github AtalayaLabs/OxiCloud v0.7.0
OxiCloud v0.7.0 — "Slipstream"

6 hours ago

Three weeks. 237 commits. One obsession: make OxiCloud not just complete, but fast — fast like it's not even there.

If 0.6.0 "Open Skies" was the release where OxiCloud became a real personal cloud — files, calendar, contacts, office, photos — then 0.7.0 "Slipstream" is the release where it learned to move. Uploads that only send the bytes that changed. Search that reads inside your documents. A storage path rewritten to stop copying, stop blocking, stop re-computing. Invites that reach people who don't even have an account yet.

This is the engine-room release. Less new furniture, more raw horsepower — and a few headline features that genuinely change how you use it.

Self-hosted. No vendor. No telemetry. Just your data, now moving at the speed it always should have.


✨ Headline features

⚡ Delta sync — upload only what changed

The marquee feature of this cycle. OxiCloud now does content-defined chunking (FastCDC) right in the browser, compiled to WebAssembly and pipelined across web workers:

  • Instant upload — if the server already has your content (by hash), the upload completes with zero bytes on the wire. Re-upload a 2 GB file you already have? Instant.
  • Delta upload — the client and server negotiate chunks by hash and transfer only the parts that actually changed. Edit one page of a huge document and you send a few kilobytes, not the whole file.
  • Delta download — a file manifest + user-scoped chunk fetch lets sync clients pull only the chunks they're missing.
  • Uploads stream directly into the CDC chunk store — no temp spool, a single write, one durability barrier per file instead of an fsync per chunk.

Combined with the existing BLAKE3 dedup, OxiCloud now stores and transfers the absolute minimum.
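The negotiation described above, as an added sketch that is not OxiCloud's own code: the client sends a manifest of chunk hashes, the server names the ones it lacks, and only those bytes travel. `Server`, `digest` and `upload` are hypothetical names; chunks are pre-split instead of FastCDC-chunked, a std-only hash stands in for BLAKE3, and the way the chunk fetch is scoped to a user is an assumption.

```rust
use std::collections::{hash_map::DefaultHasher, HashMap, HashSet};
use std::hash::Hasher;

// Stand-in digest (std only, not cryptographic); the release notes name BLAKE3.
fn digest(data: &[u8]) -> String {
    let mut h = DefaultHasher::new();
    h.write(data);
    format!("{:016x}", h.finish())
}

#[derive(Default)]
struct Server {
    chunks: HashMap<String, Vec<u8>>,      // hash -> bytes, shared by all users
    manifests: Vec<(String, Vec<String>)>, // (user, ordered chunk hashes of one file)
}

impl Server {
    // Negotiation: the distinct hashes in the manifest that the server lacks.
    fn missing(&self, manifest: &[String]) -> Vec<String> {
        let mut seen = HashSet::new();
        let lacks = manifest.iter().filter(|h| !self.chunks.contains_key(*h) && seen.insert(*h));
        lacks.cloned().collect()
    }
    // Commit: chunk keys are re-derived server-side; unknown hashes are refused.
    fn commit(&mut self, user: &str, manifest: Vec<String>, sent: Vec<Vec<u8>>)
        -> Result<usize, &'static str> {
        let wire: usize = sent.iter().map(Vec::len).sum();
        for bytes in sent { self.chunks.insert(digest(&bytes), bytes); }
        if manifest.iter().any(|h| !self.chunks.contains_key(h)) {
            return Err("manifest references unknown chunk");
        }
        self.manifests.push((user.to_string(), manifest));
        Ok(wire) // bytes that crossed the wire for this upload
    }
    // Delta download: serve a chunk only if one of the caller's manifests lists it.
    fn fetch(&self, user: &str, hash: &str) -> Option<&[u8]> {
        let listed = self.manifests.iter().any(|(u, m)| u == user && m.iter().any(|h| h == hash));
        if listed { self.chunks.get(hash).map(Vec::as_slice) } else { None }
    }
}

// Client side: negotiate, then send each requested chunk exactly once.
fn upload(server: &mut Server, user: &str, chunks: &[&[u8]]) -> Result<usize, &'static str> {
    let manifest: Vec<String> = chunks.iter().map(|c| digest(c)).collect();
    let mut want: HashSet<String> = server.missing(&manifest).into_iter().collect();
    let sent = chunks.iter().filter(|c| want.remove(&digest(c))).map(|c| c.to_vec()).collect();
    server.commit(user, manifest, sent)
}
```

`upload` returns the number of bytes sent, so an unchanged file reports 0 and a one-chunk edit reports only that chunk's length.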

🔎 Search inside your files

Full-text search is no longer just filenames. OxiCloud now ships an embedded Tantivy content-search index — the actual text inside your documents is indexed and searchable, with relevance ranking, no external service required.

👥 External users & passwordless magic-link login

Sharing now reaches beyond your user list:

  • Invite anyone by email — grant access to people who don't have an account. They're created as lightweight external users (no storage of their own) and log in via a magic link.
  • Passwordless accounts — sign in with an emailed magic link, hardened with a low-TTL cookie challenge and rate limiting.
  • Login by email or username, usernameless and passwordless accounts, email verification flags, and full anti-enumeration (you can't tell whether an account exists).
  • SMTP support with templated, theme-matched emails and the /magic landing page, plus an admin-only SMTP test tool.

🧑‍🤝‍🧑 Groups & ReBAC grants

Permissions grew up. A first-class Groups implementation lets you grant files and folders to all users or to a defined group, built on the relationship-based access control (ReBAC) model. Legacy shares were merged into the unified grant system, with a normalized My Shares view, grant-expiration handling, and coalesced grant notifications.

📸 Photos that know when they were taken

A new photo/video capture-date pipeline extracts real capture dates from media metadata, paired with a premium UI/UX overhaul of the photos experience.

🌍 A frontend that flows

  • Infinite scrolling everywhere — no more "load more" buttons; every section streams as you scroll.
  • Normalized light / dark / follow-OS theming.
  • Server-side i18n with templating, tooltips on users and groups, user vignettes with given/family-name preferences, and a pile of new translations.
  • Native media streaming, requestAnimationFrame rubber-band scrolling, Map-based selection, delegated event handlers, and batched rendering across lists and search.

🏎️ Performance — the real story

This release landed dozens of measured backend and frontend optimizations. The greatest hits:

  • Storage write path rewritten to consume self and stop cloning; O(1) incremental quota updates instead of a full SUM on every upload; three per-upload DB round-trips collapsed into a single CTE.
  • GET /api/auth/me no longer recomputes storage usage on every call.
  • WebDAV / NextCloud large uploads stream straight to disk — no more OOM on huge files; direct-PUT size caps for safety.
  • CalDAV / CardDAV multiget stops loading entire collections into memory; indexed UID lookups for single-object ops.
  • PROPFIND streams in batches with Range + 304 support, and batched oc:fileid resolution kills the NextCloud N+1.
  • Smart compression — one layer that stops wastefully compressing already-compressed media on /api and downloads.
  • Thumbnails / transcode — decode permits before reading blobs, stop re-transcoding JPEGs, cache negative verdicts.
  • DB — statement-level tree-ETag triggers, batched trash purge, dropped two unused indexes, released the blob-cache index mutex before disk I/O.
  • Docker — dropped libpq runtime + postgresql-dev build deps, trimmed the build context, and skip recursive chown when the volume is already owned.

The result: less memory, fewer round-trips, lower latency under load — across uploads, downloads, listings, search, and sync.


🔒 Reliability & security

  • Per-IP + per-account login lockout — scoped the lockout key to (account, IP) to stop a login flood from locking everyone out (#326).
  • External users are sandboxed — they can only query themselves and their granters; unnecessary routes are blocked.
  • Magic links & /magic are no-cache, no-referrer, noindex, and rate-limited.
  • Always-on audit logging for every denied or rejected resource access.
  • Dedup ref-counting fix — count chunk ref_count per distinct chunk, not per occurrence.
  • NFC filename normalization fixes duplicate-name bugs; centralized, mtime-aware ETags that cascade correctly up the folder tree.
  • Orphan-share cleanup, refresh-token hardening carried forward, and a sweep of aborted-upload orphans from the periodic trash job.
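A lockout table keyed the way the first item describes, as an added sketch that is not the code from #326: the key is (account, source IP), so failures from one address leave the same account usable from another. `Lockouts`, `MAX_FAILURES`, `LOCKOUT` and the lowercase normalization of the account name are assumptions, and the addresses are constructed.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::{Duration, Instant};

const MAX_FAILURES: u32 = 5; // assumed threshold
const LOCKOUT: Duration = Duration::from_secs(900); // assumed lock duration

#[derive(Default)]
struct Lockouts {
    // (account, source IP) -> (consecutive failures, locked until)
    state: HashMap<(String, IpAddr), (u32, Option<Instant>)>,
}

impl Lockouts {
    fn is_locked(&self, account: &str, ip: IpAddr, now: Instant) -> bool {
        // Account names are lowercased so case variants share one counter (assumption).
        match self.state.get(&(account.to_lowercase(), ip)) {
            Some((_, Some(until))) => now < *until,
            _ => false,
        }
    }
    fn record_failure(&mut self, account: &str, ip: IpAddr, now: Instant) {
        let e = self.state.entry((account.to_lowercase(), ip)).or_insert((0, None));
        if matches!(e.1, Some(until) if now >= until) { *e = (0, None); } // lock expired
        e.0 += 1;
        if e.0 >= MAX_FAILURES { e.1 = Some(now + LOCKOUT); }
    }
    fn record_success(&mut self, account: &str, ip: IpAddr) {
        self.state.remove(&(account.to_lowercase(), ip));
    }
}

fn main() {
    let (t0, mut l) = (Instant::now(), Lockouts::default());
    let flood: IpAddr = "203.0.113.7".parse().unwrap(); // constructed addresses
    let owner: IpAddr = "198.51.100.4".parse().unwrap();
    for _ in 0..MAX_FAILURES { l.record_failure("alice", flood, t0); }
    println!("flood source locked: {}", l.is_locked("alice", flood, t0));
    println!("owner locked: {}", l.is_locked("alice", owner, t0));
}
```

This key does not bound the total number of failures per account across addresses, so it complements rate limiting and does not replace it.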

⚙️ Upgrade notes

  • Requires Rust 1.93+ (edition 2024) and PostgreSQL 13+ with pg_trgm and ltree.
  • Database migrations apply automatically on startup.
  • Legacy blobs are re-chunked into CDC manifests at startup so existing data gets delta-sync and dedup benefits — first boot after upgrade may do extra one-time work.
  • New env knobs for operators: OXICLOUD_DIRECT_PUT_MAX_BYTES, OXICLOUD_CHUNK_DIR, OXICLOUD_SMTP_*, OXICLOUD_EXTERNAL_EMAIL_DOMAINS. See the storage fine-tuning and external-user docs.
  • The container can now run fully rootless (#393).

💛 Thank you — this one was built by the community

0.7.0 is, once again, a community triumph.

🏆 Edouard Vanbelle (@EdouardVanbelle) — still, simply, a crack 👑

131 commits this cycle. One hundred and thirty-one. Edouard didn't just contribute to "Slipstream" — in many ways he is "Slipstream." External users and the entire magic-link / passwordless / email pipeline. Groups and the ReBAC grant unification. Server-side i18n and email templating. The light/dark/like-OS theming. Streaming chunked uploads. Endless UX polish, test coverage, and the kind of relentless, caring craft that makes a project feel loved. Edouard — there aren't enough words. Thank you. 🙏

🙌 And huge thanks to:

  • @SAY-5 — for the per-IP/per-account login-lockout hardening (#326).
  • @Cilenco — for making the container run rootless (#393).
  • @jonathansmith9485 — for the Helm chart fix (#409).
  • @leofishman — for the admin-setup link fix after initialization (#432).
  • Christian Dielitz and everyone who filed an issue, tested a build, or translated a string.

To every self-hoster, every star-gazer, every person running OxiCloud on a Raspberry Pi in a closet: this one moves a little faster, for you. ❤️


What's Changed

New Contributors

Full Changelog: v0.6.0...v0.7.0


Built with 🦀 and stubborn love for open source.
