Pulse/internal/api/router.go
rcourtman bebe5efc3d fix: Setup script now verifies temperature SSH connectivity from Pulse
When Pulse runs in a container (LXC/Docker), the setup script would claim
temperature monitoring was enabled on cluster nodes, but Pulse couldn't
actually SSH to them. The script ran on the Proxmox host which could SSH
fine, but didn't verify connectivity from Pulse itself.

Changes:
- Added /api/system/verify-temperature-ssh endpoint that tests SSH from Pulse
- Setup script now calls this endpoint after configuring cluster nodes
- Detects when Pulse is containerized and provides ProxyJump config instructions
- Shows clear success/failure status for each node

Addresses #528
2025-10-12 20:36:48 +00:00

2636 lines
87 KiB
Go

package api
import (
"bufio"
"context"
"encoding/base64"
"encoding/json"
"fmt"
"net/http"
"os"
"os/exec"
"path"
"path/filepath"
"runtime"
"strings"
"sync"
"time"
"github.com/rcourtman/pulse-go-rewrite/internal/auth"
"github.com/rcourtman/pulse-go-rewrite/internal/config"
"github.com/rcourtman/pulse-go-rewrite/internal/dockeragent"
"github.com/rcourtman/pulse-go-rewrite/internal/models"
"github.com/rcourtman/pulse-go-rewrite/internal/monitoring"
"github.com/rcourtman/pulse-go-rewrite/internal/updates"
"github.com/rcourtman/pulse-go-rewrite/internal/utils"
"github.com/rcourtman/pulse-go-rewrite/internal/websocket"
"github.com/rs/zerolog/log"
)
// Router handles HTTP routing
type Router struct {
mux *http.ServeMux
config *config.Config
monitor *monitoring.Monitor
alertHandlers *AlertHandlers
configHandlers *ConfigHandlers
notificationHandlers *NotificationHandlers
dockerAgentHandlers *DockerAgentHandlers
systemSettingsHandler *SystemSettingsHandler
wsHub *websocket.Hub
reloadFunc func() error
updateManager *updates.Manager
exportLimiter *RateLimiter
persistence *config.ConfigPersistence
oidcMu sync.Mutex
oidcService *OIDCService
wrapped http.Handler
// Cached system settings to avoid loading from disk on every request
settingsMu sync.RWMutex
cachedAllowEmbedding bool
cachedAllowedOrigins string
}
// NewRouter creates a new router instance
func NewRouter(cfg *config.Config, monitor *monitoring.Monitor, wsHub *websocket.Hub, reloadFunc func() error) *Router {
// Initialize persistent session and CSRF stores
InitSessionStore(cfg.DataPath)
InitCSRFStore(cfg.DataPath)
r := &Router{
mux: http.NewServeMux(),
config: cfg,
monitor: monitor,
wsHub: wsHub,
reloadFunc: reloadFunc,
updateManager: updates.NewManager(cfg),
exportLimiter: NewRateLimiter(5, 1*time.Minute), // 5 attempts per minute
persistence: config.NewConfigPersistence(cfg.DataPath),
}
r.setupRoutes()
// Start forwarding update progress to WebSocket
go r.forwardUpdateProgress()
// Start background update checker
go r.backgroundUpdateChecker()
// Load system settings once at startup and cache them
r.reloadSystemSettings()
// Get cached values for middleware configuration
r.settingsMu.RLock()
allowEmbedding := r.cachedAllowEmbedding
allowedOrigins := r.cachedAllowedOrigins
r.settingsMu.RUnlock()
// Apply middleware chain:
// 1. Universal rate limiting (outermost to stop attacks early)
// 2. Demo mode (read-only protection)
// 3. Error handling
// 4. Security headers with embedding configuration
// Note: TimeoutHandler breaks WebSocket upgrades
handler := SecurityHeadersWithConfig(r, allowEmbedding, allowedOrigins)
handler = ErrorHandler(handler)
handler = DemoModeMiddleware(cfg, handler)
handler = UniversalRateLimitMiddleware(handler)
r.wrapped = handler
return r
}
// setupRoutes configures all routes
func (r *Router) setupRoutes() {
// Create handlers
r.alertHandlers = NewAlertHandlers(r.monitor, r.wsHub)
r.notificationHandlers = NewNotificationHandlers(r.monitor)
guestMetadataHandler := NewGuestMetadataHandler(r.config.DataPath)
r.configHandlers = NewConfigHandlers(r.config, r.monitor, r.reloadFunc, r.wsHub, guestMetadataHandler, r.reloadSystemSettings)
updateHandlers := NewUpdateHandlers(r.updateManager, r.config.DataPath)
r.dockerAgentHandlers = NewDockerAgentHandlers(r.monitor, r.wsHub)
// API routes
r.mux.HandleFunc("/api/health", r.handleHealth)
r.mux.HandleFunc("/api/state", r.handleState)
r.mux.HandleFunc("/api/agents/docker/report", RequireAuth(r.config, r.dockerAgentHandlers.HandleReport))
r.mux.HandleFunc("/api/agents/docker/hosts/", RequireAdmin(r.config, r.dockerAgentHandlers.HandleDeleteHost))
r.mux.HandleFunc("/api/version", r.handleVersion)
r.mux.HandleFunc("/api/storage/", r.handleStorage)
r.mux.HandleFunc("/api/storage-charts", r.handleStorageCharts)
r.mux.HandleFunc("/api/charts", r.handleCharts)
r.mux.HandleFunc("/api/diagnostics", RequireAuth(r.config, r.handleDiagnostics))
r.mux.HandleFunc("/api/config", r.handleConfig)
r.mux.HandleFunc("/api/backups", r.handleBackups)
r.mux.HandleFunc("/api/backups/", r.handleBackups)
r.mux.HandleFunc("/api/backups/unified", r.handleBackups)
r.mux.HandleFunc("/api/backups/pve", r.handleBackupsPVE)
r.mux.HandleFunc("/api/backups/pbs", r.handleBackupsPBS)
r.mux.HandleFunc("/api/snapshots", r.handleSnapshots)
// Guest metadata routes
r.mux.HandleFunc("/api/guests/metadata", guestMetadataHandler.HandleGetMetadata)
r.mux.HandleFunc("/api/guests/metadata/", func(w http.ResponseWriter, req *http.Request) {
switch req.Method {
case http.MethodGet:
guestMetadataHandler.HandleGetMetadata(w, req)
case http.MethodPut, http.MethodPost:
guestMetadataHandler.HandleUpdateMetadata(w, req)
case http.MethodDelete:
guestMetadataHandler.HandleDeleteMetadata(w, req)
default:
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
}
})
// Update routes
r.mux.HandleFunc("/api/updates/check", updateHandlers.HandleCheckUpdates)
r.mux.HandleFunc("/api/updates/apply", updateHandlers.HandleApplyUpdate)
r.mux.HandleFunc("/api/updates/status", updateHandlers.HandleUpdateStatus)
r.mux.HandleFunc("/api/updates/plan", updateHandlers.HandleGetUpdatePlan)
r.mux.HandleFunc("/api/updates/history", updateHandlers.HandleListUpdateHistory)
r.mux.HandleFunc("/api/updates/history/entry", updateHandlers.HandleGetUpdateHistoryEntry)
// Config management routes
r.mux.HandleFunc("/api/config/nodes", func(w http.ResponseWriter, req *http.Request) {
switch req.Method {
case http.MethodGet:
r.configHandlers.HandleGetNodes(w, req)
case http.MethodPost:
RequireAdmin(r.configHandlers.config, r.configHandlers.HandleAddNode)(w, req)
default:
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
}
})
// Test node configuration endpoint (for new nodes)
r.mux.HandleFunc("/api/config/nodes/test-config", func(w http.ResponseWriter, req *http.Request) {
if req.Method == http.MethodPost {
r.configHandlers.HandleTestNodeConfig(w, req)
} else {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
}
})
// Test connection endpoint
r.mux.HandleFunc("/api/config/nodes/test-connection", func(w http.ResponseWriter, req *http.Request) {
if req.Method == http.MethodPost {
r.configHandlers.HandleTestConnection(w, req)
} else {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
}
})
r.mux.HandleFunc("/api/config/nodes/", func(w http.ResponseWriter, req *http.Request) {
switch req.Method {
case http.MethodPut:
RequireAdmin(r.configHandlers.config, r.configHandlers.HandleUpdateNode)(w, req)
case http.MethodDelete:
RequireAdmin(r.configHandlers.config, r.configHandlers.HandleDeleteNode)(w, req)
case http.MethodPost:
// Handle test endpoint
if strings.HasSuffix(req.URL.Path, "/test") {
r.configHandlers.HandleTestNode(w, req)
} else {
http.Error(w, "Not found", http.StatusNotFound)
}
default:
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
}
})
// System settings routes
r.mux.HandleFunc("/api/config/system", func(w http.ResponseWriter, req *http.Request) {
switch req.Method {
case http.MethodGet:
r.configHandlers.HandleGetSystemSettings(w, req)
case http.MethodPut:
// DEPRECATED - use /api/system/settings/update instead
RequireAdmin(r.configHandlers.config, r.configHandlers.HandleUpdateSystemSettingsOLD)(w, req)
default:
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
}
})
// Mock mode toggle routes
r.mux.HandleFunc("/api/system/mock-mode", func(w http.ResponseWriter, req *http.Request) {
switch req.Method {
case http.MethodGet:
r.configHandlers.HandleGetMockMode(w, req)
case http.MethodPost, http.MethodPut:
RequireAdmin(r.configHandlers.config, r.configHandlers.HandleUpdateMockMode)(w, req)
default:
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
}
})
// Registration token routes removed - feature deprecated
// Security routes
r.mux.HandleFunc("/api/security/change-password", r.handleChangePassword)
r.mux.HandleFunc("/api/logout", r.handleLogout)
r.mux.HandleFunc("/api/login", r.handleLogin)
r.mux.HandleFunc("/api/security/reset-lockout", r.handleResetLockout)
r.mux.HandleFunc("/api/security/oidc", RequireAdmin(r.config, r.handleOIDCConfig))
r.mux.HandleFunc("/api/oidc/login", r.handleOIDCLogin)
r.mux.HandleFunc(config.DefaultOIDCCallbackPath, r.handleOIDCCallback)
r.mux.HandleFunc("/api/security/status", func(w http.ResponseWriter, req *http.Request) {
if req.Method == http.MethodGet {
w.Header().Set("Content-Type", "application/json")
// Check if auth is globally disabled
if r.config.DisableAuth {
// Even with auth disabled, check for OIDC sessions
oidcCfg := r.ensureOIDCConfig()
oidcUsername := ""
if oidcCfg != nil && oidcCfg.Enabled {
if cookie, err := req.Cookie("pulse_session"); err == nil && cookie.Value != "" {
if ValidateSession(cookie.Value) {
oidcUsername = GetSessionUsername(cookie.Value)
}
}
}
// Even with auth disabled, report API token status for API access
var apiTokenHint string
if r.config.APIToken != "" && len(r.config.APIToken) >= 8 {
apiTokenHint = r.config.APIToken[:4] + "..." + r.config.APIToken[len(r.config.APIToken)-4:]
}
response := map[string]interface{}{
"configured": false,
"disabled": true,
"message": "Authentication is disabled via DISABLE_AUTH environment variable",
"apiTokenConfigured": r.config.APIToken != "",
"apiTokenHint": apiTokenHint,
"hasAuthentication": false,
}
// Add OIDC info if available
if oidcCfg != nil {
response["oidcEnabled"] = oidcCfg.Enabled
response["oidcIssuer"] = oidcCfg.IssuerURL
response["oidcClientId"] = oidcCfg.ClientID
response["oidcUsername"] = oidcUsername
response["oidcLogoutURL"] = oidcCfg.LogoutURL
if len(oidcCfg.EnvOverrides) > 0 {
response["oidcEnvOverrides"] = oidcCfg.EnvOverrides
}
}
json.NewEncoder(w).Encode(response)
return
}
// Check for basic auth configuration
// Check both environment variables and loaded config
oidcCfg := r.ensureOIDCConfig()
hasAuthentication := os.Getenv("PULSE_AUTH_USER") != "" ||
os.Getenv("REQUIRE_AUTH") == "true" ||
r.config.AuthUser != "" ||
r.config.AuthPass != "" ||
(oidcCfg != nil && oidcCfg.Enabled) ||
r.config.APIToken != "" ||
r.config.ProxyAuthSecret != ""
// Check if .env file exists but hasn't been loaded yet (pending restart)
configuredButPendingRestart := false
envPath := filepath.Join(r.config.ConfigPath, ".env")
if envPath == "" || r.config.ConfigPath == "" {
envPath = "/etc/pulse/.env"
}
authLastModified := ""
if stat, err := os.Stat(envPath); err == nil {
authLastModified = stat.ModTime().UTC().Format(time.RFC3339)
if !hasAuthentication && r.config.AuthUser == "" && r.config.AuthPass == "" {
configuredButPendingRestart = true
}
}
// Check for audit logging
hasAuditLogging := os.Getenv("PULSE_AUDIT_LOG") == "true" || os.Getenv("AUDIT_LOG_ENABLED") == "true"
// Credentials are always encrypted in current implementation
credentialsEncrypted := true
// Check network context
clientIP := utils.GetClientIP(
req.RemoteAddr,
req.Header.Get("X-Forwarded-For"),
req.Header.Get("X-Real-IP"),
)
isPrivateNetwork := utils.IsPrivateIP(clientIP)
// Get trusted networks from environment
trustedNetworks := []string{}
if nets := os.Getenv("PULSE_TRUSTED_NETWORKS"); nets != "" {
trustedNetworks = strings.Split(nets, ",")
}
isTrustedNetwork := utils.IsTrustedNetwork(clientIP, trustedNetworks)
// Create token hint if token exists
var apiTokenHint string
if r.config.APIToken != "" && len(r.config.APIToken) >= 8 {
apiTokenHint = r.config.APIToken[:4] + "..." + r.config.APIToken[len(r.config.APIToken)-4:]
}
// Check for proxy auth
hasProxyAuth := r.config.ProxyAuthSecret != ""
proxyAuthUsername := ""
proxyAuthIsAdmin := false
if hasProxyAuth {
// Check if current request has valid proxy auth
if valid, username, isAdmin := CheckProxyAuth(r.config, req); valid {
proxyAuthUsername = username
proxyAuthIsAdmin = isAdmin
}
}
// Check for OIDC session
oidcUsername := ""
if oidcCfg != nil && oidcCfg.Enabled {
if cookie, err := req.Cookie("pulse_session"); err == nil && cookie.Value != "" {
if ValidateSession(cookie.Value) {
oidcUsername = GetSessionUsername(cookie.Value)
}
}
}
requiresAuth := r.config.APIToken != "" ||
(r.config.AuthUser != "" && r.config.AuthPass != "") ||
(r.config.OIDC != nil && r.config.OIDC.Enabled) ||
r.config.ProxyAuthSecret != ""
status := map[string]interface{}{
"apiTokenConfigured": r.config.APIToken != "",
"apiTokenHint": apiTokenHint,
"requiresAuth": requiresAuth,
"exportProtected": r.config.APIToken != "" || os.Getenv("ALLOW_UNPROTECTED_EXPORT") != "true",
"unprotectedExportAllowed": os.Getenv("ALLOW_UNPROTECTED_EXPORT") == "true",
"hasAuthentication": hasAuthentication,
"configuredButPendingRestart": configuredButPendingRestart,
"hasAuditLogging": hasAuditLogging,
"credentialsEncrypted": credentialsEncrypted,
"hasHTTPS": req.TLS != nil,
"clientIP": clientIP,
"isPrivateNetwork": isPrivateNetwork,
"isTrustedNetwork": isTrustedNetwork,
"publicAccess": !isPrivateNetwork,
"hasProxyAuth": hasProxyAuth,
"proxyAuthLogoutURL": r.config.ProxyAuthLogoutURL,
"proxyAuthUsername": proxyAuthUsername,
"proxyAuthIsAdmin": proxyAuthIsAdmin,
"authUsername": r.config.AuthUser,
"authLastModified": authLastModified,
"oidcUsername": oidcUsername,
}
if oidcCfg != nil {
status["oidcEnabled"] = oidcCfg.Enabled
status["oidcIssuer"] = oidcCfg.IssuerURL
status["oidcClientId"] = oidcCfg.ClientID
status["oidcLogoutURL"] = oidcCfg.LogoutURL
if len(oidcCfg.EnvOverrides) > 0 {
status["oidcEnvOverrides"] = oidcCfg.EnvOverrides
}
}
json.NewEncoder(w).Encode(status)
} else {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
}
})
// Quick security setup route - using fixed version
r.mux.HandleFunc("/api/security/quick-setup", handleQuickSecuritySetupFixed(r))
// API token regeneration endpoint
r.mux.HandleFunc("/api/security/regenerate-token", r.HandleRegenerateAPIToken)
// API token validation endpoint
r.mux.HandleFunc("/api/security/validate-token", r.HandleValidateAPIToken)
// Apply security restart endpoint
r.mux.HandleFunc("/api/security/apply-restart", func(w http.ResponseWriter, req *http.Request) {
if req.Method == http.MethodPost {
// Only allow restart if we're running under systemd (safer)
isSystemd := os.Getenv("INVOCATION_ID") != ""
if !isSystemd {
response := map[string]interface{}{
"success": false,
"message": "Automatic restart is only available when running under systemd. Please restart Pulse manually.",
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(response)
return
}
// Write a recovery flag file before restarting
recoveryFile := filepath.Join(r.config.DataPath, ".auth_recovery")
recoveryContent := fmt.Sprintf("Auth setup at %s\nIf locked out, delete this file and restart to disable auth temporarily\n", time.Now().Format(time.RFC3339))
if err := os.WriteFile(recoveryFile, []byte(recoveryContent), 0600); err != nil {
log.Warn().Err(err).Str("path", recoveryFile).Msg("Failed to write recovery flag file")
}
// Schedule restart with full service restart to pick up new config
go func() {
time.Sleep(2 * time.Second)
log.Info().Msg("Triggering restart to apply security settings")
// We need to do a full systemctl restart to pick up new environment variables
// First try daemon-reload
cmd := exec.Command("sudo", "-n", "systemctl", "daemon-reload")
if err := cmd.Run(); err != nil {
log.Error().Err(err).Msg("Failed to reload systemd daemon")
}
// Then restart the service - this will kill us and restart with new env
time.Sleep(500 * time.Millisecond)
// Try to restart with the detected service name
serviceName := detectServiceName()
cmd = exec.Command("sudo", "-n", "systemctl", "restart", serviceName)
if err := cmd.Run(); err != nil {
log.Error().Err(err).Str("service", serviceName).Msg("Failed to restart service, falling back to exit")
// Fallback to exit if restart fails
os.Exit(0)
}
// If restart succeeds, we'll be killed by systemctl
}()
response := map[string]interface{}{
"success": true,
"message": "Restarting Pulse to apply security settings...",
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(response)
} else {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
}
})
// Initialize recovery token store
InitRecoveryTokenStore(r.config.DataPath)
// Recovery endpoint - requires localhost access OR valid recovery token
r.mux.HandleFunc("/api/security/recovery", func(w http.ResponseWriter, req *http.Request) {
// Get client IP
ip := strings.Split(req.RemoteAddr, ":")[0]
isLocalhost := ip == "127.0.0.1" || ip == "::1" || ip == "localhost"
// Check for recovery token in header
recoveryToken := req.Header.Get("X-Recovery-Token")
hasValidToken := false
if recoveryToken != "" {
hasValidToken = GetRecoveryTokenStore().ValidateRecoveryTokenConstantTime(recoveryToken, ip)
}
// Only allow from localhost OR with valid recovery token
if !isLocalhost && !hasValidToken {
log.Warn().
Str("ip", ip).
Bool("has_token", recoveryToken != "").
Msg("Unauthorized recovery endpoint access attempt")
http.Error(w, "Recovery endpoint requires localhost access or valid recovery token", http.StatusForbidden)
return
}
if req.Method == http.MethodPost {
// Parse action
var recoveryRequest struct {
Action string `json:"action"`
Duration int `json:"duration,omitempty"` // Duration in minutes for token generation
}
if err := json.NewDecoder(req.Body).Decode(&recoveryRequest); err != nil {
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
response := map[string]interface{}{}
switch recoveryRequest.Action {
case "generate_token":
// Only allow token generation from localhost
if !isLocalhost {
http.Error(w, "Token generation only allowed from localhost", http.StatusForbidden)
return
}
// Default to 15 minutes if not specified
duration := 15
if recoveryRequest.Duration > 0 && recoveryRequest.Duration <= 60 {
duration = recoveryRequest.Duration
}
token, err := GetRecoveryTokenStore().GenerateRecoveryToken(time.Duration(duration) * time.Minute)
if err != nil {
response["success"] = false
response["message"] = fmt.Sprintf("Failed to generate recovery token: %v", err)
} else {
response["success"] = true
response["token"] = token
response["expires_in_minutes"] = duration
response["message"] = fmt.Sprintf("Recovery token generated. Valid for %d minutes.", duration)
log.Warn().
Str("ip", ip).
Int("duration_minutes", duration).
Msg("Recovery token generated")
}
case "disable_auth":
// Temporarily disable auth by creating recovery file
recoveryFile := filepath.Join(r.config.DataPath, ".auth_recovery")
content := fmt.Sprintf("Recovery mode enabled at %s\nAuth temporarily disabled for local access\nEnabled by: %s\n", time.Now().Format(time.RFC3339), ip)
if err := os.WriteFile(recoveryFile, []byte(content), 0600); err != nil {
response["success"] = false
response["message"] = fmt.Sprintf("Failed to enable recovery mode: %v", err)
} else {
response["success"] = true
response["message"] = "Recovery mode enabled. Auth disabled for localhost. Delete .auth_recovery file to re-enable."
log.Warn().
Str("ip", ip).
Bool("via_token", hasValidToken).
Msg("AUTH RECOVERY: Authentication disabled via recovery endpoint")
}
case "enable_auth":
// Re-enable auth by removing recovery file
recoveryFile := filepath.Join(r.config.DataPath, ".auth_recovery")
if err := os.Remove(recoveryFile); err != nil {
response["success"] = false
response["message"] = fmt.Sprintf("Failed to disable recovery mode: %v", err)
} else {
response["success"] = true
response["message"] = "Recovery mode disabled. Authentication re-enabled."
log.Info().Msg("AUTH RECOVERY: Authentication re-enabled via recovery endpoint")
}
default:
response["success"] = false
response["message"] = "Invalid action. Use 'disable_auth' or 'enable_auth'"
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(response)
} else if req.Method == http.MethodGet {
// Check recovery status
recoveryFile := filepath.Join(r.config.DataPath, ".auth_recovery")
_, err := os.Stat(recoveryFile)
response := map[string]interface{}{
"recovery_mode": err == nil,
"message": "Recovery endpoint accessible from localhost only",
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(response)
} else {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
}
})
// Config export/import routes (requires authentication)
r.mux.HandleFunc("/api/config/export", r.exportLimiter.Middleware(func(w http.ResponseWriter, req *http.Request) {
if req.Method == http.MethodPost {
// Check proxy auth first
hasValidProxyAuth := false
proxyAuthIsAdmin := false
if r.config.ProxyAuthSecret != "" {
if valid, _, isAdmin := CheckProxyAuth(r.config, req); valid {
hasValidProxyAuth = true
proxyAuthIsAdmin = isAdmin
}
}
// Check authentication - accept proxy auth, session auth or API token
hasValidSession := false
if cookie, err := req.Cookie("pulse_session"); err == nil && cookie.Value != "" {
hasValidSession = ValidateSession(cookie.Value)
}
hasValidAPIToken := false
if r.config.APIToken != "" {
authHeader := req.Header.Get("X-API-Token")
// Check if stored token is hashed or plain text
if auth.IsAPITokenHashed(r.config.APIToken) {
// Compare against hash
hasValidAPIToken = auth.CompareAPIToken(authHeader, r.config.APIToken)
} else {
// Plain text comparison (legacy)
hasValidAPIToken = (authHeader == r.config.APIToken)
}
}
// Check if any valid auth method is present
hasValidAuth := hasValidProxyAuth || hasValidSession || hasValidAPIToken
// Determine if auth is required
authRequired := r.config.AuthUser != "" && r.config.AuthPass != "" ||
r.config.APIToken != "" ||
r.config.ProxyAuthSecret != ""
// Check admin privileges for proxy auth users
if hasValidProxyAuth && !proxyAuthIsAdmin {
log.Warn().
Str("ip", req.RemoteAddr).
Str("path", req.URL.Path).
Msg("Non-admin proxy auth user attempted export/import")
http.Error(w, "Admin privileges required for export/import", http.StatusForbidden)
return
}
if authRequired && !hasValidAuth {
log.Warn().
Str("ip", req.RemoteAddr).
Str("path", req.URL.Path).
Bool("proxyAuth", hasValidProxyAuth).
Bool("session", hasValidSession).
Bool("apiToken", hasValidAPIToken).
Msg("Unauthorized export attempt")
http.Error(w, "Unauthorized - please log in or provide API token", http.StatusUnauthorized)
return
} else if !authRequired {
// No auth configured - check if this is a homelab/private network
clientIP := utils.GetClientIP(req.RemoteAddr,
req.Header.Get("X-Forwarded-For"),
req.Header.Get("X-Real-IP"))
isPrivate := utils.IsPrivateIP(clientIP)
allowUnprotected := os.Getenv("ALLOW_UNPROTECTED_EXPORT") == "true"
if !isPrivate && !allowUnprotected {
// Public network access without auth - definitely block
log.Warn().
Str("ip", req.RemoteAddr).
Bool("private_network", isPrivate).
Msg("Export blocked - public network requires authentication")
http.Error(w, "Export requires authentication on public networks", http.StatusForbidden)
return
} else if isPrivate && !allowUnprotected {
// Private network but ALLOW_UNPROTECTED_EXPORT not set - show helpful message
log.Info().
Str("ip", req.RemoteAddr).
Msg("Export allowed - private network with no auth")
// Continue - allow export on private networks for homelab users
}
}
// Log successful export attempt
log.Info().
Str("ip", req.RemoteAddr).
Bool("proxy_auth", hasValidProxyAuth).
Bool("session_auth", hasValidSession).
Bool("api_token_auth", hasValidAPIToken).
Msg("Configuration export initiated")
r.configHandlers.HandleExportConfig(w, req)
} else {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
}
}))
r.mux.HandleFunc("/api/config/import", r.exportLimiter.Middleware(func(w http.ResponseWriter, req *http.Request) {
if req.Method == http.MethodPost {
// Check proxy auth first
hasValidProxyAuth := false
proxyAuthIsAdmin := false
if r.config.ProxyAuthSecret != "" {
if valid, _, isAdmin := CheckProxyAuth(r.config, req); valid {
hasValidProxyAuth = true
proxyAuthIsAdmin = isAdmin
}
}
// Check authentication - accept proxy auth, session auth or API token
hasValidSession := false
if cookie, err := req.Cookie("pulse_session"); err == nil && cookie.Value != "" {
hasValidSession = ValidateSession(cookie.Value)
}
hasValidAPIToken := false
if r.config.APIToken != "" {
authHeader := req.Header.Get("X-API-Token")
// Check if stored token is hashed or plain text
if auth.IsAPITokenHashed(r.config.APIToken) {
// Compare against hash
hasValidAPIToken = auth.CompareAPIToken(authHeader, r.config.APIToken)
} else {
// Plain text comparison (legacy)
hasValidAPIToken = (authHeader == r.config.APIToken)
}
}
// Check if any valid auth method is present
hasValidAuth := hasValidProxyAuth || hasValidSession || hasValidAPIToken
// Determine if auth is required
authRequired := r.config.AuthUser != "" && r.config.AuthPass != "" ||
r.config.APIToken != "" ||
r.config.ProxyAuthSecret != ""
// Check admin privileges for proxy auth users
if hasValidProxyAuth && !proxyAuthIsAdmin {
log.Warn().
Str("ip", req.RemoteAddr).
Str("path", req.URL.Path).
Msg("Non-admin proxy auth user attempted export/import")
http.Error(w, "Admin privileges required for export/import", http.StatusForbidden)
return
}
if authRequired && !hasValidAuth {
log.Warn().
Str("ip", req.RemoteAddr).
Str("path", req.URL.Path).
Bool("proxyAuth", hasValidProxyAuth).
Bool("session", hasValidSession).
Bool("apiToken", hasValidAPIToken).
Msg("Unauthorized import attempt")
http.Error(w, "Unauthorized - please log in or provide API token", http.StatusUnauthorized)
return
} else if !authRequired {
// No auth configured - check if this is a homelab/private network
clientIP := utils.GetClientIP(req.RemoteAddr,
req.Header.Get("X-Forwarded-For"),
req.Header.Get("X-Real-IP"))
isPrivate := utils.IsPrivateIP(clientIP)
allowUnprotected := os.Getenv("ALLOW_UNPROTECTED_EXPORT") == "true"
if !isPrivate && !allowUnprotected {
// Public network access without auth - definitely block
log.Warn().
Str("ip", req.RemoteAddr).
Bool("private_network", isPrivate).
Msg("Import blocked - public network requires authentication")
http.Error(w, "Import requires authentication on public networks", http.StatusForbidden)
return
} else if isPrivate && !allowUnprotected {
// Private network but ALLOW_UNPROTECTED_EXPORT not set - show helpful message
log.Info().
Str("ip", req.RemoteAddr).
Msg("Import allowed - private network with no auth")
// Continue - allow import on private networks for homelab users
}
}
// Log successful import attempt
log.Info().
Str("ip", req.RemoteAddr).
Bool("session_auth", hasValidSession).
Bool("api_token_auth", hasValidAPIToken).
Msg("Configuration import initiated")
r.configHandlers.HandleImportConfig(w, req)
} else {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
}
}))
// Discovery route
// Setup script route
r.mux.HandleFunc("/api/setup-script", r.configHandlers.HandleSetupScript)
// Generate setup script URL with temporary token (for authenticated users)
r.mux.HandleFunc("/api/setup-script-url", r.configHandlers.HandleSetupScriptURL)
// Auto-register route for setup scripts
r.mux.HandleFunc("/api/auto-register", r.configHandlers.HandleAutoRegister)
// Discovery endpoint
r.mux.HandleFunc("/api/discover", RequireAuth(r.config, r.configHandlers.HandleDiscoverServers))
// Test endpoint for WebSocket notifications
r.mux.HandleFunc("/api/test-notification", func(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Send a test auto-registration notification
r.wsHub.BroadcastMessage(websocket.Message{
Type: "node_auto_registered",
Data: map[string]interface{}{
"type": "pve",
"host": "test-node.example.com",
"name": "Test Node",
"tokenId": "test-token",
"hasToken": true,
},
Timestamp: time.Now().Format(time.RFC3339),
})
w.WriteHeader(http.StatusOK)
json.NewEncoder(w).Encode(map[string]string{"status": "notification sent"})
})
// Alert routes
r.mux.HandleFunc("/api/alerts/", r.alertHandlers.HandleAlerts)
// Notification routes
r.mux.HandleFunc("/api/notifications/", r.notificationHandlers.HandleNotifications)
// Settings routes
r.mux.HandleFunc("/api/settings", getSettings)
r.mux.HandleFunc("/api/settings/update", updateSettings)
// System settings and API token management
r.systemSettingsHandler = NewSystemSettingsHandler(r.config, r.persistence, r.wsHub, r.monitor, r.reloadSystemSettings)
r.mux.HandleFunc("/api/system/settings", r.systemSettingsHandler.HandleGetSystemSettings)
r.mux.HandleFunc("/api/system/settings/update", r.systemSettingsHandler.HandleUpdateSystemSettings)
r.mux.HandleFunc("/api/system/verify-temperature-ssh", r.configHandlers.HandleVerifyTemperatureSSH)
// Old API token endpoints removed - now using /api/security/regenerate-token
// Docker agent download endpoints
r.mux.HandleFunc("/install-docker-agent.sh", r.handleDownloadInstallScript)
r.mux.HandleFunc("/download/pulse-docker-agent", r.handleDownloadAgent)
r.mux.HandleFunc("/api/agent/version", r.handleAgentVersion)
// WebSocket endpoint
r.mux.HandleFunc("/ws", r.handleWebSocket)
// Socket.io compatibility endpoints
r.mux.HandleFunc("/socket.io/", r.handleSocketIO)
// Simple stats page
r.mux.HandleFunc("/simple-stats", r.handleSimpleStats)
// Note: Frontend handler is handled manually in ServeHTTP to prevent redirect issues
// See issue #334 - ServeMux redirects empty path to "./" which breaks reverse proxies
}
// Handler returns the router wrapped with middleware.
func (r *Router) Handler() http.Handler {
if r.wrapped != nil {
return r.wrapped
}
return r
}
// SetMonitor updates the router and associated handlers with a new monitor instance.
func (r *Router) SetMonitor(m *monitoring.Monitor) {
r.monitor = m
if r.alertHandlers != nil {
r.alertHandlers.SetMonitor(m)
}
if r.configHandlers != nil {
r.configHandlers.SetMonitor(m)
}
if r.notificationHandlers != nil {
r.notificationHandlers.SetMonitor(m)
}
if r.dockerAgentHandlers != nil {
r.dockerAgentHandlers.SetMonitor(m)
}
if r.systemSettingsHandler != nil {
r.systemSettingsHandler.SetMonitor(m)
}
}
// reloadSystemSettings loads system settings from disk and caches them
func (r *Router) reloadSystemSettings() {
r.settingsMu.Lock()
defer r.settingsMu.Unlock()
// Load from disk
if systemSettings, err := r.persistence.LoadSystemSettings(); err == nil && systemSettings != nil {
r.cachedAllowEmbedding = systemSettings.AllowEmbedding
r.cachedAllowedOrigins = systemSettings.AllowedEmbedOrigins
} else {
// On error, use safe defaults
r.cachedAllowEmbedding = false
r.cachedAllowedOrigins = ""
}
}
// ServeHTTP implements http.Handler
func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
// Prevent path traversal attacks by cleaning the path
cleanPath := filepath.Clean(req.URL.Path)
// Reject requests with path traversal attempts
if strings.Contains(req.URL.Path, "..") || cleanPath != req.URL.Path {
// Return 401 for API paths to match expected test behavior
if strings.HasPrefix(req.URL.Path, "/api/") {
http.Error(w, "Unauthorized", http.StatusUnauthorized)
} else {
http.Error(w, "Invalid path", http.StatusBadRequest)
}
log.Warn().
Str("ip", req.RemoteAddr).
Str("path", req.URL.Path).
Str("clean_path", cleanPath).
Msg("Path traversal attempt blocked")
return
}
// Get cached system settings (loaded once at startup, not from disk every request)
r.settingsMu.RLock()
allowEmbedding := r.cachedAllowEmbedding
allowedEmbedOrigins := r.cachedAllowedOrigins
r.settingsMu.RUnlock()
// Apply security headers with embedding configuration
SecurityHeadersWithConfig(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
// Add CORS headers if configured
if r.config.AllowedOrigins != "" {
w.Header().Set("Access-Control-Allow-Origin", r.config.AllowedOrigins)
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization, X-API-Token, X-CSRF-Token")
}
// Handle preflight requests
if req.Method == "OPTIONS" {
w.WriteHeader(http.StatusOK)
return
}
// Check if we need authentication
needsAuth := true
// Check if auth is globally disabled
// BUT still check for API tokens if provided (for API access when auth is disabled)
if r.config.DisableAuth {
// Check if an API token was provided
providedToken := req.Header.Get("X-API-Token")
if providedToken == "" {
providedToken = req.URL.Query().Get("token")
}
// If a valid API token is provided, allow access even with DisableAuth
if providedToken != "" && r.config.APIToken != "" {
if auth.CompareAPIToken(providedToken, r.config.APIToken) {
// Valid API token provided, allow access
needsAuth = false
w.Header().Set("X-Auth-Method", "api-token")
} else {
// Invalid API token - reject even with DisableAuth
http.Error(w, "Invalid API token", http.StatusUnauthorized)
return
}
} else {
// No API token provided with DisableAuth - allow open access
needsAuth = false
w.Header().Set("X-Auth-Disabled", "true")
}
}
// Recovery mechanism: Check if recovery mode is enabled
recoveryFile := filepath.Join(r.config.DataPath, ".auth_recovery")
if _, err := os.Stat(recoveryFile); err == nil {
// Recovery mode is enabled - allow local access only
ip := strings.Split(req.RemoteAddr, ":")[0]
log.Debug().
Str("recovery_file", recoveryFile).
Str("remote_ip", ip).
Str("path", req.URL.Path).
Bool("file_exists", err == nil).
Msg("Checking auth recovery mode")
if ip == "127.0.0.1" || ip == "::1" || ip == "localhost" {
log.Warn().
Str("recovery_file", recoveryFile).
Msg("AUTH RECOVERY MODE: Allowing local access without authentication")
// Allow access but add a warning header
w.Header().Set("X-Auth-Recovery", "true")
// Recovery mode bypasses auth for localhost
needsAuth = false
}
}
if needsAuth {
// Normal authentication check
// Normalize path to handle double slashes (e.g., //download -> /download)
// This prevents auth bypass failures when URLs have trailing slashes
normalizedPath := path.Clean(req.URL.Path)
// Skip auth for certain public endpoints and static assets
publicPaths := []string{
"/api/health",
"/api/security/status",
"/api/version",
"/api/login", // Add login endpoint as public
"/api/oidc/login",
config.DefaultOIDCCallbackPath,
"/install-docker-agent.sh", // Docker agent bootstrap script must be public
"/download/pulse-docker-agent", // Agent binary download should not require auth
"/api/agent/version", // Agent update checks need to work before auth
}
// Also allow static assets without auth (JS, CSS, etc)
// These MUST be accessible for the login page to work
isStaticAsset := strings.HasPrefix(req.URL.Path, "/assets/") ||
strings.HasPrefix(req.URL.Path, "/@vite/") ||
strings.HasPrefix(req.URL.Path, "/@solid-refresh") ||
strings.HasPrefix(req.URL.Path, "/src/") ||
strings.HasPrefix(req.URL.Path, "/node_modules/") ||
req.URL.Path == "/" ||
req.URL.Path == "/index.html" ||
req.URL.Path == "/favicon.ico" ||
req.URL.Path == "/logo.svg" ||
strings.HasSuffix(req.URL.Path, ".js") ||
strings.HasSuffix(req.URL.Path, ".css") ||
strings.HasSuffix(req.URL.Path, ".map") ||
strings.HasSuffix(req.URL.Path, ".ts") ||
strings.HasSuffix(req.URL.Path, ".tsx") ||
strings.HasSuffix(req.URL.Path, ".mjs") ||
strings.HasSuffix(req.URL.Path, ".jsx")
isPublic := isStaticAsset
for _, path := range publicPaths {
if normalizedPath == path {
isPublic = true
break
}
}
// Special case: setup-script should be public (uses setup codes for auth)
if normalizedPath == "/api/setup-script" {
// The script itself prompts for a setup code
isPublic = true
}
// Auto-register endpoint needs to be public (validates tokens internally)
// BUT the tokens must be generated by authenticated users via setup-script-url
if normalizedPath == "/api/auto-register" {
isPublic = true
}
// Special case: quick-setup should be accessible to check if already configured
// The handler itself will verify if setup should be skipped
if normalizedPath == "/api/security/quick-setup" && req.Method == http.MethodPost {
isPublic = true
}
// Check auth for protected routes (only if auth is needed)
if needsAuth && !isPublic && !CheckAuth(r.config, w, req) {
// Never send WWW-Authenticate - use custom login page
// For API requests, return JSON
if strings.HasPrefix(req.URL.Path, "/api/") || strings.Contains(req.Header.Get("Accept"), "application/json") {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusUnauthorized)
w.Write([]byte(`{"error":"Authentication required"}`))
} else {
http.Error(w, "Authentication required", http.StatusUnauthorized)
}
log.Warn().
Str("ip", req.RemoteAddr).
Str("path", req.URL.Path).
Msg("Unauthorized access attempt")
return
}
}
// Check CSRF for state-changing requests
// CSRF is only needed when using session-based auth
// Only skip CSRF for initial setup when no auth is configured
skipCSRF := false
if (req.URL.Path == "/api/security/quick-setup" || req.URL.Path == "/api/security/apply-restart") &&
r.config.AuthUser == "" && r.config.AuthPass == "" {
// Only skip CSRF for initial setup and restart when no auth exists
skipCSRF = true
}
// Skip CSRF for setup-script-url endpoint (generates temporary tokens, not a state change)
if req.URL.Path == "/api/setup-script-url" {
skipCSRF = true
}
if strings.HasPrefix(req.URL.Path, "/api/") && !skipCSRF && !CheckCSRF(w, req) {
http.Error(w, "CSRF token validation failed", http.StatusForbidden)
LogAuditEvent("csrf_failure", "", GetClientIP(req), req.URL.Path, false, "Invalid CSRF token")
return
}
// Rate limiting is now handled by UniversalRateLimitMiddleware
// No need for duplicate rate limiting logic here
// Log request
start := time.Now()
// Fix for issue #334: Custom routing to prevent ServeMux's "./" redirect
// When accessing without trailing slash, ServeMux redirects to "./" which is wrong
// We handle routing manually to avoid this issue
// Check if this is an API or WebSocket route
if strings.HasPrefix(req.URL.Path, "/api/") ||
strings.HasPrefix(req.URL.Path, "/ws") ||
strings.HasPrefix(req.URL.Path, "/socket.io/") ||
strings.HasPrefix(req.URL.Path, "/download/") ||
req.URL.Path == "/simple-stats" ||
req.URL.Path == "/install-docker-agent.sh" {
// Use the mux for API and special routes
r.mux.ServeHTTP(w, req)
} else {
// Serve frontend for all other paths (including root)
handler := serveFrontendHandler()
handler(w, req)
}
log.Debug().
Str("method", req.Method).
Str("path", req.URL.Path).
Dur("duration", time.Since(start)).
Msg("Request handled")
}), allowEmbedding, allowedEmbedOrigins).ServeHTTP(w, req)
}
// handleHealth handles health check requests
func (r *Router) handleHealth(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodGet && req.Method != http.MethodHead {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
response := HealthResponse{
Status: "healthy",
Timestamp: time.Now().Unix(),
Uptime: time.Since(r.monitor.GetStartTime()).Seconds(),
}
if err := utils.WriteJSONResponse(w, response); err != nil {
log.Error().Err(err).Msg("Failed to write health response")
}
}
// handleChangePassword handles password change requests
func (r *Router) handleChangePassword(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodPost {
writeErrorResponse(w, http.StatusMethodNotAllowed, "method_not_allowed",
"Only POST method is allowed", nil)
return
}
// Check if using proxy auth and if so, verify admin status
if r.config.ProxyAuthSecret != "" {
if valid, username, isAdmin := CheckProxyAuth(r.config, req); valid {
if !isAdmin {
// User is authenticated but not an admin
log.Warn().
Str("ip", req.RemoteAddr).
Str("path", req.URL.Path).
Str("method", req.Method).
Str("username", username).
Msg("Non-admin user attempted to change password")
// Return forbidden error
writeErrorResponse(w, http.StatusForbidden, "forbidden",
"Admin privileges required", nil)
return
}
}
}
// Parse request
var changeReq struct {
CurrentPassword string `json:"currentPassword"`
NewPassword string `json:"newPassword"`
}
if err := json.NewDecoder(req.Body).Decode(&changeReq); err != nil {
writeErrorResponse(w, http.StatusBadRequest, "invalid_request",
"Invalid request body", nil)
return
}
// Validate new password complexity
if err := auth.ValidatePasswordComplexity(changeReq.NewPassword); err != nil {
writeErrorResponse(w, http.StatusBadRequest, "invalid_password",
err.Error(), nil)
return
}
// Verify current password matches
// When behind a proxy with Basic Auth, the proxy may overwrite the Authorization header
// So we verify the current password from the JSON body instead
// First, validate that currentPassword was provided
if changeReq.CurrentPassword == "" {
writeErrorResponse(w, http.StatusUnauthorized, "unauthorized",
"Current password required", nil)
return
}
// Check if we should use Basic Auth header or JSON body for verification
// If there's an Authorization header AND it's not from a proxy, use it
authHeader := req.Header.Get("Authorization")
useAuthHeader := false
username := r.config.AuthUser // Default to configured username
if authHeader != "" {
const basicPrefix = "Basic "
if strings.HasPrefix(authHeader, basicPrefix) {
decoded, err := base64.StdEncoding.DecodeString(authHeader[len(basicPrefix):])
if err == nil {
parts := strings.SplitN(string(decoded), ":", 2)
if len(parts) == 2 {
// Check if this looks like Pulse credentials (matching username)
if parts[0] == r.config.AuthUser {
// This is likely from Pulse's own auth, not a proxy
username = parts[0]
useAuthHeader = true
// Verify the password from the header matches
if !auth.CheckPasswordHash(parts[1], r.config.AuthPass) {
log.Warn().
Str("ip", req.RemoteAddr).
Str("username", username).
Msg("Failed password change attempt - incorrect current password in auth header")
writeErrorResponse(w, http.StatusUnauthorized, "unauthorized",
"Current password is incorrect", nil)
return
}
}
// If username doesn't match, this is likely proxy auth - ignore it
}
}
}
}
// If we didn't use the auth header, or need to double-check, verify from JSON body
if !useAuthHeader || changeReq.CurrentPassword != "" {
// Verify current password from JSON body
if !auth.CheckPasswordHash(changeReq.CurrentPassword, r.config.AuthPass) {
log.Warn().
Str("ip", req.RemoteAddr).
Str("username", username).
Msg("Failed password change attempt - incorrect current password")
writeErrorResponse(w, http.StatusUnauthorized, "unauthorized",
"Current password is incorrect", nil)
return
}
}
// Hash the new password before storing
hashedPassword, err := auth.HashPassword(changeReq.NewPassword)
if err != nil {
log.Error().Err(err).Msg("Failed to hash new password")
writeErrorResponse(w, http.StatusInternalServerError, "hash_error",
"Failed to process new password", nil)
return
}
// Check if we're running in Docker
isDocker := os.Getenv("PULSE_DOCKER") == "true"
if isDocker {
// For Docker, update the .env file in the data directory
envPath := filepath.Join(r.config.ConfigPath, ".env")
// Read existing .env file to preserve other settings
envContent := ""
existingContent, err := os.ReadFile(envPath)
if err == nil {
// Parse existing content and update password
scanner := bufio.NewScanner(strings.NewReader(string(existingContent)))
for scanner.Scan() {
line := scanner.Text()
// Skip empty lines and comments
if line == "" || strings.HasPrefix(line, "#") {
envContent += line + "\n"
continue
}
// Update password line, keep others
if strings.HasPrefix(line, "PULSE_AUTH_PASS=") {
envContent += fmt.Sprintf("PULSE_AUTH_PASS='%s'\n", hashedPassword)
} else {
envContent += line + "\n"
}
}
} else {
// Create new .env file if it doesn't exist
envContent = fmt.Sprintf(`# Auto-generated by Pulse password change
# Generated on %s
PULSE_AUTH_USER='%s'
PULSE_AUTH_PASS='%s'
`, time.Now().Format(time.RFC3339), r.config.AuthUser, hashedPassword)
// Include API token if configured
if r.config.APIToken != "" {
envContent += fmt.Sprintf("API_TOKEN='%s'\n", r.config.APIToken)
}
}
// Write the updated .env file
if err := os.WriteFile(envPath, []byte(envContent), 0600); err != nil {
log.Error().Err(err).Str("path", envPath).Msg("Failed to write .env file")
writeErrorResponse(w, http.StatusInternalServerError, "config_error",
"Failed to save new password", nil)
return
}
// Update the running config
r.config.AuthPass = hashedPassword
log.Info().Msg("Password changed successfully in Docker environment")
// Invalidate all sessions
InvalidateUserSessions(r.config.AuthUser)
// Audit log
LogAuditEvent("password_change", r.config.AuthUser, GetClientIP(req), req.URL.Path, true, "Password changed (Docker)")
// Return success with Docker-specific message
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
"success": true,
"message": "Password changed successfully. Please restart your Docker container to apply changes.",
})
} else {
// For non-Docker (systemd/manual), save to .env file
envPath := filepath.Join(r.config.ConfigPath, ".env")
if r.config.ConfigPath == "" {
envPath = "/etc/pulse/.env"
}
// Read existing .env file to preserve other settings
envContent := ""
existingContent, err := os.ReadFile(envPath)
if err == nil {
// Parse and update existing content
scanner := bufio.NewScanner(strings.NewReader(string(existingContent)))
for scanner.Scan() {
line := scanner.Text()
if line == "" || strings.HasPrefix(line, "#") {
envContent += line + "\n"
continue
}
// Update password line, keep others
if strings.HasPrefix(line, "PULSE_AUTH_PASS=") {
envContent += fmt.Sprintf("PULSE_AUTH_PASS='%s'\n", hashedPassword)
} else {
envContent += line + "\n"
}
}
} else {
// Create new .env if doesn't exist
envContent = fmt.Sprintf(`# Auto-generated by Pulse password change
# Generated on %s
PULSE_AUTH_USER='%s'
PULSE_AUTH_PASS='%s'
`, time.Now().Format(time.RFC3339), r.config.AuthUser, hashedPassword)
if r.config.APIToken != "" {
envContent += fmt.Sprintf("API_TOKEN='%s'\n", r.config.APIToken)
}
}
// Try to write the .env file
if err := os.WriteFile(envPath, []byte(envContent), 0600); err != nil {
log.Error().Err(err).Str("path", envPath).Msg("Failed to write .env file")
writeErrorResponse(w, http.StatusInternalServerError, "config_error",
"Failed to save new password. You may need to update the password manually.", nil)
return
}
// Update the running config
r.config.AuthPass = hashedPassword
log.Info().Msg("Password changed successfully")
// Invalidate all sessions
InvalidateUserSessions(r.config.AuthUser)
// Audit log
LogAuditEvent("password_change", r.config.AuthUser, GetClientIP(req), req.URL.Path, true, "Password changed")
// Detect service name for restart instructions
serviceName := detectServiceName()
// Return success with manual restart instructions
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
"success": true,
"message": fmt.Sprintf("Password changed. Restart the service to apply: sudo systemctl restart %s", serviceName),
"requiresRestart": true,
"serviceName": serviceName,
})
}
}
// handleLogout handles logout requests
func (r *Router) handleLogout(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodPost {
writeErrorResponse(w, http.StatusMethodNotAllowed, "method_not_allowed",
"Only POST method is allowed", nil)
return
}
// Get session token from cookie
var sessionToken string
if cookie, err := req.Cookie("pulse_session"); err == nil {
sessionToken = cookie.Value
}
// Delete the session if it exists
if sessionToken != "" {
GetSessionStore().DeleteSession(sessionToken)
// Also delete CSRF token if exists
GetCSRFStore().DeleteCSRFToken(sessionToken)
}
// Get appropriate cookie settings based on proxy detection (consistent with login)
isSecure, sameSitePolicy := getCookieSettings(req)
// Clear the session cookie
http.SetCookie(w, &http.Cookie{
Name: "pulse_session",
Value: "",
Path: "/",
MaxAge: -1,
HttpOnly: true,
Secure: isSecure,
SameSite: sameSitePolicy,
})
// Audit log logout (use admin as username since we have single user for now)
LogAuditEvent("logout", "admin", GetClientIP(req), req.URL.Path, true, "User logged out")
log.Info().
Str("user", "admin").
Str("ip", GetClientIP(req)).
Msg("User logged out")
// Return success
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
"success": true,
"message": "Successfully logged out",
})
}
func (r *Router) establishSession(w http.ResponseWriter, req *http.Request, username string) error {
token := generateSessionToken()
if token == "" {
return fmt.Errorf("failed to generate session token")
}
userAgent := req.Header.Get("User-Agent")
clientIP := GetClientIP(req)
GetSessionStore().CreateSession(token, 24*time.Hour, userAgent, clientIP)
if username != "" {
TrackUserSession(username, token)
}
csrfToken := generateCSRFToken(token)
isSecure, sameSitePolicy := getCookieSettings(req)
http.SetCookie(w, &http.Cookie{
Name: "pulse_session",
Value: token,
Path: "/",
HttpOnly: true,
Secure: isSecure,
SameSite: sameSitePolicy,
MaxAge: 86400,
})
http.SetCookie(w, &http.Cookie{
Name: "pulse_csrf",
Value: csrfToken,
Path: "/",
Secure: isSecure,
SameSite: sameSitePolicy,
MaxAge: 86400,
})
return nil
}
// handleLogin handles login requests and provides detailed feedback about lockouts
func (r *Router) handleLogin(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodPost {
writeErrorResponse(w, http.StatusMethodNotAllowed, "method_not_allowed",
"Only POST method is allowed", nil)
return
}
// Parse request
var loginReq struct {
Username string `json:"username"`
Password string `json:"password"`
}
if err := json.NewDecoder(req.Body).Decode(&loginReq); err != nil {
writeErrorResponse(w, http.StatusBadRequest, "invalid_request",
"Invalid request body", nil)
return
}
clientIP := GetClientIP(req)
// Check if account is locked out before attempting login
_, userLockedUntil, userLocked := GetLockoutInfo(loginReq.Username)
_, ipLockedUntil, ipLocked := GetLockoutInfo(clientIP)
if userLocked || ipLocked {
lockedUntil := userLockedUntil
if ipLocked && ipLockedUntil.After(lockedUntil) {
lockedUntil = ipLockedUntil
}
remainingMinutes := int(time.Until(lockedUntil).Minutes())
if remainingMinutes < 1 {
remainingMinutes = 1
}
LogAuditEvent("login", loginReq.Username, clientIP, req.URL.Path, false, "Account locked")
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusForbidden)
json.NewEncoder(w).Encode(map[string]interface{}{
"error": "account_locked",
"message": fmt.Sprintf("Too many failed attempts. Account is locked for %d more minutes.", remainingMinutes),
"lockedUntil": lockedUntil.Format(time.RFC3339),
"remainingMinutes": remainingMinutes,
})
return
}
// Check rate limiting
if !authLimiter.Allow(clientIP) {
LogAuditEvent("login", loginReq.Username, clientIP, req.URL.Path, false, "Rate limited")
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusTooManyRequests)
json.NewEncoder(w).Encode(map[string]interface{}{
"error": "rate_limit",
"message": "Too many requests. Please wait before trying again.",
})
return
}
// Verify credentials
if loginReq.Username == r.config.AuthUser && auth.CheckPasswordHash(loginReq.Password, r.config.AuthPass) {
// Clear failed login attempts
ClearFailedLogins(loginReq.Username)
ClearFailedLogins(clientIP)
// Create session
token := generateSessionToken()
if token == "" {
writeErrorResponse(w, http.StatusInternalServerError, "session_error",
"Failed to create session", nil)
return
}
// Store session persistently
userAgent := req.Header.Get("User-Agent")
GetSessionStore().CreateSession(token, 24*time.Hour, userAgent, clientIP)
// Track session for user
TrackUserSession(loginReq.Username, token)
// Generate CSRF token
csrfToken := generateCSRFToken(token)
// Get appropriate cookie settings based on proxy detection
isSecure, sameSitePolicy := getCookieSettings(req)
// Set session cookie
http.SetCookie(w, &http.Cookie{
Name: "pulse_session",
Value: token,
Path: "/",
HttpOnly: true,
Secure: isSecure,
SameSite: sameSitePolicy,
MaxAge: 86400, // 24 hours
})
// Set CSRF cookie (not HttpOnly so JS can read it)
http.SetCookie(w, &http.Cookie{
Name: "pulse_csrf",
Value: csrfToken,
Path: "/",
Secure: isSecure,
SameSite: sameSitePolicy,
MaxAge: 86400, // 24 hours
})
// Audit log successful login
LogAuditEvent("login", loginReq.Username, clientIP, req.URL.Path, true, "Successful login")
// Return success
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
"success": true,
"message": "Successfully logged in",
})
} else {
// Failed login
RecordFailedLogin(loginReq.Username)
RecordFailedLogin(clientIP)
LogAuditEvent("login", loginReq.Username, clientIP, req.URL.Path, false, "Invalid credentials")
// Get updated attempt counts
newUserAttempts, _, _ := GetLockoutInfo(loginReq.Username)
newIPAttempts, _, _ := GetLockoutInfo(clientIP)
// Use the higher count for warning
attempts := newUserAttempts
if newIPAttempts > attempts {
attempts = newIPAttempts
}
// Prepare response with attempt information
remaining := maxFailedAttempts - attempts
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusUnauthorized)
if remaining > 0 {
json.NewEncoder(w).Encode(map[string]interface{}{
"error": "invalid_credentials",
"message": fmt.Sprintf("Invalid username or password. You have %d attempts remaining.", remaining),
"attempts": attempts,
"remaining": remaining,
"maxAttempts": maxFailedAttempts,
})
} else {
json.NewEncoder(w).Encode(map[string]interface{}{
"error": "invalid_credentials",
"message": "Invalid username or password. Account is now locked for 15 minutes.",
"locked": true,
"lockoutDuration": "15 minutes",
})
}
}
}
// handleResetLockout allows administrators to manually reset account lockouts
func (r *Router) handleResetLockout(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodPost {
writeErrorResponse(w, http.StatusMethodNotAllowed, "method_not_allowed",
"Only POST method is allowed", nil)
return
}
// Parse request
var resetReq struct {
Identifier string `json:"identifier"` // Can be username or IP
}
if err := json.NewDecoder(req.Body).Decode(&resetReq); err != nil {
writeErrorResponse(w, http.StatusBadRequest, "invalid_request",
"Invalid request body", nil)
return
}
if resetReq.Identifier == "" {
writeErrorResponse(w, http.StatusBadRequest, "missing_identifier",
"Identifier (username or IP) is required", nil)
return
}
// Reset the lockout
ResetLockout(resetReq.Identifier)
// Also clear failed login attempts
ClearFailedLogins(resetReq.Identifier)
// Audit log the reset
LogAuditEvent("lockout_reset", "admin", GetClientIP(req), req.URL.Path, true,
fmt.Sprintf("Lockout reset for: %s", resetReq.Identifier))
log.Info().
Str("identifier", resetReq.Identifier).
Str("reset_by", "admin").
Str("ip", GetClientIP(req)).
Msg("Account lockout manually reset")
// Return success
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
"success": true,
"message": fmt.Sprintf("Lockout reset for %s", resetReq.Identifier),
})
}
// handleState handles state requests
func (r *Router) handleState(w http.ResponseWriter, req *http.Request) {
log.Debug().Msg("[DEBUG] handleState: START")
if req.Method != http.MethodGet {
writeErrorResponse(w, http.StatusMethodNotAllowed, "method_not_allowed",
"Only GET method is allowed", nil)
return
}
log.Debug().Msg("[DEBUG] handleState: Before auth check")
// Use standard auth check (supports both basic auth and API tokens) unless auth is disabled
if !r.config.DisableAuth && !CheckAuth(r.config, w, req) {
writeErrorResponse(w, http.StatusUnauthorized, "unauthorized",
"Authentication required", nil)
return
}
log.Debug().Msg("[DEBUG] handleState: Before GetState")
state := r.monitor.GetState()
log.Debug().Msg("[DEBUG] handleState: After GetState, before ToFrontend")
frontendState := state.ToFrontend()
log.Debug().Msg("[DEBUG] handleState: Before WriteJSONResponse")
if err := utils.WriteJSONResponse(w, frontendState); err != nil {
log.Error().Err(err).Msg("Failed to encode state response")
writeErrorResponse(w, http.StatusInternalServerError, "encoding_error",
"Failed to encode state data", nil)
}
log.Debug().Msg("[DEBUG] handleState: END")
}
// handleVersion handles version requests
func (r *Router) handleVersion(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodGet && req.Method != http.MethodHead {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
versionInfo, err := updates.GetCurrentVersion()
if err != nil {
// Fallback to VERSION file
versionBytes, _ := os.ReadFile("VERSION")
response := VersionResponse{
Version: strings.TrimSpace(string(versionBytes)),
BuildTime: "development",
GoVersion: runtime.Version(),
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(response)
return
}
// Convert to typed response
response := VersionResponse{
Version: versionInfo.Version,
BuildTime: versionInfo.Build,
GoVersion: runtime.Version(),
}
// Add cached update info if available
if cachedUpdate := r.updateManager.GetCachedUpdateInfo(); cachedUpdate != nil {
response.UpdateAvailable = cachedUpdate.Available
response.LatestVersion = cachedUpdate.LatestVersion
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(response)
}
// handleAgentVersion returns the current Docker agent version for update checks
func (r *Router) handleAgentVersion(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodGet && req.Method != http.MethodHead {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Current agent version - matches the version baked into the Docker agent binary
version := strings.TrimSpace(dockeragent.Version)
if version == "" {
version = "dev"
}
response := AgentVersionResponse{
Version: version,
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(response)
}
// handleStorage handles storage detail requests
func (r *Router) handleStorage(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodGet {
writeErrorResponse(w, http.StatusMethodNotAllowed, "method_not_allowed",
"Only GET method is allowed", nil)
return
}
// Extract storage ID from path
path := strings.TrimPrefix(req.URL.Path, "/api/storage/")
if path == "" {
writeErrorResponse(w, http.StatusBadRequest, "missing_storage_id",
"Storage ID is required", nil)
return
}
// Get current state
state := r.monitor.GetState()
// Find the storage by ID
var storageDetail *models.Storage
for _, storage := range state.Storage {
if storage.ID == path {
storageDetail = &storage
break
}
}
if storageDetail == nil {
writeErrorResponse(w, http.StatusNotFound, "storage_not_found",
fmt.Sprintf("Storage with ID '%s' not found", path), nil)
return
}
// Return storage details
w.Header().Set("Content-Type", "application/json")
if err := json.NewEncoder(w).Encode(map[string]interface{}{
"data": storageDetail,
"timestamp": time.Now().Unix(),
}); err != nil {
log.Error().Err(err).Str("storage_id", path).Msg("Failed to encode storage details")
writeErrorResponse(w, http.StatusInternalServerError, "encoding_error",
"Failed to encode response", nil)
}
}
// handleCharts handles chart data requests
func (r *Router) handleCharts(w http.ResponseWriter, req *http.Request) {
log.Debug().Str("method", req.Method).Str("url", req.URL.String()).Msg("Charts endpoint hit")
if req.Method != http.MethodGet && req.Method != http.MethodHead {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Get time range from query parameters
query := req.URL.Query()
timeRange := query.Get("range")
if timeRange == "" {
timeRange = "1h"
}
// Convert time range to duration
var duration time.Duration
switch timeRange {
case "5m":
duration = 5 * time.Minute
case "15m":
duration = 15 * time.Minute
case "30m":
duration = 30 * time.Minute
case "1h":
duration = time.Hour
case "4h":
duration = 4 * time.Hour
case "12h":
duration = 12 * time.Hour
case "24h":
duration = 24 * time.Hour
case "7d":
duration = 7 * 24 * time.Hour
default:
duration = time.Hour
}
// Get current state from monitor
state := r.monitor.GetState()
// Create chart data structure that matches frontend expectations
chartData := make(map[string]VMChartData)
nodeData := make(map[string]NodeChartData)
currentTime := time.Now().Unix() * 1000 // JavaScript timestamp format
oldestTimestamp := currentTime
// Process VMs - get historical data
for _, vm := range state.VMs {
if chartData[vm.ID] == nil {
chartData[vm.ID] = make(VMChartData)
}
// Get historical metrics
metrics := r.monitor.GetGuestMetrics(vm.ID, duration)
// Convert metric points to API format
for metricType, points := range metrics {
chartData[vm.ID][metricType] = make([]MetricPoint, len(points))
for i, point := range points {
ts := point.Timestamp.Unix() * 1000
if ts < oldestTimestamp {
oldestTimestamp = ts
}
chartData[vm.ID][metricType][i] = MetricPoint{
Timestamp: ts,
Value: point.Value,
}
}
}
// If no historical data, add current value
if len(chartData[vm.ID]["cpu"]) == 0 {
chartData[vm.ID]["cpu"] = []MetricPoint{
{Timestamp: currentTime, Value: vm.CPU * 100},
}
chartData[vm.ID]["memory"] = []MetricPoint{
{Timestamp: currentTime, Value: vm.Memory.Usage},
}
chartData[vm.ID]["disk"] = []MetricPoint{
{Timestamp: currentTime, Value: vm.Disk.Usage},
}
chartData[vm.ID]["diskread"] = []MetricPoint{
{Timestamp: currentTime, Value: float64(vm.DiskRead)},
}
chartData[vm.ID]["diskwrite"] = []MetricPoint{
{Timestamp: currentTime, Value: float64(vm.DiskWrite)},
}
chartData[vm.ID]["netin"] = []MetricPoint{
{Timestamp: currentTime, Value: float64(vm.NetworkIn)},
}
chartData[vm.ID]["netout"] = []MetricPoint{
{Timestamp: currentTime, Value: float64(vm.NetworkOut)},
}
}
}
// Process Containers - get historical data
for _, ct := range state.Containers {
if chartData[ct.ID] == nil {
chartData[ct.ID] = make(VMChartData)
}
// Get historical metrics
metrics := r.monitor.GetGuestMetrics(ct.ID, duration)
// Convert metric points to API format
for metricType, points := range metrics {
chartData[ct.ID][metricType] = make([]MetricPoint, len(points))
for i, point := range points {
ts := point.Timestamp.Unix() * 1000
if ts < oldestTimestamp {
oldestTimestamp = ts
}
chartData[ct.ID][metricType][i] = MetricPoint{
Timestamp: ts,
Value: point.Value,
}
}
}
// If no historical data, add current value
if len(chartData[ct.ID]["cpu"]) == 0 {
chartData[ct.ID]["cpu"] = []MetricPoint{
{Timestamp: currentTime, Value: ct.CPU * 100},
}
chartData[ct.ID]["memory"] = []MetricPoint{
{Timestamp: currentTime, Value: ct.Memory.Usage},
}
chartData[ct.ID]["disk"] = []MetricPoint{
{Timestamp: currentTime, Value: ct.Disk.Usage},
}
chartData[ct.ID]["diskread"] = []MetricPoint{
{Timestamp: currentTime, Value: float64(ct.DiskRead)},
}
chartData[ct.ID]["diskwrite"] = []MetricPoint{
{Timestamp: currentTime, Value: float64(ct.DiskWrite)},
}
chartData[ct.ID]["netin"] = []MetricPoint{
{Timestamp: currentTime, Value: float64(ct.NetworkIn)},
}
chartData[ct.ID]["netout"] = []MetricPoint{
{Timestamp: currentTime, Value: float64(ct.NetworkOut)},
}
}
}
// Process Storage - get historical data
storageData := make(map[string]StorageChartData)
for _, storage := range state.Storage {
if storageData[storage.ID] == nil {
storageData[storage.ID] = make(StorageChartData)
}
// Get historical metrics
metrics := r.monitor.GetStorageMetrics(storage.ID, duration)
// Convert usage metrics to chart format
if usagePoints, ok := metrics["usage"]; ok && len(usagePoints) > 0 {
// Convert MetricPoint slice to chart format
storageData[storage.ID]["disk"] = make([]MetricPoint, len(usagePoints))
for i, point := range usagePoints {
ts := point.Timestamp.Unix() * 1000
if ts < oldestTimestamp {
oldestTimestamp = ts
}
storageData[storage.ID]["disk"][i] = MetricPoint{
Timestamp: ts,
Value: point.Value,
}
}
} else {
// Add current value if no historical data
usagePercent := float64(0)
if storage.Total > 0 {
usagePercent = (float64(storage.Used) / float64(storage.Total)) * 100
}
storageData[storage.ID]["disk"] = []MetricPoint{
{Timestamp: currentTime, Value: usagePercent},
}
}
}
// Process Nodes - get historical data
for _, node := range state.Nodes {
if nodeData[node.ID] == nil {
nodeData[node.ID] = make(NodeChartData)
}
// Get historical metrics for each type
for _, metricType := range []string{"cpu", "memory", "disk"} {
points := r.monitor.GetNodeMetrics(node.ID, metricType, duration)
nodeData[node.ID][metricType] = make([]MetricPoint, len(points))
for i, point := range points {
ts := point.Timestamp.Unix() * 1000
if ts < oldestTimestamp {
oldestTimestamp = ts
}
nodeData[node.ID][metricType][i] = MetricPoint{
Timestamp: ts,
Value: point.Value,
}
}
// If no historical data, add current value
if len(nodeData[node.ID][metricType]) == 0 {
var value float64
switch metricType {
case "cpu":
value = node.CPU * 100
case "memory":
value = node.Memory.Usage
case "disk":
value = node.Disk.Usage
}
nodeData[node.ID][metricType] = []MetricPoint{
{Timestamp: currentTime, Value: value},
}
}
}
}
response := ChartResponse{
ChartData: chartData,
NodeData: nodeData,
StorageData: storageData,
Timestamp: currentTime,
Stats: ChartStats{
OldestDataTimestamp: oldestTimestamp,
},
}
w.Header().Set("Content-Type", "application/json")
if err := json.NewEncoder(w).Encode(response); err != nil {
log.Error().Err(err).Msg("Failed to encode chart data response")
http.Error(w, "Internal server error", http.StatusInternalServerError)
return
}
log.Debug().
Int("guests", len(chartData)).
Int("nodes", len(nodeData)).
Int("storage", len(storageData)).
Str("range", timeRange).
Msg("Chart data response sent")
}
// handleStorageCharts handles storage chart data requests
func (r *Router) handleStorageCharts(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodGet && req.Method != http.MethodHead {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Parse query parameters
query := req.URL.Query()
rangeMinutes := 60 // default 1 hour
if rangeStr := query.Get("range"); rangeStr != "" {
if _, err := fmt.Sscanf(rangeStr, "%d", &rangeMinutes); err != nil {
log.Warn().Err(err).Str("range", rangeStr).Msg("Invalid range parameter; using default")
}
}
duration := time.Duration(rangeMinutes) * time.Minute
state := r.monitor.GetState()
// Build storage chart data
storageData := make(StorageChartsResponse)
for _, storage := range state.Storage {
metrics := r.monitor.GetStorageMetrics(storage.ID, duration)
storageData[storage.ID] = StorageMetrics{
Usage: metrics["usage"],
Used: metrics["used"],
Total: metrics["total"],
Avail: metrics["avail"],
}
}
w.Header().Set("Content-Type", "application/json")
if err := json.NewEncoder(w).Encode(storageData); err != nil {
log.Error().Err(err).Msg("Failed to encode storage chart data")
http.Error(w, "Internal server error", http.StatusInternalServerError)
}
}
// handleConfig handles configuration requests
func (r *Router) handleConfig(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Return public configuration
config := map[string]interface{}{
"csrfProtection": false, // Not implemented yet
"autoUpdateEnabled": r.config.AutoUpdateEnabled,
"updateChannel": r.config.UpdateChannel,
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(config)
}
// handleBackups handles backup requests
func (r *Router) handleBackups(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Get current state
state := r.monitor.GetState()
// Return backup data structure
backups := map[string]interface{}{
"backupTasks": state.PVEBackups.BackupTasks,
"storageBackups": state.PVEBackups.StorageBackups,
"guestSnapshots": state.PVEBackups.GuestSnapshots,
"pbsBackups": state.PBSBackups,
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(backups)
}
// handleBackupsPVE handles PVE backup requests
func (r *Router) handleBackupsPVE(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Get state and extract PVE backups
state := r.monitor.GetState()
// Return PVE backup data in expected format
backups := state.PVEBackups.StorageBackups
if backups == nil {
backups = []models.StorageBackup{}
}
pveBackups := map[string]interface{}{
"backups": backups,
}
w.Header().Set("Content-Type", "application/json")
if err := json.NewEncoder(w).Encode(pveBackups); err != nil {
log.Error().Err(err).Msg("Failed to encode PVE backups response")
// Return empty array as fallback
w.Write([]byte(`{"backups":[]}`))
}
}
// handleBackupsPBS handles PBS backup requests
func (r *Router) handleBackupsPBS(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Get state and extract PBS backups
state := r.monitor.GetState()
// Return PBS backup data in expected format
instances := state.PBSInstances
if instances == nil {
instances = []models.PBSInstance{}
}
pbsData := map[string]interface{}{
"instances": instances,
}
w.Header().Set("Content-Type", "application/json")
if err := json.NewEncoder(w).Encode(pbsData); err != nil {
log.Error().Err(err).Msg("Failed to encode PBS response")
// Return empty array as fallback
w.Write([]byte(`{"instances":[]}`))
}
}
// handleSnapshots handles snapshot requests
func (r *Router) handleSnapshots(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Get state and extract guest snapshots
state := r.monitor.GetState()
// Return snapshot data
snaps := state.PVEBackups.GuestSnapshots
if snaps == nil {
snaps = []models.GuestSnapshot{}
}
snapshots := map[string]interface{}{
"snapshots": snaps,
}
w.Header().Set("Content-Type", "application/json")
if err := json.NewEncoder(w).Encode(snapshots); err != nil {
log.Error().Err(err).Msg("Failed to encode snapshots response")
// Return empty array as fallback
w.Write([]byte(`{"snapshots":[]}`))
}
}
// handleWebSocket handles WebSocket connections
func (r *Router) handleWebSocket(w http.ResponseWriter, req *http.Request) {
r.wsHub.HandleWebSocket(w, req)
}
// handleSimpleStats serves a simple stats page
func (r *Router) handleSimpleStats(w http.ResponseWriter, req *http.Request) {
html := `<!DOCTYPE html>
<html>
<head>
<title>Simple Pulse Stats</title>
<style>
body {
font-family: Arial, sans-serif;
margin: 20px;
background: #f5f5f5;
}
table {
width: 100%;
border-collapse: collapse;
background: white;
box-shadow: 0 2px 4px rgba(0,0,0,0.1);
}
th, td {
padding: 12px;
text-align: left;
border-bottom: 1px solid #ddd;
}
th {
background: #333;
color: white;
font-weight: bold;
position: sticky;
top: 0;
}
tr:hover {
background: #f5f5f5;
}
.status {
padding: 4px 8px;
border-radius: 4px;
color: white;
font-size: 12px;
}
.running { background: #28a745; }
.stopped { background: #dc3545; }
#status {
margin-bottom: 20px;
padding: 10px;
background: #e9ecef;
border-radius: 4px;
display: flex;
justify-content: space-between;
align-items: center;
}
.update-indicator {
display: inline-block;
width: 10px;
height: 10px;
background: #28a745;
border-radius: 50%;
animation: pulse 0.5s ease-out;
}
@keyframes pulse {
0% { transform: scale(1); opacity: 1; }
50% { transform: scale(1.5); opacity: 0.7; }
100% { transform: scale(1); opacity: 1; }
}
.update-timer {
font-family: monospace;
font-size: 14px;
color: #666;
}
.metric {
font-family: monospace;
text-align: right;
}
</style>
</head>
<body>
<h1>Simple Pulse Stats</h1>
<div id="status">
<div>
<span id="status-text">Connecting...</span>
<span class="update-indicator" id="update-indicator" style="display:none"></span>
</div>
<div class="update-timer" id="update-timer"></div>
</div>
<h2>Containers</h2>
<table id="containers">
<thead>
<tr>
<th>Name</th>
<th>Status</th>
<th>CPU %</th>
<th>Memory</th>
<th>Disk Read</th>
<th>Disk Write</th>
<th>Net In</th>
<th>Net Out</th>
</tr>
</thead>
<tbody></tbody>
</table>
<script>
let ws;
let lastUpdateTime = null;
let updateCount = 0;
let updateInterval = null;
function formatBytes(bytes) {
if (!bytes || bytes < 0) return '0 B/s';
const units = ['B/s', 'KB/s', 'MB/s', 'GB/s'];
let i = 0;
let value = bytes;
while (value >= 1024 && i < units.length - 1) {
value /= 1024;
i++;
}
return value.toFixed(1) + ' ' + units[i];
}
function formatMemory(used, total) {
const usedGB = (used / 1024 / 1024 / 1024).toFixed(1);
const totalGB = (total / 1024 / 1024 / 1024).toFixed(1);
const percent = ((used / total) * 100).toFixed(0);
return usedGB + '/' + totalGB + ' GB (' + percent + '%)';
}
function updateTable(containers) {
const tbody = document.querySelector('#containers tbody');
tbody.innerHTML = '';
containers.sort((a, b) => a.name.localeCompare(b.name));
containers.forEach(ct => {
const row = document.createElement('tr');
row.innerHTML =
'<td><strong>' + ct.name + '</strong></td>' +
'<td><span class="status ' + ct.status + '">' + ct.status + '</span></td>' +
'<td class="metric">' + (ct.cpu ? ct.cpu.toFixed(1) : '0.0') + '%</td>' +
'<td class="metric">' + formatMemory(ct.mem || 0, ct.maxmem || 1) + '</td>' +
'<td class="metric">' + formatBytes(ct.diskread) + '</td>' +
'<td class="metric">' + formatBytes(ct.diskwrite) + '</td>' +
'<td class="metric">' + formatBytes(ct.netin) + '</td>' +
'<td class="metric">' + formatBytes(ct.netout) + '</td>';
tbody.appendChild(row);
});
}
function updateTimer() {
if (lastUpdateTime) {
const secondsSince = Math.floor((Date.now() - lastUpdateTime) / 1000);
document.getElementById('update-timer').textContent = 'Next update in: ' + (2 - (secondsSince % 2)) + 's';
}
}
function connect() {
const statusText = document.getElementById('status-text');
const indicator = document.getElementById('update-indicator');
statusText.textContent = 'Connecting to WebSocket...';
ws = new WebSocket('ws://' + window.location.host + '/ws');
ws.onopen = function() {
statusText.textContent = 'Connected! Updates every 2 seconds';
console.log('WebSocket connected');
// Start the countdown timer
if (updateInterval) clearInterval(updateInterval);
updateInterval = setInterval(updateTimer, 100);
};
ws.onmessage = function(event) {
try {
const msg = JSON.parse(event.data);
if (msg.type === 'initialState' || msg.type === 'rawData') {
if (msg.data && msg.data.containers) {
updateCount++;
lastUpdateTime = Date.now();
// Show update indicator with animation
indicator.style.display = 'inline-block';
indicator.style.animation = 'none';
setTimeout(() => {
indicator.style.animation = 'pulse 0.5s ease-out';
}, 10);
statusText.textContent = 'Update #' + updateCount + ' at ' + new Date().toLocaleTimeString();
updateTable(msg.data.containers);
}
}
} catch (err) {
console.error('Parse error:', err);
}
};
ws.onclose = function(event) {
statusText.textContent = 'Disconnected: ' + event.code + ' ' + event.reason + '. Reconnecting in 3s...';
indicator.style.display = 'none';
if (updateInterval) clearInterval(updateInterval);
setTimeout(connect, 3000);
};
ws.onerror = function(error) {
statusText.textContent = 'Connection error. Retrying...';
console.error('WebSocket error:', error);
};
}
// Start connection
connect();
</script>
</body>
</html>`
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.Write([]byte(html))
}
// handleSocketIO handles socket.io requests
func (r *Router) handleSocketIO(w http.ResponseWriter, req *http.Request) {
// For socket.io.js, redirect to CDN
if strings.Contains(req.URL.Path, "socket.io.js") {
http.Redirect(w, req, "https://cdn.socket.io/4.8.1/socket.io.min.js", http.StatusFound)
return
}
// For other socket.io endpoints, use our WebSocket
// This provides basic compatibility
if strings.Contains(req.URL.RawQuery, "transport=websocket") {
r.wsHub.HandleWebSocket(w, req)
return
}
// For polling transport, return proper socket.io response
// Socket.io v4 expects specific format
if strings.Contains(req.URL.RawQuery, "transport=polling") {
if strings.Contains(req.URL.RawQuery, "sid=") {
// Already connected, return empty poll
w.Header().Set("Content-Type", "text/plain; charset=UTF-8")
w.WriteHeader(http.StatusOK)
w.Write([]byte("6"))
} else {
// Initial handshake
w.Header().Set("Content-Type", "text/plain; charset=UTF-8")
w.WriteHeader(http.StatusOK)
// Send open packet with session ID and config
sessionID := fmt.Sprintf("%d", time.Now().UnixNano())
response := fmt.Sprintf(`0{"sid":"%s","upgrades":["websocket"],"pingInterval":25000,"pingTimeout":60000}`, sessionID)
w.Write([]byte(response))
}
return
}
// Default: redirect to WebSocket
http.Redirect(w, req, "/ws", http.StatusFound)
}
// forwardUpdateProgress forwards update progress to WebSocket clients
func (r *Router) forwardUpdateProgress() {
progressChan := r.updateManager.GetProgressChannel()
for status := range progressChan {
// Create update event for WebSocket
message := websocket.Message{
Type: "update:progress",
Data: status,
Timestamp: time.Now().Format(time.RFC3339),
}
// Broadcast to all connected clients
r.wsHub.BroadcastMessage(message)
// Log progress
log.Debug().
Str("status", status.Status).
Int("progress", status.Progress).
Str("message", status.Message).
Msg("Update progress")
}
}
// backgroundUpdateChecker periodically checks for updates and caches the result
func (r *Router) backgroundUpdateChecker() {
// Delay initial check to allow WebSocket clients to receive welcome messages first
time.Sleep(1 * time.Second)
ctx := context.Background()
if _, err := r.updateManager.CheckForUpdates(ctx); err != nil {
log.Debug().Err(err).Msg("Initial update check failed")
} else {
log.Info().Msg("Initial update check completed")
}
// Then check every hour
ticker := time.NewTicker(1 * time.Hour)
defer ticker.Stop()
for range ticker.C {
if _, err := r.updateManager.CheckForUpdates(ctx); err != nil {
log.Debug().Err(err).Msg("Periodic update check failed")
} else {
log.Debug().Msg("Periodic update check completed")
}
}
}
// handleDownloadInstallScript serves the Docker agent installation script
func (r *Router) handleDownloadInstallScript(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Prevent caching - always serve the latest version
w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
w.Header().Set("Pragma", "no-cache")
w.Header().Set("Expires", "0")
scriptPath := "/opt/pulse/scripts/install-docker-agent.sh"
http.ServeFile(w, req, scriptPath)
}
// handleDownloadAgent serves the Docker agent binary
func (r *Router) handleDownloadAgent(w http.ResponseWriter, req *http.Request) {
if req.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Prevent caching - always serve the latest version
w.Header().Set("Cache-Control", "no-cache, no-store, must-revalidate")
w.Header().Set("Pragma", "no-cache")
w.Header().Set("Expires", "0")
archParam := strings.TrimSpace(req.URL.Query().Get("arch"))
searchPaths := make([]string, 0, 4)
if normalized := normalizeDockerAgentArch(archParam); normalized != "" {
searchPaths = append(searchPaths,
filepath.Join("/opt/pulse/bin", "pulse-docker-agent-"+normalized),
filepath.Join("/opt/pulse", "pulse-docker-agent-"+normalized),
)
}
// Default locations (host architecture)
searchPaths = append(searchPaths,
filepath.Join("/opt/pulse/bin", "pulse-docker-agent"),
"/opt/pulse/pulse-docker-agent",
)
for _, candidate := range searchPaths {
if candidate == "" {
continue
}
if info, err := os.Stat(candidate); err == nil && !info.IsDir() {
http.ServeFile(w, req, candidate)
return
}
}
http.Error(w, "Agent binary not found", http.StatusNotFound)
}
func normalizeDockerAgentArch(arch string) string {
if arch == "" {
return ""
}
arch = strings.ToLower(strings.TrimSpace(arch))
switch arch {
case "linux-amd64", "amd64", "x86_64", "x86-64":
return "linux-amd64"
case "linux-arm64", "arm64", "aarch64":
return "linux-arm64"
case "linux-armv7", "armv7", "armv7l", "armhf":
return "linux-armv7"
default:
return ""
}
}