Highlights
- Added pluggable authentication providers and LDAP login support, including just-in-time LDAP user provisioning and synced group membership.
- Added per-group root paths. A user's own root path still takes precedence; otherwise the least restrictive configured group root is used.
- Added visible entry action menus in the web UI, replacing hidden right-click/long-press-only actions.
- Embedded the built web UI and i18n assets into release binaries for simpler single-binary deployment.
- Added WebP thumbnail support and better shell thumbnail generation, including multiline commands and cached generation failures.
Breaking Changes
- Removed the
web-dir,lang-dir, anddefault-langconfiguration options. Release builds now serve embedded web and language assets, and the default language is fixed toen-US. - Changed the default
data-dirfrom./to./data, so fresh deployments and Docker containers use a dedicated data directory by default. - Release builds now require the web assets to be built before compiling the backend; non-release development builds keep the web UI embed gated behind the release build tag.
New Features
- Added LDAP as an authentication provider and reworked the auth API around provider start/callback flows for future OAuth/passkey-style methods.
- Added a
sourcefield for users so locally managed and externally managed accounts can be handled differently. - Added group root path editing in the admin UI, with special handling for the unrestricted admin group and externally synced users.
- Auto-create local drive subfolders under
<data-dir>/localwhenfree-fsis disabled. - Bundled
ffmpegandlibvipsin the Docker image for thumbnail generation. - Added WebP image decoding to the built-in thumbnail handler.
Bug Fixes and Hardening
- Fixed multiple script-drive reader lifecycle bugs so downloads and thumbnails no longer receive streams that were closed when a VM returned to the pool.
- Propagated request contexts into script VM calls and isolated pooled VM shared state to avoid stale interrupts and cross-runtime values.
- Fixed SFTP, FTP, S3, WebDAV, chunk upload, chroot, and key-lock edge cases, including S3 pagination and incorrect final-chunk sizing.
- Hardened chroot path handling so paths are cleaned and matched on real path boundaries.
- Persisted sessions in the database and hardened session expiry and revocation.
- Returned HTTP 403 for WebDAV filesystem permission errors.
- Fixed Docker builds with modern musl/Alpine and go-sqlite3.
- Updated WebDAV prefix tests for the Go 1.26
net/httptrailing-slash redirect behavior.
Improvements
- Replaced several unmaintained backend dependencies and moved the Go toolchain to the 1.26 series.
- Replaced task execution with Pond to protect task state, preserve cancellation behavior, and turn panics into failed task results.
- Replaced the generic JavaScript VM object pool with a typed bounded pool with explicit lifecycle handling.
- Replaced the reflection-based event bus with typed publish/subscribe APIs.
- Improved dialog, button, dropdown, and entry-list usability in the web UI.
Full Changelog: v0.12.1...v0.13.0