rcourtman
a6f6f66078
Improve auto-register auth errors and setup token grace window (#1319)
The /api/auto-register endpoint returned a generic "Invalid or expired
setup code" for all auth failures, making cluster registration issues
impossible to diagnose. Now returns specific errors for expired tokens,
wrong scope, invalid API tokens, etc.
Also extend the setup token grace window to /api/auto-register so
multiple cluster nodes can register with the same token within the
1-minute grace period after first use.
2026-03-07 13:39:26 +00:00
rcourtman
499ab812e3
Fix post-release regressions and lock v5 to single-tenant runtime
2026-03-05 23:46:35 +00:00
rcourtman
d43dfbc490
feat(ui): add host removal action to hosts table
Add an actions menu to the hosts overview with a "Remove host from
Pulse" button. Includes permission checks (requires settings:write
scope), confirmation handling, and a security regression test for
the delete endpoint scope enforcement.
2026-03-01 23:28:33 +00:00
rcourtman
0f961054c6
fix: allow agent tokens to auto-register Proxmox nodes
The security hardening in beae4c86 added a settings:write scope
requirement to /api/auto-register, but agent install tokens only have
host-agent:report scope. This broke Proxmox auto-registration for all
agent-generated tokens. Accept either settings:write or host-agent:report
scope for auto-registration.
Fixes #1191
2026-02-04 22:55:25 +00:00
rcourtman
7e55c4dc52
Expand proxy non-admin coverage for permissioned routes
2026-02-04 18:12:30 +00:00
rcourtman
422271d103
Require proxy admin for permissioned endpoints
2026-02-04 18:11:12 +00:00
rcourtman
4741307c4c
Require proxy admin for quick security setup
2026-02-04 18:08:40 +00:00
rcourtman
25285e64bc
Require proxy admin for AI test endpoints
2026-02-04 16:30:22 +00:00
rcourtman
5a494b10a5
Cover proxy auth for AI settings updates
2026-02-04 16:27:48 +00:00
rcourtman
34f35f0322
Protect discovery notes secrets for proxy users
2026-02-04 16:25:16 +00:00
rcourtman
12038e4e9a
Guard discovery settings against proxy non-admin
2026-02-04 16:23:08 +00:00
rcourtman
a2f01f14af
Require proxy admin for token regeneration
2026-02-04 16:19:57 +00:00
rcourtman
0867490ae0
Block proxy non-admin password changes
2026-02-04 16:17:00 +00:00
rcourtman
27d8cc92dc
Cover proxy auth on config export/import
2026-02-04 16:13:15 +00:00
rcourtman
ce9ee2481a
Enforce proxy user RBAC via RequirePermission
2026-02-04 16:11:41 +00:00
rcourtman
f7bc69fac2
Add AI reapprove scope and license tests
2026-02-04 16:04:46 +00:00
rcourtman
c724bb04cf
Extend proxy admin denial coverage
2026-02-04 16:00:43 +00:00
rcourtman
5f2990deec
Require proxy admin for SSH config endpoints
2026-02-04 15:57:59 +00:00
rcourtman
145e5c46bb
Require admin for host config patch and delete
2026-02-04 15:56:07 +00:00
rcourtman
5ede1f6a97
Harden apply-restart auth for proxy/OIDC
2026-02-04 15:48:06 +00:00
rcourtman
0f2122ea85
Cover proxy admin gating for config management
2026-02-04 15:45:31 +00:00
rcourtman
093235b0a9
Extend proxy admin gating to agent manage endpoints
2026-02-04 15:44:24 +00:00
rcourtman
df799c66d5
Expand proxy admin gating for host and profiles
2026-02-04 15:42:54 +00:00
rcourtman
e9860eb4c6
Block proxy non-admin for security restart and OIDC
2026-02-04 15:41:50 +00:00
rcourtman
248f4c69a5
Ensure proxy non-admins blocked for AI admin endpoints
2026-02-04 15:40:14 +00:00
rcourtman
773ba13ada
Require ai:execute for approvals approve/deny
2026-02-04 15:39:04 +00:00
rcourtman
23cc5af69f
Require proxy admin for test-notification
2026-02-04 15:34:30 +00:00
rcourtman
e3179e49ac
Cover RBAC mutation license gating
2026-02-04 15:22:38 +00:00
rcourtman
4e3811e69e
Cover RBAC mutations in permission denial tests
2026-02-04 15:21:02 +00:00
rcourtman
af1a14f3a7
Cover checksum token auth
2026-02-04 13:28:54 +00:00
rcourtman
bbfc5a9fc4
Fix OIDC login bypass test to expect 302
redirectOIDCError uses http.StatusFound (302) but the test expected
307. The test was stale after the error redirect was introduced.
2026-02-04 13:27:10 +00:00
rcourtman
0d564bfd8f
Clarify download checksum auth
2026-02-04 13:23:55 +00:00
rcourtman
41c10e60d7
Add auth bypass inventory coverage
2026-02-04 13:16:29 +00:00
rcourtman
8951b6f7f9
Require monitoring scope for socket.io
2026-02-04 12:41:12 +00:00
rcourtman
216ccf0be5
Require auth for socket.io js
2026-02-04 12:39:19 +00:00
rcourtman
63a846cf3b
Allow bearer tokens for websocket auth
2026-02-04 12:37:46 +00:00
rcourtman
18ed23504d
Harden encoded path traversal coverage
2026-02-04 12:36:44 +00:00
rcourtman
36f1504355
Cover bearer token auth for stats
2026-02-04 12:34:47 +00:00
rcourtman
e23a2a793b
Cover socket.io query token auth
2026-02-04 12:32:30 +00:00
rcourtman
7fc9a98c47
Cover websocket query token auth
2026-02-04 12:25:25 +00:00
rcourtman
df08e45993
Require passphrase for config export/import
2026-02-04 12:19:53 +00:00
rcourtman
fb06ae00c1
Harden config export/import validation
2026-02-04 12:18:40 +00:00
rcourtman
0c1ff9da7f
Reject invalid pulse_url in setup script
2026-02-04 12:16:20 +00:00
rcourtman
4298d87485
Allow setup token via query param for SSH endpoints
2026-02-04 12:15:22 +00:00
rcourtman
3f51dbb7de
Assert security status auth token handling
2026-02-04 12:13:48 +00:00
rcourtman
77f23b35f7
Validate setup script input sanitization
2026-02-04 12:12:13 +00:00
rcourtman
f8c4a28600
Guard SSH key generation in containers
2026-02-04 12:10:10 +00:00
rcourtman
8313d66e64
Ensure public endpoints stay public in API mode
2026-02-04 12:06:50 +00:00
rcourtman
1fddbec07f
Ensure public download endpoints bypass auth
2026-02-04 12:05:32 +00:00
rcourtman
a49fa8514a
Cover OIDC callback public access
2026-02-04 12:03:56 +00:00