Addresses #222 - Allow Pulse to be embedded in iframes (e.g., Homepage dashboard)
- Add AllowEmbedding and AllowedEmbedOrigins settings to SystemSettings
- Update security headers to respect embedding configuration
- When disabled: X-Frame-Options: DENY, frame-ancestors 'none'
- When enabled (same-origin): X-Frame-Options: SAMEORIGIN, frame-ancestors 'self'
- When enabled with origins: Adds specified origins to frame-ancestors
- Add UI controls in Settings → System → Network Settings
- Properly handle CSP frame-ancestors directive for cross-origin embedding
Users can now enable iframe embedding and specify allowed origins for embedding Pulse in Homepage or other dashboard applications.
addresses #346
The issue was that the code was checking for specific ports (:8007 or :443) in the host string, which would incorrectly add the default port even when a custom port was already specified. Now it properly checks if any port exists after the protocol before adding the default.
Webhooks now stored encrypted (webhooks.enc) instead of plain text:
- Automatic migration from webhooks.json to webhooks.enc
- Uses same AES-256-GCM encryption as nodes and email configs
- Original file backed up as webhooks.json.backup
- Protects sensitive webhook URLs and authentication headers
This addresses the security concern where webhook URLs containing API tokens
(like Telegram bot tokens) were stored in plain text.
Implements header-based proxy authentication for SSO integration with
Authentik, Authelia, and other authentication proxies.
- Add CheckProxyAuth function to validate proxy headers
- Support for username and role-based access control
- Frontend integration with logout URL support
- Comprehensive documentation with examples
- Backwards compatible - no breaking changes
Addresses #327
Configuration via environment variables:
- PROXY_AUTH_SECRET: Shared secret for validation
- PROXY_AUTH_USER_HEADER: Header containing username
- PROXY_AUTH_ROLE_HEADER: Header containing roles/groups
- PROXY_AUTH_LOGOUT_URL: SSO logout endpoint
Addresses #343 - users can now disable Proxmox/PBS server discovery through:
- UI toggle in Settings > System > Network Settings
- Environment variable DISCOVERY_ENABLED=false
- system.json configuration
Discovery runs by default but can be completely disabled for environments where automatic scanning causes issues (e.g., shared hosting networks).
- Auto-detects Proxmox VE hosts and creates LXC containers
- Quick mode with sensible defaults (1GB RAM, 4GB disk)
- Advanced mode for full customization
- Automatic cleanup on failure
- Simple 'update' command in containers
- Improved error handling and network detection
- Professional, clean output without verbose noise
- Docker detection to prevent container-in-container
- Removed all references to community scripts
This is now the primary recommended installation method.
- Added migration logic to set I/O thresholds to 0 when loading saved configs
- Only migrates if values match old defaults (150 MB/s disk, 200 MB/s network)
- Ensures existing users get the new "Off by default" behavior
- Prevents saved configs from overriding the new defaults
- Added DISABLE_AUTH env var to completely bypass authentication
- Useful for reverse proxy setups (Authentik, Authelia, etc.)
- Updated documentation in CONFIGURATION.md and REVERSE_PROXY.md
- Fixed security tests to handle auth disabled state
- Automatically hash plain text API tokens (SHA3-256) and passwords (bcrypt) when loaded from env vars
- Remove unnecessary PULSE_SETUP_TOKEN feature in favor of simpler env var approach
- Remove HandleInitialSetup endpoint - not needed with env var configuration
- Update authentication to always use hashed comparisons (no plain text warnings)
- Update documentation to clearly explain auto-hashing capability
- Maintain backward compatibility with pre-hashed credentials
This makes Pulse secure by default while keeping deployment simple - users can
provide plain text credentials via environment variables and Pulse automatically
hashes them for security.
- Track which settings are overridden by env vars in backend
- Expose env override information in system settings API
- Show clear warnings in UI when settings are controlled by env vars
- Disable input fields when overridden by environment variables
- Add helpful instructions for users to remove env vars if needed
This improves UX by making it clear why UI changes don't take effect
when environment variables are set. Follows container best practices
where env vars have highest precedence, while clearly communicating
this behavior to users.
Addresses user confusion when UI settings don't work due to env var overrides.
- Add clear warnings that env vars override UI/system.json settings
- Update log messages to indicate when env vars are overriding values
- Document standard container practice: env vars have highest precedence
- Users must remove env vars to allow UI configuration to take effect
This prevents confusion when UI changes don't work due to env var overrides.
- Re-enable DISCOVERY_SUBNET env var for Docker network configuration
- Re-enable LOG_LEVEL env var for runtime logging control
- Re-enable CONNECTION_TIMEOUT env var for timeout configuration
- Re-enable ALLOWED_ORIGINS env var for CORS configuration
- Update documentation to reflect working env vars
These env vars were accidentally disabled but are useful for Docker deployments.
Env vars override system.json settings when present.
Addresses #214 - user requested DISCOVERY_SUBNET env var support
- API tokens now hashed before storage (never stored in plain text)
- Raw token shown only once during generation
- Backward compatible with existing plain text tokens
- Added migration warnings for users with plain tokens
- Updated documentation to reflect security improvements
- Add HTTPS_ENABLED, TLS_CERT_FILE, TLS_KEY_FILE environment variables
- Server automatically starts in HTTPS mode when configured
- Falls back to HTTP with warning if certs missing
- WebSocket origins automatically adjust for HTTPS
- Fully backward compatible - defaults to HTTP
- Documented in README and CONFIGURATION.md
Addresses kenrmayfield's request for HTTPS support
- Fix alternating zero I/O metrics by implementing rate caching for stale data from Proxmox
- Hardcode polling interval to 10 seconds (matching Proxmox cluster/resources update cycle)
- Remove polling interval settings from UI (no longer user-configurable)
- Implement efficient VM/container polling using single cluster/resources API call
- Remove 'Remove Password' feature (auth is now mandatory)
- Fix CSRF validation for Basic Auth (exempt from CSRF checks)
- Fix Generate API Token modal and authentication
- Remove redundant 'Active' status from Authentication section
- Remove Connection Timeout setting from frontend (backend-only)
- Clean up frontend console logging (reduce verbosity)
- Remove PBS polling interval setting (fixed at 10s)
- Add frontend rebuild detection to backend-watch script
- Improve first-run setup flow and error handling
- Remove old /api/system/api-token endpoints
- Remove APIToken field from SystemSettings struct
- Remove token handling from system_settings.go
- Clean up config.Load() to not read token from system.json
- Remove unused frontend API token functions
- Remove unused APITokenManager and CurrentAPIToken components
API tokens are now managed exclusively via .env file with the new
/api/security/regenerate-token endpoint. This eliminates confusion
between the two systems and ensures consistency.
- Add clear error message for truncated bcrypt hashes (addresses #316)
- Detect hashes between 55-59 chars and warn they're invalid
- Only accept exactly 60 character bcrypt hashes as valid
- Treat truncated hashes as plaintext to force users to fix them
- Export/import now uses PULSE_DATA_DIR env var (defaults to /etc/pulse)
- Guest console URLs and metadata are now properly included in backups
- Fixed path mismatch between runtime (/etc/pulse) and export (/var/lib/pulse)
Security Fixes:
- Fix path traversal vulnerability in tar extraction (HIGH)
- Validate and sanitize paths from tar archives
- Prevent directory traversal attacks via ../
- Ensure extracted files stay within destination directory
- Remove weak SHA-256 password hashing code (MEDIUM)
- Removed unused SHA-256 hash function from crypto package
- All password hashing now uses bcrypt (cost 12) exclusively
- Added warning comment about proper password hashing
- Fix error information leakage (MEDIUM)
- Add sanitizeErrorMessage helper function
- Log detailed errors internally while returning generic messages
- Prevent exposure of system internals in error responses
- Change default CORS from * to restrictive (MEDIUM)
- Default to no CORS headers (same-origin only)
- Allow localhost origins only in development mode
- Require explicit configuration for production CORS
These fixes address all critical and medium severity issues found
in the security audit while maintaining backward compatibility.
- Remove registration tokens feature in favor of simpler API token auth
- Add password authentication with change password functionality
- Centralize API client logic with proper auth handling
- Add development scripts for better DX (hot-reload, proxy setup)
- Refactor auth middleware and handlers for cleaner separation
- Update frontend to use new centralized API client
- Detect public vs private network access
- Show stronger warnings for public access without auth
- Red banner when accessed from internet without authentication
- Support for trusted networks configuration via PULSE_TRUSTED_NETWORKS
- Automatic RFC1918 private IP detection
- Enhanced security status API with network context
- Added debug logging for encryption key loading
- guest URLs are now backed up with config export
- restored on import to preserve custom URLs across migrations
- stored in plain text (not encrypted) as they're just service URLs, not credentials
- import failures for guest metadata are non-fatal (logged as warnings)
- guests can now have custom URLs that make their names clickable
- added metadata store for persisting guest metadata to JSON files
- added API endpoints for managing guest metadata
- integrated edit button in dashboard to set/edit custom URLs
- guest names become clickable links when custom URL is set
- Add interactive API token management in Settings > Security tab
- Users can now generate, view, regenerate, and delete API tokens from the UI
- Tokens are persisted in system.json and survive restarts
- Environment variable API_TOKEN still takes precedence for backward compatibility
- Proper authentication enforcement when tokens are configured
- Secure token generation using crypto/rand (32 bytes, hex encoded)
- Clean UI with copy-to-clipboard functionality for newly generated tokens
Frontend fixes:
- Fixed VM thresholds incorrectly showing as 'CT' in alerts UI (issue #295)
- Fixed threshold slider not reaching 0% and 100% edges (issue #295)
- Fixed PBS form auto-filling with PVE settings (issue #296)
- Fixed email config property mapping (server/port instead of smtpHost/smtpPort)
Backend fixes:
- Updated EmailConfig struct to use 'server' and 'port' JSON tags for consistency
- Added 'provider' and 'startTLS' fields to EmailConfig
- Fixed PORT env var to correctly set FrontendPort instead of BackendPort
- Changed default log level from Debug to Info
All changes tested and verified working correctly.
- Fix CPU core display to show for all guests with CPU data
- Previously only showed cores when CPU > 0 (truthy)
- Now shows "(0.0/X cores)" consistently for all running/stopped guests
- Improve code organization with new helper utilities
- Clean up import statements and remove debug logs
- System.json settings now take priority over environment variables
- Fixed issue where POLLING_INTERVAL env var would override saved settings
- Polling interval changes in UI now persist correctly after restart
- Remove .env syncing - UI no longer writes to .env file
- system.json is the single source for UI-managed settings
- .env files are read-only for deployment overrides
- Environment variables still override everything (Docker/systemd)
- Cleaner separation: env vars for deployment, JSON for runtime
- Updated documentation to clarify configuration hierarchy
- Simpler code with less failure points
- UI settings now automatically update .env file when changed
- .env file and system.json stay in sync
- Settings hierarchy preserved: env vars > .env > UI
- .env file is auto-generated/updated when UI saves settings
- Improved user experience - changes in UI reflect in .env and vice versa
- Fix release channel not saving when changed in UI
- Add system settings persistence for update-related config
- Expand .env file support to include all non-sensitive settings:
- UPDATE_CHANNEL, AUTO_UPDATE_ENABLED, AUTO_UPDATE_CHECK_INTERVAL, AUTO_UPDATE_TIME
- POLLING_INTERVAL, CONNECTION_TIMEOUT, ALLOWED_ORIGINS, LOG_LEVEL
- Update documentation with all available .env settings
- Settings now properly persist across restarts
- Environment variables override saved settings at startup
- Fix Export/Import API token authentication (wasn't sending X-API-Token header)
- Add client-side passphrase validation (12+ chars with visual feedback)
- Fix settings persistence for AllowedOrigins field
- Fix hardcoded port display in diagnostics (now shows actual port)
- Add .env file support for non-sensitive configuration (ports, logging, etc)
- Keep sensitive data (API tokens, passwords) using secure methods (systemd env vars)
- Update documentation with configuration guide and latest features
- Document auto-discovery, cluster detection, and export/import features
- Removed PBS summary card from Dashboard and Backups tabs (not needed)
- Fixed backup frequency chart to use local timezone instead of UTC
- Chart now properly includes today in the date range
- Dates display according to user's browser timezone
- Add /api/diagnostics endpoint for detailed troubleshooting info
- Shows connection status, auth methods, errors for each node
- Auto-fix PBS hosts missing https:// prefix instead of crashing
- Skip invalid PBS instances instead of failing to start
- Fixes issue #251 where invalid PBS config crashed the service
- Added secure config export/import with passphrase-based encryption
- CLI commands: pulse config export/import with AES-256-GCM encryption
- Auto-import on Docker startup via PULSE_INIT_CONFIG_FILE/DATA env vars
- API endpoints /api/config/export and /api/config/import (require API_TOKEN)
- Configs remain encrypted throughout export/import process
- Perfect for GitOps, CI/CD, and infrastructure as code workflows
This allows users to configure Pulse once via UI, export the encrypted
config, and deploy it automatically to multiple instances without
manual reconfiguration.
Addresses #249 - Config management for automation enthusiasts
ConfigPersistence was initialized with empty string instead of cfg.DataPath,
causing webhooks to save to /etc/pulse instead of PULSE_DATA_DIR.
This affected Docker deployments where /data is the persistent volume.
Fixes#249
- Fixed VERSION file not being included in Docker image
- Fixed config persistence using wrong directory in Docker (/etc/pulse instead of /data)
- Config now correctly uses PULSE_DATA_DIR environment variable
- Parse user@realm from token name if provided in full format
- Better handle various token input formats
- Require user info for token auth (either in token name or user field)
- Fix realm defaulting logic for different auth types
- Add GetDataDir() function to respect PULSE_DATA_DIR environment variable
- Update all hardcoded /var/lib/pulse paths to use configurable data directory
- Fix circular import by moving GetDataDir to utils package
- Ensures Docker containers can properly persist configuration and alerts
- Support both UPDATE_CHANNEL and PULSE_UPDATE_CHANNEL env vars
- Add logging when update channel is overridden from environment
- Fixes RC channel detection in containerized deployments
- Remove all unencrypted configuration fallback logic
- Fix PBS user realm handling with automatic @pbs appending
- Enable test connection for existing nodes using stored credentials
- Delete legacy migration code and unified config system
- Fix redundant "No guests found" message when no PVE nodes configured
- Remove old example yml and migration binary
- Ensure all credentials stored only in encrypted .enc files
- Fix Gmail email configuration (field mapping between frontend/backend)
- Implement proper AES-256-GCM encryption for sensitive config files
- Add responsive column hiding for Storage tab on mobile devices
- Fix email configuration persistence and auto-populate recipients
- Add comprehensive testing tools for UI and API validation
- Fix alert acknowledge/clear functionality returning 404 errors
- Improve mobile UX: Storage shows only essential columns on small screens
- Revert dashboard to consistent table view (removed card layout experiment)
- Fix various UI issues: threshold detection, email template spacing
- Update notification system to use actual node data in test emails
- Backend update manager with GitHub Releases API integration
- Support for stable and RC update channels
- Safe update process with backups and rollback capability
- Docker environment detection
- Update API endpoints (check, apply, status)
- Frontend update UI in Settings with progress tracking
- WebSocket events for real-time update progress
- Auto-update configuration options
- Version display in app footer
- TypeScript types for update operations
