Merge branch 'henrygd:main' into main

Fixing service name in helm chart and making default values unopinionated (#1166 )
strip whitespace from TOKEN_FILE (#984 )
2025-10-19 01:39:34 +08:00 · 2025-09-15 09:25:05 +08:00 · 2025-09-13 12:09:36 -04:00 · 2025-09-12 12:59:53 -04:00 · 2025-09-11 15:37:11 -04:00 · 2025-09-11 15:07:37 -04:00
13 changed files with 254 additions and 29 deletions
--- a/agent/client.go
+++ b/agent/client.go
@@ -85,7 +85,7 @@ func getToken() (string, error) {
 	if err != nil {
 		return "", err
 	}
-	return string(tokenBytes), nil
+	return strings.TrimSpace(string(tokenBytes)), nil
 }

 // getOptions returns the WebSocket client options, creating them if necessary.
--- a/agent/client_test.go
+++ b/agent/client_test.go
@@ -537,4 +537,25 @@ func TestGetToken(t *testing.T) {
 		assert.NoError(t, err)
 		assert.Equal(t, "", token, "Empty file should return empty string")
 	})
+
+	t.Run("strips whitespace from TOKEN_FILE", func(t *testing.T) {
+		unsetEnvVars()
+
+		tokenWithWhitespace := "  test-token-with-whitespace  \n\t"
+		expectedToken := "test-token-with-whitespace"
+		tokenFile, err := os.CreateTemp("", "token-test-*.txt")
+		require.NoError(t, err)
+		defer os.Remove(tokenFile.Name())
+
+		_, err = tokenFile.WriteString(tokenWithWhitespace)
+		require.NoError(t, err)
+		tokenFile.Close()
+
+		os.Setenv("TOKEN_FILE", tokenFile.Name())
+		defer os.Unsetenv("TOKEN_FILE")
+
+		token, err := getToken()
+		assert.NoError(t, err)
+		assert.Equal(t, expectedToken, token, "Whitespace should be stripped from token file content")
+	})
 }
--- a/i18n.yml
+++ b/i18n.yml
@@ -1,3 +1,3 @@
 files:
-  - source: /beszel/site/src/locales/en/en.po
-    translation: /beszel/site/src/locales/%two_letters_code%/%two_letters_code%.po
+  - source: /internal/site/src/locales/en/
+    translation: /internal/site/src/locales/%two_letters_code%/%two_letters_code%.po
--- a/internal/hub/hub.go
+++ b/internal/hub/hub.go
@@ -69,6 +69,8 @@ func (h *Hub) StartHub() error {
 		if err := config.SyncSystems(e); err != nil {
 			return err
 		}
+		// register middlewares
+		h.registerMiddlewares(e)
 		// register api routes
 		if err := h.registerApiRoutes(e); err != nil {
 			return err
@@ -171,6 +173,37 @@ func (h *Hub) registerCronJobs(_ *core.ServeEvent) error {
 	return nil
 }

+// custom middlewares
+func (h *Hub) registerMiddlewares(se *core.ServeEvent) {
+	// authorizes request with user matching the provided email
+	authorizeRequestWithEmail := func(e *core.RequestEvent, email string) (err error) {
+		if e.Auth != nil || email == "" {
+			return e.Next()
+		}
+		isAuthRefresh := e.Request.URL.Path == "/api/collections/users/auth-refresh" && e.Request.Method == http.MethodPost
+		e.Auth, err = e.App.FindFirstRecordByData("users", "email", email)
+		if err != nil || !isAuthRefresh {
+			return e.Next()
+		}
+		// auth refresh endpoint, make sure token is set in header
+		token, _ := e.Auth.NewAuthToken()
+		e.Request.Header.Set("Authorization", token)
+		return e.Next()
+	}
+	// authenticate with trusted header
+	if autoLogin, _ := GetEnv("AUTO_LOGIN"); autoLogin != "" {
+		se.Router.BindFunc(func(e *core.RequestEvent) error {
+			return authorizeRequestWithEmail(e, autoLogin)
+		})
+	}
+	// authenticate with trusted header
+	if trustedHeader, _ := GetEnv("TRUSTED_AUTH_HEADER"); trustedHeader != "" {
+		se.Router.BindFunc(func(e *core.RequestEvent) error {
+			return authorizeRequestWithEmail(e, e.Request.Header.Get(trustedHeader))
+		})
+	}
+}
+
 // custom api routes
 func (h *Hub) registerApiRoutes(se *core.ServeEvent) error {
 	// auth protected routes
--- a/internal/hub/hub_test.go
+++ b/internal/hub/hub_test.go
@@ -711,3 +711,117 @@ func TestCreateUserEndpointAvailability(t *testing.T) {
 		scenario.Test(t)
 	})
 }
+
+func TestAutoLoginMiddleware(t *testing.T) {
+	var hubs []*beszelTests.TestHub
+
+	defer func() {
+		defer os.Unsetenv("AUTO_LOGIN")
+		for _, hub := range hubs {
+			hub.Cleanup()
+		}
+	}()
+
+	os.Setenv("AUTO_LOGIN", "user@test.com")
+
+	testAppFactory := func(t testing.TB) *pbTests.TestApp {
+		hub, _ := beszelTests.NewTestHub(t.TempDir())
+		hubs = append(hubs, hub)
+		hub.StartHub()
+		return hub.TestApp
+	}
+
+	scenarios := []beszelTests.ApiScenario{
+		{
+			Name:            "GET /getkey - without auto login should fail",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/getkey",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:            "GET /getkey - with auto login should fail if no matching user",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/getkey",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:            "GET /getkey - with auto login should succeed",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/getkey",
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"key\":", "\"v\":"},
+			TestAppFactory:  testAppFactory,
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				beszelTests.CreateUser(app, "user@test.com", "password123")
+			},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}
+
+func TestTrustedHeaderMiddleware(t *testing.T) {
+	var hubs []*beszelTests.TestHub
+
+	defer func() {
+		defer os.Unsetenv("TRUSTED_AUTH_HEADER")
+		for _, hub := range hubs {
+			hub.Cleanup()
+		}
+	}()
+
+	os.Setenv("TRUSTED_AUTH_HEADER", "X-Beszel-Trusted")
+
+	testAppFactory := func(t testing.TB) *pbTests.TestApp {
+		hub, _ := beszelTests.NewTestHub(t.TempDir())
+		hubs = append(hubs, hub)
+		hub.StartHub()
+		return hub.TestApp
+	}
+
+	scenarios := []beszelTests.ApiScenario{
+		{
+			Name:            "GET /getkey - without trusted header should fail",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/getkey",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /getkey - with trusted header should fail if no matching user",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/getkey",
+			Headers: map[string]string{
+				"X-Beszel-Trusted": "user@test.com",
+			},
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /getkey - with trusted header should succeed",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/getkey",
+			Headers: map[string]string{
+				"X-Beszel-Trusted": "user@test.com",
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"key\":", "\"v\":"},
+			TestAppFactory:  testAppFactory,
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				beszelTests.CreateUser(app, "user@test.com", "password123")
+			},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}
--- a/internal/site/biome.json
+++ b/internal/site/biome.json
@@ -17,7 +17,10 @@
 	"linter": {
 		"enabled": true,
 		"rules": {
-			"recommended": true
+			"recommended": true,
+			"correctness": {
+				"useUniqueElementIds": "off"
+			}
 		}
 	},
 	"javascript": {
@@ -35,4 +38,4 @@
 			}
 		}
 	}
-}
+}
--- a/internal/site/src/components/add-system.tsx
+++ b/internal/site/src/components/add-system.tsx
@@ -22,7 +22,7 @@ import { memo, useEffect, useRef, useState } from "react"
 import { $router, basePath, Link, navigate } from "./router"
 import { SystemRecord } from "@/types"
 import { SystemStatus } from "@/lib/enums"
-import { AppleIcon, DockerIcon, TuxIcon, WindowsIcon } from "./ui/icons"
+import { AppleIcon, DockerIcon, FreeBsdIcon, TuxIcon, WindowsIcon } from "./ui/icons"
 import { InputCopy } from "./ui/input-copy"
 import { getPagePath } from "@nanostores/router"
 import {
@@ -253,6 +253,12 @@ export const SystemDialog = ({ setOpen, system }: { setOpen: (open: boolean) =>
 											copyWindowsCommand(isUnixSocket ? hostValue : port.current?.value, publicKey, token),
 										icons: [WindowsIcon],
 									},
+									{
+										text: t({ message: "FreeBSD command", context: "Button to copy install command" }),
+										onClick: async () =>
+											copyLinuxCommand(isUnixSocket ? hostValue : port.current?.value, publicKey, token),
+										icons: [FreeBsdIcon],
+									},
 									{
 										text: t`Manual setup instructions`,
 										url: "https://beszel.dev/guide/agent-installation#binary",
--- a/internal/site/src/components/routes/settings/tokens-fingerprints.tsx
+++ b/internal/site/src/components/routes/settings/tokens-fingerprints.tsx
@@ -9,6 +9,7 @@ import {
 	RotateCwIcon,
 	ServerIcon,
 	Trash2Icon,
+	ExternalLinkIcon,
 } from "lucide-react"
 import { memo, useEffect, useMemo, useState } from "react"
 import {
@@ -28,7 +29,7 @@ import {
 	DropdownMenuSeparator,
 	DropdownMenuTrigger,
 } from "@/components/ui/dropdown-menu"
-import { AppleIcon, DockerIcon, TuxIcon, WindowsIcon } from "@/components/ui/icons"
+import { AppleIcon, DockerIcon, FreeBsdIcon, TuxIcon, WindowsIcon } from "@/components/ui/icons"
 import { Separator } from "@/components/ui/separator"
 import { Switch } from "@/components/ui/switch"
 import { Table, TableBody, TableCell, TableHead, TableHeader, TableRow } from "@/components/ui/table"
@@ -150,6 +151,7 @@ const SectionUniversalToken = memo(() => {
 		setIsLoading(false)
 	}

+	// biome-ignore lint/correctness/useExhaustiveDependencies: only on mount
 	useEffect(() => {
 		updateToken()
 	}, [])
@@ -221,6 +223,16 @@ const ActionsButtonUniversalToken = memo(({ token, checked }: { token: string; c
 			onClick: () => copyWindowsCommand(port, publicKey, token),
 			icons: [WindowsIcon],
 		},
+		{
+			text: t({ message: "FreeBSD command", context: "Button to copy install command" }),
+			onClick: () => copyLinuxCommand(port, publicKey, token),
+			icons: [FreeBsdIcon],
+		},
+		{
+			text: t`Manual setup instructions`,
+			url: "https://beszel.dev/guide/agent-installation#binary",
+			icons: [ExternalLinkIcon],
+		},
 	]
 	return (
 		<div className="flex items-center gap-2">
@@ -291,8 +303,8 @@ const SectionTable = memo(({ fingerprints = [] }: { fingerprints: FingerprintRec
 					</tr>
 				</TableHeader>
 				<TableBody className="whitespace-pre">
-					{fingerprints.map((fingerprint, i) => (
-						<TableRow key={i}>
+					{fingerprints.map((fingerprint) => (
+						<TableRow key={fingerprint.id}>
 							<TableCell className="font-medium ps-5 py-2 max-w-60 truncate">
 								{fingerprint.expand.system.name}
 							</TableCell>
@@ -317,10 +329,10 @@ async function updateFingerprint(fingerprint: FingerprintRecord, rotateToken = f
 			fingerprint: "",
 			token: rotateToken ? generateToken() : fingerprint.token,
 		})
-	} catch (error: any) {
+	} catch (error: unknown) {
 		toast({
 			title: t`Error`,
-			description: error.message,
+			description: (error as Error).message,
 		})
 	}
 }
--- a/internal/site/src/lib/systemsManager.ts
+++ b/internal/site/src/lib/systemsManager.ts
@@ -1,3 +1,4 @@
+/** biome-ignore-all lint/suspicious/noAssignInExpressions: it's fine :) */
 import type { PreinitializedMapStore } from "nanostores"
 import { pb, verifyAuth } from "@/lib/api"
 import {
@@ -16,9 +17,10 @@ const COLLECTION = pb.collection<SystemRecord>("systems")
 const FIELDS_DEFAULT = "id,name,host,port,info,status"

 /** Maximum system name length for display purposes */
-const MAX_SYSTEM_NAME_LENGTH = 20
+const MAX_SYSTEM_NAME_LENGTH = 22

 let initialized = false
+// biome-ignore lint/suspicious/noConfusingVoidType: typescript rocks
 let unsub: (() => void) | undefined | void

 /** Initialize the systems manager and set up listeners */
@@ -104,20 +106,37 @@ async function fetchSystems(): Promise<SystemRecord[]> {
 	}
 }

+/** Makes sure the system has valid info object and throws if not */
+function validateSystemInfo(system: SystemRecord) {
+	if (!("cpu" in system.info)) {
+		throw new Error(`${system.name} has no CPU info`)
+	}
+}
+
 /** Add system to both name and ID stores */
 export function add(system: SystemRecord) {
-	$allSystemsByName.setKey(system.name, system)
-	$allSystemsById.setKey(system.id, system)
+	try {
+		validateSystemInfo(system)
+		$allSystemsByName.setKey(system.name, system)
+		$allSystemsById.setKey(system.id, system)
+	} catch (error) {
+		console.error(error)
+	}
 }

 /** Update system in stores */
 export function update(system: SystemRecord) {
-	// if name changed, make sure old name is removed from the name store
-	const oldName = $allSystemsById.get()[system.id]?.name
-	if (oldName !== system.name) {
-		$allSystemsByName.setKey(oldName, undefined as any)
+	try {
+		validateSystemInfo(system)
+		// if name changed, make sure old name is removed from the name store
+		const oldName = $allSystemsById.get()[system.id]?.name
+		if (oldName !== system.name) {
+			$allSystemsByName.setKey(oldName, undefined as unknown as SystemRecord)
+		}
+		add(system)
+	} catch (error) {
+		console.error(error)
 	}
-	add(system)
 }

 /** Remove system from stores */
@@ -132,7 +151,7 @@ export function remove(system: SystemRecord) {
 /** Remove system from specific store */
 function removeFromStore(system: SystemRecord, store: PreinitializedMapStore<Record<string, SystemRecord>>) {
 	const key = store === $allSystemsByName ? system.name : system.id
-	store.setKey(key, undefined as any)
+	store.setKey(key, undefined as unknown as SystemRecord)
 }

 /** Action functions for subscription */
--- a/internal/site/src/main.tsx
+++ b/internal/site/src/main.tsx
@@ -74,6 +74,19 @@ const Layout = () => {
 		document.documentElement.dir = direction
 	}, [direction])

+	// biome-ignore lint/correctness/useExhaustiveDependencies: only run on mount
+	useEffect(() => {
+		// refresh auth if not authenticated (required for trusted auth header)
+		if (!authenticated) {
+			pb.collection("users")
+				.authRefresh()
+				.then((res) => {
+					pb.authStore.save(res.token, res.record)
+					$authenticated.set(!!pb.authStore.isValid)
+				})
+		}
+	}, [])
+
 	return (
 		<DirectionProvider dir={direction}>
 			{!authenticated ? (
--- a/supplemental/CHANGELOG.md
+++ b/supplemental/CHANGELOG.md
@@ -1,5 +1,13 @@
 ## 0.12.8

+- Add setting for time format (12h / 24h). (#424)
+
+- Add experimental one-time password (OTP) support.
+
+- Add `TRUSTED_AUTH_HEADER` environment variable for authentication forwarding. (#399)
+
+- Add `AUTO_LOGIN` environment variable for automatic login. (#399)
+
 - Add FreeBSD support for agent install script and update command.

 ## 0.12.7
--- a/supplemental/kubernetes/beszel-hub/charts/templates/service.yaml
+++ b/supplemental/kubernetes/beszel-hub/charts/templates/service.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "beszel.fullname" . }}-web
+  name: {{ include "beszel.fullname" . }}
  labels:
    {{- include "beszel.labels" . | nindent 4 }}
 {{- if .Values.service.annotations }}
--- a/supplemental/kubernetes/beszel-hub/charts/values.yaml
+++ b/supplemental/kubernetes/beszel-hub/charts/values.yaml
@@ -30,14 +30,10 @@ securityContext: {}

 service:
  enabled: true
-  type: LoadBalancer
-  loadBalancerIP: "10.0.10.251"
+  annotations: {}
+  type: ClusterIP
+  loadBalancerIP: ""
  port: 8090
-# -- Annotations for the DHCP service
-  annotations:
-    metallb.universe.tf/address-pool: pool
-    metallb.universe.tf/allow-shared-ip: beszel-hub-web
-  # -- Labels for the DHCP service

 ingress:
  enabled: false
@@ -96,7 +92,7 @@ persistentVolumeClaim:
  accessModes:
    - ReadWriteOnce

-  storageClass: "retain-local-path"
+  storageClass: ""

  # -- volume claim size
  size: "500Mi"
Author	SHA1	Message	Date
Fankesyooni	2847041162	Merge branch 'henrygd:main' into main	2025-09-15 09:25:05 +08:00
Ryan W	e149366451	Fixing service name in helm chart and making default values unopinionated (#1166 )	2025-09-13 12:09:36 -04:00
henrygd	8da1ded73e	strip whitespace from `TOKEN_FILE` (#984 )	2025-09-12 12:59:53 -04:00
henrygd	efa37b2312	web: extra check for valid system before adding (#1063 )	2025-09-11 15:37:11 -04:00
henrygd	bcdb4c92b5	add freebsd to list of copyable commands	2025-09-11 15:07:37 -04:00
henrygd	a7d07310b6	Add `AUTO_LOGIN` environment variable for automatic login. (#399 )	2025-09-11 14:01:09 -04:00
hank	8db87e5497	Update Crowdin configuration file	2025-09-11 12:45:43 -04:00
Fankesyooni	2ac7f3363a	Merge branch 'henrygd:main' into main	2025-09-11 18:41:35 +08:00
henrygd	e601a0d564	add TRUSTED_AUTH_HEADER for auth forwarding (#399 )	2025-09-10 21:26:59 -04:00
Fankesyooni	07491108cd	new zh-CN translations (#1160 )	2025-09-10 13:34:17 -04:00
henrygd	42ab17de1f	move i18n.yml to project root	2025-09-10 13:30:42 -04:00
henrygd	2d14174f61	update i18n.yml	2025-09-10 13:28:06 -04:00