The temporary auth tokens generated by authenticated users are now properly
validated even when Pulse has authentication enabled. This fixes the issue
where fresh installs (which are secured by default) couldn't use the
auto-registration feature.

Replaced the two-step setup code process with a simpler token-in-URL approach:
- Auth token is now embedded directly in the setup URL
- No more prompting users for setup codes
- Same security level with better UX
- Backwards compatible with old setupCode field

The new flow generates a command like:

    curl -sSL "http://pulse/api/setup-script?...&auth_token=TOKEN" | bash

This makes it much easier for users, especially in Proxmox shell where
interactive prompts can be problematic.

- Add bulk acknowledge and clear operations for alerts
- Support selecting multiple alerts with checkboxes
- Add select all functionality for bulk operations

- Improve Proxmox permission setup to handle both PVE 8 and 9+
  - Use PVEAuditor role which includes VM.GuestAgent.Audit for PVE 9+
  - Add fallback VM.Monitor role for PVE 8 and below
- Bump version to 4.7.3

- Redesigned global defaults section with compact table layout
- Fixed bug where editing without changes created unnecessary overrides
- Improved visual consistency across the alerts interface

- ProxmoxVE community script uses pulse-backend.service
- Our install script now detects and preserves existing service name
- Removed pulse-backend.service from pre-v4 detection (it's used by v4 too)
- Install script stops the correct service during upgrades
- New installs use 'pulse', existing use whatever they have

This ensures compatibility with all deployment methods without breaking changes.

- Add pending restart detection when .env exists but not loaded
- Update frontend to show pending state instead of re-showing setup
- Fix QuickSecuritySetup to refresh security status after configuration
- Remove auto-restart attempts from security setup
- Show deployment-appropriate restart instructions
- Update documentation to reflect new update mechanism

Related to security setup issues after removing sudo/auto-restart capabilities.
Security Fixes:
- Fix path traversal vulnerability in tar extraction (HIGH)
  - Validate and sanitize paths from tar archives
  - Prevent directory traversal attacks via ../
  - Ensure extracted files stay within destination directory
- Remove weak SHA-256 password hashing code (MEDIUM)
  - Removed unused SHA-256 hash function from crypto package
  - All password hashing now uses bcrypt (cost 12) exclusively
  - Added warning comment about proper password hashing
- Fix error information leakage (MEDIUM)
  - Add sanitizeErrorMessage helper function
  - Log detailed errors internally while returning generic messages
  - Prevent exposure of system internals in error responses
- Change default CORS from * to restrictive (MEDIUM)
  - Default to no CORS headers (same-origin only)
  - Allow localhost origins only in development mode
  - Require explicit configuration for production CORS
These fixes address all critical and medium severity issues found
in the security audit while maintaining backward compatibility.
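The CORS default change and the error information leakage fix from the list above, as one added Go example that is not Pulse's own middleware. CORSConfig, its DevMode and AllowedOrigins fields, originAllowed and corsHeaderFor are assumptions made for this example; sanitizeErrorMessage takes its name from the page but its body is illustrative. With the zero-value config the middleware emits no CORS headers at all (same-origin only), loopback origins are reflected only in dev mode, and production origins must be listed explicitly; a `*` entry is never honoured because combined with credentials it would let any site read authenticated responses. The error helper logs the full error server-side and returns only a generic message to the client.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"os"
	"regexp"
)

// CORSConfig is an assumed configuration shape for this example, not Pulse's
// real config struct. The zero value (no dev mode, no allowlist) emits no
// CORS headers, so only same-origin requests succeed.
type CORSConfig struct {
	DevMode        bool     // allow http(s)://localhost and loopback origins
	AllowedOrigins []string // explicit production allowlist; exact matches only
}

var loopbackOrigin = regexp.MustCompile(`^https?://(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$`)

// originAllowed decides whether to reflect the request Origin. A "*" entry in
// the allowlist is deliberately ignored: with credentials in play a wildcard
// would let any site read authenticated responses.
func (c CORSConfig) originAllowed(origin string) bool {
	if origin == "" {
		return false
	}
	for _, allowed := range c.AllowedOrigins {
		if allowed == origin && allowed != "*" {
			return true
		}
	}
	return c.DevMode && loopbackOrigin.MatchString(origin)
}

// CORS wraps next. Allowed origins get the usual headers and a short-circuited
// preflight; everything else passes through with no CORS headers, which makes
// the browser refuse to expose the response to the calling page.
func CORS(cfg CORSConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if cfg.originAllowed(origin) {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", origin) // never "*"
			h.Set("Access-Control-Allow-Credentials", "true")
			h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
			h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
			h.Add("Vary", "Origin") // keep caches from serving one origin's answer to another
			if r.Method == http.MethodOptions {
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// sanitizeErrorMessage logs the full error server-side and returns only a
// generic message for the HTTP response, so paths, hostnames and library
// internals never reach the client.
func sanitizeErrorMessage(err error) string {
	log.Printf("internal error: %v", err) // full detail stays in the server log
	switch {
	case errors.Is(err, os.ErrNotExist):
		return "resource not found"
	case errors.Is(err, os.ErrPermission):
		return "permission denied"
	default:
		return "internal server error"
	}
}

// corsHeaderFor sends one request with the given Origin through the middleware
// and returns the Access-Control-Allow-Origin header it produced ("" = none).
func corsHeaderFor(cfg CORSConfig, origin string) string {
	h := CORS(cfg, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/state", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	fmt.Printf("default, foreign origin:  %q\n", corsHeaderFor(CORSConfig{}, "https://attacker.example"))
	fmt.Printf("default, localhost:       %q\n", corsHeaderFor(CORSConfig{}, "http://localhost:5173"))
	fmt.Printf("dev mode, localhost:      %q\n", corsHeaderFor(CORSConfig{DevMode: true}, "http://localhost:5173"))
	prod := CORSConfig{AllowedOrigins: []string{"https://pulse.example.com"}}
	fmt.Printf("prod allowlist, matched:  %q\n", corsHeaderFor(prod, "https://pulse.example.com"))
	fmt.Println(sanitizeErrorMessage(fmt.Errorf("open /etc/pulse/.env: %w", os.ErrNotExist)))
}
```

The important property is the absence of headers in the default case: a browser only grants a cross-origin page access to the response when the server opts in, so emitting nothing is the restrictive setting, while the old `*` default opted every origin in.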
The Pulse logo now displays an orange "RC" badge when running a release
candidate version. This helps users identify when they're testing pre-release
versions.
- Backend now detects RC versions and sets channel field accordingly
- Frontend displays RC badge next to Pulse logo when channel is "rc"
- Works for both git-based and VERSION file-based builds

- Fix auto-updater to handle single-binary structure
- Fix Docker build to copy frontend before Go compilation
- Add development script for frontend rebuilds
- Remove unnecessary frontend directory copying in updater

The embedded frontend change simplifies deployment but required
updates to various build and update systems.

- Support both old (root) and new (bin/) tarball structures
- Use writable directories for temp and backup files (data dir instead of /tmp)
- Fixes update failures for users on v4.1.5 and earlier

- Fixed hardcoded version fallback showing 4.1.1 instead of current version
- Fixed install script syntax error that prevented fresh installations
- Identified root cause of Docker persistence issue (notification UI not saving)
- Identified missing save functionality in frontend notification settings

Issues addressed: #277, #278, #282

Replaced sudo-based updater with a cleaner directory-based approach:
- Pulse binary now installs to /opt/pulse/bin/pulse (owned by pulse user)
- Symlink created at /usr/local/bin/pulse for PATH convenience
- Pulse user has full write access to /opt/pulse, enabling self-updates
- Removed sudo dependency and security risks
- Simplified update logic - no special scripts or permissions needed

This is more secure, simpler, and works in all environments (containers, VMs, bare metal).