Updated logging to exclude request bodies that may contain passwords
or other sensitive information. Now only logs metadata about requests
without exposing actual credentials.
Fixed two critical issues with email notifications:
1. Test email API now returns errors properly instead of always showing success
2. Added timeouts to SMTP connections to prevent hanging (10s dial, 30s overall)
The root cause of users not receiving emails was that errors were being
silently logged instead of returned to the API, making it appear successful
when it wasn't. SMTP connections could also hang indefinitely on unreachable
servers.
Note: API uses "server" and "port" JSON fields, not "smtpHost"/"smtpPort"
Frontend fixes:
- Fixed VM thresholds incorrectly showing as 'CT' in alerts UI (issue #295)
- Fixed threshold slider not reaching 0% and 100% edges (issue #295)
- Fixed PBS form auto-filling with PVE settings (issue #296)
- Fixed email config property mapping (server/port instead of smtpHost/smtpPort)
Backend fixes:
- Updated EmailConfig struct to use 'server' and 'port' JSON tags for consistency
- Added 'provider' and 'startTLS' fields to EmailConfig
- Fixed PORT env var to correctly set FrontendPort instead of BackendPort
- Changed default log level from Debug to Info
All changes tested and verified working correctly.
- filter out vztmpl (container templates) from backup list
- filter out iso files from backup list
- only show actual vm/container backups in the backup tab
- remove unnecessary checks for template/iso content types
- check if vm/container status is "running" before using cpu value
- set cpu to 0 for stopped, paused, suspended states
- prevents false high cpu alerts for offline vms
- handles all non-running states, not just "stopped"
- extend webhook template support to all services (slack, teams, pagerduty)
- properly detect service type and apply correct template
- add pagerduty routing_key support from headers
- fallback to generic json only when no template exists
- handle both individual and grouped alerts for all services
- add proper telegram bot api support with chat_id and text fields
- fix frontend pbs red dot display (was checking 'error' instead of 'unhealthy')
- fix qemu guest agent memory reporting (fallback to mem when freemem is 0)
- extract chat_id from telegram webhook urls when present
- Fall back to vmStatus.Mem when guest agent doesn't report FreeMem
- Fixes issue where VMs with guest agent showed 0% memory usage
- Addresses issue #294
- Import was saving configs to disk but not updating in-memory state
- Added explicit reloading of alert thresholds after import
- Added explicit reloading of webhooks after import
- Added explicit reloading of email config after import
- Settings now show immediately in UI without requiring restart
Fixes#291 where imported alert thresholds and webhooks weren't
visible until after service restart
- Use consistent utils.GetDataDir() helper instead of duplicating logic
- Handle migration failures gracefully - log warnings but continue using old key
- Add detailed logging for migration with source and destination paths
- Prevent unnecessary migration when paths are identical
- Improve error messages for debugging
Addresses review feedback on the Docker persistence fix
- Move encryption key from /etc/pulse to PULSE_DATA_DIR (/data in Docker)
- Add automatic migration for existing installations
- Key now persists across container restarts when using volume mount
- Maintains backward compatibility for non-Docker installations
Fixes#290 reported by da99Beast where Docker containers lost
configuration on restart due to encryption key being regenerated
- Support both old (root) and new (bin/) tarball structures
- Use writable directories for temp and backup files (data dir instead of /tmp)
- Fixes update failures for users on v4.1.5 and earlier
- Fixed hardcoded version fallback showing 4.1.1 instead of current version
- Fixed install script syntax error that prevented fresh installations
- Identified root cause of Docker persistence issue (notification UI not saving)
- Identified missing save functionality in frontend notification settings
Issues addressed: #277, #278, #282
- Fixed incorrect RAM usage display for VMs without guest agent (issue #280)
- VMs without guest agent now show 0% usage instead of 100%
- Only show actual usage when guest agent provides FreeMem data
- Containers continue to show accurate usage as before
- Fixed webhook test functionality (issue #279)
- Added proper webhook ID handling in test notification endpoint
- Created SendTestWebhook method to test specific webhooks
- Frontend can now successfully trigger webhook tests
Replaced sudo-based updater with a cleaner directory-based approach:
- Pulse binary now installs to /opt/pulse/bin/pulse (owned by pulse user)
- Symlink created at /usr/local/bin/pulse for PATH convenience
- Pulse user has full write access to /opt/pulse, enabling self-updates
- Removed sudo dependency and security risks
- Simplified update logic - no special scripts or permissions needed
This is more secure, simpler, and works in all environments (containers, VMs, bare metal)
Token names now include both Pulse server IP and Unix timestamp (e.g. pulse-192-168-0-176-1754816525) ensuring each script run creates a unique token. This completely eliminates 'token already exists' errors when running setup scripts multiple times.
When running the setup script multiple times from different Pulse servers, tokens now include the Pulse server's IP address in the name (e.g. pulse-192-168-0-176) to avoid conflicts. This prevents 'token already exists' errors when managing multiple Pulse instances.
- Fixed Docker entrypoint to properly handle running as root (PUID=0)
- Improved alert history loading to handle permission errors gracefully
- Container now correctly runs as root when PUID=0 is set
- Alert history continues loading even if backup file has permission issues
Addresses #266 and #262
- PBS instances now show as online when datastores are accessible even if version endpoint fails
- Email sending now uses proper STARTTLS support for compatibility with providers like SMTP2GO
- Email recipient input no longer filters entries while typing
- Auto-update setting now properly persists and loads from config
- Fixed CPU usage alerts for offline VMs (already addressed in previous commits)
- Added format field checking for pbs-ct and pbs-vm
- Changed unknown type fallback from VM to LXC (more common)
- Fixes issue where all backups showed as VM type
- Added service field to WebhookConfig to identify Discord webhooks
- Use Discord-specific template when sending Discord webhooks
- Fixed backup type detection for PBS backups (vm/ct)
- Fixed shared storage duplicate IDs across instances
- Fixed alert acknowledge/clear response format to match frontend expectations
- Fix CPU core display to show for all guests with CPU data
- Previously only showed cores when CPU > 0 (truthy)
- Now shows "(0.0/X cores)" consistently for all running/stopped guests
- Improve code organization with new helper utilities
- Clean up import statements and remove debug logs
- System.json settings now take priority over environment variables
- Fixed issue where POLLING_INTERVAL env var would override saved settings
- Polling interval changes in UI now persist correctly after restart
- Remove token logging - tokens were being logged in plaintext
- Add client IP logging for security auditing
- Add HTTPS warning when tokens sent over HTTP
- Remove debug output that exposed tokens in console
- Add optional auth requirement via REQUIRE_AUTH_FOR_AUTO_REGISTER env var
- Prevent token exposure in error messages
- Already has duplicate node prevention
Security improvements:
- Tokens no longer logged anywhere
- Source IPs tracked for audit trail
- Optional authentication for high-security environments
- HTTPS enforcement warnings
- Fix unsafe JSON parsing in WebSocket with proper error handling
- Fix unsafe JSON parsing in Settings import with validation
- Improve API token security by using sessionStorage as primary storage
- Remove debug console statements from production code
- Fix race conditions in WebSocket alert handling with atomic updates
- Add NaN validation for parseFloat operations in search queries
- Add safer error handling alternatives in generics utility
- Improve graceful shutdown in Settings API with proper timing
- All changes verified with successful frontend and backend builds
- Fix XSS vulnerabilities in Tooltip component by replacing innerHTML with textContent and adding content sanitization
- Fix XSS vulnerability in UnifiedBackups by replacing innerHTML with safe DOM manipulation
- Add proper null checks for props.guest.cpu in GuestRow to prevent NaN errors
- Replace unsafe non-null assertions with proper conditional rendering
- Fix memory leak in Settings component by improving interval cleanup
- Fix WebSocket reconnection race condition by adding proper timeout cleanup
- Create standardized error handler utility for consistent error handling
- Enable VM state support in monitoring (resolves TODO)
- Improve type safety throughout the codebase
- All changes verified with successful frontend and backend builds
- Remove .env syncing - UI no longer writes to .env file
- system.json is the single source for UI-managed settings
- .env files are read-only for deployment overrides
- Environment variables still override everything (Docker/systemd)
- Cleaner separation: env vars for deployment, JSON for runtime
- Updated documentation to clarify configuration hierarchy
- Simpler code with less failure points
- UI settings now automatically update .env file when changed
- .env file and system.json stay in sync
- Settings hierarchy preserved: env vars > .env > UI
- .env file is auto-generated/updated when UI saves settings
- Improved user experience - changes in UI reflect in .env and vice versa
- Fix release channel not saving when changed in UI
- Add system settings persistence for update-related config
- Expand .env file support to include all non-sensitive settings:
- UPDATE_CHANNEL, AUTO_UPDATE_ENABLED, AUTO_UPDATE_CHECK_INTERVAL, AUTO_UPDATE_TIME
- POLLING_INTERVAL, CONNECTION_TIMEOUT, ALLOWED_ORIGINS, LOG_LEVEL
- Update documentation with all available .env settings
- Settings now properly persist across restarts
- Environment variables override saved settings at startup
- Fix bug where RC channel always returned first release without proper comparison
- Ensure RC channel returns the latest release (newest by creation date)
- Stable channel correctly returns first non-prerelease
- Add manual update instructions for users stuck on rc.1
- Fix Export/Import API token authentication (wasn't sending X-API-Token header)
- Add client-side passphrase validation (12+ chars with visual feedback)
- Fix settings persistence for AllowedOrigins field
- Fix hardcoded port display in diagnostics (now shows actual port)
- Add .env file support for non-sensitive configuration (ports, logging, etc)
- Keep sensitive data (API tokens, passwords) using secure methods (systemd env vars)
- Update documentation with configuration guide and latest features
- Document auto-discovery, cluster detection, and export/import features
- Add checkbox to control whether backup write permissions are granted
- When checked: adds PVEDatastoreAdmin role on /storage (allows backup management)
- When unchecked: only PVEAuditor role (read-only, no PVE backups in Storage tab)
- Update setup script generation to conditionally add storage permissions
- Update UI to clearly explain the implications of each choice
Frontend:
- Enhanced cluster vs standalone node visual distinction in Settings
- Added glassmorphic style to all toast notifications for consistency
- Fixed test connection in edit modal to use stored encrypted credentials
- Added batch credential modal for bulk node operations
- Added network discovery modal with auto-subnet detection
- Improved notification system with dual toast/notification support
- Added event bus for component communication
Backend:
- Fixed duplicate toast notifications during auto-registration
- Fixed PBS auto-registration token extraction from JSON output
- Added network discovery service with background scanning
- Improved cluster detection with actual cluster name from API
- Added helper function to reduce code duplication in cluster detection
- Fixed host URL normalization in auto-registration
- Enhanced PBS client token authentication parsing
Bug Fixes:
- Fixed stacking toast notifications creating visual bugs
- Fixed PBS authentication failures after auto-registration
- Fixed network discovery not finding Proxmox servers
- Fixed test connection for existing nodes with encrypted tokens
- Removed duplicate WebSocket broadcasts for auto-registration events
- PBS host now automatically gets https:// prefix and :8007 port if missing
- Fixed auto-naming to work after host normalization
- Token auth now correctly displays 'Token:' instead of 'User:'
- Edit mode now correctly identifies token vs password auth
- Backend properly clears unused auth fields when switching types
Fixes#263, #261
- Fixed NodeModal to correctly detect token auth based on tokenName instead of user field
- Backend now properly clears user field when using token authentication
- Backend now properly clears token fields when using password authentication
- This fixes the issue where PBS nodes using token auth would show "User:" instead of "Token:"
Fixes#263, #261
- Removed PBS summary card from Dashboard and Backups tabs (not needed)
- Fixed backup frequency chart to use local timezone instead of UTC
- Chart now properly includes today in the date range
- Dates display according to user's browser timezone
- Add System tab with Performance, Network, and Updates sections
- Implement Check for Updates and Apply Update functionality
- Add support for PULSE_UPDATE_SERVER environment variable for testing
- Fix Settings tab navigation issues
- Version bump to v4.1.0-rc.1
The issue was that the binary was looking for frontend files relative to the current working directory instead of relative to the binary location. This caused a redirect loop when the binary was installed in /opt/pulse but run from elsewhere.
Fixed by:
- Making the binary detect its own location and look for frontend files there
- Adding fallback paths for common installation locations
- Logging where frontend files are being served from for debugging
