New Feature:
- Add "Remove Password" button in Settings → Security tab
- Allows users to disable password authentication completely
- Returns Pulse to open access mode (no auth required)
- Requires current password confirmation for security
Implementation:
- New API endpoint: POST /api/security/remove-password
- New modal component: RemovePasswordModal.tsx
- Removes password from systemd override files
- Clears auth configuration from running instance
- Invalidates all sessions after removal
This addresses the issue where users couldn't disable authentication
once it was enabled. Now they can easily toggle between secured and
open modes as needed for their use case.
Documentation Updates:
- Fix CORS documentation to reflect new secure defaults (no CORS by default)
- Add API token management endpoints to API.md
- Document CORS configuration in SECURITY.md
- Update environment variable documentation with defaults
- Add authentication variables (PULSE_PASSWORD, API_TOKEN, etc.)
- Add troubleshooting for CORS and authentication issues
- Remove outdated references to ALLOWED_ORIGINS=*
- Clarify that CORS defaults to same-origin only
All documentation now accurately reflects:
- Security improvements from recent audit
- New API token management features
- Correct CORS behavior and configuration
- Complete environment variable reference
Security Fixes:
- Fix path traversal vulnerability in tar extraction (HIGH)
  - Validate and sanitize paths from tar archives
  - Prevent directory traversal attacks via ../
  - Ensure extracted files stay within destination directory
- Remove weak SHA-256 password hashing code (MEDIUM)
  - Removed unused SHA-256 hash function from crypto package
  - All password hashing now uses bcrypt (cost 12) exclusively
  - Added warning comment about proper password hashing
- Fix error information leakage (MEDIUM)
  - Add sanitizeErrorMessage helper function
  - Log detailed errors internally while returning generic messages
  - Prevent exposure of system internals in error responses
- Change default CORS from * to restrictive (MEDIUM)
  - Default to no CORS headers (same-origin only)
  - Allow localhost origins only in development mode
  - Require explicit configuration for production CORS
These fixes address all critical and medium severity issues found
in the security audit while maintaining backward compatibility.
- Remove registration tokens feature in favor of simpler API token auth
- Add password authentication with change password functionality
- Centralize API client logic with proper auth handling
- Add development scripts for better DX (hot-reload, proxy setup)
- Refactor auth middleware and handlers for cleaner separation
- Update frontend to use new centralized API client
- Exit cleanly with os.Exit(0) instead of trying systemctl restart
- Let systemd's Restart=always bring service back up
- New environment variables loaded automatically on restart
- Same proven approach used by update system
- Try automatic setup first (if sudo available)
- Fall back to generating a simple apply script
- Show single command to run: sudo bash /etc/pulse/apply-security.sh
- Script handles all systemd configuration steps
- Clear UI shows when manual step is needed
- Replace vague 'see documentation' with actual commands
- Show systemd and Docker examples with credentials filled in
- Include the restart command in the instructions
- Make commands copy-paste ready with proper formatting
- Show Quick Setup prominently when no auth configured
- Hide API tokens and registration tokens when not needed
- Consolidate Export/Import into single Backup & Restore section
- Only show advanced features when authentication is enabled
- Remove redundant descriptions and duplicate sections
- Add build.sh script that ensures frontend is copied before Go build
- Update backend-watch.sh to sync frontend on every restart
- Remove duplicate frontend files from internal/api/
- Frontend embed directory already in .gitignore
- No more manual copying needed - just run ./build.sh
- Detect public vs private network access
- Show stronger warnings for public access without auth
- Red banner when accessed from internet without authentication
- Support for trusted networks configuration via PULSE_TRUSTED_NETWORKS
- Automatic RFC1918 private IP detection
- Enhanced security status API with network context
- Added debug logging for encryption key loading
- Created QuickSecuritySetup component with password/token generation
- Added /api/security/quick-setup endpoint to generate config
- Shows credentials once with copy/download functionality
- Generates systemd environment configuration file
- Only shows when authentication is not already enabled
- ALL archives now use bin/pulse structure (including architecture-specific)
- Matches what Proxmox community script expects
- Install script checks bin/ first, falls back to root for old archives
- Eliminates confusion from having two different structures
- One consistent path forward: archives have bin/ directory
- Current dual-path logic needed for backwards compatibility
- v4.3.0 universal archive has bin/ structure
- Architecture-specific archives have pulse in root
- TODO: Standardize on single structure in v5
- Install script now handles both archive layouts (with/without bin directory)
- Service file points to correct path: /opt/pulse/pulse (not /opt/pulse/bin/pulse)
- Fixes service startup issue in fresh LXC installations
- Created MIGRATION.md with clear backup/migration procedures
- Emphasizes export/import as the only supported migration method
- Warns against direct file copying
- Includes security notes about passphrase protection
- Added troubleshooting and pro tips
- Updated README and SECURITY docs to reference migration guide
- guest URLs are now backed up with config export
- restored on import to preserve custom URLs across migrations
- stored in plain text (not encrypted) as they're just service URLs, not credentials
- import failures for guest metadata are non-fatal (logged as warnings)
- moved modal state to Dashboard component level
- removed local modal state from GuestRow
- modal now persists through API updates and component re-renders
- passed openUrlEditor callback from Dashboard to GuestRow components
- guests can now have custom URLs that make their names clickable
- added metadata store for persisting guest metadata to JSON files
- added API endpoints for managing guest metadata
- integrated edit button in dashboard to set/edit custom URLs
- guest names become clickable links when custom URL is set
- Node names in the summary cards at the top now link to Proxmox web interface
- Matches the behavior of node names in the table rows below
- Uses same hover effect (blue color) for consistency
- Telegram was available in backend but missing from frontend dropdown
- Added 'telegram' to service list and display name mapping
- Fixes issue where users couldn't select Telegram as webhook service
- Add interactive API token management in Settings > Security tab
- Users can now generate, view, regenerate, and delete API tokens from the UI
- Tokens are persisted in system.json and survive restarts
- Environment variable API_TOKEN still takes precedence for backward compatibility
- Proper authentication enforcement when tokens are configured
- Secure token generation using crypto/rand (32 bytes, hex encoded)
- Clean UI with copy-to-clipboard functionality for newly generated tokens
The Pulse logo now displays an orange "RC" badge when running a release
candidate version. This helps users identify when they're testing pre-release
versions.
- Backend now detects RC versions and sets channel field accordingly
- Frontend displays RC badge next to Pulse logo when channel is "rc"
- Works for both git-based and VERSION file-based builds
Addresses #306 - The dashboard and storage views were hardcoding port 8006 for node links,
but now they properly use the host URLs from the node configuration. This ensures users
are redirected to the correct URL when clicking on node names, respecting custom ports
and protocols configured in the settings.
- Added host field to Node struct in Go models
- Updated monitor.go to populate host field from instance config
- Added host field to TypeScript Node interface
- Modified Dashboard and Storage components to use nodeHostMap for correct URLs
- Falls back to old behavior if host field is not available
- Add custom JSON payload template support for generic webhooks
- Users can now define custom webhook formats with Go template syntax
- Fix Telegram webhook issue where chat_id in URL caused 400 errors
- Automatically strip chat_id from URL and place in JSON body for Telegram
- Add comprehensive webhook documentation with examples
- Update API documentation with webhook endpoints
Addresses #305
- Fix Discord webhook templates to use logo.svg instead of non-existent favicon.svg
- Add comprehensive release notes for v4.3.0 about embedded frontend breaking change
- Document migration path and benefits of embedded frontend
The embedded frontend is a significant architectural improvement that eliminates
path-related issues but requires clear communication to users about the change.
- Fix auto-updater to handle single-binary structure
- Fix Docker build to copy frontend before Go compilation
- Add development script for frontend rebuilds
- Remove unnecessary frontend directory copying in updater
The embedded frontend change simplifies deployment but required
updates to various build and update systems.
Addresses #304 - Eliminates redirect loops and path issues by embedding
the frontend directly in the Go binary using go:embed
- Frontend is now embedded at compile time, no separate files needed
- Simplified tarball structure - just the binary and config files
- No more path searching or frontend directory issues
- Works consistently across all installation methods
- Smaller deployment footprint and simpler installation
This change makes Pulse a true single-binary deployment, eliminating
the complexity of managing separate frontend files and the issues that
arose from different installation structures.
- Add multiple search paths for frontend files
- Check parent directories when binary is in bin/ subdirectory
- Support both tarball extraction and installed structures
- Fixes issue #304 where manual tarball extraction caused redirect loops
- Maintains compatibility with community scripts
- Remove excessive emojis
- Match professional tone of main repository README
- Use technical language appropriately
- Improve structure and clarity
- Focus on technical details over marketing language
- Modern, comprehensive overview for Docker Hub
- Clear quick start instructions
- Feature highlights with emojis
- Security information
- Multi-arch support details
- Current version info (v4.2.1)
- Proper setup instructions with auto-setup script
- Alert configuration overview
- Delete old screenshots directory (proper ones are in docs/images)
- Remove .devdata test directory
- Update .gitignore to exclude these directories
- Keep repository focused on production code only
- Remove all temporary test files and documentation
- Delete testing-tools directory with old screenshots and scripts
- Remove stray package.json files from root
- Update .gitignore to prevent test files from being committed
- Keep repository clean and focused on production code
- Add registration tokens documentation to SECURITY.md
- Add email configuration guide to README.md
- Create comprehensive API.md with all endpoints documented
- Include examples for bash, PowerShell, and Python API usage
- Document WebSocket connection for real-time updates
- Add rate limiting information and error response formats
- Keep full token format (user@realm!token-name) in edit form for PBS nodes
- Properly detect token vs password authentication based on hasToken/hasPassword fields
- Extract username from token format for internal use only
- Addresses issue #296 follow-up where PBS edit forms weren't populated correctly
- Editing state is now tracked at parent component level
- Edit state persists across WebSocket updates and re-renders
- Save/Cancel buttons no longer disappear during 5-second refresh cycle
- Fixes issue where users lost ability to save threshold changes
- Test email button now works without re-entering password
- Backend uses saved password if test request has empty password
- Fixes authentication error when testing email notifications