vrr/Pulse
2
0
Fork 0
mirror of https://github.com/rcourtman/Pulse.git synced 2026-05-22 03:02:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
Pulse/internal/api
History
rcourtman 1bf9cfea88 Fix critical P0 security and crash issues in API/WebSocket layer 
This commit addresses 5 critical P0 bugs that cause security vulnerabilities, crashes, and data corruption:

**P0-1: Recovery Tokens Replay Attack Vulnerability** (recovery_tokens.go:153-159)
- **SECURITY CRITICAL**: Single-use recovery tokens could be replayed
- **Problem**: Lock upgrade race - two concurrent requests both pass initial Used check
  1. Both acquire RLock, see token.Used = false
  2. Both release RLock
  3. Both acquire Lock and mark token.Used = true
  4. Both return true - TOKEN REUSED
- **Impact**: Attacker with intercepted token can use it multiple times
- **Fix**: Re-check token.Used after acquiring write lock (TOCTOU prevention)

**P0-2: WebSocket Hub Concurrent Map Panic** (hub.go:345-347, 376-378)
- **Problem**: Initial state goroutine reads h.clients map without lock
  - Line 345: `if _, ok := h.clients[client]` (NO LOCK)
  - Main loop writes to h.clients with lock (line 326, 394)
- **Impact**: "fatal error: concurrent map read and write" crashes hub
- **Fix**: Acquire RLock before all client map reads in goroutine

**P0-3: WebSocket Send on Closed Channel Panic** (hub.go:348, 380)
- **Problem**: Check client exists, then send - channel can close between
- **Impact**: "send on closed channel" panic crashes hub
- **Fix**: Hold RLock during both check and send (defensive select already present)

**P0-4: CSRF Store Shutdown Data Corruption** (csrf_store.go:189-196)
- **Problem**: Stop() calls save() after signaling worker. Both hold only RLock
  - Worker's final save writes to csrf_tokens.json.tmp
  - Stop()'s save writes to same file concurrently
- **Impact**: Corrupted/truncated csrf_tokens.json on shutdown
- **Fix**: Added saveMu mutex to serialize all disk writes

**P0-5: CSRF Store Deadlock on Double-Stop** (csrf_store.go:103-108)
- **Problem**: stopChan unbuffered, no sync.Once guard, uses send not close
- **Impact**: Second Stop() call blocks forever waiting for receiver
- **Fix**:
  - Added sync.Once field stopOnce
  - Changed to close(stopChan) within stopOnce.Do()
  - Prevents double-close panic and deadlock

All fixes maintain backwards compatibility. The recovery token fix is particularly critical as it closes a security vulnerability allowing replay attacks on password reset flows.
2025-11-07 10:13:15 +00:00
..
alerts.go Implement Pulse tag overrides and alert clear persistence 2025-10-25 14:28:32 +00:00
alerts_test.go Allow printable alert IDs for acknowledgements (#550) 2025-10-14 16:48:22 +00:00
auth.go Refactor: Code cleanup and localStorage consolidation 2025-11-04 21:50:46 +00:00
auth_scope_test.go Add API token scopes and standalone host agent 2025-10-23 11:40:31 +00:00
bootstrap_token.go Improve bootstrap token UX for easier discovery 2025-11-06 17:29:49 +00:00
config_handlers.go Fix config backup/restore failures (related to #646) 2025-11-06 17:53:54 +00:00
config_handlers_auto_register_test.go Harden setup token flow and enforce encrypted persistence 2025-10-25 16:00:37 +00:00
config_handlers_cluster_test.go Respect custom ports when discovering Proxmox clusters 2025-10-22 17:42:52 +00:00
config_handlers_setup_script_test.go Refactor: Code cleanup and localStorage consolidation 2025-11-04 21:50:46 +00:00
csrf_store.go Fix critical P0 security and crash issues in API/WebSocket layer 2025-11-07 10:13:15 +00:00
demo_middleware.go Fix demo mode to allow authentication endpoints 2025-11-06 13:48:28 +00:00
diagnostics.go Fix guest agent disk data regression on Proxmox 8.3+ 2025-11-06 18:42:46 +00:00
DO_NOT_EDIT_FRONTEND_HERE.md Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
docker_agents.go Add custom display name support for Docker hosts 2025-11-05 23:18:03 +00:00
docker_metadata.go Consolidate pending changes 2025-10-28 23:20:44 +00:00
frontend_embed.go Improve static asset caching for hashed files 2025-11-06 13:54:26 +00:00
guest_metadata.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
host_agents.go Improve host agent onboarding flow 2025-10-25 09:37:29 +00:00
host_agents_test.go perf: reduce polling allocations and guest metadata load 2025-10-25 13:12:47 +00:00
http_metrics.go feat: comprehensive diagnostics and observability improvements 2025-10-21 12:37:39 +00:00
middleware.go feat: comprehensive diagnostics and observability improvements 2025-10-21 12:37:39 +00:00
notification_queue.go Add comprehensive alert system reliability improvements 2025-11-06 16:46:30 +00:00
notifications.go Add encryption status to notification health endpoint (P2) 2025-11-07 08:36:55 +00:00
oidc_handlers.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
oidc_service.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
rate_limit_config.go Add comprehensive release validation to prevent missing artifacts 2025-11-06 16:33:49 +00:00
rate_limit_config_test.go test: add X-RateLimit-Limit header regression test 2025-10-20 15:10:59 +00:00
ratelimit.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
README.md Fix settings security tab navigation 2025-10-11 23:29:47 +00:00
recovery_tokens.go Fix critical P0 security and crash issues in API/WebSocket layer 2025-11-07 10:13:15 +00:00
router.go Add comprehensive release validation to prevent missing artifacts 2025-11-06 16:33:49 +00:00
router_integration_test.go Refactor: Code cleanup and localStorage consolidation 2025-11-04 21:50:46 +00:00
security.go Fix CSRF token validation and improve token management 2025-11-05 09:23:44 +00:00
security_oidc.go feat: add professional logging with runtime configuration and performance optimization 2025-10-20 15:13:38 +00:00
security_setup_fix.go Improve bootstrap token UX for easier discovery 2025-11-06 17:29:49 +00:00
security_setup_fix_test.go Refactor: Code cleanup and localStorage consolidation 2025-11-04 21:50:46 +00:00
security_test.go Refactor: Code cleanup and localStorage consolidation 2025-11-04 21:50:46 +00:00
security_tokens.go Refactor: Code cleanup and localStorage consolidation 2025-11-04 21:50:46 +00:00
security_tokens_test.go Add API token scopes and standalone host agent 2025-10-23 11:40:31 +00:00
session_store.go Fix P1/P2 infrastructure issues: panic recovery and optimizations 2025-11-07 09:55:22 +00:00
system_settings.go Fix CSRF token validation and improve token management 2025-11-05 09:23:44 +00:00
types.go Add per-node temperature monitoring and fix critical config update bug 2025-11-05 14:11:53 +00:00
updates.go Fix settings security tab navigation 2025-10-11 23:29:47 +00:00

README.md

Internal API Package

This directory contains the API server implementation for Pulse.

Important Note About frontend-modern/

The frontend-modern/ subdirectory that appears here is:

  • AUTO-GENERATED during builds
  • NOT the source code - just a build artifact
  • IN .gitignore - never committed
  • REQUIRED BY GO - The embed directive needs it here

Frontend Development Location

👉 Edit frontend files at: /opt/pulse/frontend-modern/src/

Why This Structure?

Go's //go:embed directive has limitations:

  1. Cannot use ../ paths to access parent directories
  2. Cannot follow symbolic links
  3. Must embed files within the Go module

This is a known Go limitation and our structure works around it.