Webhooks now stored encrypted (webhooks.enc) instead of plain text:
- Automatic migration from webhooks.json to webhooks.enc
- Uses same AES-256-GCM encryption as nodes and email configs
- Original file backed up as webhooks.json.backup
- Protects sensitive webhook URLs and authentication headers
This addresses the security concern where webhook URLs containing API tokens
(like Telegram bot tokens) were stored in plain text.
Implements header-based proxy authentication for SSO integration with
Authentik, Authelia, and other authentication proxies.
- Add CheckProxyAuth function to validate proxy headers
- Support for username and role-based access control
- Frontend integration with logout URL support
- Comprehensive documentation with examples
- Backwards compatible - no breaking changes
Addresses #327
Configuration via environment variables:
- PROXY_AUTH_SECRET: Shared secret for validation
- PROXY_AUTH_USER_HEADER: Header containing username
- PROXY_AUTH_ROLE_HEADER: Header containing roles/groups
- PROXY_AUTH_LOGOUT_URL: SSO logout endpoint
- Install script now prompts for custom port (default: 7655)
- Can skip prompt with FRONTEND_PORT environment variable
- Fixed incorrect port configuration instructions in UI
- Updated documentation to reflect new installation options
- Fixed FAQ.md references to pulse-backend (should be pulse)
addresses #110
- Added comprehensive PORT_CONFIGURATION.md guide
- Updated CONFIGURATION.md to clarify .env is for auth only
- Install script no longer loads .env for environment variables
- Documented proper port configuration methods (systemd, system.json)
- Added port config guide to README documentation section
addresses #110 - helps users understand where to configure ports
Addresses #343 - users can now disable Proxmox/PBS server discovery through:
- UI toggle in Settings > System > Network Settings
- Environment variable DISCOVERY_ENABLED=false
- system.json configuration
Discovery runs by default but can be completely disabled for environments where automatic scanning causes issues (e.g., shared hosting networks).
- Auto-detects Proxmox VE hosts and creates LXC containers
- Quick mode with sensible defaults (1GB RAM, 4GB disk)
- Advanced mode for full customization
- Automatic cleanup on failure
- Simple 'update' command in containers
- Improved error handling and network detection
- Professional, clean output without verbose noise
- Docker detection to prevent container-in-container
- Removed all references to community scripts
This is now the primary recommended installation method.
- Documented the new /api/setup-script-url endpoint
- Explained the one-time setup code security features
- Updated auto-register endpoint documentation
- Added security features section highlighting the improvements
- Included environment variable option for automation
- Added DISABLE_AUTH env var to completely bypass authentication
- Useful for reverse proxy setups (Authentik, Authelia, etc.)
- Updated documentation in CONFIGURATION.md and REVERSE_PROXY.md
- Fixed security tests to handle auth disabled state
- Auto-detect Docker environment and scan common home/office subnets
- Scans 192.168.1.0/24, 192.168.0.0/24, 10.0.0.0/24, 192.168.88.0/24, 172.16.0.0/24
- Removes friction - nodes are discovered automatically without configuration
- DISCOVERY_SUBNET env var now optional (only for non-standard networks)
- Update documentation to reflect automatic discovery
This makes the first-run experience much smoother - users see their
Proxmox nodes immediately without having to figure out subnet configuration.
- Automatically hash plain text API tokens (SHA3-256) and passwords (bcrypt) when loaded from env vars
- Remove unnecessary PULSE_SETUP_TOKEN feature in favor of simpler env var approach
- Remove HandleInitialSetup endpoint - not needed with env var configuration
- Update authentication to always use hashed comparisons (no plain text warnings)
- Update documentation to clearly explain auto-hashing capability
- Maintain backward compatibility with pre-hashed credentials
This makes Pulse secure by default while keeping deployment simple - users can
provide plain text credentials via environment variables and Pulse automatically
hashes them for security.
- Clarify that env vars have highest priority and override system.json
- Document UI warning behavior when env vars override settings
- Add FAQ entry for disabled UI fields
- Fix incorrect priority order in CONFIGURATION.md
- Add clear warnings about env var override behavior
This ensures users understand why UI changes might not work when
environment variables are set, and how to resolve the issue.
- Add clear warnings that env vars override UI/system.json settings
- Update log messages to indicate when env vars are overriding values
- Document standard container practice: env vars have highest precedence
- Users must remove env vars to allow UI configuration to take effect
This prevents confusion when UI changes don't work due to env var overrides.
- Re-enable DISCOVERY_SUBNET env var for Docker network configuration
- Re-enable LOG_LEVEL env var for runtime logging control
- Re-enable CONNECTION_TIMEOUT env var for timeout configuration
- Re-enable ALLOWED_ORIGINS env var for CORS configuration
- Update documentation to reflect working env vars
These env vars were accidentally disabled but are useful for Docker deployments.
Env vars override system.json settings when present.
Addresses #214 - user requested DISCOVERY_SUBNET env var support
- Remove all PBS-AGENT.md references (hallucinated feature)
- Fix DISCOVERY_SUBNET env var name in Docker docs (was incorrectly PULSE_DISCOVERY_SUBNET)
- Add DISCOVERY_SUBNET examples to README for Docker users
- Update FAQ to clarify PBS push mode is not supported
Addresses #214 - user reported 404 on PBS-AGENT.md link
- API tokens now hashed before storage (never stored in plain text)
- Raw token shown only once during generation
- Backward compatible with existing plain text tokens
- Added migration warnings for users with plain tokens
- Updated documentation to reflect security improvements
- Move development scripts to scripts/ directory (dev.sh, hot-dev.sh, build.sh, etc.)
- Move UPGRADE_NOTICE to docs/ directory
- Remove empty 2025-08-14 file
- Update all references to moved scripts in documentation
- Add HTTPS_ENABLED, TLS_CERT_FILE, TLS_KEY_FILE environment variables
- Server automatically starts in HTTPS mode when configured
- Falls back to HTTP with warning if certs missing
- WebSocket origins automatically adjust for HTTPS
- Fully backward compatible - defaults to HTTP
- Documented in README and CONFIGURATION.md
Addresses kenrmayfield's request for HTTPS support
- Grant enhanced Audit permissions to PBS tokens for system stats access
- Create PBSCard component to display CPU, memory, disk, uptime metrics
- Detect Docker PBS instances and show appropriate info without stats
- Add adaptive node layout on dashboard for better scalability
- Move PBS status card to Backups tab above frequency chart
- Create CompactNodeCard for handling many nodes efficiently
- Update PBS setup script to grant Audit role to both user and token
This addresses the request in issue #259 to show PBS system stats on the dashboard.
The implementation uses read-only Audit permissions to access the /nodes endpoint
while maintaining security. Docker PBS instances are detected and handled gracefully
since they cannot provide host system statistics.
- Add clear ProxmoxVE LXC update instructions (just type 'update')
- Fix incorrect FAQ about UI updates (no longer possible)
- Explain why Pulse cannot self-update for security reasons
- Make it clear that most users run in LXC containers
- Add clear First-Time Setup section explaining the wizard
- Reorganize to show basic setup first (recommended)
- Move pre-configured auth to Advanced section
- Add troubleshooting for common Docker-specific issues
- Include examples for generating credentials
- Clarify the 206728 escaping requirement in docker-compose.yml
- Add security best practices section
- Remove outdated v3 to v4 migration guide
- Update README with mandatory security setup steps
- Clarify that authentication is now required, not optional
- Update Docker, Security, and Troubleshooting docs
- Remove references to optional authentication
- Theme now persists when user logs out and logs back in
- Added documentation for BACKEND_HOST environment variable (addresses #321)
- Users can now bind to localhost only for reverse proxy setups
- Improved documentation for network configuration options
Removed outdated DISCOVERY_SUBNET environment variable references and documented the correct way to configure discovery subnet in Docker containers via system.json. Docker containers detect their internal network by default, so manual configuration is needed for LAN discovery.
- Fix alternating zero I/O metrics by implementing rate caching for stale data from Proxmox
- Hardcode polling interval to 10 seconds (matching Proxmox cluster/resources update cycle)
- Remove polling interval settings from UI (no longer user-configurable)
- Implement efficient VM/container polling using single cluster/resources API call
- Remove 'Remove Password' feature (auth is now mandatory)
- Fix CSRF validation for Basic Auth (exempt from CSRF checks)
- Fix Generate API Token modal and authentication
- Remove redundant 'Active' status from Authentication section
- Remove Connection Timeout setting from frontend (backend-only)
- Clean up frontend console logging (reduce verbosity)
- Remove PBS polling interval setting (fixed at 10s)
- Add frontend rebuild detection to backend-watch script
- Improve first-run setup flow and error handling
- Add pending restart detection when .env exists but not loaded
- Update frontend to show pending state instead of re-showing setup
- Fix QuickSecuritySetup to refresh security status after configuration
- Remove auto-restart attempts from security setup
- Show deployment-appropriate restart instructions
- Update documentation to reflect new update mechanism
Related to security setup issues after removing sudo/auto-restart capabilities
- Add critical docker-compose bcrypt escaping documentation
- Create comprehensive TROUBLESHOOTING.md guide
- Create dedicated DOCKER.md deployment guide
- Update CONFIGURATION.md with service name variations
- Document that .env file is not created when using env vars
- Add warnings about dollar sign escaping in docker-compose.yml
These docs address the main confusion points from recent issues,
especially the docker-compose bcrypt hash problem affecting many users.
- ProxmoxVE script can now check if auth is already set without credentials
- Quick-setup endpoint is now public but handler checks if setup should be skipped
- Prevents duplicate auth configuration attempts
- Critical for automated setup scripts
- explains purpose of each file type
- clarifies that .env is only for auth, not a regression
- documents the technical reasoning behind the architecture
- addresses confusion raised in #314
- clarified .env file usage for Docker (it's acceptable for Docker volumes)
- emphasized need for quotes around bcrypt hashes to prevent shell expansion
- removed incorrect SHA3-256 'cost factor' reference (only bcrypt has cost factor)
- added notes about proper quoting in Docker examples
Updated security documentation to explicitly mention that Docker uses
the Quick Security Setup wizard and persists credentials via /data/.env
file in the volume, making it clear how auth works in Docker deployments.
Docker now supports .env files in /data for auth credentials created
by the security wizard. This was added to fix the credential persistence
issue in Docker containers.
- Add clear documentation that auth settings are intentionally excluded from exports
- Update API docs to explicitly state what is/isn't included in exports
- Enhance migration guide with security notes about auth exclusion
- Add UI warning in export dialog about auth settings not transferring
- Each Pulse instance should configure its own authentication for security
Related to user feedback about auth settings not transferring between instances
- Homelab users on private networks (192.168.x.x, 10.x.x.x, 172.16.x.x) can now export/import without any configuration
- No need to set ALLOW_UNPROTECTED_EXPORT=true for typical homelab setups
- Public network access still requires authentication for security
- Simplifies backup/restore for users who don't need authentication
- Clarify that session auth (password login) is sufficient for export/import
- Document that guest metadata and custom console URLs are included
- Update FAQ with clearer backup instructions
- Add UI-first approach to README backup section
- Clarify that passwords are ALWAYS bcrypt hashed (never plain text)
- Document SHA3-256 hashing for API tokens
- Add Quick Security Setup as recommended method
- Update examples to show hashed format required
- Add security best practices section
- Add verification script reference
- Update troubleshooting for new auth variables
Documentation Updates:
- Fix CORS documentation to reflect new secure defaults (no CORS by default)
- Add API token management endpoints to API.md
- Document CORS configuration in SECURITY.md
- Update environment variable documentation with defaults
- Add authentication variables (PULSE_PASSWORD, API_TOKEN, etc.)
- Add troubleshooting for CORS and authentication issues
- Remove outdated references to ALLOWED_ORIGINS=*
- Clarify that CORS defaults to same-origin only
All documentation now accurately reflects:
- Security improvements from recent audit
- New API token management features
- Correct CORS behavior and configuration
- Complete environment variable reference
- Detect public vs private network access
- Show stronger warnings for public access without auth
- Red banner when accessed from internet without authentication
- Support for trusted networks configuration via PULSE_TRUSTED_NETWORKS
- Automatic RFC1918 private IP detection
- Enhanced security status API with network context
- Added debug logging for encryption key loading
- Created MIGRATION.md with clear backup/migration procedures
- Emphasizes export/import as the only supported migration method
- Warns against direct file copying
- Includes security notes about passphrase protection
- Added troubleshooting and pro tips
- Updated README and SECURITY docs to reference migration guide
- Add custom JSON payload template support for generic webhooks
- Users can now define custom webhook formats with Go template syntax
- Fix Telegram webhook issue where chat_id in URL caused 400 errors
- Automatically strip chat_id from URL and place in JSON body for Telegram
- Add comprehensive webhook documentation with examples
- Update API documentation with webhook endpoints
Addresses #305
- Add registration tokens documentation to SECURITY.md
- Add email configuration guide to README.md
- Create comprehensive API.md with all endpoints documented
- Include examples for bash, PowerShell, and Python API usage
- Document WebSocket connection for real-time updates
- Add rate limiting information and error response formats
- Added detailed reverse proxy guide for nginx, Caddy, Apache, Traefik, HAProxy, and Cloudflare Tunnel
- Emphasized WebSocket requirement for v4
- Added testing instructions and troubleshooting tips
- Updated README and CONFIGURATION docs to reference the new guide
- Addresses user feedback from issue #244 about WebSocket requirement
