New Feature:
- Add "Remove Password" button in Settings → Security tab
- Allows users to disable password authentication completely
- Returns Pulse to open access mode (no auth required)
- Requires current password confirmation for security
Implementation:
- New API endpoint: POST /api/security/remove-password
- New modal component: RemovePasswordModal.tsx
- Removes password from systemd override files
- Clears auth configuration from running instance
- Invalidates all sessions after removal
This addresses the issue where users couldn't disable authentication
once it was enabled. Now they can easily toggle between secured and
open modes as needed for their use case.
Security Fixes:
- Fix path traversal vulnerability in tar extraction (HIGH)
- Validate and sanitize paths from tar archives
- Prevent directory traversal attacks via ../
- Ensure extracted files stay within destination directory
- Remove weak SHA-256 password hashing code (MEDIUM)
- Removed unused SHA-256 hash function from crypto package
- All password hashing now uses bcrypt (cost 12) exclusively
- Added warning comment about proper password hashing
- Fix error information leakage (MEDIUM)
- Add sanitizeErrorMessage helper function
- Log detailed errors internally while returning generic messages
- Prevent exposure of system internals in error responses
- Change default CORS from * to restrictive (MEDIUM)
- Default to no CORS headers (same-origin only)
- Allow localhost origins only in development mode
- Require explicit configuration for production CORS
These fixes address all critical and medium severity issues found
in the security audit while maintaining backward compatibility.
- Remove registration tokens feature in favor of simpler API token auth
- Add password authentication with change password functionality
- Centralize API client logic with proper auth handling
- Add development scripts for better DX (hot-reload, proxy setup)
- Refactor auth middleware and handlers for cleaner separation
- Update frontend to use new centralized API client
- Exit cleanly with os.Exit(0) instead of trying systemctl restart
- Let systemd's Restart=always bring service back up
- New environment variables loaded automatically on restart
- Same proven approach used by update system
- Try automatic setup first (if sudo available)
- Fall back to generating a simple apply script
- Show single command to run: sudo bash /etc/pulse/apply-security.sh
- Script handles all systemd configuration steps
- Clear UI shows when manual step is needed
- Add build.sh script that ensures frontend is copied before Go build
- Update backend-watch.sh to sync frontend on every restart
- Remove duplicate frontend files from internal/api/
- Frontend embed directory already in .gitignore
- No more manual copying needed - just run ./build.sh
- Detect public vs private network access
- Show stronger warnings for public access without auth
- Red banner when accessed from internet without authentication
- Support for trusted networks configuration via PULSE_TRUSTED_NETWORKS
- Automatic RFC1918 private IP detection
- Enhanced security status API with network context
- Added debug logging for encryption key loading
- Created QuickSecuritySetup component with password/token generation
- Added /api/security/quick-setup endpoint to generate config
- Shows credentials once with copy/download functionality
- Generates systemd environment configuration file
- Only shows when authentication is not already enabled
- guests can now have custom URLs that make their names clickable
- added metadata store for persisting guest metadata to JSON files
- added API endpoints for managing guest metadata
- integrated edit button in dashboard to set/edit custom URLs
- guest names become clickable links when custom URL is set
- Node names in the summary cards at the top now link to Proxmox web interface
- Matches the behavior of node names in the table rows below
- Uses same hover effect (blue color) for consistency
- Add interactive API token management in Settings > Security tab
- Users can now generate, view, regenerate, and delete API tokens from the UI
- Tokens are persisted in system.json and survive restarts
- Environment variable API_TOKEN still takes precedence for backward compatibility
- Proper authentication enforcement when tokens are configured
- Secure token generation using crypto/rand (32 bytes, hex encoded)
- Clean UI with copy-to-clipboard functionality for newly generated tokens
The Pulse logo now displays an orange "RC" badge when running a release
candidate version. This helps users identify when they're testing pre-release
versions.
- Backend now detects RC versions and sets channel field accordingly
- Frontend displays RC badge next to Pulse logo when channel is "rc"
- Works for both git-based and VERSION file-based builds
addresses #306 - The dashboard and storage views were hardcoding port 8006 for node links,
but now they properly use the host URLs from the node configuration. This ensures users
are redirected to the correct URL when clicking on node names, respecting custom ports
and protocols configured in the settings.
- Added host field to Node struct in Go models
- Updated monitor.go to populate host field from instance config
- Added host field to TypeScript Node interface
- Modified Dashboard and Storage components to use nodeHostMap for correct URLs
- Falls back to old behavior if host field is not available
- Add custom JSON payload template support for generic webhooks
- Users can now define custom webhook formats with Go template syntax
- Fix Telegram webhook issue where chat_id in URL caused 400 errors
- Automatically strip chat_id from URL and place in JSON body for Telegram
- Add comprehensive webhook documentation with examples
- Update API documentation with webhook endpoints
Addresses #305
Addresses #304 - Eliminates redirect loops and path issues by embedding
the frontend directly in the Go binary using go:embed
- Frontend is now embedded at compile time, no separate files needed
- Simplified tarball structure - just the binary and config files
- No more path searching or frontend directory issues
- Works consistently across all installation methods
- Smaller deployment footprint and simpler installation
This change makes Pulse a true single-binary deployment, eliminating
the complexity of managing separate frontend files and the issues that
arose from different installation structures.
- Add multiple search paths for frontend files
- Check parent directories when binary is in bin/ subdirectory
- Support both tarball extraction and installed structures
- Fixes issue #304 where manual tarball extraction caused redirect loops
- Maintains compatibility with community scripts
- Test email button now works without re-entering password
- Backend uses saved password if test request has empty password
- Fixes authentication error when testing email notifications
Updated logging to exclude request bodies that may contain passwords
or other sensitive information. Now only logs metadata about requests
without exposing actual credentials.
- add proper telegram bot api support with chat_id and text fields
- fix frontend pbs red dot display (was checking 'error' instead of 'unhealthy')
- fix qemu guest agent memory reporting (fallback to mem when freemem is 0)
- extract chat_id from telegram webhook urls when present
- Import was saving configs to disk but not updating in-memory state
- Added explicit reloading of alert thresholds after import
- Added explicit reloading of webhooks after import
- Added explicit reloading of email config after import
- Settings now show immediately in UI without requiring restart
Fixes#291 where imported alert thresholds and webhooks weren't
visible until after service restart
- Fixed incorrect RAM usage display for VMs without guest agent (issue #280)
- VMs without guest agent now show 0% usage instead of 100%
- Only show actual usage when guest agent provides FreeMem data
- Containers continue to show accurate usage as before
- Fixed webhook test functionality (issue #279)
- Added proper webhook ID handling in test notification endpoint
- Created SendTestWebhook method to test specific webhooks
- Frontend can now successfully trigger webhook tests
Token names now include both Pulse server IP and Unix timestamp (e.g. pulse-192-168-0-176-1754816525) ensuring each script run creates a unique token. This completely eliminates 'token already exists' errors when running setup scripts multiple times.
When running the setup script multiple times from different Pulse servers, tokens now include the Pulse server's IP address in the name (e.g. pulse-192-168-0-176) to avoid conflicts. This prevents 'token already exists' errors when managing multiple Pulse instances.
- PBS instances now show as online when datastores are accessible even if version endpoint fails
- Email sending now uses proper STARTTLS support for compatibility with providers like SMTP2GO
- Email recipient input no longer filters entries while typing
- Auto-update setting now properly persists and loads from config
- Fixed CPU usage alerts for offline VMs (already addressed in previous commits)
- Added service field to WebhookConfig to identify Discord webhooks
- Use Discord-specific template when sending Discord webhooks
- Fixed backup type detection for PBS backups (vm/ct)
- Fixed shared storage duplicate IDs across instances
- Fixed alert acknowledge/clear response format to match frontend expectations
- Fix CPU core display to show for all guests with CPU data
- Previously only showed cores when CPU > 0 (truthy)
- Now shows "(0.0/X cores)" consistently for all running/stopped guests
- Improve code organization with new helper utilities
- Clean up import statements and remove debug logs
- Remove token logging - tokens were being logged in plaintext
- Add client IP logging for security auditing
- Add HTTPS warning when tokens sent over HTTP
- Remove debug output that exposed tokens in console
- Add optional auth requirement via REQUIRE_AUTH_FOR_AUTO_REGISTER env var
- Prevent token exposure in error messages
- Already has duplicate node prevention
Security improvements:
- Tokens no longer logged anywhere
- Source IPs tracked for audit trail
- Optional authentication for high-security environments
- HTTPS enforcement warnings
- Fix unsafe JSON parsing in WebSocket with proper error handling
- Fix unsafe JSON parsing in Settings import with validation
- Improve API token security by using sessionStorage as primary storage
- Remove debug console statements from production code
- Fix race conditions in WebSocket alert handling with atomic updates
- Add NaN validation for parseFloat operations in search queries
- Add safer error handling alternatives in generics utility
- Improve graceful shutdown in Settings API with proper timing
- All changes verified with successful frontend and backend builds
- Fix release channel not saving when changed in UI
- Add system settings persistence for update-related config
- Expand .env file support to include all non-sensitive settings:
- UPDATE_CHANNEL, AUTO_UPDATE_ENABLED, AUTO_UPDATE_CHECK_INTERVAL, AUTO_UPDATE_TIME
- POLLING_INTERVAL, CONNECTION_TIMEOUT, ALLOWED_ORIGINS, LOG_LEVEL
- Update documentation with all available .env settings
- Settings now properly persist across restarts
- Environment variables override saved settings at startup
- Fix Export/Import API token authentication (wasn't sending X-API-Token header)
- Add client-side passphrase validation (12+ chars with visual feedback)
- Fix settings persistence for AllowedOrigins field
- Fix hardcoded port display in diagnostics (now shows actual port)
- Add .env file support for non-sensitive configuration (ports, logging, etc)
- Keep sensitive data (API tokens, passwords) using secure methods (systemd env vars)
- Update documentation with configuration guide and latest features
- Document auto-discovery, cluster detection, and export/import features
- Add checkbox to control whether backup write permissions are granted
- When checked: adds PVEDatastoreAdmin role on /storage (allows backup management)
- When unchecked: only PVEAuditor role (read-only, no PVE backups in Storage tab)
- Update setup script generation to conditionally add storage permissions
- Update UI to clearly explain the implications of each choice
Frontend:
- Enhanced cluster vs standalone node visual distinction in Settings
- Added glassmorphic style to all toast notifications for consistency
- Fixed test connection in edit modal to use stored encrypted credentials
- Added batch credential modal for bulk node operations
- Added network discovery modal with auto-subnet detection
- Improved notification system with dual toast/notification support
- Added event bus for component communication
Backend:
- Fixed duplicate toast notifications during auto-registration
- Fixed PBS auto-registration token extraction from JSON output
- Added network discovery service with background scanning
- Improved cluster detection with actual cluster name from API
- Added helper function to reduce code duplication in cluster detection
- Fixed host URL normalization in auto-registration
- Enhanced PBS client token authentication parsing
Bug Fixes:
- Fixed stacking toast notifications creating visual bugs
- Fixed PBS authentication failures after auto-registration
- Fixed network discovery not finding Proxmox servers
- Fixed test connection for existing nodes with encrypted tokens
- Removed duplicate WebSocket broadcasts for auto-registration events
- PBS host now automatically gets https:// prefix and :8007 port if missing
- Fixed auto-naming to work after host normalization
- Token auth now correctly displays 'Token:' instead of 'User:'
- Edit mode now correctly identifies token vs password auth
- Backend properly clears unused auth fields when switching types
Fixes#263, #261
- Fixed NodeModal to correctly detect token auth based on tokenName instead of user field
- Backend now properly clears user field when using token authentication
- Backend now properly clears token fields when using password authentication
- This fixes the issue where PBS nodes using token auth would show "User:" instead of "Token:"
Fixes#263, #261
- Removed PBS summary card from Dashboard and Backups tabs (not needed)
- Fixed backup frequency chart to use local timezone instead of UTC
- Chart now properly includes today in the date range
- Dates display according to user's browser timezone
The issue was that the binary was looking for frontend files relative to the current working directory instead of relative to the binary location. This caused a redirect loop when the binary was installed in /opt/pulse but run from elsewhere.
Fixed by:
- Making the binary detect its own location and look for frontend files there
- Adding fallback paths for common installation locations
- Logging where frontend files are being served from for debugging
- Use background context for update downloads to prevent cancellation
- Detect actual binary location and update correct file
- Support both 'pulse' and 'pulse-backend' service names
- Copy VERSION file to multiple locations for compatibility
- Handle flat tarball structure from GitHub releases
- Frontend now passes currently selected channel when checking for updates
- Backend accepts channel parameter to check specific channel without saving
- Fixed applyUpdateFiles to handle flat tarball structure (not nested in pulse-* directory)
- Fixed extraction logic to properly copy pulse binary, frontend, and VERSION file
- Users no longer need to toggle channels and save to see update button
Security Features Added:
- Secure-by-default configuration export/import with ALLOW_UNPROTECTED_EXPORT environment variable
- Rate limiting (5 attempts/minute) to prevent brute force attacks on sensitive endpoints
- Comprehensive audit logging for all export/import attempts with IP tracking
- Frontend Security tab showing API protection status and configuration guidance
- Frontend now shows when export is blocked and disables buttons appropriately
- Strong passphrase requirement (minimum 12 characters) for exports
Technical Implementation:
- New RateLimiter component with automatic cleanup and middleware support
- Security status API endpoint showing protection state
- Enhanced error messaging with specific guidance for homelab vs production use
- Proper authentication flow with API token validation
- Updated documentation reflecting new security model
Breaking Changes:
- Export/import now requires API_TOKEN unless ALLOW_UNPROTECTED_EXPORT=true is set
- Minimum passphrase length increased from none to 12 characters
Additional Improvements:
- Fixed architecture-specific updates for better cross-platform support
- Removed RC label from UI header
- Updated security documentation with clear setup instructions
The ConfigHandlers were calling config.SaveConfig() which uses
globalPersistence initialized at startup with potentially wrong path.
Now handlers use their own persistence instance directly which is
initialized with the correct DataPath.
This was causing Docker configurations to still save to /etc/pulse
even though we thought we fixed it in v4.0.6.
Fixes#253 (for real this time)
- Fix Docker persistence bug where config was saved to /etc/pulse instead of /data
- Fix Windows VM memory reporting with balloon drivers
- Add GetVMStatus method to get detailed VM info including balloon memory
- Update diagnostics endpoint to use correct config paths
Fixes#253 (Docker persistence)
Fixes#258 (Windows VM memory reporting)
- Add /api/diagnostics endpoint for detailed troubleshooting info
- Shows connection status, auth methods, errors for each node
- Auto-fix PBS hosts missing https:// prefix instead of crashing
- Skip invalid PBS instances instead of failing to start
- Fixes issue #251 where invalid PBS config crashed the service
