Releases: Sync-in/server
Release list
v2.4.2
v2.4.1
Security
- backend:auth: centralize local password timing mitigation GHSA-29hq-23m2-2j47 (b80efe0)
Thanks to @456789TZ for reporting this. The mitigation against username enumeration via timing attacks has been completed.
Bug Fixes
- auth: require step-up for app password mutations (db19b3e)
- backend:auth: invalidate WebDAV cache on app password deletion (6dae284)
- backend:sync: await usersManager.updateAccesses in 2FA recovery code validation (8f55344)
- docker: add editors section in
environment.yaml(1de3e09) - docker: add Euro-Office config to nginx volumes (a864684)
- frontend:files: add support for dynamic editor naming in OnlyOffice components and error handling (98031da)
v2.4.0
⭐ Highlights
- Euro-Office is now available as an online document editor alongside OnlyOffice and Collabora
- Cancellable file tasks: uploads, downloads, archive creation, extraction, copies, moves and deletions can now be canceled from the task panel
- Task queue management: file operations are now queued and limited per user to avoid too many heavy tasks running in parallel
- Detailed task progress: long-running operations can now show clearer progress instead of only a running state
- ZIP archive creation: Sync-in can now create ZIP archives, in addition to TAR and TGZ
- OIDC verified email control: administrators can require verified OIDC email addresses before account linking or profile synchronization
- Grouped editor configuration: editor settings are now centralized under
applications.files.editors, with legacy OnlyOffice and Collabora settings deprecated
🐞 Bug Fixes
- More reliable URL downloads: compressed server responses are now handled correctly, preventing size errors and incomplete downloads
- CJK full-text search support: search now supports Chinese, Japanese, Korean and other languages without space-separated words
- Text and Markdown editor fixes: editors now preserve focus more reliably, detect changes correctly and refresh file size after saving
- Improved filtered selection: multi-selection remains more consistent when file lists are filtered
- More reliable server startup: MySQL connection errors are detected earlier, allowing a clean exit and automatic restart
- Safer configuration loading: quoted sensitive values such as secrets, database URLs and initial credentials are now loaded without keeping quote characters
-
Stronger 2FA enforcement for API tokens
Fixed vulnerability GHSA-92cr-jxw4-5wjg.
API token creation now correctly requires the second factor when 2FA is enabled. -
Better protection against repeated TOTP attempts
Fixed vulnerability GHSA-274f-6w77-8qm9.
Failed TOTP attempts during desktop sync client registration are now counted correctly, including repeated or concurrent attempts. -
Safer synchronization filters
Fixed vulnerability GHSA-jx63-h26r-8cph.
Sync filters are now validated and limited before use to prevent malicious overload during synchronization. -
More reliable synchronization uploads
Uploaded files are checked before replacing the destination file, preserving the existing file in case of size, quota or checksum errors. -
Sessions aligned with account state
Browser and WebSocket sessions now better reflect role, permission and active/inactive account changes. -
OIDC and LDAP hardening
New OIDC directives allow verified email enforcement and explicit private IP avatar downloads. Insecure OIDC/LDAP password authentication defaults are now disabled. -
Stricter external login validation
Logins from external identity providers are now limited to valid names, preventing file-path interpretation. -
Safer archive extraction
Archive extraction now blocks unexpected paths more reliably, cleans up interrupted extractions and applies storage quotas during extraction.
Contributors: @Stephan-P, @7185, @rchan96, @o2asdv,
Special thanks to @SakusenSec for responsibly reporting these security issues.
➡️ Read the release announcement
Features
- auth: refresh browser user state with token renewal (cad5f12)
- backend:auth: add OIDC verified email enforcement option (cd71b04)
- backend:cache: add atomic bounded counter increments (c172825)
- backend:files: add cancellable copy, move and delete tasks (e23151e)
- backend:files: add Euro-Office editor support (9fe93bd)
- backend:files: improve task progress tracking for copy and move operations (7939491)
- backend:files: queue and limit concurrent tasks per user (395f841)
- backend:files: track download, compression and extraction progress (caa6a92)
- config: group editor config under files.editors (bd50a29)
- files: add ZIP archive creation with optional compression (7c94d6a)
- files: batch active task polling (e36af62)
- files: expose task cancellation capability (14e5b9e)
- files: make downloads and (de)compression abortable (a43025e)
- frontend:files: add global task cancellation action (8a044bd)
- frontend:files: cancel uploads from tasks sidebar (b01dc90)
- frontend:files: limit concurrent uploads (81a95bc)
- frontend:files: track queued uploads and throttle progress updates (a0ff216)
Bug Fixes
- backend:auth: disable insecure OIDC requests by default (9e59a09)
- backend:auth: disable LDAP local password fallback by default (d57c42d)
- backend:auth: disable OIDC local password fallback by default (315fc75)
- backend:auth: enforce 2FA and isolate JWT token types (3ec74e2)
- backend:auth: harden OIDC avatar synchronization (5024afa)
- backend:auth: increment failed attempts for 2FA-enabled users (b13a4aa)
- backend:auth: prevent 2FA password attempt counter bypass (5f53f7f)
- backend:auth: tolerate OIDC avatar downloads using maxSize guard (597afbf)
- backend:auth: update failed login attempts atomically (285b870)
- backend:auth: validate current user state for active sessions (1022355)
- backend:config: make logger optional and quote sensitive YAML values (5390ba9)
- backend:config: normalize quoted admin credentials (5fea5b4)
- backend:config: support single-quoted environment values (715e761)
- backend:files: align HEAD and GET encoding for downloads (67667f6)
- backend:files: centralize path containment checks (e96c3f1)
- backend:files: clean orphan task files (0d4b306)
- backend:files: clean up task watchers on module shutdown (0ccf212)
- backend:files: enforce storage quota during archive extraction (8fffc17)
- backend:files: extend scheduler cleanup to stale user tmp files (c115ec2)
- backend:files: harden archive extraction and clean up partial output (9615ed0)
- backend:files: improve filtered file selection behavior (3ab86bc)
- backend:files: stage archive extraction in user temp directory (06f1425)
- backend:files: stage downloads and archives in user tmp paths bef...
v2.3.0
⭐ Highlights
- Integrated Markdown editor: visual/source Markdown editing with tables, task lists, images, code blocks, file locking and unsaved-change protection
- Unified editor search: shared search UI for text and Markdown editors, with result count and previous/next navigation
- Configurable document creation: administrators can show or hide OpenDocument and Microsoft Office templates
- Optional trash retention: automatic cleanup can now be configured separately for user spaces and collaborative spaces
- Improved content indexing: more memory-efficient full-text indexing, batched metadata processing and safer cleanup
- OIDC/LDAP synchronization extended: OIDC avatar synchronization and storage quota synchronization through LDAP attributes or OIDC claims
- User visibility controls: users without a group can now be hidden from global visibility with
showUngroupedUsers: false - Text and Markdown editing improvements: better text file detection and increased edit size limit from 10 MB to 25 MB
🐞 Bug Fixes
- Guest link temporary paths: temporary paths for accounts associated with guest links are now created correctly
- File storage consistency: stronger uniqueness checks prevent rare duplicate file storage cases (@zjean)
- More reliable file unlocking: editable file locks are now released more reliably when editors or the browser are closed
- MIME type updates: MIME types are now recalculated after file rename, move or replacement
- Disabled space trash handling: trash for disabled spaces is now shown as disabled and can no longer be browsed
- Improved file selection: range selection works more reliably with filtering enabled
- Safer renaming: renaming now selects only the file name, without the extension
- Web interface polish: sidebar submenu visibility, table row height, dialog spacing and viewer tooltips were refined
-
Trash immutability for spaces
Files in the trash are now treated as read-only items. Modifying files in the trash and creating new files there are now blocked. -
More reliable uploads
Failed uploads are no longer kept in the destination space. File replacements now use temporary files before replacing the destination. -
Better guest link isolation
Accounts created from guest links now have restricted visibility over users and groups, limited to their managers and personal groups. -
Fixed a security vulnerability: CVE-2026-47684
SSRF protection for URL downloads has been strengthened, notably against IPv4-mapped IPv6 bypasses, DNS rebinding, unsafe redirects, proxy bypasses and oversized data streams.
Reported by @x0root
Contributors: @Stephan-P, @7185, @q16marvin, @zjean, @fyr77, @TheLouD1, @markussbk, @Maxmystere, @romainsady
➡️ Read the release announcement
Features
- backend:auth: allow trusted private IPs for OIDC avatar downloads (9c9b682)
- backend:auth: harden OIDC avatar sync and add avatar metadata tracking (22ac4f0)
- backend:auth: map configurable OIDC/LDAP storage quota to user profile (76b4b8c)
- backend:files: enable HTML-to-text conversion for all base elements (6352393)
- backend:files: optimize content indexing memory usage with batched metadata, run_id cleanup, and pending scheduler state (3d819cd)
- backend:files: prevent file mutations in trash repository (738402c)
- backend:files: split trash retention by repository type (1c490ee)
- backend:files: support trusted private IP downloads (44261ea)
- backend:files: trash retention support with indexing and cleanup (c990335)
- backend:users: add avatar synchronization for OIDC users (8790c19)
- backend:users: add showUngroupedUsers toggle for ungrouped account visibility (2fad377)
- backend:users: convert uploaded avatars to PNG during update (47af28b)
- backend:users: hide all users and groups for guest-link accounts (c5e1988)
- files: add a disabled indexing state and update scheduler/admin indexing workflows (f7fc4f1)
- files: add optional document types for frontend (7e8f64f)
- frontend:files: add binary probe for unknown text files (fea9e17)
- frontend:files: implement common file viewer search (ae3866e)
- frontend:files: improve markdown detection and viewer handling (3d2d871)
- frontend:files: refine file actions for trash and selection menus (666d661)
- frontend:files: refresh MIME metadata after move (bb85795)
- frontend:files: select filename without extension when renaming files (163b5c9)
- frontend:files: start implementing markdown viewer editor (f36a2bc)
- frontend:files: WIP markdown viewer editor (c2bf44f)
Bug Fixes
- backend:files: harden multipart upload replacement (c63f83c)
- backend:files: harden remote downloads against SSRF, redirects, proxy bypasses and oversized streams (22e773e)
- backend:files: make space file lookup resilient to stale kind (5f64673)
- backend:links: ensure tmp path is created after authentication for guest links (d782aaa)
- backend:spaces: invalidate spaces cache when space state changes (0c95836)
- backend:users: restrict usersWhitelist so guests only see shared-group or managed users (17fd9ba)
- backend:users: unify avatar rendering to 512px and tune dynamic font scaling (6ecd91d)
- files,comments: prevent duplicate file rows and handle undefined fileId (c04adef)
- frontend:admin: adjust group dialog spacing (c30b72d)
- frontend:admin: allow admins to see all users when selecting members in spaces and child shares (cba4eeb)
- frontend:auth: handle impersonation logout without token refresh retry and force fallback logout on error (ead2508)
- frontend:files: unlock extensionless text files on viewer close (9595153)
- frontend:files: fix range file selection when filtering is enabled (43125d5)
- frontend:files: hide PDF viewer toggle label on mobile (9d1154e)
- frontend:files: initialize file selection after dialog view init (9d0fe08)
- frontend:files: prevent stale save tooltip in viewers (70b3b98)
- frontend:files: release editable viewer lock on destroy (5fdc7b2)
- frontend:files: unlock text editors on page unload ([4f9025e](4f9025e...
v2.2.1
Security
- deps: update Fastify to 5.8.5 to address CVE-2026-33806
Features
- admin: add indexing box to admin tools (8686147)
- backend:files: treat "_" as a term boundary in regex search (bcd3577)
Bug Fixes
v2.2.0
⭐ Highlights
- Full-text search upgrade: PDF OCR indexing and Markdown content indexing
- Admin improvements: spaces can now be created/managed from the administration UI, with direct quota management
- New file event system: automatic storage usage recalculation and full-text reindexing
- Guest management enhancement: managers can now administer guests’ personal groups from profile settings
- LDAP support extended with tlsOptions (including ca, rejectUnauthorized, etc.)
- Better PDF experience: pdf.js is now the default viewer, with edit-mode fallback to OnlyOffice. Thanks @zjean
- Reliability : indexing scheduler concurrency fix, cache/WebDAV/URL fixes.
-
Basic Auth security hardening
The cache key is now based on a hash, eliminating case-related collisions and preventing the storage of decodable identifiers.
Thanks @zalo-alex and @naif-alfardan -
Fixed a security vulnerability: CVE-2026-41161 GHSA-43fj-qp3h-hrh5
A flaw allowed user account enumeration via the login endpoint through response time analysis, particularly in brute-force scenarios.
Reported by @ppfeister, fixed by @7185
➡️ Read the release announcement
Features
- admin: allow managing spaces from the admin section (9822209)
- backend:auth: add tlsOptions support for ldap provider (2042ade)
- backend:files: add indexing support for markdown files (abf59e7)
- backend:files: add pdf ocr indexing (d37c531)
- backend:files: add support for configurable OCR language paths (48443aa)
- backend:files: align emitted FileEvent actions with real file mutations (e0c7175)
- backend:files: emit file event on document modification (e7ed38c)
- backend:files: extend indexing key generation for anchored roots (824bff8)
- backend:files: implement file event manager (c9951d7)
- backend:files: implement incremental indexing triggers for full-text search (468c1c3)
- backend:infrastructure: allow null or undefined args in cache key slug generation (9d661ea)
- backend:users: allow searching groups by description (434bd30)
- frontend:admin: show cumulative storage usage for users and spaces (5af4996)
- frontend: extend group parent model with description and adjust anchor file dialog layout (01bc72b)
- users: allow to manage personal groups from the guest profile dialog (c5d3c70)
Bug Fixes
- backend:auth: derive basic auth cache key from hashed credentials instead of Authorization header (be98def)
- backend:auth: prevent user enumeration via timing attacks (80eebf3)
- backend:files: ensure content indexing scheduling has no parallel executions (0bef5a6)
- backend:files: ensure storage quota is updated in cache (030b87e)
- backend:files: handle locks without scope in checkConflicts (f9bcbde)
- backend:files: handle optional chaining in indexing key generation (2b2c238)
- backend:users: ensure whitelist cache entries with parameters are properly cleared (5e21b8d)
- backend:users: handle guest login rename without space location rename (2627d2d)
- backend:users: sanitize group and app password names for safe route params (d1b21a8)
- backend:webdav: restore access to shares repository via WebDAV (bec04e1)
- files: encode special characters not handled by AuthInterceptor (d9e81f0)
- files: handle document-open error messages for HEAD requests (328d823)
- frontend:users: add button behavior inside groups (d13132a)
- users: ensure guests cannot be elected as group managers (24e0d57)
v2.1.0
⭐ Highlights
- 🎨 Major frontend UI refresh for a cleaner, more modern experience
- 🔐 New OIDC provider toggle:
security.supportPKCEfor PKCE flow control - 🐳 Docker enhancement: new
FORCE_PERMISSIONSenv var to enforce data file permissions (@7185) - 🌍 Internationalization update: Dutch (
nl) locale added (@Stephan-P) - 🕒 Database reliability: MySQL connections now consistently use UTC timezone
- 📂 File handling hardening: better PDF cleanup and safer directory scanning (skips unreadable paths)
- ➕ Additional quality and stability improvements across backend and frontend
➡️ Read the release announcement
Features
- frontend refresh UI (#127)
- backend:auth: add toggle for security.supportPKCE in OIDC provider (d90cbf7)
- docker: add FORCE_PERMISSIONS variable to set permissions on data files (1eb57d6)
- frontend:i18n: add nl (4c3a0cb)
Bug Fixes
- backend:database: ensure MySQL connection uses UTC timezone (e7d2ed9)
- backend:files: avoid buffer copy and ensure PDF document cleanup (f28c71b)
- backend:files: skip unreadable directories when walking for size and entry counts (6b0a6a7)
- frontend:recents: move user avatar tooltip container to body to fix overlap with card (5029911)
v2.0.0
⭐ Highlights
- 🆔 OpenID Connect (OIDC) authentication support
⚠️ Breaking change: authentication configuration renamed and refactored- 🔐 New authentication architecture enabling Desktop & CLI registration via OIDC
- 🏢 Advanced LDAP support (service bind, admin break-glass, DN/CN, auto user & permissions)
- 🔑 Support for OTP recovery codes and application-based client registration
- 🧩 Improved configuration validation and error diagnostics
- ✨ User experience improvements (recent items redesign, file rename behavior)
- 📊 JSON logging output for improved observability
- ➕ And many other improvements and refinements
➡️ Read the release announcement
⚠ BREAKING CHANGES
- auth: rename method to provider in AuthConfig and replace authMethod with authProvider for naming consistency (9d187e0)
- backend:auth:ldap: move adminGroup to options (96d52c9)
Features
- auth:oidc: enhance OIDC configuration (8bcf35d)
- auth:oidc: revise authentication flow logic (abb9979)
- auth:sync: introduce
registerWithAuthto enable desktop client registration from external process (OIDC) (b6525ec) - auth: implement OIDC authentication support and refactor auth providers (28bbf1d)
- auth: refactor authentication services and add desktop client registration support (08c6e0f)
- auth: support desktop app OIDC authentication flow (0d6963f)
- backend:auth:ldap: add service bind support, adminGroup DN/CN handling, optimized search flow, tests, and updated docs (f7b9d0f)
- backend:auth:ldap: add autoCreateUser and autoCreatePermissions (96d52c9)
- backend:auth: add LDAP/OIDC local password fallback and admin break-glass access (23a93b5)
- backend:config: improve error messages for environment config validation (a5df529)
- backend:sync: add support for TOTP recovery codes during client registration (3cb3ea4)
- backend:sync: improve sync path error handling and enforce subdirectory selection (549ada3)
- backend: add
jsonOutputoption to logger (02cbe04) - frontend:spaces: improve server connection error handling and UI feedback (097b230)
- frontend/backend: add
clientauth scope for password-based apps to register servers across desktop apps and CLI (5f131bf) - frontend: allow filename rename validation on blur (da930b8)
- frontend: restyle recents widget (9845502)
- frontend: update widget badge styles and color scheme (10feb97)
Bug Fixes
- backend:webdav: ensure lock paths in headers are decoded correctly (ceb2f38)
- backend:webdav: set correct http status line (a651fc3)
- frontend:routes: remove redundant
canActivateChildguard from app routes (3b5a80a) - frontend:spaces: remove tap directive keyboard handler blocking spaces in edit input and preserve whitespace in displayed file name (e0b328b)
v1.11.0
Security
- backend: upgrade tar to 7.5.4 (GHSA-8qq5-rm4j-mr97) (a42c1079)
Features
- frontend: add delayed auto-collapse functionality for right sidebar (315bad2)