Commit graph

310 commits

Author SHA1 Message Date
Pulse Monitor
085fa49cb4 feat: improve export/import functionality and documentation
- Add clear documentation that auth settings are intentionally excluded from exports
- Update API docs to explicitly state what is/isn't included in exports
- Enhance migration guide with security notes about auth exclusion
- Add UI warning in export dialog about auth settings not transferring
- Each Pulse instance should configure its own authentication for security

Related to user feedback about auth settings not transferring between instances
2025-08-14 10:30:21 +00:00
Pulse Monitor
e32fc7742e fix: improve export dialog for users without authentication
- No longer shows 'Use your login password' option when no auth is configured
- Defaults to passphrase-only mode for auth-less instances
- Shows 'Encryption Passphrase' instead of confusing login password references
- Always enforces 12-character minimum for auth-less users
- Clearer messaging throughout for different auth states
2025-08-14 10:17:10 +00:00
Pulse Monitor
a441d66fd1 feat: auto-allow export/import on private networks without auth
- Homelab users on private networks (192.168.x.x, 10.x.x.x, 172.16.x.x) can now export/import without any configuration
- No need to set ALLOW_UNPROTECTED_EXPORT=true for typical homelab setups
- Public network access still requires authentication for security
- Simplifies backup/restore for users who don't need authentication
2025-08-14 10:07:29 +00:00
Pulse Monitor
07c50f1947 docs: update export/import documentation
- Clarify that session auth (password login) is sufficient for export/import
- Document that guest metadata and custom console URLs are included
- Update FAQ with clearer backup instructions
- Add UI-first approach to README backup section
2025-08-14 10:04:15 +00:00
Pulse Monitor
0df5ecc41f revert: restore gradient animated login page
- Bring back the blue-cyan gradient background
- Restore animated Pulse logo with hover effects
- Keep the semi-transparent backdrop-blur card design
- Maintain the improved form field styling with icons
2025-08-14 09:56:44 +00:00
Pulse Monitor
65f973e93b fix: reload guest metadata after import
- Guest metadata handler now reloads from disk after import
- Custom console URLs are immediately available after import
- No longer requires service restart to see imported guest URLs
2025-08-14 09:51:40 +00:00
Pulse Monitor
5793ba3bd7 fix: use correct data path for guest metadata export/import
- Export/import now uses PULSE_DATA_DIR env var (defaults to /etc/pulse)
- Guest console URLs and metadata are now properly included in backups
- Fixed path mismatch between runtime (/etc/pulse) and export (/var/lib/pulse)
2025-08-14 09:46:21 +00:00
Pulse Monitor
ba619b818c fix: add CSRF token to export/import requests
- Export/import now includes X-CSRF-Token header from cookie
- Fixes 403 Forbidden error when exporting with session auth
- Both export and import endpoints now properly validate CSRF tokens
2025-08-14 09:34:54 +00:00
Pulse Monitor
01bf22b419 fix: simplify export/import authentication flow
- Allow export/import with session auth when logged in with password
- No longer require API token when user is already authenticated
- Backend now accepts either session cookies OR API token
- Frontend only prompts for API token if no password auth exists
- Improved UX by eliminating redundant authentication requests
2025-08-14 09:32:24 +00:00
Pulse Monitor
c845bfb9ee improve: enhance backup/restore UI with clearer password guidance
- Add visual cards for export/import actions with descriptive icons
- Allow users to use their login password by default for backups
- Add option for custom passphrase when needed
- Improve clarity around password requirements
- Add security notice with clear guidance
- Simplify the backup process by reducing password friction
2025-08-14 09:25:50 +00:00
Pulse Monitor
2b396d31ec fix: correct documentation and add FRONTEND_PORT env var support
- Add support for FRONTEND_PORT environment variable (preferred over legacy PORT)
- Fix incorrect PULSE_PASSWORD references (should be PULSE_AUTH_PASS)
- Remove documented but unimplemented PULSE_DISABLE_SECURITY_WARNINGS
- Clarify Docker vs LXC/systemd configuration differences
- Update UI to accurately describe env variable override behavior
- Fix default values in docs (POLLING_INTERVAL=3, AUTO_UPDATE_ENABLED=false)
- Clarify CORS settings (empty = same-origin only, * = allow all)
- Improve documentation structure to clearly separate deployment types
2025-08-14 09:09:22 +00:00
Pulse Monitor
0b1d37d576 fix: improve clipboard functionality and enhance security UI
- Fix clipboard copy buttons not working over HTTP by using fallback method
- Add proper clipboard utility with document.execCommand fallback
- Update all copy buttons to use the fallback-enabled utility
- Enhance Authentication section UI with better visual hierarchy
- Add colored headers with gradients for security sections
- Implement card-based buttons with icons and descriptions
- Show actual Pulse URL in API token examples instead of placeholder
- Improve overall security settings layout and accessibility
2025-08-14 08:45:39 +00:00
Pulse Monitor
f49e290ea5 feat: add API token retrieval in current session
- Store API tokens in sessionStorage during security setup
- Add CurrentAPIToken component to display tokens from current session
- Show token section in Settings when authentication is enabled
- Tokens can only be retrieved during the session they were created
- After logout/restart, tokens cannot be recovered (stored as SHA3-256 hash)

This addresses user feedback about making API tokens retrievable after
initial setup, similar to other applications, while maintaining security.
2025-08-14 08:00:45 +00:00
Pulse Monitor
25037fa9fe fix: remove confusing duplicate API token section
The API Token Manager section was showing a different token than the one
created by Quick Security Setup, causing confusion.

Changes:
- Hide API Token Manager when using Quick Security Setup
- Quick Security Setup manages API tokens via systemd
- Add clarification that the token shown is for API automation
- Remove duplicate/confusing token management UI

The Quick Security Setup token is the only one that matters when using
that method of authentication setup.
2025-08-14 07:52:36 +00:00
Pulse Monitor
8b5c715ba5 feat: add custom password option to Quick Security Setup
Users can now choose between:
- Auto-Generate: Creates secure 16-character password (default)
- Custom: Set their own username and password

Features:
- Toggle between auto-generate and custom modes
- Custom username field (defaults to 'admin')
- Password validation (min 8 characters)
- Password confirmation field
- Clear messaging about password hashing
- Both modes use bcrypt hashing with cost factor 12
2025-08-14 07:45:08 +00:00
Pulse Monitor
b84396485c docs: update security documentation for hashed credentials
- Clarify that passwords are ALWAYS bcrypt hashed (never plain text)
- Document SHA3-256 hashing for API tokens
- Add Quick Security Setup as recommended method
- Update examples to show hashed format required
- Add security best practices section
- Add verification script reference
- Update troubleshooting for new auth variables
2025-08-14 07:41:31 +00:00
Pulse Monitor
958cacf042 feat: enhance security and improve login UI
Security Improvements:
- Implement bcrypt password hashing (cost factor 12)
- Add SHA3-256 API token hashing
- Fix authentication enforcement after security setup
- Improve restart mechanism to properly reload systemd environment
- Add CSRF protection for all state-changing operations
- Implement comprehensive rate limiting (10/min auth, 500/min API)
- Remove sensitive data from logs
- Add security audit test suite

UI Enhancements:
- Add Pulse logo to login screen with animations
- Implement glassmorphism design for login form
- Add gradient backgrounds and smooth animations
- Enhance input fields with icons
- Add loading spinner for authentication
- Improve overall login page aesthetics

Bug Fixes:
- Fix security setup restart mechanism
- Fix systemd environment variable inheritance
- Fix CSRF validation for security endpoints
- Fix password change and removal functionality

Testing:
- Add automated security test suite
- Verify all authentication flows
- Test rate limiting effectiveness
- Validate CSRF protection
2025-08-13 23:07:57 +00:00
Pulse Monitor
b550aa6a29 fix: add CSRF token to password management requests
- Include CSRF token in change password requests
- Include CSRF token in remove password requests
- Get token from pulse_csrf cookie
- Add credentials: 'include' to ensure cookies are sent

This fixes the 'CSRF token validation failed' error when
trying to change or remove passwords.
2025-08-13 20:44:24 +00:00
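The two CSRF commits above (ba619b818c for export/import and this one for password management) rely on the same double-submit pattern: the server sets a pulse_csrf cookie, and every state-changing request must echo its value back in an X-CSRF-Token header. The Go program below is an added example of that pattern using only the standard library; it is not Pulse's own implementation, and the /api/export path, the simulate helper and the other function names are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const (
	csrfCookieName = "pulse_csrf"   // cookie name taken from the commit message
	csrfHeaderName = "X-CSRF-Token" // header name taken from the commit message
)

// newCSRFToken returns 32 bytes from crypto/rand, hex-encoded.
func newCSRFToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// issueCSRFCookie sets the double-submit cookie. It is deliberately not
// HttpOnly: the browser-side code has to read it to copy it into the header.
// SameSite=Strict keeps cross-site pages from sending it; adding Secure when
// Pulse is served over TLS is an assumption, not something the page states.
func issueCSRFCookie(w http.ResponseWriter, token string) {
	http.SetCookie(w, &http.Cookie{
		Name: csrfCookieName, Value: token, Path: "/", SameSite: http.SameSiteStrictMode,
	})
}

// safeMethod reports whether a method is read-only and exempt from the check.
func safeMethod(m string) bool {
	return m == http.MethodGet || m == http.MethodHead || m == http.MethodOptions
}

// csrfProtect wraps a handler with the double-submit check: on state-changing
// requests the X-CSRF-Token header must equal the pulse_csrf cookie. A missing
// cookie, a missing header and a mismatch all yield the same 403.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !safeMethod(r.Method) {
			c, err := r.Cookie(csrfCookieName)
			h := r.Header.Get(csrfHeaderName)
			if err != nil || h == "" ||
				subtle.ConstantTimeCompare([]byte(c.Value), []byte(h)) != 1 {
				http.Error(w, "CSRF token validation failed", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// addCSRFHeader does what the frontend fix does: copy the cookie value into
// the header before sending a state-changing request.
func addCSRFHeader(req *http.Request) {
	if c, err := req.Cookie(csrfCookieName); err == nil {
		req.Header.Set(csrfHeaderName, c.Value)
	}
}

// simulate sends one in-memory request through the protected handler and
// returns the status code. An empty cookie or header means "not sent".
func simulate(method, cookie, header string) int {
	protected := csrfProtect(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, "/api/export", nil) // path is illustrative
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: csrfCookieName, Value: cookie})
	}
	if header != "" {
		req.Header.Set(csrfHeaderName, header)
	}
	rec := httptest.NewRecorder()
	protected.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	tok, err := newCSRFToken()
	if err != nil {
		panic(err)
	}
	fmt.Println("POST, cookie only:     ", simulate(http.MethodPost, tok, ""))
	fmt.Println("POST, cookie + header: ", simulate(http.MethodPost, tok, tok))
	fmt.Println("POST, header mismatch: ", simulate(http.MethodPost, tok, "stale"))
	fmt.Println("GET, nothing:          ", simulate(http.MethodGet, "", ""))
	req := httptest.NewRequest(http.MethodPost, "/api/export", nil)
	req.AddCookie(&http.Cookie{Name: csrfCookieName, Value: tok})
	addCSRFHeader(req) // what the fixed frontend does before each POST
	fmt.Println("header copied from cookie:", req.Header.Get(csrfHeaderName) == tok)
}
```

The comparison is constant-time so the check does not leak how many leading bytes of a guessed header matched, and the three failure cases return the same message so a caller cannot tell which part was missing. The "credentials: 'include'" note in the commit matters on the client side: without it the browser omits the cookie and the check fails exactly as described in the commit.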
Pulse Monitor
f2f47b10fa feat: add ability to remove password authentication
New Feature:
- Add "Remove Password" button in Settings → Security tab
- Allows users to disable password authentication completely
- Returns Pulse to open access mode (no auth required)
- Requires current password confirmation for security

Implementation:
- New API endpoint: POST /api/security/remove-password
- New modal component: RemovePasswordModal.tsx
- Removes password from systemd override files
- Clears auth configuration from running instance
- Invalidates all sessions after removal

This addresses the issue where users couldn't disable authentication
once it was enabled. Now they can easily toggle between secured and
open modes as needed for their use case.
2025-08-13 20:39:26 +00:00
Pulse Monitor
0bd956a9db docs: update documentation for security changes and API improvements
Documentation Updates:
- Fix CORS documentation to reflect new secure defaults (no CORS by default)
- Add API token management endpoints to API.md
- Document CORS configuration in SECURITY.md
- Update environment variable documentation with defaults
- Add authentication variables (PULSE_PASSWORD, API_TOKEN, etc.)
- Add troubleshooting for CORS and authentication issues
- Remove outdated references to ALLOWED_ORIGINS=*
- Clarify that CORS defaults to same-origin only

All documentation now accurately reflects:
- Security improvements from recent audit
- New API token management features
- Correct CORS behavior and configuration
- Complete environment variable reference
2025-08-13 19:56:21 +00:00
Pulse Monitor
c563396f18 fix: address critical security vulnerabilities from audit
Security Fixes:
- Fix path traversal vulnerability in tar extraction (HIGH)
  - Validate and sanitize paths from tar archives
  - Prevent directory traversal attacks via ../
  - Ensure extracted files stay within destination directory

- Remove weak SHA-256 password hashing code (MEDIUM)
  - Removed unused SHA-256 hash function from crypto package
  - All password hashing now uses bcrypt (cost 12) exclusively
  - Added warning comment about proper password hashing

- Fix error information leakage (MEDIUM)
  - Add sanitizeErrorMessage helper function
  - Log detailed errors internally while returning generic messages
  - Prevent exposure of system internals in error responses

- Change default CORS from * to restrictive (MEDIUM)
  - Default to no CORS headers (same-origin only)
  - Allow localhost origins only in development mode
  - Require explicit configuration for production CORS

These fixes address all critical and medium severity issues found
in the security audit while maintaining backward compatibility.
2025-08-13 19:46:39 +00:00
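The path-traversal fix above is described in words only. The following Go program is an added illustration of that containment check, not Pulse's own code: it builds a small tar archive in memory with one legitimate entry and one entry named ../escape.txt, writes the legitimate file and refuses the escaping one. The function names (safeJoin, extractTar, buildSampleArchive) and the sample entry names are assumptions chosen for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath marks an archive entry whose resolved path would leave dest.
var ErrUnsafePath = errors.New("tar entry escapes destination directory")

// safeJoin resolves an entry name against dest and verifies the result stays
// inside dest. Absolute names are rejected outright; "../" sequences are
// collapsed by filepath.Join and then caught by the prefix check, which
// includes the separator so that "/srv/pulse2" is not mistaken for "/srv/pulse".
func safeJoin(dest, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name)
	if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, name)
	}
	return target, nil
}

// extractTar unpacks a tar stream into dest, refusing any entry that fails
// safeJoin. Only directories and regular files are written; symlinks and hard
// links are skipped because their targets could point outside dest.
func extractTar(dest string, data []byte) error {
	tr := tar.NewReader(bytes.NewReader(data))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
			if err != nil {
				return err
			}
			_, err = io.Copy(f, tr) // tar.Reader stops at hdr.Size bytes
			f.Close()
			if err != nil {
				return err
			}
		default:
			// symlinks, hard links, devices: deliberately not extracted
		}
	}
}

// buildSampleArchive constructs, in memory and purely for demonstration, a tar
// with one legitimate entry followed by one that tries to escape via "../".
func buildSampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	entries := []struct{ name, body string }{
		{"config/app.json", "{\"polling_interval\": 3}"},
		{"../escape.txt", "must never be written"},
	}
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(e.body)); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	dir, err := os.MkdirTemp("", "pulse-import-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	fmt.Println("extract result:", extractTar(dir, buildSampleArchive()))
}
```

The check is done on the resolved path rather than by searching the name for "..", so "config/../app.json" (which stays inside dest) is accepted while "config/../../x" is not. Link entries are skipped rather than followed; an import that genuinely needs them would have to apply the same containment check to the link target.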
Pulse Monitor
35b51c3a77 feat: enhance security and improve API token UX
Security Improvements:
- Add comprehensive CSRF protection for state-changing operations
- Implement rate limiting (500 req/min general, 10/min for auth)
- Add account lockout after 5 failed login attempts
- Secure session management with HttpOnly cookies
- Add security headers (CSP, X-Frame-Options, etc.)
- Implement audit logging for security events
- Session invalidation on password change

API Token UX Improvements:
- Always show API token to authenticated users (no longer hide after generation)
- Add ability to view existing token anytime from Settings
- Fix clipboard copy with HTTP fallback

Authentication Flow Fixes:
- Fix WebSocket initialization to occur after auth check
- Fix CSRF validation to handle server restarts gracefully
- Adjust rate limiting to exclude high-frequency endpoints
- Fix authentication check to use session cookies properly

Documentation Updates:
- Document all security features comprehensively
- Update API documentation with CSRF usage examples
- Add security feature details to README
2025-08-13 19:05:23 +00:00
Pulse Monitor
66403e88fb refactor: consolidate authentication system and improve API structure
- Remove registration tokens feature in favor of simpler API token auth
- Add password authentication with change password functionality
- Centralize API client logic with proper auth handling
- Add development scripts for better DX (hot-reload, proxy setup)
- Refactor auth middleware and handlers for cleaner separation
- Update frontend to use new centralized API client
2025-08-13 14:51:46 +00:00
Pulse Monitor
4c59d53c0c fix: use same restart mechanism as updates for security setup
- Exit cleanly with os.Exit(0) instead of trying systemctl restart
- Let systemd's Restart=always bring service back up
- New environment variables loaded automatically on restart
- Same proven approach used by update system
2025-08-12 21:13:45 +00:00
Pulse Monitor
f33241a145 fix: handle permission issues in security setup gracefully
- Try automatic setup first (if sudo available)
- Fall back to generating a simple apply script
- Show single command to run: sudo bash /etc/pulse/apply-security.sh
- Script handles all systemd configuration steps
- Clear UI shows when manual step is needed
2025-08-12 21:11:21 +00:00
Pulse Monitor
59f95dc13f feat: make security setup fully automatic for systemd
- One-click security that actually applies immediately
- Creates systemd override file automatically
- Auto-restarts service after 2 seconds
- No manual command line steps needed
- Shows clear success message about auto-restart
- Still provides manual instructions for Docker users
2025-08-12 21:08:00 +00:00
Pulse Monitor
4a14ceb68e fix: improve security setup instructions with actual commands
- Replace vague 'see documentation' with actual commands
- Show systemd and Docker examples with credentials filled in
- Include the restart command in the instructions
- Make commands copy-paste ready with proper formatting
2025-08-12 21:03:45 +00:00
Pulse Monitor
b1c5c4e6ff fix: simplify and clean up Security tab UI
- Show Quick Setup prominently when no auth configured
- Hide API tokens and registration tokens when not needed
- Consolidate Export/Import into single Backup & Restore section
- Only show advanced features when authentication is enabled
- Remove redundant descriptions and duplicate sections
2025-08-12 21:01:48 +00:00
Pulse Monitor
6ac6f62950 fix: permanently solve frontend embed sync issue
- Add build.sh script that ensures frontend is copied before Go build
- Update backend-watch.sh to sync frontend on every restart
- Remove duplicate frontend files from internal/api/
- Frontend embed directory already in .gitignore
- No more manual copying needed - just run ./build.sh
2025-08-12 20:56:43 +00:00
Pulse Monitor
7323aae12b feat: add smart security context detection (Phase 3)
- Detect public vs private network access
- Show stronger warnings for public access without auth
- Red banner when accessed from internet without authentication
- Support for trusted networks configuration via PULSE_TRUSTED_NETWORKS
- Automatic RFC1918 private IP detection
- Enhanced security status API with network context
- Added debug logging for encryption key loading
2025-08-12 20:23:37 +00:00
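As an added example, not the project's own code, here is how the private-versus-public classification described in this commit, and the rule from a441d66fd1 (export/import allowed without authentication only from private networks), can be implemented in Go with the standard library. It goes slightly beyond the commit wording: the whole 172.16.0.0/12 block counts as private (172.16.x.x through 172.31.x.x, not just 172.16.x.x), loopback is treated as private, and PULSE_TRUSTED_NETWORKS is assumed to be a comma-separated list of CIDRs. That format, the loopback choice and the function names are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// privateBlocks holds the three RFC 1918 ranges plus loopback (loopback is
// an addition of this example; the commit only mentions RFC 1918 detection).
var privateBlocks = mustParseCIDRs(
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// parseTrustedNetworks parses a comma-separated CIDR list. That this is the
// PULSE_TRUSTED_NETWORKS format is an assumption; the page does not spell it out.
// A malformed entry is an error rather than silently ignored, so a typo cannot
// quietly shrink or widen the trusted set.
func parseTrustedNetworks(value string) ([]*net.IPNet, error) {
	var nets []*net.IPNet
	for _, part := range strings.Split(value, ",") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		_, n, err := net.ParseCIDR(part)
		if err != nil {
			return nil, fmt.Errorf("PULSE_TRUSTED_NETWORKS: bad entry %q: %w", part, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// accessContext classifies the peer address of a connection (the "host:port"
// form found in http.Request.RemoteAddr) as "trusted", "private" or "public".
// Caveat: behind a reverse proxy RemoteAddr is the proxy's own address, so a
// public client would look private; the real client IP must then come from a
// forwarding header that is only honoured when the peer is that proxy.
func accessContext(remoteAddr string, trusted []*net.IPNet) (string, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return "", err
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return "", fmt.Errorf("not an IP address: %q", host)
	}
	switch {
	case inAny(ip, trusted):
		return "trusted", nil
	case inAny(ip, privateBlocks):
		return "private", nil
	default:
		return "public", nil
	}
}

// exportAllowedWithoutAuth models the rule from commit a441d66fd1: with no
// authentication configured, export/import is permitted only from private or
// trusted networks; public access still needs authentication.
func exportAllowedWithoutAuth(ctx string) bool {
	return ctx == "private" || ctx == "trusted"
}

func main() {
	trusted, err := parseTrustedNetworks("203.0.113.0/24") // constructed example value
	if err != nil {
		panic(err)
	}
	addrs := []string{"192.168.1.10:51234", "172.31.0.9:443", "172.32.0.9:443", "203.0.113.5:443", "198.51.100.7:443"}
	for _, addr := range addrs {
		ctx, err := accessContext(addr, trusted)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s %-8s export without auth: %v\n", addr, ctx, exportAllowedWithoutAuth(ctx))
	}
}
```

Trusted networks are checked before the private ranges so that an operator can widen the allowed set without changing the built-in list; an address outside both is "public" regardless of how the request was routed. The reverse-proxy caveat in the comment is the failure mode to test for in a real deployment: if Pulse sits behind a proxy on 10.x.x.x, every request arrives from a private address.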
Pulse Monitor
da6dc52a91 feat: add Quick Security Setup wizard for one-click security hardening
- Created QuickSecuritySetup component with password/token generation
- Added /api/security/quick-setup endpoint to generate config
- Shows credentials once with copy/download functionality
- Generates systemd environment configuration file
- Only shows when authentication is not already enabled
2025-08-12 20:10:21 +00:00
Pulse Monitor
5e6a8357af cleanup: remove security audit documentation files
2025-08-12 20:01:33 +00:00
Pulse Monitor
56efbbd996 feat: add non-intrusive security warning system
- Security warning banner shows when security score is low
- Displays security score (0-5) based on enabled features
- Fully dismissible (1 day, 1 week, forever)
- Shows details of what's enabled/disabled
- Links directly to Security settings tab
- Enhanced /api/security/status endpoint
- Updated documentation

This is Phase 1 of the security improvement plan:
- Non-breaking (no user impact)
- Educational (shows security posture)
- Dismissible (respects user choice)
- Helpful (one-click to security settings)
2025-08-12 19:55:59 +00:00
Pulse Monitor
21bad84700 feat: standardize on bin/ directory structure for all archives
- ALL archives now use bin/pulse structure (including architecture-specific)
- Matches what Proxmox community script expects
- Install script checks bin/ first, falls back to root for old archives
- Eliminates confusion from having two different structures
- One consistent path forward: archives have bin/ directory
2025-08-12 19:30:59 +00:00
Pulse Monitor
389e5f0b73 fix: clean up build script and maintain compatibility
- Keep universal archive for Proxmox community script (expects bin/ structure)
- Architecture-specific archives have pulse in root (simpler)
- Install script handles both structures transparently
- Removed duplicate checksum generation
- Removed unnecessary frontend-modern directory from universal archive
2025-08-12 19:27:56 +00:00
Pulse Monitor
e51240c782 fix: add TODO comment about simplifying in v5
- Current dual-path logic needed for backwards compatibility
- v4.3.0 universal archive has bin/ structure
- Architecture-specific archives have pulse in root
- TODO: Standardize on single structure in v5
2025-08-12 19:21:52 +00:00
Pulse Monitor
7bc12f15fd fix: remove unnecessary frontend dist copy from build script
- Frontend is embedded in the binary since v4.3.0
- No need to copy dist files to release archives
- Reduces archive size
2025-08-12 19:18:10 +00:00
Pulse Monitor
afadeb835a fix: correct pulse binary path in install script (fixes #308)
- Install script now handles both archive layouts (with/without bin directory)
- Service file points to correct path: /opt/pulse/pulse (not /opt/pulse/bin/pulse)
- Fixes service startup issue in fresh LXC installations
2025-08-12 19:13:46 +00:00
Pulse Monitor
6a28d7dc20 docs: add comprehensive migration guide
- Created MIGRATION.md with clear backup/migration procedures
- Emphasizes export/import as the only supported migration method
- Warns against direct file copying
- Includes security notes about passphrase protection
- Added troubleshooting and pro tips
- Updated README and SECURITY docs to reference migration guide
2025-08-12 19:02:33 +00:00
Pulse Monitor
b968d91dcd feat: include guest metadata in config export/import
- guest URLs are now backed up with config export
- restored on import to preserve custom URLs across migrations
- stored in plain text (not encrypted) as they're just service URLs, not credentials
- import failures for guest metadata are non-fatal (logged as warnings)
2025-08-12 16:54:18 +00:00
Pulse Monitor
4166a56afd fix: prevent URL editor modal from closing on WebSocket updates
- moved modal state to Dashboard component level
- removed local modal state from GuestRow
- modal now persists through API updates and component re-renders
- passed openUrlEditor callback from Dashboard to GuestRow components
2025-08-12 16:41:15 +00:00
Pulse Monitor
b9a768b5e6 feat: add per-guest custom URL functionality
- guests can now have custom URLs that make their names clickable
- added metadata store for persisting guest metadata to JSON files
- added API endpoints for managing guest metadata
- integrated edit button in dashboard to set/edit custom URLs
- guest names become clickable links when custom URL is set
2025-08-12 16:35:14 +00:00
Pulse Monitor
782651e24e feat: make node names in summary cards clickable
- Node names in the summary cards at the top now link to Proxmox web interface
- Matches the behavior of node names in the table rows below
- Uses same hover effect (blue color) for consistency
2025-08-12 16:19:02 +00:00
Pulse Monitor
78381497c7 fix: add missing Telegram option in webhook service dropdown
- Telegram was available in backend but missing from frontend dropdown
- Added 'telegram' to service list and display name mapping
- Fixes issue where users couldn't select Telegram as webhook service
2025-08-12 15:42:05 +00:00
Pulse Monitor
75f4b74b83 feat: implement API token management UI (addresses #302)
- Add interactive API token management in Settings > Security tab
- Users can now generate, view, regenerate, and delete API tokens from the UI
- Tokens are persisted in system.json and survive restarts
- Environment variable API_TOKEN still takes precedence for backward compatibility
- Proper authentication enforcement when tokens are configured
- Secure token generation using crypto/rand (32 bytes, hex encoded)
- Clean UI with copy-to-clipboard functionality for newly generated tokens
2025-08-12 15:32:23 +00:00
Pulse Monitor
ef3789e9e0 feat: add RC badge to header for release candidate versions
The Pulse logo now displays an orange "RC" badge when running a release
candidate version. This helps users identify when they're testing pre-release
versions.

- Backend now detects RC versions and sets channel field accordingly
- Frontend displays RC badge next to Pulse logo when channel is "rc"
- Works for both git-based and VERSION file-based builds
2025-08-12 14:47:21 +00:00
Pulse Monitor
e42c1ab4e8 chore: bump version to v4.3.1-rc.1
2025-08-12 14:29:37 +00:00
Pulse Monitor
8492b0932d fix: dashboard now uses actual configured host URLs for node links
Addresses #306. The dashboard and storage views were hardcoding port 8006 for node links,
but now they properly use the host URLs from the node configuration. This ensures users
are redirected to the correct URL when clicking on node names, respecting custom ports
and protocols configured in the settings.

- Added host field to Node struct in Go models
- Updated monitor.go to populate host field from instance config
- Added host field to TypeScript Node interface
- Modified Dashboard and Storage components to use nodeHostMap for correct URLs
- Falls back to old behavior if host field is not available
2025-08-12 14:28:19 +00:00
Pulse Monitor
b77df2f2f1 feat: add custom webhook payload templates and fix Telegram chat_id handling
- Add custom JSON payload template support for generic webhooks
- Users can now define custom webhook formats with Go template syntax
- Fix Telegram webhook issue where chat_id in URL caused 400 errors
- Automatically strip chat_id from URL and place in JSON body for Telegram
- Add comprehensive webhook documentation with examples
- Update API documentation with webhook endpoints

Addresses #305
2025-08-12 14:03:13 +00:00
Pulse Monitor
6765db9b13 chore: bump version to v4.3.0
2025-08-12 13:09:09 +00:00