github AtalayaLabs/OxiCloud v0.5.1
v0.5.1 — Security Hardening, Photos, Nextcloud Compatibility & Performance
on GitHub

latest releases: v0.5.6, v0.5.5, v0.5.4...
one month ago

v0.5.1 — Security Hardening, Photos, Nextcloud Compatibility & Performance

We are thrilled to announce OxiCloud v0.5.1! This release packs an incredible amount of work — 70+ commits spanning security hardening, a brand-new Photos feature, full Nextcloud-compatible API, major performance optimizations, and countless bug fixes. This would not have been possible without the amazing contributions from our community. Thank you so much!

🔒 Security

  • Critical IDOR & auth vulnerability patches — comprehensive security audit fixes (VULN-01 through VULN-16)
  • IP rate limiting + account lockout on authentication endpoints
  • HttpOnly cookies + CSP headers + CSRF double-submit protection
  • Strict CSP compliance — removed all inline styles, scripts, and event handlers
  • Admin escalation prevention and path traversal hardening
  • MIME type detection via magic bytes instead of trusting client headers

📸 New Features

  • Photos timeline view with lightbox and infinite scroll
  • EXIF metadata extraction and storage for photos
  • Day / Month / Year grouping in photo views
  • Nextcloud-compatible API layer — full compatibility for Nextcloud clients
  • Nextcloud Android app connectivity and uploads support
  • App Passwords UI on the profile page with active/revoked status display
  • OAuth 2.0 Device Authorization Grant (RFC 8628) for WebDAV/CalDAV/CardDAV
  • Auto-persist JWT secret — removed setup token requirement

⚡ Performance

  • BLAKE3 replaces SHA-256 across WebDAV/WOPI with multithreaded hashing for files >10 MB
  • mimalloc global allocator for faster memory allocation
  • HTTP/2 enabled with socket2 TCP_NODELAY + socket tuning
  • Zero-alloc iCal generation with write!() for CalDAV
  • Single UNION ALL query for WebDAV path resolution
  • GIN trigram indexes for ILIKE substring search
  • moka cache for Basic Auth verification and JWT validation
  • cargo-chef multi-stage Docker build for faster CI
  • Arc for repetitive DTO fields — eliminates clone allocations
  • Concrete types replace dyn trait objects — eliminates vtable overhead
  • Batch concurrency, pagination, sorting, transcoding, and folder ops optimized
  • Removed dead redirect middleware that ran on every request doing nothing

🐛 Bug Fixes

  • Fixed CalDAV PROPFIND returning empty property values
  • Fixed WebDAV path translation for all operations and MKCOL recursive creation
  • Fixed cross-device rename and MKCOL on existing folders
  • Fixed thumbnail blob path resolution and display in file grid/list
  • Fixed WOPI intercepting all file opens
  • Fixed auth middleware for /me, /change-password, /logout and admin endpoints
  • Fixed URL-decode DAV paths with spaces
  • Fixed pagination usize underflow when total_pages is zero
  • Fixed SQL type mismatch and pagination panic in photos
  • Fixed profile page auth-error and main-content div visibility
  • Fixed logout fetch to prevent token refresh race condition
  • Fixed invisible modals and missing button icons in admin panel
  • Fixed list view column spacing and rubber-band selection
  • Eliminated 420+ compiler warnings
  • Resolved all clippy warnings for --all-features CI build

🧹 Maintenance

  • Replaced anyhow with thiserror in db.rs and auth_factory.rs
  • Replaced md5 crate with RustCrypto md-5
  • Replaced WebDAV LOCK stub with moka-backed lock store (auto-expire TTL)
  • Removed redundant hyper dependency and migrations directory
  • Applied rustfmt formatting across the codebase

🙏 Huge Thanks to Our Contributors!

This release would not have been possible without the incredible dedication, skill, and passion of every single contributor. We are deeply grateful for your time, expertise, and commitment to making OxiCloud better. Thank you from the bottom of our hearts!

  • @jaredwolff (Jared Wolff) — Outstanding contributions across the board! Built the entire Photos feature (timeline, lightbox, EXIF extraction, grouping), the App Passwords UI, Nextcloud Android connectivity, strict CSP compliance, thumbnail fixes, auth middleware fixes, WebDAV path translation, and so much more. Your work has been absolutely phenomenal. Thank you immensely, Jared!

  • @zjean (zjean) — Fantastic work delivering the full Nextcloud-compatible API layer, fixing schema initialization, duplicate routes, image preview bugs, MIME detection via magic bytes, and tirelessly resolving clippy warnings and formatting across the entire codebase. Your attention to detail and quality is remarkable. Thank you so much, zjean!

Every single contribution — whether a massive feature, a small fix, or a formatting pass — has made OxiCloud stronger, faster, and more secure. We are incredibly lucky to have such a talented and dedicated community. Thank you all! 🎉

Full Changelog: v0.5.0...v0.5.1

Check out latest releases or
releases around AtalayaLabs/OxiCloud v0.5.1

Don't miss a new OxiCloud release

NewReleases is sending notifications on new releases.

Get notifications