github AtalayaLabs/OxiCloud v0.4.0


🚀 OxiCloud v0.4.0

The biggest release yet — a complete storage architecture overhaul, 10× upload performance, critical security hardening, batch operations, and dozens of UI/UX polish fixes driven by community feedback. This version covers 53 commits addressing 19+ issues across security, performance, storage, OIDC, uploads, and quality-of-life improvements.


🏗️ Architecture — 100% Blob Storage Model

Complete storage rewrite — OxiCloud now uses a PostgreSQL-backed metadata model with content-addressable blob storage and built-in deduplication. All file & folder metadata lives in the database; binary content is stored once via SHA-256 hashing. This is a foundational change that unlocks future clustering and replication. (#113)


⚡ Performance

Uploads 10×, downloads 2×, concurrency 2× — Phase 4+5 optimizations include moka in-memory cache, 512 KB I/O buffers, removed unnecessary sync_all calls, hash-on-write pipeline, and preloaded queries. 500 MB upload went from 12.6 s → 1.3 s (392 MB/s). Memory usage: 69–113 MB RSS, 0 swap. New bench.sh v3 for reproducible benchmarking.


🔒 Security

  • Scope root folder listing to authenticated user — Non-admin users could previously see all users' root folders. Backend now filters GET /api/folders by JWT identity. (#94)
  • Scope recent files and favorites per user — Recent and favorites endpoints were returning data across users. Now strictly scoped to the authenticated user. (#106)
  • Enforce folder nesting inside user home — Prevented path-traversal by ensuring all folders are nested under the user's home directory. (#105)
  • Enforce storage quota on uploads — Uploads now check and enforce the user's storage quota, with accurate usage tracking. (#104)
  • Patch 3 critical vulnerabilities — Fixed IDOR on file access, ownership bypass on folder operations, and XSS in file name rendering.
  • Fix audit vulnerabilities — Resolved RUSTSEC-2026-0007 and RUSTSEC-2021-0141.
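
An added example (not OxiCloud's own code) of the folder-nesting check described in the list above: a client-supplied folder path is normalized lexically and rejected if it would leave the user's home folder. The function name `resolve_in_home` and the `/data` base path are assumptions; the home folder name follows the `My Folder - {username}` convention from these notes.

```rust
use std::path::{Component, Path, PathBuf};

/// Resolve a client-supplied folder path against the user's home folder.
/// Returns None when the path would escape the home folder.
/// The check is lexical only: it never touches the filesystem, so it does
/// not resolve symlinks.
pub fn resolve_in_home(home: &Path, requested: &str) -> Option<PathBuf> {
    // NUL bytes and backslashes have no place in a folder path; rejecting
    // them avoids separator ambiguity between platforms.
    if requested.contains('\0') || requested.contains('\\') {
        return None;
    }
    let mut parts: Vec<&std::ffi::OsStr> = Vec::new();
    for component in Path::new(requested).components() {
        match component {
            Component::Normal(name) => parts.push(name),
            Component::CurDir => {}
            // ".." may cancel a segment inside home, never home itself.
            Component::ParentDir => {
                parts.pop()?;
            }
            // Absolute paths and Windows prefixes ignore the home base.
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    let mut resolved = home.to_path_buf();
    resolved.extend(parts);
    Some(resolved)
}

fn main() {
    // Constructed sample: home folder named after the page's convention.
    let home = Path::new("/data/My Folder - alice");
    for req in ["docs/2024", "docs/../photos", "../My Folder - bob", "/etc"] {
        println!("{req:?} -> {:?}", resolve_in_home(home, req));
    }
}
```
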

🔑 OIDC / Authentication

  • Add SSO login button — Login page queries /api/auth/oidc/providers and shows an SSO button when OIDC is configured. Password form is hidden when password login is disabled. (#88, #89)
  • Complete OIDC login flow — Frontend properly exchanges the authorization code for JWT tokens after the IdP redirect. (#90)
  • Fix async checkAuthentication — Was a regular function using await, causing a parse error that broke the entire app. (#90)
  • Fetch OIDC discovery before building authorization URL: get_authorize_url() now async, fetching the real authorization_endpoint from the discovery document. (#91)
  • Hide password change form for OIDC-only setups — Profile page queries OIDC config and hides the change-password section. (#96)
  • ES256 JWKS support — Added support for ES256 (ECDSA P-256) JSON Web Keys in OIDC token validation. (#115, thanks @gbw!)

📁 Storage & Uploads

  • Increase upload body limit to 10 GB — Axum's default 2 MB limit was silently truncating uploads. Added DefaultBodyLimit::max(10 GB) globally. (#95)
  • File upload progress toast — New floating progress indicator with per-file byte-level tracking via XHR. (#93)
  • Notification bell with upload progress — Upload progress integrated into the notification bell UI. (#93)
  • Cap default storage quota to available disk space — Was hardcoded to 100 GB regardless of actual capacity. Now uses fs2::available_space(). (#92)

🎨 UI / UX

  • Multi-select for batch operations — Select multiple files/folders with checkboxes for batch delete, move, download, and favorites. (#100)
  • Batch favorites endpoint — Single POST /api/favorites/batch with multi-row INSERT replaces N+1 sequential requests. 40 HTTP calls → 1.
  • Server-authoritative favorites & recent — Display fields (icon, category, formatted size) computed server-side; frontend deduplication of formatFileSize, isTextViewable, formatDateTime.
  • Hide system directories: .blobs, .trash, .dedup_temp and dot-prefixed folders no longer visible. (#87)
  • Make logo a clickable home link — Top-left logo and wordmark are <a href="/"> on all pages. (#97)
  • Close About modal with ESC — Standard keyboard shortcut now works. (#98)
  • Clean URLs: /profile, /admin, /shared served via dedicated routes, no .html extensions. (#99)
  • Fix file name truncation — Proper truncation with ellipsis in both list and grid views. (#110)
  • Fix size column alignment — Consistent alignment in list view. (#101)
  • Dark mode toggle & search auth — Fixed dark mode persistence and search sending proper auth headers. (#102)
  • Share URL respects scheme — Share links honour OXICLOUD_SERVER_HOST scheme (http/https). (#103)
  • Trash/recent/favorites rendering — Fixed list view rendering bugs for trash, recent, and favorites panels. (#107)
  • Select filename without extension — Rename input now selects only the filename part.

🔧 Other

  • Fix cargo run — Added default-run = "oxicloud" to Cargo.toml. (#80)
  • Migrate to Rust Edition 2024 — Updated edition in Cargo.toml.
  • Standardize folder naming — Unified home folder convention to English (My Folder - {username}).
  • Admin can create users manually — Admin panel now supports manual user creation and can disable public registration. (#85)
  • Code quality — Applied cargo fmt, resolved 162 clippy warnings, removed dead code and orphan files.
  • Italian localization — Added it.json with all translation keys. (Thanks @albanobattistella!)

🙏 Community

Huge thanks to the incredible contributors and bug reporters who made this release possible:

You are the best. Every contribution makes OxiCloud better for everyone. Keep them coming! 💪


Full Changelog: v0.3.4...v0.4.0