouping in photo views
• Nextcloud-compatible API layer — full compatibility for Nextcloud clients
• Nextcloud Android app connectivity and uploads support
• App Passwords UI on the profile page with active/revoked status display
• OAuth 2.0 Device Authorization Grant (RFC 8628) for WebDAV/CalDAV/CardDAV
• Auto-persist JWT secret — removed setup token requirement

⚡ Performance

• BLAKE3 replaces SHA-256 across WebDAV/WOPI with multithreaded hashing for files >10 MB
• mimalloc global allocator for faster memory allocation
• HTTP/2 enabled with socket2 TCP_NODELAY + socket tuning
• Zero-alloc iCal generation with write!() for CalDAV
• Single UNION ALL query for WebDAV path resolution
• GIN trigram indexes for ILIKE substring search
• moka cache for Basic Auth verification and JWT validation
• cargo-chef multi-stage Docker build for faster CI
• Arc for repetitive DTO fields — eliminates clone allocations
• Concrete types replace dyn trait objects — eliminates vtable overhead
• Batch concurrency, pagination, sorting, transcoding, and folder ops optimized
• Removed dead redirect middleware that ran on every request doing nothing

🐛 Bug Fixes

• Fixed CalDAV PROPFIND returning empty property values
• Fixed WebDAV path translation for all operations and MKCOL recursive creation
• Fixed cross-device rename and MKCOL on existing folders
• Fixed thumbnail blob path resolution and display in file grid/list
• Fixed WOPI intercepting all file opens
• Fixed auth middleware for /me, /change-password, /logout and admin endpoints
• Fixed URL-decode DAV paths with spaces
• Fixed pagination usize underflow when total_pages is zero
• Fixed SQL type mismatch and pagination panic in photos
• Fixed profile page auth-error and main-content div visibility
• Fixed logout fetch to prevent token refresh race condition
• Fixed invisible modals and missing button icons in admin panel
• Fixed list view column spacing and rubber-band selection
• Eliminated 420+ compiler warnings
• Resolved all clippy warnings for --all-features CI build

🧹 Maintenance

• Replaced anyhow with thiserror in db.rs and auth_factory.rs
• Replaced md5 crate with RustCrypto md-5
• Replaced WebDAV LOCK stub with moka-backed lock store (auto-expire TTL)
• Removed redundant hyper dependency and migrations directory
• Applied rustfmt formatting across the codebase

---

🙏 Huge Thanks to Our Contributors!

This release would not have been possible without the incredible dedication, skill, and passion of every single contributor. We are deeply grateful for your time, expertise, and commitment to making OxiCloud better. Thank you from the bottom of our hearts!

• @jaredwolff (Jared Wolff) — Outstanding contributions across the board! Built the entire Photos feature (timeline, lightbox, EXIF extraction, grouping), the App Passwords UI, Nextcloud Android connectivity, strict CSP compliance, thumbnail fixes, auth middleware fixes, WebDAV path translation, and so much more. Your work has been absolutely phenomenal. Thank you immensely, Jared!

• @zjean (zjean) — Fantastic work delivering the full Nextcloud-compatible API layer, fixing schema initialization, duplicate routes, image preview bugs, MIME detection via magic bytes, and tirelessly resolving clippy warnings and formatting across the entire codebase. Your attention to detail and quality is remarkable. Thank you so much, zjean!

Every single contribution — whether a massive feature, a small fix, or a formatting pass — has made OxiCloud stronger, faster, and more secure. We are incredibly lucky to have such a talented and dedicated community. Thank you all! 🎉

---

Full Changelog: v0.5.0...v0.5.1

v0.5.0 — Performance Overhaul & New Features

🚀 OxiCloud v0.5.0

100 commits since v0.4.2 — the biggest release yet. Comprehensive performance audit, new features, and critical fixes.

---

⚡ Performance (30+ optimizations)

Critical (P0)

• ZIP streaming: rewrite download_zip to stream via temp file instead of loading entire archive into RAM — eliminates OOM on large downloads
• PostgreSQL TX during disk I/O: decouple PG transactions from slow disk operations in chunked uploads
• RwLock → DashMap: replace RwLock<HashMap> with lock-free DashMap in ChunkedUploadService, eliminating write-lock contention

High Impact

• Eliminate Vec<u8> copies: all uploads now stream directly to disk — no intermediate RAM buffers
• Arc-wrap SearchResultsDto: zero-copy cache reads via Arc<SearchResultsDto>
• Batch garbage_collect: 500-row mini-transactions instead of unbounded DELETE
• stream_files_in_subtree: replace Vec<File> with async Stream — constant memory for subtree operations
• ltree <@ in delete_folder: replace recursive CTE with GiST-indexed ltree operator
• Persistent blob_hash cache: remove one-shot invalidation, keep cache warm across reads
• Thumbnail single-read: eliminate double disk read with read-once buffer pattern
• Trash bulk cleanup: replace N+1 sequential delete_permanently loop with 2-query bulk DELETE in a single transaction

Medium Impact

• Streaming PROPFIND: parallelize WebDAV queries with tokio::join!
• async Argon2 + Semaphore: bound concurrent password hashes to prevent CPU exhaustion
• moka future::Cache: migrate sync cache to async for search service
• async-compression streaming: eliminate double buffer copy in decompress
• ltree bulk subtree fetch: eliminate N+1 queries in ZIP generation
• COUNT(*) OVER(): eliminate double COUNT+SELECT in search pagination
• SQL-level search filtering: push suggest() filtering + LIMIT to PostgreSQL
• Adaptive thumbnail filters: Triangle for icons, CatmullRom for previews (instead of expensive Lanczos3)
• spawn_blocking SHA-256: offload hash computation off the async runtime
• Arc<str> for etag/content_type: reduce allocations in content cache

🔧 Features

• WOPI protocol support: collaborative document editing via Collabora/LibreOffice Online
• Audio/Video modal player: inline media playback with MIME detection via magic bytes (infer)
• Breadcrumb navigation: full path navigation in Files tab + SPA view refactor
• Collapsible mobile sidebar: responsive UI for mobile devices
• Move dialog navigation: folder browsing + copy functionality in move dialog
• OIDC improvements: email_verified check, auth source badge, password ops guard for OIDC users
• Dual DB pools: separate primary + maintenance connection pools
• German (de.json) locale: i18n support for Deutsch

🐛 Bug Fixes

• OOM protection: lock-free thumbnail cache + OIDC JWKS TTL
• Blob storage leak: prevent orphaned blobs on folder deletion
• Temp file lifecycle: prevent premature temp file deletion during ZIP download
• Storage usage calculation: correct query with direct SQL
• Auto-create home folder: handle empty root folder listing
• Dutch language selection: fix locale mapping
• Unlimited quota display: show ∞ when storage_quota_bytes = 0
• Trash test mocks: simulate PG CASCADE on clear_trash

🔒 Security

• Fail-closed auth (P0): refuse to start when auth is enabled but cannot initialize
• Ignore RUSTSEC-2023-0071: acknowledged advisory for rsa crate

🧹 Code Quality

• cargo fmt --all — consistent formatting across entire codebase
• cargo clippy --all-targets -- -D warnings — zero warnings
• Dead code elimination after each optimization
• Clean architecture maintained throughout all changes

📊 Impact Summary

Metric	Before	After
ZIP download (1 GB)	OOM crash	~50 MB RSS
Trash cleanup (1000 items)	~6s (3000 queries)	~10ms (2 queries)
Subtree listing (10K files)	800 MB RSS spike	~constant memory
Concurrent uploads (lock)	Serial via RwLock	Lock-free DashMap
Thumbnail generation	2 disk reads per image	1 disk read
Folder deletion	Recursive CTE (slow)	ltree <@ (GiST index)
Search cache reads	Clone per read	Arc (zero-copy)
GC DELETE	Unbounded single TX	500-row batches

---

Full Changelog: v0.4.2...v0.5.0

What's Changed

• fix: display unlimited quota (∞) when storage_quota_bytes = 0 by @gbw in #132
• feat(wopi): add WOPI protocol support for collaborative editing by @zjean in #133
• Add email_verified check for OIDC login by @gbw in #134
• Add missing version update from 0.4.1 to 0.4.2 by @gbw in #136
• Feature/OIDC user identity by @zjean in #135
• fix dutch language selection by @zjean in #137
• fix: auto-create home folder when listing root folders returns empty by @gbw in #138
• fix: correct storage usage calculation by using direct SQL query by @gbw in #140
• Optimize search service with database-level pagination and improve cache handling by @gbw in #139
• docs: add example.env and document all environment variables by @gbw in #141
• feat(i18n): update de.json (deutsch by @roswitina in #142
• feat: add breadcrumb navigation and refactor SPA view management by @gbw in #144
• feat(ui): add collapsible sidebar for mobile devices by @gbw in #146
• Ignore RUSTSEC-2023-0071 in security audit by @gbw in #147
• feat: improve move dialog with folder navigation by @gbw in #148
• Small documentation update and cargo fmt by @gbw in #150

Full Changelog: v0.4.2...v0.5.0

v0.4.2 — Trash & Delete Fixes + Frontend Refactoring

🎉 OxiCloud v0.4.2

🐛 Bug Fixes

• Fix folder trash operation — Added missing RECURSIVE keyword in move_to_trash and restore_from_trash SQL CTEs, which caused relation "descendants" does not exist errors when trying to delete folders.
• Fix folder permanent delete — Resolved duplicate key violates unique constraint "idx_files_unique_name_at_root" by explicitly deleting descendant files before removing folders.
• Fix schema FK constraint — Changed files.folder_id foreign key from ON DELETE SET NULL to ON DELETE CASCADE to prevent orphaned file records.
• Fix OIDC admin settings — Admin panel now correctly populates OIDC/SSO settings from environment variables.
• Fix database schema startup — Schema is now always applied on startup to ensure consistency.
• Fix upload filename sanitization — Properly sanitize multipart filenames for folder uploads (#121).
• Fix CSS selectors for SVG icons — Updated sidebar navigation CSS selectors to work with SVG icons.

✨ Improvements

• Simplified trash model — Folders are now the only element marked as trashed; child files are implicitly hidden since navigation queries filter NOT is_trashed. The trash_items view now only shows top-level trashed items, so the trash bin displays the folder itself instead of hundreds of individual child files.
• Trash view icons — Folders and files in the trash now display the same visual icons (yellow folder icon, PDF icon, etc.) as in the main files view.
• Frontend modular architecture — Reorganized all JavaScript into a clean modular folder structure: app/, core/, features/, views/.
• Extract inline CSS/JS — Moved all inline <style> and <script> blocks from admin.html and profile.html into dedicated external files (admin.css, profile.css, admin.js, profile.js).
• CSS class-based visibility — Replaced all style.display JavaScript assignments and inline style="" attributes with CSS utility classes (hidden, show-block, show-flex).
• Dutch translations — Added complete Dutch (NL) language support.
• Brotli + Gzip compression — Enabled Brotli compression for API and static files, plus Cache-Control headers for static assets.
• UI rendering optimizations — Improved rendering performance and event lifecycle management.
• SVG icon system — Frontend optimizations: SVG icons, unified rendering, scoped translatePage.

👏 Thanks to Our Amazing Contributors

A huge thank you to all the incredible users who contributed to this release — you are the best users in the world! 🌟 Your contributions, bug reports, and ideas make OxiCloud better every day.

• @gbw (George Wu)
• @zjean

We truly appreciate every single contribution. Keep being awesome! ❤️

Full Changelog: v0.4.1...v0.4.2

What's Changed

• Enable brotli compression for API and static files by @gbw in #125
• feat: add Dutch translations by @zjean in #130
• fix: always apply database schema on startup by @gbw in #127
• fix(admin): populate OIDC settings in admin panel from environment variables by @gbw in #128

New Contributors

• @zjean made their first contribution in #130

Full Changelog: v0.4.1...v0.4.2

v0.4.1 - Upload Fix & UI Improvements

Bug Fixes

• Fix upload failure (folder_id is required error) by adding create_home_folder through the full hexagonal architecture (trait, service, repository, auth service). All 4 user creation call sites updated.
• Fix double upload with _isUploading concurrency guard and event deduplication.
• Fix Share context menu doing nothing when right-clicking a file. Root cause: DOM ID collision between sharedView dialog and main share dialog.
• Fix Compartidos/Shared tab duplicate headers and broken layout. Page title now updates correctly via data-i18n attribute.
• Fix dark mode white backgrounds on empty-state, shared-filters, trash-actions, action-btn, and header.
• Fix i18n key mismatches in sharedView component.

Styling

• Added full modal CSS for the shared view edit/notification dialogs (.shared-dialog) with dark mode support.

Files Changed

• Cargo.toml (version bump)
• src/application/ports/inbound.rs
• src/application/services/auth_application_service.rs
• src/application/services/folder_service.rs
• src/domain/repositories/folder_repository.rs
• src/infrastructure/repositories/pg/folder_db_repository.rs
• static/css/style.css
• static/js/app.js, ui.js, fileOperations.js
• static/js/components/sharedView.js

Closes #120

Full Changelog: v0.4.0...v0.4.1

v0.4.0

🚀 OxiCloud v0.4.0

The biggest release yet — a complete storage architecture overhaul, 10× upload performance, critical security hardening, batch operations, and dozens of UI/UX polish fixes driven by community feedback. This version covers 53 commits addressing 19+ issues across security, performance, storage, OIDC, uploads, and quality-of-life improvements.

---

🏗️ Architecture — 100% Blob Storage Model

Complete storage rewrite — OxiCloud now uses a PostgreSQL-backed metadata model with content-addressable blob storage and built-in deduplication. All file & folder metadata lives in the database; binary content is stored once via SHA-256 hashing. This is a foundational change that unlocks future clustering and replication. (#113)

---

⚡ Performance

Uploads 10×, downloads 2×, concurrency 2× — Phase 4+5 optimizations include moka in-memory cache, 512 KB I/O buffers, removed unnecessary sync_all calls, hash-on-write pipeline, and preloaded queries. 500 MB upload went from 12.6 s → 1.3 s (392 MB/s). Memory usage: 69–113 MB RSS, 0 swap. New bench.sh v3 for reproducible benchmarking.

---

🔒 Security

• Scope root folder listing to authenticated user — Non-admin users could previously see all users' root folders. Backend now filters GET /api/folders by JWT identity. (#94)
• Scope recent files and favorites per user — Recent and favourites endpoints were returning data across users. Now strictly scoped to the authenticated user. (#106)
• Enforce folder nesting inside user home — Prevented path-traversal by ensuring all folders are nested under the user's home directory. (#105)
• Enforce storage quota on uploads — Uploads now check and enforce the user's storage quota, with accurate usage tracking. (#104)
• Patch 3 critical vulnerabilities — Fixed IDOR on file access, ownership bypass on folder operations, and XSS in file name rendering.
• Fix audit vulnerabilities — Resolved RUSTSEC-2026-0007 and RUSTSEC-2021-0141.

---

🔑 OIDC / Authentication

• Add SSO login button — Login page queries /api/auth/oidc/providers and shows an SSO button when OIDC is configured. Password form is hidden when password login is disabled. (#88, #89)
• Complete OIDC login flow — Frontend properly exchanges the authorization code for JWT tokens after the IdP redirect. (#90)
• Fix async checkAuthentication — Was a regular function using await, causing a parse error that broke the entire app. (#90)
• Fetch OIDC discovery before building authorization URL — get_authorize_url() now async, fetching the real authorization_endpoint from the discovery document. (#91)
• Hide password change form for OIDC-only setups — Profile page queries OIDC config and hides the change-password section. (#96)
• ES256 JWKS support — Added support for ES256 (ECDSA P-256) JSON Web Keys in OIDC token validation. (#115, thanks @gbw!)

---

📁 Storage & Uploads

• Increase upload body limit to 10 GB — Axum's default 2 MB limit was silently truncating uploads. Added DefaultBodyLimit::max(10 GB) globally. (#95)
• File upload progress toast — New floating progress indicator with per-file byte-level tracking via XHR. (#93)
• Notification bell with upload progress — Upload progress integrated into the notification bell UI. (#93)
• Cap default storage quota to available disk space — Was hardcoded to 100 GB regardless of actual capacity. Now uses fs2::available_space(). (#92)

---

🎨 UI / UX

• Multi-select for batch operations — Select multiple files/folders with checkboxes for batch delete, move, download, and favorites. (#100)
• Batch favorites endpoint — Single POST /api/favorites/batch with multi-row INSERT replaces N+1 sequential requests. 40 HTTP calls → 1.
• Server-authoritative favorites & recent — Display fields (icon, category, formatted size) computed server-side; frontend deduplication of formatFileSize, isTextViewable, formatDateTime.
• Hide system directories — .blobs, .trash, .dedup_temp and dot-prefixed folders no longer visible. (#87)
• Make logo a clickable home link — Top-left logo and wordmark are <a href="/"> on all pages. (#97)
• Close About modal with ESC — Standard keyboard shortcut now works. (#98)
• Clean URLs — /profile, /admin, /shared served via dedicated routes, no .html extensions. (#99)
• Fix file name truncation — Proper truncation with ellipsis in both list and grid views. (#110)
• Fix size column alignment — Consistent alignment in list view. (#101)
• Dark mode toggle & search auth — Fixed dark mode persistence and search sending proper auth headers. (#102)
• Share URL respects scheme — Share links honour OXICLOUD_SERVER_HOST scheme (http/https). (#103)
• Trash/recent/favorites rendering — Fixed list view rendering bugs for trash, recent, and favorites panels. (#107)
• Select filename without extension — Rename input now selects only the filename part.

---

🔧 Other

• Fix cargo run — Added default-run = "oxicloud" to Cargo.toml. (#80)
• Migrate to Rust Edition 2024 — Updated edition in Cargo.toml.
• Standardize folder naming — Unified home folder convention to English (My Folder - {username}).
• Admin can create users manually — Admin panel now supports manual user creation and can disable public registration. (#85)
• Code quality — Applied cargo fmt, resolved 162 clippy warnings, removed dead code and orphan files.
• Italian localization — Added it.json with all translation keys. (Thanks @albanobattistella!)

---

🙏 Community

Huge thanks to the incredible contributors and bug reporters who made this release possible:

• @frenzeldk — Filed 10+ detailed issues (#87, #88, #89, #93, #94, #95, #96, #97, #98, #99, #107, #110) with clear reproduction steps, screenshots, and environment details. Absolute hero. 🏆
• @mihha — Reported the compilation fix (#80) and OIDC flow issues (#90, #91, #92).
• @gbw — Contributed ES256 JWKS support for OIDC. (#115)
• @albanobattistella — Contributed Italian localization. (#86)

You are the best. Every contribution makes OxiCloud better for everyone. Keep them coming! 💪

---

What's Changed

• Create Italian localization file it.json by @albanobattistella in #86
• Add ES256 JWKS support for OIDC by @gbw in #115

New Contributors

• @albanobattistella made their first contribution in #86
• @gbw made their first contribution in #115

Full Changelog: v0.3.4...v0.4.0