Commit graph

109 commits

Author SHA1 Message Date
Pulse Monitor
e8e06d6d20 fix: simplify PulseMonitor role creation in setup script
Delete and recreate the PulseMonitor role each time instead of trying to modify it. This ensures a clean, predictable state with exactly the permissions needed.

Also fixes incorrect pveum command syntax - should be 'role add' not 'role create'.

Addresses issue reported by NameLessJedi in #340
2025-08-22 14:56:03 +00:00
Pulse Monitor
fc3e6c1381 feat: add real-time theme synchronization across all connected clients
- Theme changes now broadcast instantly via WebSocket to all connected browsers
- No page refresh needed - theme updates in real-time across all devices
- Theme preference is persisted server-side and loaded on new sessions
- Added WebSocket message type 'settingsUpdate' for broadcasting settings changes
- Updated SystemSettingsHandler to broadcast theme changes to all clients
- Added frontend event listener to handle incoming theme change messages
- Fixed API endpoint routing to use the new handler with broadcast support
- Added proper DISABLE_AUTH check in CheckAuth for auth-disabled environments

This creates a seamless experience where toggling dark/light mode on one device
instantly updates all other connected devices (phones, tablets, browsers).
2025-08-22 14:30:19 +00:00
Pulse Monitor
53e0e0f00c fix: address PBS custom port handling issue #346
PBS was incorrectly appending default port :8007 even when custom ports were specified, resulting in malformed URLs like domain:443:8007. Now properly detects existing ports after the protocol prefix.
2025-08-22 11:06:29 +00:00
Pulse Monitor
49c6507a72 feat: add proxy authentication support
Implements header-based proxy authentication for SSO integration with
Authentik, Authelia, and other authentication proxies.

- Add CheckProxyAuth function to validate proxy headers
- Support for username and role-based access control
- Frontend integration with logout URL support
- Comprehensive documentation with examples
- Backwards compatible - no breaking changes

Addresses #327

Configuration via environment variables:
- PROXY_AUTH_SECRET: Shared secret for validation
- PROXY_AUTH_USER_HEADER: Header containing username
- PROXY_AUTH_ROLE_HEADER: Header containing roles/groups
- PROXY_AUTH_LOGOUT_URL: SSO logout endpoint
2025-08-22 09:47:18 +00:00
Pulse Monitor
e0900ac006 feat: add VM disk usage monitoring via QEMU guest agent
- Add GetVMFSInfo method to fetch filesystem data from guest agent
- Integrate guest agent disk stats for VMs in both polling modes
- Aggregate real disk usage from all filesystems (skip special mounts)
- Fall back gracefully to allocated size when agent unavailable
- Add VM.Monitor permission to auto-negotiation script via PulseMonitor role
- Update frontend NodeModal with new permission instructions

VMs with QEMU guest agent now show actual disk usage like LXCs do.
Addresses #344
2025-08-21 23:25:59 +00:00
Pulse Monitor
4a2e7b4547 feat: add toggle to disable network discovery
Addresses #343 - users can now disable Proxmox/PBS server discovery through:
- UI toggle in Settings > System > Network Settings
- Environment variable DISCOVERY_ENABLED=false
- system.json configuration

Discovery runs by default but can be completely disabled for environments where automatic scanning causes issues (e.g., shared hosting networks).
2025-08-21 21:13:29 +00:00
Pulse Monitor
f7840aae47 feat: major installer improvements for Proxmox environments
- Auto-detects Proxmox VE hosts and creates LXC containers
- Quick mode with sensible defaults (1GB RAM, 4GB disk)
- Advanced mode for full customization
- Automatic cleanup on failure
- Simple 'update' command in containers
- Improved error handling and network detection
- Professional, clean output without verbose noise
- Docker detection to prevent container-in-container
- Removed all references to community scripts

This is now the primary recommended installation method.
2025-08-21 20:43:56 +00:00
Pulse Monitor
8d17e2f2a9 feat: implement secure one-time setup codes for node registration
addresses #340 - more secure authentication for Quick Token Setup

Major security improvement:
- Replaced URL-embedded tokens with 6-character one-time setup codes
- Setup codes are entered interactively, never transmitted in URLs
- Codes are hashed for storage and expire after 5 minutes
- Each code can only be used once

How it works:
1. User clicks "copy command" in Pulse UI
2. A unique setup code is generated and shown to the user
3. User runs the curl command on their Proxmox server
4. Script prompts for the setup code
5. Code is validated and node is auto-registered

This approach is much more secure as no authentication tokens travel over the network in URLs, and the codes are short-lived and single-use.
2025-08-21 14:20:20 +00:00
Pulse Monitor
0e90bf15d9 fix: improve Quick Token Setup auto-registration and error messages
addresses #340 - Quick Token Setup improvements

Changed:
- Auto-registration now uses temporary setup tokens instead of API tokens (API tokens are hashed and can't be passed directly)
- Setup script shows token value for manual configuration when auto-registration fails
- Improved error messages to explain why auto-registration might fail
- Auto-register endpoint now accepts either API tokens or temporary setup tokens

This ensures the Quick Token Setup feature works as intended - automatically registering nodes without manual token copying when possible, while providing clear fallback instructions when authentication is required.
2025-08-21 14:07:13 +00:00
Pulse Monitor
d6a072f0c3 fix: restore API token functionality when auth is disabled
- API tokens now work even when DISABLE_AUTH is set
- Added API token section back to Security tab in settings
- API tokens can protect API access for automation while keeping UI open
- Invalid tokens are rejected even with auth disabled
- Export/import endpoints still require valid API token
2025-08-21 12:26:08 +00:00
Pulse Monitor
d58d52b238 feat: add DISABLE_AUTH environment variable for proxy authentication
- Added DISABLE_AUTH env var to completely bypass authentication
- Useful for reverse proxy setups (Authentik, Authelia, etc.)
- Updated documentation in CONFIGURATION.md and REVERSE_PROXY.md
- Fixed security tests to handle auth disabled state
2025-08-20 08:43:20 +00:00
Pulse Monitor
46bb44d792 improve: comprehensive type safety improvements across codebase
Frontend (TypeScript):
- Eliminated all 'any' types (7 → 0)
- Added proper types for event system with generics
- Fixed event data interfaces with specific types
- Replaced any with unknown where appropriate

Backend (Go):
- Created central types.go with 30+ typed API structures
- Eliminated all interface{} in /internal/api package (158 → 0)
- Replaced map[string]interface{} with typed structs:
  - ChartResponse, VMChartData, NodeChartData, StorageChartData
  - DiagnosticsInfo with NodeDetails, ClusterInfo, PBSDetails
  - StorageChartsResponse with StorageMetrics
- Improved compile-time type safety for all API responses

Benefits:
- Better IDE support and autocomplete
- Compile-time error detection
- Clearer API contracts
- Improved maintainability

All tests passing, service running successfully with typed code.
2025-08-19 21:32:44 +00:00
Pulse Monitor
fc01429cf1 fix: prevent 301 redirect to relative path (./) when accessing root without trailing slash (addresses #334)
- Replaced http.FileServer with custom file serving to avoid automatic directory redirects
- Manually serve index.html for root path requests
- Custom routing bypasses ServeMux for frontend files to prevent redirect behavior
- This fixes reverse proxy and Cloudflare tunnel compatibility issues
2025-08-19 18:56:18 +00:00
Pulse Monitor
cbd970ccfc feat: improve empty state UI and enhance network discovery
- Add helpful "No Proxmox VE nodes configured" message to Storage and Backup tabs
- Include "Go to Settings" button for easy navigation when no nodes exist
- Enhance network discovery for Docker environments with smart subnet detection
- Auto-detect Docker network configuration and scan appropriate subnets
- Add support for common Docker network ranges (172.16.0.0/12, 10.0.0.0/8)
- Improve discovery logging to show subnet being scanned
- Fix discovery API endpoint to properly return discovered servers
2025-08-19 16:16:18 +00:00
Pulse Monitor
7445cf7055 feat: auto-hash plain text credentials from environment variables
- Automatically hash plain text API tokens (SHA3-256) and passwords (bcrypt) when loaded from env vars
- Remove unnecessary PULSE_SETUP_TOKEN feature in favor of simpler env var approach
- Remove HandleInitialSetup endpoint - not needed with env var configuration
- Update authentication to always use hashed comparisons (no plain text warnings)
- Update documentation to clearly explain auto-hashing capability
- Maintain backward compatibility with pre-hashed credentials

This makes Pulse secure by default while keeping deployment simple - users can
provide plain text credentials via environment variables and Pulse automatically
hashes them for security.
2025-08-19 14:58:01 +00:00
Pulse Monitor
3af29f4b09 feat: add UI warnings for environment variable overrides
- Track which settings are overridden by env vars in backend
- Expose env override information in system settings API
- Show clear warnings in UI when settings are controlled by env vars
- Disable input fields when overridden by environment variables
- Add helpful instructions for users to remove env vars if needed

This improves UX by making it clear why UI changes don't take effect
when environment variables are set. Follows container best practices
where env vars have highest precedence, while clearly communicating
this behavior to users.

Addresses user confusion when UI settings don't work due to env var overrides.
2025-08-19 09:04:54 +00:00
Pulse Monitor
4060188b78 fix: implement secure API token hashing with SHA3-256
- API tokens now hashed before storage (never stored in plain text)
- Raw token shown only once during generation
- Backward compatible with existing plain text tokens
- Added migration warnings for users with plain tokens
- Updated documentation to reflect security improvements
2025-08-19 08:10:37 +00:00
Pulse Monitor
40e6ed89a7 chore: reorganize repository structure for better maintainability
- Move development scripts to scripts/ directory (dev.sh, hot-dev.sh, build.sh, etc.)
- Move UPGRADE_NOTICE to docs/ directory
- Remove empty 2025-08-14 file
- Update all references to moved scripts in documentation
2025-08-18 21:57:40 +00:00
Pulse Monitor
5b32f47587 feat: add PBS system stats display (addresses #259)
- Grant enhanced Audit permissions to PBS tokens for system stats access
- Create PBSCard component to display CPU, memory, disk, uptime metrics
- Detect Docker PBS instances and show appropriate info without stats
- Add adaptive node layout on dashboard for better scalability
- Move PBS status card to Backups tab above frequency chart
- Create CompactNodeCard for handling many nodes efficiently
- Update PBS setup script to grant Audit role to both user and token

This addresses the request in issue #259 to show PBS system stats on the dashboard.
The implementation uses read-only Audit permissions to access the /nodes endpoint
while maintaining security. Docker PBS instances are detected and handled gracefully
since they cannot provide host system statistics.
2025-08-18 15:08:04 +00:00
Pulse Monitor
bb2320a857 fix: prevent syslog spam on standalone Proxmox nodes
- Only check cluster status during initial configuration, not during polling
- Cache cluster membership in config to avoid repeated API calls
- Skip cluster/resources endpoint entirely for standalone nodes
- Change cluster detection failure from WARN to DEBUG (expected for standalone)

This addresses #322 where standalone PVE nodes were causing certificate
lookup errors in syslog every minute during polling.
2025-08-18 09:43:04 +00:00
Pulse Monitor
15682557c7 fix: support authentication through Cloudflare tunnels and reverse proxies (#325)
- Detect when running behind a proxy/tunnel (X-Forwarded-*, CF-Ray headers)
- Use SameSite=None for cookies when proxied to allow cross-origin access
- Properly detect HTTPS when behind proxy using X-Forwarded-Proto
- Fixes authentication not working through Cloudflare tunnels

The issue was that SameSite=Strict/Lax cookies don't work when the origin
changes (which happens with tunnels/proxies). Now we detect proxy headers
and relax the cookie policy to SameSite=None when needed.
2025-08-17 18:11:47 +00:00
Pulse Monitor
c15393bccf fix: prevent setup screen showing on rate limit and exclude status checks from auth rate limiting
- Login component now handles 429 rate limit responses correctly
- When rate limited, assume auth is configured and show login form
- /api/security/status endpoint excluded from strict auth rate limiting
- Status checks now use general API rate limit (500/min) instead of auth limit (10/min)
- Fixes issue where rapid logout/login could trigger rate limiting
- Fixes setup screen appearing incorrectly when rate limited
2025-08-17 07:08:42 +00:00
Pulse Monitor
7281828787 fix: major webhook system improvements and bug fixes
- Re-enable JSON validation that was accidentally commented out
- Fix Telegram chat_id handling with proper validation
- Add smart retry logic that distinguishes retryable from permanent errors
- Enhance error logging to include response bodies for debugging
- Add webhook URL validation for security (prevent SSRF)
- Fix deprecated strings.Title function usage
- Add webhook delivery history tracking
- Improve template variable substitution
- Add exponential backoff for retries (max 30 seconds)
- Validate numeric chat IDs for Telegram webhooks
- Add comprehensive error handling and logging

Tested with Telegram, Discord, and Slack - all working correctly now
2025-08-16 21:39:31 +00:00
Pulse Monitor
e661665d24 fix: comprehensive security improvements and UI fixes
- Remove overly restrictive password complexity requirements (now only 8+ chars)
- Fix Change Password section not appearing in Settings > Security
- Fix logout sometimes showing setup page instead of login page
- Remove misleading desktop notifications option from first-run setup
- Improve rate limiting on authentication endpoints
- Fix sensitive data appearing in logs (passwords, tokens)
- Enhance file permissions for sensitive files (0600)
- Fix WebSocket origin validation defaults
- Add password complexity validation for setup
- Improve CSRF token handling after server restarts
- Fix security status API using wrong fetch client
- Add logout race condition prevention

Security improvements:
- No credential leakage in logs
- Proper bcrypt password hashing
- Session management enhancements
- Rate limiting on all auth endpoints
- Secure file permissions on sensitive data
2025-08-16 21:10:24 +00:00
Pulse Monitor
9e88ce3cf2 fix: resolve UI issues with Quick Token Setup and settings
- Fixed copy button not working in Quick Token Setup modal
  - Button was conditionally rendered only when host was populated
  - Now always visible and shows error if host is empty
  - Updated placeholder text to be clearer

- Fixed toast notifications appearing behind modals
  - Increased z-index from z-50 to z-[9999] to ensure visibility

- Fixed Generate API Token section intermittently not showing
  - Added proper loading state for security status
  - Prevents race condition where component renders before data loads
  - Added loadSecurityStatus() function for reusability
  - Refresh security status after password change

- Skip CSRF validation for /api/setup-script-url endpoint
  - Endpoint generates temporary tokens, not a state change
  - Fixes 403 Forbidden error when generating setup scripts

All API token functionality confirmed working with token rotation
2025-08-16 17:36:17 +00:00
Pulse Monitor
a01dff8514 fix: resolve WebSocket metric updates and improve polling efficiency
- Fix alternating zero I/O metrics by implementing rate caching for stale data from Proxmox
- Hardcode polling interval to 10 seconds (matching Proxmox cluster/resources update cycle)
- Remove polling interval settings from UI (no longer user-configurable)
- Implement efficient VM/container polling using single cluster/resources API call
- Remove 'Remove Password' feature (auth is now mandatory)
- Fix CSRF validation for Basic Auth (exempt from CSRF checks)
- Fix Generate API Token modal and authentication
- Remove redundant 'Active' status from Authentication section
- Remove Connection Timeout setting from frontend (backend-only)
- Clean up frontend console logging (reduce verbosity)
- Remove PBS polling interval setting (fixed at 10s)
- Add frontend rebuild detection to backend-watch script
- Improve first-run setup flow and error handling
2025-08-16 12:12:10 +00:00
Pulse Monitor
f358ff23f7 refactor: remove legacy system.json API token management
- Remove old /api/system/api-token endpoints
- Remove APIToken field from SystemSettings struct
- Remove token handling from system_settings.go
- Clean up config.Load() to not read token from system.json
- Remove unused frontend API token functions
- Remove unused APITokenManager and CurrentAPIToken components

API tokens are now managed exclusively via .env file with the new
/api/security/regenerate-token endpoint. This eliminates confusion
between the two systems and ensures consistency.
2025-08-15 10:04:39 +00:00
Pulse Monitor
784b803985 feat: add Generate New API Token functionality
- Add backend endpoint to regenerate API tokens without resetting auth
- Updates .env file with new token while preserving other settings
- Frontend component with clear UX for token generation
- Shows new token once with copy functionality
- Indicates restart required to activate new token
- Works across all deployment types (Docker, LXC, native)

Much better UX than telling users to 'reconfigure security' just for a new token
2025-08-15 09:58:36 +00:00
Pulse Monitor
3f6c527e65 fix: improve security setup and pending restart detection
- Add pending restart detection when .env exists but not loaded
- Update frontend to show pending state instead of re-showing setup
- Fix QuickSecuritySetup to refresh security status after configuration
- Remove auto-restart attempts from security setup
- Show deployment-appropriate restart instructions
- Update documentation to reflect new update mechanism

Related to security setup issues after removing sudo/auto-restart capabilities
2025-08-15 09:35:40 +00:00
Pulse Monitor
527f53ee32 chore: bump version to v4.3.8
Emergency release to fix critical issues in v4.3.7:
- Install script now correctly installs binary to /opt/pulse/bin/pulse
- Password changes no longer require sudo (addresses #317)

These fixes restore basic functionality for new installations
and Docker deployments.
2025-08-14 22:00:12 +00:00
Pulse Monitor
e3c1f540fe fix: allow quick-setup endpoint to check if already configured
- ProxmoxVE script can now check if auth is already set without credentials
- Quick-setup endpoint is now public but handler checks if setup should be skipped
- Prevents duplicate auth configuration attempts
- Critical for automated setup scripts
2025-08-14 20:59:25 +00:00
Pulse Monitor
b99f2999bf fix: remove legacy security setup handler
- Remove old buggy Quick Security Setup handler
- New handler in security_setup_fix.go handles all cases properly
- Tested and working with Docker, systemd, and manual installations
2025-08-14 20:52:53 +00:00
Pulse Monitor
5fb69cb244 fix: address authentication and setup issues for v4.3.6
- Add service name detection (pulse vs pulse-backend) for ProxmoxVE compatibility
- Remove sudo attempts for non-root users (addresses #6833)
- Add bcrypt hash validation to ensure 60-character length
- Fix Docker .env generation with proper quotes to prevent shell expansion
- Skip security setup if API_TOKEN already configured
- Better environment detection (Docker vs Systemd vs Manual)
- Clear error messages for truncated hashes (addresses #314, #316)
2025-08-14 20:46:41 +00:00
Pulse Monitor
4c60bb3342 fix: address critical issues from v4.3.x releases
- Docker: Fix password change failing due to missing sudo (addresses #314)
  - Detect Docker environment and write directly to .env file
  - Preserve existing .env settings during password update
  - No longer requires sudo in Docker containers

- Alerts: Add debug logging for acknowledgement issues (addresses #310)
  - Enhanced logging to help diagnose 404 errors
  - Better error reporting for alert operations

- Installer: Fix directory creation order (addresses #311)
  - Create directories before downloading files
  - Prevents installation failure on fresh systems
2025-08-14 16:29:42 +00:00
Pulse Monitor
a667e5cf7a feat: add logout button to header when auth is enabled
- adds logout button next to connection status indicator
- implements /api/logout endpoint to clear sessions
- button only shows when authentication is configured
- clears session cookie and invalidates server-side session

implements #315
2025-08-14 14:39:26 +00:00
Pulse Monitor
547231d813 fix: quote environment variables in .env to prevent shell expansion
addresses #314 - bcrypt hashes with $ signs were being interpreted as shell variables
by godotenv, causing authentication to fail after Docker container restarts
2025-08-14 13:04:33 +00:00
Pulse Monitor
0733ee6cd9 fix: remove script output from logs to prevent credential leaks
Script outputs from change-password and remove-password operations could
potentially contain sensitive information. Removed output logging while
keeping error logging for debugging.
2025-08-14 12:37:20 +00:00
Pulse Monitor
bde347f8c1 chore: bump version to v4.3.3
2025-08-14 12:21:23 +00:00
Pulse Monitor
7ccb666dc7 fix: properly handle hashed API tokens in auth checks
The export/import handlers were using direct string comparison for API tokens
instead of proper hash comparison. This caused auth to fail when tokens were
stored as hashes (which is what the security wizard does).

addresses #314
2025-08-14 12:18:36 +00:00
Pulse Monitor
e01982c40f fix: critical auth persistence bug in Docker Quick Security Setup
- Docker containers were not saving credentials to persistent storage
- Non-Docker setups were saving plain text instead of hashed credentials
- After container restart, saved credentials would not work

This fixes issue #314 where users couldn't login after setting up security
in Docker containers. The Quick Security Setup now:
1. Properly hashes passwords and tokens before saving
2. Saves to /etc/pulse/.env for persistence in Docker volumes
3. Correctly loads credentials after container restart
2025-08-14 11:37:52 +00:00
Pulse Monitor
a441d66fd1 feat: auto-allow export/import on private networks without auth
- Homelab users on private networks (192.168.x.x, 10.x.x.x, 172.16.x.x) can now export/import without any configuration
- No need to set ALLOW_UNPROTECTED_EXPORT=true for typical homelab setups
- Public network access still requires authentication for security
- Simplifies backup/restore for users who don't need authentication
2025-08-14 10:07:29 +00:00
Pulse Monitor
65f973e93b fix: reload guest metadata after import
- Guest metadata handler now reloads from disk after import
- Custom console URLs are immediately available after import
- No longer requires service restart to see imported guest URLs
2025-08-14 09:51:40 +00:00
Pulse Monitor
01bf22b419 fix: simplify export/import authentication flow
- Allow export/import with session auth when logged in with password
- No longer require API token when user is already authenticated
- Backend now accepts either session cookies OR API token
- Frontend only prompts for API token if no password auth exists
- Improved UX by eliminating redundant authentication requests
2025-08-14 09:32:24 +00:00
Pulse Monitor
958cacf042 feat: enhance security and improve login UI
Security Improvements:
- Implement bcrypt password hashing (cost factor 12)
- Add SHA3-256 API token hashing
- Fix authentication enforcement after security setup
- Improve restart mechanism to properly reload systemd environment
- Add CSRF protection for all state-changing operations
- Implement comprehensive rate limiting (10/min auth, 500/min API)
- Remove sensitive data from logs
- Add security audit test suite

UI Enhancements:
- Add Pulse logo to login screen with animations
- Implement glassmorphism design for login form
- Add gradient backgrounds and smooth animations
- Enhance input fields with icons
- Add loading spinner for authentication
- Improve overall login page aesthetics

Bug Fixes:
- Fix security setup restart mechanism
- Fix systemd environment variable inheritance
- Fix CSRF validation for security endpoints
- Fix password change and removal functionality

Testing:
- Add automated security test suite
- Verify all authentication flows
- Test rate limiting effectiveness
- Validate CSRF protection
2025-08-13 23:07:57 +00:00
Pulse Monitor
f2f47b10fa feat: add ability to remove password authentication
New Feature:
- Add "Remove Password" button in Settings → Security tab
- Allows users to disable password authentication completely
- Returns Pulse to open access mode (no auth required)
- Requires current password confirmation for security

Implementation:
- New API endpoint: POST /api/security/remove-password
- New modal component: RemovePasswordModal.tsx
- Removes password from systemd override files
- Clears auth configuration from running instance
- Invalidates all sessions after removal

This addresses the issue where users couldn't disable authentication
once it was enabled. Now they can easily toggle between secured and
open modes as needed for their use case.
2025-08-13 20:39:26 +00:00
Pulse Monitor
c563396f18 fix: address critical security vulnerabilities from audit
Security Fixes:
- Fix path traversal vulnerability in tar extraction (HIGH)
  - Validate and sanitize paths from tar archives
  - Prevent directory traversal attacks via ../
  - Ensure extracted files stay within destination directory

- Remove weak SHA-256 password hashing code (MEDIUM)
  - Removed unused SHA-256 hash function from crypto package
  - All password hashing now uses bcrypt (cost 12) exclusively
  - Added warning comment about proper password hashing

- Fix error information leakage (MEDIUM)
  - Add sanitizeErrorMessage helper function
  - Log detailed errors internally while returning generic messages
  - Prevent exposure of system internals in error responses

- Change default CORS from * to restrictive (MEDIUM)
  - Default to no CORS headers (same-origin only)
  - Allow localhost origins only in development mode
  - Require explicit configuration for production CORS

These fixes address all critical and medium severity issues found
in the security audit while maintaining backward compatibility.
2025-08-13 19:46:39 +00:00
Pulse Monitor
35b51c3a77 feat: enhance security and improve API token UX
Security Improvements:
- Add comprehensive CSRF protection for state-changing operations
- Implement rate limiting (500 req/min general, 10/min for auth)
- Add account lockout after 5 failed login attempts
- Secure session management with HttpOnly cookies
- Add security headers (CSP, X-Frame-Options, etc.)
- Implement audit logging for security events
- Session invalidation on password change

API Token UX Improvements:
- Always show API token to authenticated users (no longer hide after generation)
- Add ability to view existing token anytime from Settings
- Fix clipboard copy with HTTP fallback

Authentication Flow Fixes:
- Fix WebSocket initialization to occur after auth check
- Fix CSRF validation to handle server restarts gracefully
- Adjust rate limiting to exclude high-frequency endpoints
- Fix authentication check to use session cookies properly

Documentation Updates:
- Document all security features comprehensively
- Update API documentation with CSRF usage examples
- Add security feature details to README
2025-08-13 19:05:23 +00:00
Pulse Monitor
66403e88fb refactor: consolidate authentication system and improve API structure
- Remove registration tokens feature in favor of simpler API token auth
- Add password authentication with change password functionality
- Centralize API client logic with proper auth handling
- Add development scripts for better DX (hot-reload, proxy setup)
- Refactor auth middleware and handlers for cleaner separation
- Update frontend to use new centralized API client
2025-08-13 14:51:46 +00:00
Pulse Monitor
4c59d53c0c fix: use same restart mechanism as updates for security setup
- Exit cleanly with os.Exit(0) instead of trying systemctl restart
- Let systemd's Restart=always bring service back up
- New environment variables loaded automatically on restart
- Same proven approach used by update system
2025-08-12 21:13:45 +00:00
Pulse Monitor
f33241a145 fix: handle permission issues in security setup gracefully
- Try automatic setup first (if sudo available)
- Fall back to generating a simple apply script
- Show single command to run: sudo bash /etc/pulse/apply-security.sh
- Script handles all systemd configuration steps
- Clear UI shows when manual step is needed
2025-08-12 21:11:21 +00:00