Harden setup token flow and enforce encrypted persistence

2026-02-18 00:17:39 +01:00 · 2025-10-25 16:00:37 +00:00
parent cb37d0de01
commit 5a2d808aa1
9 changed files with 325 additions and 44 deletions
--- a/docs/API.md
+++ b/docs/API.md
@@ -758,8 +758,9 @@ Response:
 {
  "url": "http://pulse.local:7655/api/setup-script?type=pve&host=...",
  "command": "curl -sSL \"http://pulse.local:7655/api/setup-script?...\" | bash",
-  "setupCode": "A7K9P2",  // 6-character one-time code
-  "expires": 1755123456    // Unix timestamp when code expires (5 minutes)
+  "setupToken": "4c7f3e8c1c5f4b0da580c4477f4b1c2d",
+  "tokenHint": "4c7…c2d",
+  "expires": 1755123456    // Unix timestamp when token expires (5 minutes)
 }
 ```

@@ -774,8 +775,8 @@ The script will:
 1. Create a monitoring user (pulse-monitor@pam or pulse-monitor@pbs)
 2. Generate an API token for that user
 3. Set appropriate permissions
-4. Prompt for the setup code
-5. Auto-register with Pulse if a valid code is provided
+4. Prompt for the setup token (or read `PULSE_SETUP_TOKEN` if set)
+5. Auto-register with Pulse if a valid token is provided

 ### Auto-Register Node
 Register a node automatically (used by setup scripts). Requires either a valid setup code or API token.