- Added required field validation for name, type, and host in node configuration
- Added duplicate node prevention by name (returns 409 Conflict)
- Added IP address format validation to reject invalid IPs
- Added port range validation (1-65535)
- Added validation for negative polling intervals in system settings
- Added HEAD request support for health and version endpoints
- Reduced node addition timeout from 10s to 3s to prevent UI hanging
These validation improvements were discovered through comprehensive testing
and prevent invalid data from being accepted by the API.
Addresses #222 - Allow Pulse to be embedded in iframes (e.g., Homepage dashboard)
- Add AllowEmbedding and AllowedEmbedOrigins settings to SystemSettings
- Update security headers to respect embedding configuration
- When disabled: X-Frame-Options: DENY, frame-ancestors 'none'
- When enabled (same-origin): X-Frame-Options: SAMEORIGIN, frame-ancestors 'self'
- When enabled with origins: Adds specified origins to frame-ancestors
- Add UI controls in Settings → System → Network Settings
- Properly handle CSP frame-ancestors directive for cross-origin embedding
Users can now enable iframe embedding and specify allowed origins for embedding Pulse in Homepage or other dashboard applications.
- Setup script no longer requires authentication (uses setup codes instead)
- Fixed discovery service not starting when toggled via settings
- Addresses #347 and discussion #344
- Theme changes now broadcast instantly via WebSocket to all connected browsers
- No page refresh needed - theme updates in real-time across all devices
- Theme preference is persisted server-side and loaded on new sessions
- Added WebSocket message type 'settingsUpdate' for broadcasting settings changes
- Updated SystemSettingsHandler to broadcast theme changes to all clients
- Added frontend event listener to handle incoming theme change messages
- Fixed API endpoint routing to use the new handler with broadcast support
- Added proper DISABLE_AUTH check in CheckAuth for auth-disabled environments
This creates a seamless experience where toggling dark/light mode on one device
instantly updates all other connected devices (phones, tablets, browsers).
Addresses #343 - users can now disable Proxmox/PBS server discovery through:
- UI toggle in Settings > System > Network Settings
- Environment variable DISCOVERY_ENABLED=false
- system.json configuration
Discovery runs by default but can be completely disabled for environments where automatic scanning causes issues (e.g., shared hosting networks).
- Auto-detects Proxmox VE hosts and creates LXC containers
- Quick mode with sensible defaults (1GB RAM, 4GB disk)
- Advanced mode for full customization
- Automatic cleanup on failure
- Simple 'update' command in containers
- Improved error handling and network detection
- Professional, clean output without verbose noise
- Docker detection to prevent container-in-container
- Removed all references to community scripts
This is now the primary recommended installation method.
- Track which settings are overridden by env vars in backend
- Expose env override information in system settings API
- Show clear warnings in UI when settings are controlled by env vars
- Disable input fields when overridden by environment variables
- Add helpful instructions for users to remove env vars if needed
This improves UX by making it clear why UI changes don't take effect
when environment variables are set. Follows container best practices
where env vars have highest precedence, while clearly communicating
this behavior to users.
Addresses user confusion when UI settings don't work due to env var overrides.
- Remove old /api/system/api-token endpoints
- Remove APIToken field from SystemSettings struct
- Remove token handling from system_settings.go
- Clean up config.Load() to not read token from system.json
- Remove unused frontend API token functions
- Remove unused APITokenManager and CurrentAPIToken components
API tokens are now managed exclusively via .env file with the new
/api/security/regenerate-token endpoint. This eliminates confusion
between the two systems and ensures consistency.
- Add interactive API token management in Settings > Security tab
- Users can now generate, view, regenerate, and delete API tokens from the UI
- Tokens are persisted in system.json and survive restarts
- Environment variable API_TOKEN still takes precedence for backward compatibility
- Proper authentication enforcement when tokens are configured
- Secure token generation using crypto/rand (32 bytes, hex encoded)
- Clean UI with copy-to-clipboard functionality for newly generated tokens
