Commit graph

17 commits

Columns (flattened below, one commit per entry): Author, SHA1, Message, Date
rcourtman
b5757c38fd Harden security handlers and apprise execution 2026-03-28 11:03:16 +00:00
rcourtman
3e2824a7ff feat: remove Enterprise badges, simplify Pro upgrade prompts
- Replace barrel import in AuditLogPanel.tsx to fix ad-blocker crash
- Remove all Enterprise/Pro badges from nav and feature headers
- Simplify upgrade CTAs to clean 'Upgrade to Pro' links
- Update docs: PULSE_PRO.md, API.md, README.md, SECURITY.md
- Align terminology: single Pro tier, no separate Enterprise tier

Also includes prior refactoring:
- Move auth package to pkg/auth for enterprise reuse
- Export server functions for testability
- Stabilize CLI tests
2026-01-09 16:51:08 +00:00
rcourtman
bbbeb45973 test: Add CheckCSRF valid token test for 100% coverage
Test the success path where a valid CSRF token is provided with a
matching session. This covers the final branch in CheckCSRF.
2025-12-02 13:51:27 +00:00
rcourtman
f7a0c2b055 test: Add RequireAuth tests for API package
Add comprehensive tests for the RequireAuth middleware covering:
- No auth configured (allows access by design)
- API-only mode (rejects requests without token)
- API-only mode (accepts valid X-API-Token)
- Basic auth with invalid credentials
- Basic auth JSON vs plain text error responses
- Valid basic auth (allowed)
- Proxy auth (allowed)
- Proxy auth with invalid secret (rejected)
- Bearer token with basic auth configured (allowed)
- Invalid Bearer token (rejected)

Coverage: RequireAuth 7.1% → 78.6%
Coverage: CheckAuth 66.9% → 69.1%
Coverage: API package 31.9% → 32.1%
2025-12-02 13:09:48 +00:00
rcourtman
d2f1cc21a7 test: Add RequireAdmin tests for API package
Add comprehensive tests for the RequireAdmin middleware covering:
- No auth configured (allows access by design)
- API-only mode (rejects requests without token)
- Basic auth with invalid credentials
- Proxy auth with admin role (allowed)
- Proxy auth with non-admin role (forbidden)
- Proxy auth with invalid secret (unauthorized)
- Proxy auth without role header (defaults to admin)
- Proxy auth with custom role separator
- Proxy auth with spaces in roles (trimmed)
- Basic auth authenticated users (allowed as admin)
- JSON vs plain text error responses based on path/Accept header

Also improves CheckProxyAuth coverage as a side effect.

Coverage: RequireAdmin 20.8% → 87.5%
Coverage: CheckProxyAuth 0.0% → 89.3%
Coverage: API package 30.9% → 31.9%
2025-12-02 13:06:06 +00:00
rcourtman
c82e3d5bb3 test: Add CheckCSRF tests for API package
Add comprehensive tests for the CheckCSRF function covering:
- Safe methods (GET, HEAD, OPTIONS) bypass
- API token authentication bypass
- Basic auth bypass
- No session cookie handling
- Missing CSRF token rejection with new token issuance
- Invalid CSRF token rejection with new token issuance
- CSRF token from FormValue
- Unsafe methods (POST, PUT, DELETE, PATCH) enforcement

Coverage: CheckCSRF 32.0% → 96.0%
Coverage: API package 30.5% → 30.7%
2025-12-02 12:53:32 +00:00
rcourtman
836303755f test: Add adminBypassEnabled tests
Add 5 tests to cover all branches:
- Not requested (ALLOW_ADMIN_BYPASS != "1")
- Enabled with PULSE_DEV=true
- Enabled with NODE_ENV=development
- Case-insensitive NODE_ENV check
- Declined when outside dev mode

Coverage: 40% → 100%
2025-12-02 01:53:55 +00:00
rcourtman
677d4417aa test: Add loadTrustedProxyCIDRs tests
Cover invalid CIDR, invalid IP, IPv6, and empty entry handling (48% to 100%)
2025-12-02 01:48:41 +00:00
rcourtman
daa11a072c test: Add LogAuditEvent tests
Cover success and failure logging branches (66.7% to 100%)
2025-12-02 01:46:27 +00:00
rcourtman
b9578b0665 test: Add SecurityHeadersWithConfig tests
Cover all CSP/X-Frame-Options embedding configurations (57.1% to 100%)
2025-12-02 01:44:22 +00:00
rcourtman
49f71015c8 Fix backup indicator being reset when VMs/Containers are re-polled
UpdateVMsForInstance and UpdateContainersForInstance were replacing
guest data without preserving the LastBackup field that was populated
by SyncGuestBackupTimes. This caused backup indicators to always show
"no backup found" since the LastBackup would be wiped every time
guests were polled (which happens more frequently than backup polling).

Now both functions preserve LastBackup from existing data when the
incoming guest data has a zero value.

Related to #762
2025-12-02 00:12:31 +00:00
rcourtman
e471001d29 test: Add edge cases for isTrustedProxyIP and GetClientIP
Tests empty string, invalid IP, and IP not matching CIDR for
isTrustedProxyIP. Also adds tests for GetClientIP empty RemoteAddr
and X-Real-IP fallback paths.
2025-12-02 00:09:23 +00:00
rcourtman
b2eb110005 test: Add comprehensive test cases for isPrivateIP function
Expand test coverage from 5 cases to 26 cases:
- Public IPv4/IPv6 addresses
- All RFC1918 private ranges (10.x, 172.16-31.x, 192.168.x)
- Loopback addresses (127.x.x.x, ::1)
- Link-local addresses (169.254.x.x, fe80::)
- Link-local multicast (224.0.0.x, ff02::)
- Unique local IPv6 (fc00::/7, fd00::)
- Edge cases: empty string, invalid IP, invalid format
- Addresses with port numbers

Coverage unchanged at 93.8% (remaining 6.2% is defensive
error handling for hardcoded valid CIDRs).
2025-12-01 22:54:56 +00:00
rcourtman
e57e2e696b test: Improve coverage for security utility functions
- Add fmt.Stringer test cases for isEmptyInterface (80% -> 100%)
- Expand isTrustedNetwork tests with edge cases (80% -> 100%)
  - Empty/invalid IP strings
  - Invalid CIDR handling
  - Whitespace trimming in CIDRs
  - Multiple network matching
2025-12-01 14:33:31 +00:00
rcourtman
2d87746eb0 Add unit tests for security lockout and session management functions
Tests for internal/api/security.go:
- RecordFailedLogin: increments counts, triggers lockout at max attempts
- ClearFailedLogins: clears count and lockout state
- GetLockoutInfo: returns correct attempts/lockout status
- ResetLockout: admin lockout reset functionality
- TrackUserSession: user/session tracking
- GetSessionUsername: session lookup
- clearCSRFCookie: nil safety, cookie attributes
- issueNewCSRFCookie: nil safety, empty session handling
- FailedLogin/AuditEvent struct field validation

30 test cases covering lockout, session tracking, and CSRF functions.
2025-11-30 23:33:51 +00:00
rcourtman
4431c8773e Add unit tests for security.go IP parsing utilities
- extractRemoteIP: 17 test cases for remote address parsing
  (IPv4/IPv6 with/without ports, bracketed notation, edge cases)
- firstValidForwardedIP: 21 test cases for X-Forwarded-For parsing
  (single/multiple IPs, invalid entries, IPv4/IPv6 mixed)
- isPrivateIPExtended: 33 test cases extending existing coverage
  (RFC 1918 boundaries, loopback range, IPv6 private/local, ports)

Total: 71 new test cases for IP address handling utilities.
2025-11-30 15:48:45 +00:00
rcourtman
6eb1a10d9b Refactor: Code cleanup and localStorage consolidation
This commit includes comprehensive codebase cleanup and refactoring:

## Code Cleanup
- Remove dead TypeScript code (types/monitoring.ts - 194 lines duplicate)
- Remove unused Go functions (GetClusterNodes, MigratePassword, GetClusterHealthInfo)
- Clean up commented-out code blocks across multiple files
- Remove unused TypeScript exports (helpTextClass, private tag color helpers)
- Delete obsolete test files and components

## localStorage Consolidation
- Centralize all storage keys into STORAGE_KEYS constant
- Update 5 files to use centralized keys:
  * utils/apiClient.ts (AUTH, LEGACY_TOKEN)
  * components/Dashboard/Dashboard.tsx (GUEST_METADATA)
  * components/Docker/DockerHosts.tsx (DOCKER_METADATA)
  * App.tsx (PLATFORMS_SEEN)
  * stores/updates.ts (UPDATES)
- Benefits: Single source of truth, prevents typos, better maintainability

## Previous Work Committed
- Docker monitoring improvements and disk metrics
- Security enhancements and setup fixes
- API refactoring and cleanup
- Documentation updates
- Build system improvements

## Testing
- All frontend tests pass (29 tests)
- All Go tests pass (15 packages)
- Production build successful
- Zero breaking changes

Total: 186 files changed, 5825 insertions(+), 11602 deletions(-)
2025-11-04 21:50:46 +00:00