fix battery detection on newer macs (#1170)

agent/battery/battery.go

@@ -20,9 +20,8 @@ func HasReadableBattery() bool {
 	}
 	haveCheckedBattery = true
 	bat, err := battery.Get(0)
-	if err == nil && bat != nil {
+	systemHasBattery = err == nil && bat != nil && bat.Design != 0 && bat.Full != 0
-		systemHasBattery = true
+	if !systemHasBattery {
-	} else {
 		slog.Debug("No battery found", "err", err)
 	}
 	return systemHasBattery

agent/client.go

@@ -85,7 +85,7 @@ func getToken() (string, error) {
 	if err != nil {
 		return "", err
 	}
-	return string(tokenBytes), nil
+	return strings.TrimSpace(string(tokenBytes)), nil
 }
 
 // getOptions returns the WebSocket client options, creating them if necessary.

agent/client_test.go

@@ -537,4 +537,25 @@ func TestGetToken(t *testing.T) {
 		assert.NoError(t, err)
 		assert.Equal(t, "", token, "Empty file should return empty string")
 	})
+
+	t.Run("strips whitespace from TOKEN_FILE", func(t *testing.T) {
+		unsetEnvVars()
+
+		tokenWithWhitespace := "  test-token-with-whitespace  \n\t"
+		expectedToken := "test-token-with-whitespace"
+		tokenFile, err := os.CreateTemp("", "token-test-*.txt")
+		require.NoError(t, err)
+		defer os.Remove(tokenFile.Name())
+
+		_, err = tokenFile.WriteString(tokenWithWhitespace)
+		require.NoError(t, err)
+		tokenFile.Close()
+
+		os.Setenv("TOKEN_FILE", tokenFile.Name())
+		defer os.Unsetenv("TOKEN_FILE")
+
+		token, err := getToken()
+		assert.NoError(t, err)
+		assert.Equal(t, expectedToken, token, "Whitespace should be stripped from token file content")
+	})
 }

i18n.yml

@@ -1,3 +1,3 @@
 files:
-  - source: /beszel/site/src/locales/en/en.po
+  - source: /internal/site/src/locales/en/
-    translation: /beszel/site/src/locales/%two_letters_code%/%two_letters_code%.po
+    translation: /internal/site/src/locales/%two_letters_code%/%two_letters_code%.po

internal/hub/hub.go

@@ -69,6 +69,8 @@ func (h *Hub) StartHub() error {
 		if err := config.SyncSystems(e); err != nil {
 			return err
 		}
+		// register middlewares
+		h.registerMiddlewares(e)
 		// register api routes
 		if err := h.registerApiRoutes(e); err != nil {
 			return err
@@ -171,6 +173,37 @@ func (h *Hub) registerCronJobs(_ *core.ServeEvent) error {
 	return nil
 }
 
+// custom middlewares
+func (h *Hub) registerMiddlewares(se *core.ServeEvent) {
+	// authorizes request with user matching the provided email
+	authorizeRequestWithEmail := func(e *core.RequestEvent, email string) (err error) {
+		if e.Auth != nil || email == "" {
+			return e.Next()
+		}
+		isAuthRefresh := e.Request.URL.Path == "/api/collections/users/auth-refresh" && e.Request.Method == http.MethodPost
+		e.Auth, err = e.App.FindFirstRecordByData("users", "email", email)
+		if err != nil || !isAuthRefresh {
+			return e.Next()
+		}
+		// auth refresh endpoint, make sure token is set in header
+		token, _ := e.Auth.NewAuthToken()
+		e.Request.Header.Set("Authorization", token)
+		return e.Next()
+	}
+	// authenticate with trusted header
+	if autoLogin, _ := GetEnv("AUTO_LOGIN"); autoLogin != "" {
+		se.Router.BindFunc(func(e *core.RequestEvent) error {
+			return authorizeRequestWithEmail(e, autoLogin)
+		})
+	}
+	// authenticate with trusted header
+	if trustedHeader, _ := GetEnv("TRUSTED_AUTH_HEADER"); trustedHeader != "" {
+		se.Router.BindFunc(func(e *core.RequestEvent) error {
+			return authorizeRequestWithEmail(e, e.Request.Header.Get(trustedHeader))
+		})
+	}
+}
+
 // custom api routes
 func (h *Hub) registerApiRoutes(se *core.ServeEvent) error {
 	// auth protected routes

internal/hub/hub_test.go

@@ -711,3 +711,117 @@ func TestCreateUserEndpointAvailability(t *testing.T) {
 		scenario.Test(t)
 	})
 }
+
+func TestAutoLoginMiddleware(t *testing.T) {
+	var hubs []*beszelTests.TestHub
+
+	defer func() {
+		defer os.Unsetenv("AUTO_LOGIN")
+		for _, hub := range hubs {
+			hub.Cleanup()
+		}
+	}()
+
+	os.Setenv("AUTO_LOGIN", "user@test.com")
+
+	testAppFactory := func(t testing.TB) *pbTests.TestApp {
+		hub, _ := beszelTests.NewTestHub(t.TempDir())
+		hubs = append(hubs, hub)
+		hub.StartHub()
+		return hub.TestApp
+	}
+
+	scenarios := []beszelTests.ApiScenario{
+		{
+			Name:            "GET /getkey - without auto login should fail",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/getkey",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:            "GET /getkey - with auto login should fail if no matching user",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/getkey",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:            "GET /getkey - with auto login should succeed",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/getkey",
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"key\":", "\"v\":"},
+			TestAppFactory:  testAppFactory,
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				beszelTests.CreateUser(app, "user@test.com", "password123")
+			},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}
+
+func TestTrustedHeaderMiddleware(t *testing.T) {
+	var hubs []*beszelTests.TestHub
+
+	defer func() {
+		defer os.Unsetenv("TRUSTED_AUTH_HEADER")
+		for _, hub := range hubs {
+			hub.Cleanup()
+		}
+	}()
+
+	os.Setenv("TRUSTED_AUTH_HEADER", "X-Beszel-Trusted")
+
+	testAppFactory := func(t testing.TB) *pbTests.TestApp {
+		hub, _ := beszelTests.NewTestHub(t.TempDir())
+		hubs = append(hubs, hub)
+		hub.StartHub()
+		return hub.TestApp
+	}
+
+	scenarios := []beszelTests.ApiScenario{
+		{
+			Name:            "GET /getkey - without trusted header should fail",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/getkey",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /getkey - with trusted header should fail if no matching user",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/getkey",
+			Headers: map[string]string{
+				"X-Beszel-Trusted": "user@test.com",
+			},
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /getkey - with trusted header should succeed",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/getkey",
+			Headers: map[string]string{
+				"X-Beszel-Trusted": "user@test.com",
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"key\":", "\"v\":"},
+			TestAppFactory:  testAppFactory,
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				beszelTests.CreateUser(app, "user@test.com", "password123")
+			},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}

internal/site/biome.json

@@ -17,7 +17,10 @@
 	"linter": {
 		"enabled": true,
 		"rules": {
-			"recommended": true
+			"recommended": true,
+			"correctness": {
+				"useUniqueElementIds": "off"
+			}
 		}
 	},
 	"javascript": {

internal/site/src/components/add-system.tsx

@@ -22,7 +22,7 @@ import { memo, useEffect, useRef, useState } from "react"
 import { $router, basePath, Link, navigate } from "./router"
 import { SystemRecord } from "@/types"
 import { SystemStatus } from "@/lib/enums"
-import { AppleIcon, DockerIcon, TuxIcon, WindowsIcon } from "./ui/icons"
+import { AppleIcon, DockerIcon, FreeBsdIcon, TuxIcon, WindowsIcon } from "./ui/icons"
 import { InputCopy } from "./ui/input-copy"
 import { getPagePath } from "@nanostores/router"
 import {
@@ -253,6 +253,12 @@ export const SystemDialog = ({ setOpen, system }: { setOpen: (open: boolean) =>
 											copyWindowsCommand(isUnixSocket ? hostValue : port.current?.value, publicKey, token),
 										icons: [WindowsIcon],
 									},
+									{
+										text: t({ message: "FreeBSD command", context: "Button to copy install command" }),
+										onClick: async () =>
+											copyLinuxCommand(isUnixSocket ? hostValue : port.current?.value, publicKey, token),
+										icons: [FreeBsdIcon],
+									},
 									{
 										text: t`Manual setup instructions`,
 										url: "https://beszel.dev/guide/agent-installation#binary",

internal/site/src/components/routes/settings/tokens-fingerprints.tsx

@@ -9,6 +9,7 @@ import {
 	RotateCwIcon,
 	ServerIcon,
 	Trash2Icon,
+	ExternalLinkIcon,
 } from "lucide-react"
 import { memo, useEffect, useMemo, useState } from "react"
 import {
@@ -28,7 +29,7 @@ import {
 	DropdownMenuSeparator,
 	DropdownMenuTrigger,
 } from "@/components/ui/dropdown-menu"
-import { AppleIcon, DockerIcon, TuxIcon, WindowsIcon } from "@/components/ui/icons"
+import { AppleIcon, DockerIcon, FreeBsdIcon, TuxIcon, WindowsIcon } from "@/components/ui/icons"
 import { Separator } from "@/components/ui/separator"
 import { Switch } from "@/components/ui/switch"
 import { Table, TableBody, TableCell, TableHead, TableHeader, TableRow } from "@/components/ui/table"
@@ -150,6 +151,7 @@ const SectionUniversalToken = memo(() => {
 		setIsLoading(false)
 	}
 
+	// biome-ignore lint/correctness/useExhaustiveDependencies: only on mount
 	useEffect(() => {
 		updateToken()
 	}, [])
@@ -221,6 +223,16 @@ const ActionsButtonUniversalToken = memo(({ token, checked }: { token: string; c
 			onClick: () => copyWindowsCommand(port, publicKey, token),
 			icons: [WindowsIcon],
 		},
+		{
+			text: t({ message: "FreeBSD command", context: "Button to copy install command" }),
+			onClick: () => copyLinuxCommand(port, publicKey, token),
+			icons: [FreeBsdIcon],
+		},
+		{
+			text: t`Manual setup instructions`,
+			url: "https://beszel.dev/guide/agent-installation#binary",
+			icons: [ExternalLinkIcon],
+		},
 	]
 	return (
 		<div className="flex items-center gap-2">
@@ -291,8 +303,8 @@ const SectionTable = memo(({ fingerprints = [] }: { fingerprints: FingerprintRec
 					</tr>
 				</TableHeader>
 				<TableBody className="whitespace-pre">
-					{fingerprints.map((fingerprint, i) => (
+					{fingerprints.map((fingerprint) => (
-						<TableRow key={i}>
+						<TableRow key={fingerprint.id}>
 							<TableCell className="font-medium ps-5 py-2 max-w-60 truncate">
 								{fingerprint.expand.system.name}
 							</TableCell>
@@ -317,10 +329,10 @@ async function updateFingerprint(fingerprint: FingerprintRecord, rotateToken = f
 			fingerprint: "",
 			token: rotateToken ? generateToken() : fingerprint.token,
 		})
-	} catch (error: any) {
+	} catch (error: unknown) {
 		toast({
 			title: t`Error`,
-			description: error.message,
+			description: (error as Error).message,
 		})
 	}
 }

internal/site/src/lib/systemsManager.ts

@@ -1,3 +1,4 @@
+/** biome-ignore-all lint/suspicious/noAssignInExpressions: it's fine :) */
 import type { PreinitializedMapStore } from "nanostores"
 import { pb, verifyAuth } from "@/lib/api"
 import {
@@ -16,9 +17,10 @@ const COLLECTION = pb.collection<SystemRecord>("systems")
 const FIELDS_DEFAULT = "id,name,host,port,info,status"
 
 /** Maximum system name length for display purposes */
-const MAX_SYSTEM_NAME_LENGTH = 20
+const MAX_SYSTEM_NAME_LENGTH = 22
 
 let initialized = false
+// biome-ignore lint/suspicious/noConfusingVoidType: typescript rocks
 let unsub: (() => void) | undefined | void
 
 /** Initialize the systems manager and set up listeners */
@@ -104,20 +106,37 @@ async function fetchSystems(): Promise<SystemRecord[]> {
 	}
 }
 
+/** Makes sure the system has valid info object and throws if not */
+function validateSystemInfo(system: SystemRecord) {
+	if (!("cpu" in system.info)) {
+		throw new Error(`${system.name} has no CPU info`)
+	}
+}
+
 /** Add system to both name and ID stores */
 export function add(system: SystemRecord) {
+	try {
+		validateSystemInfo(system)
 		$allSystemsByName.setKey(system.name, system)
 		$allSystemsById.setKey(system.id, system)
+	} catch (error) {
+		console.error(error)
+	}
 }
 
 /** Update system in stores */
 export function update(system: SystemRecord) {
+	try {
+		validateSystemInfo(system)
 		// if name changed, make sure old name is removed from the name store
 		const oldName = $allSystemsById.get()[system.id]?.name
 		if (oldName !== system.name) {
-		$allSystemsByName.setKey(oldName, undefined as any)
+			$allSystemsByName.setKey(oldName, undefined as unknown as SystemRecord)
 		}
 		add(system)
+	} catch (error) {
+		console.error(error)
+	}
 }
 
 /** Remove system from stores */
@@ -132,7 +151,7 @@ export function remove(system: SystemRecord) {
 /** Remove system from specific store */
 function removeFromStore(system: SystemRecord, store: PreinitializedMapStore<Record<string, SystemRecord>>) {
 	const key = store === $allSystemsByName ? system.name : system.id
-	store.setKey(key, undefined as any)
+	store.setKey(key, undefined as unknown as SystemRecord)
 }
 
 /** Action functions for subscription */

internal/site/src/locales/zh-CN/zh-CN.po

@@ -660,11 +660,11 @@ msgstr "内存"
 #: src/components/routes/system.tsx
 #: src/lib/alerts.ts
 msgid "Memory Usage"
-msgstr "内存使用"
+msgstr "内存使用率"
 
 #: src/components/routes/system.tsx
 msgid "Memory usage of docker containers"
-msgstr "Docker 容器的内存使用"
+msgstr "Docker 容器的内存使用率"
 
 #: src/components/add-system.tsx
 #: src/components/alerts-history-columns.tsx
@@ -931,7 +931,7 @@ msgstr "系统使用的 SWAP 空间"
 
 #: src/components/routes/system.tsx
 msgid "Swap Usage"
-msgstr "SWAP 使用"
+msgstr "SWAP 使用率"
 
 #: src/components/alerts-history-columns.tsx
 #: src/components/routes/settings/tokens-fingerprints.tsx
@@ -1024,7 +1024,7 @@ msgstr "令牌"
 #: src/components/routes/settings/layout.tsx
 #: src/components/routes/settings/tokens-fingerprints.tsx
 msgid "Tokens & Fingerprints"
-msgstr "令牌和指纹"
+msgstr "令牌与指纹"
 
 #: src/components/routes/settings/tokens-fingerprints.tsx
 msgid "Tokens allow agents to connect and register. Fingerprints are stable identifiers unique to each system, set on first connection."
@@ -1032,7 +1032,7 @@ msgstr "令牌允许客户端连接和注册。指纹是每个系统唯一的稳
 
 #: src/components/routes/settings/tokens-fingerprints.tsx
 msgid "Tokens and fingerprints are used to authenticate WebSocket connections to the hub."
-msgstr "令牌和指纹用于验证到中心的WebSocket连接。"
+msgstr "令牌与指纹用于验证到中心的 WebSocket 连接。"
 
 #: src/lib/alerts.ts
 msgid "Triggers when 1 minute load average exceeds a threshold"

internal/site/src/main.tsx

@@ -74,6 +74,19 @@ const Layout = () => {
 		document.documentElement.dir = direction
 	}, [direction])
 
+	// biome-ignore lint/correctness/useExhaustiveDependencies: only run on mount
+	useEffect(() => {
+		// refresh auth if not authenticated (required for trusted auth header)
+		if (!authenticated) {
+			pb.collection("users")
+				.authRefresh()
+				.then((res) => {
+					pb.authStore.save(res.token, res.record)
+					$authenticated.set(!!pb.authStore.isValid)
+				})
+		}
+	}, [])
+
 	return (
 		<DirectionProvider dir={direction}>
 			{!authenticated ? (

supplemental/CHANGELOG.md

@@ -1,5 +1,13 @@
 ## 0.12.8
 
+- Add setting for time format (12h / 24h). (#424)
+
+- Add experimental one-time password (OTP) support.
+
+- Add `TRUSTED_AUTH_HEADER` environment variable for authentication forwarding. (#399)
+
+- Add `AUTO_LOGIN` environment variable for automatic login. (#399)
+
 - Add FreeBSD support for agent install script and update command.
 
 ## 0.12.7

supplemental/kubernetes/beszel-hub/charts/templates/service.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: {{ include "beszel.fullname" . }}-web
+  name: {{ include "beszel.fullname" . }}
   labels:
     {{- include "beszel.labels" . | nindent 4 }}
 {{- if .Values.service.annotations }}

supplemental/kubernetes/beszel-hub/charts/values.yaml

@@ -30,14 +30,10 @@ securityContext: {}
 
 service:
   enabled: true
-  type: LoadBalancer
+  annotations: {}
-  loadBalancerIP: "10.0.10.251"
+  type: ClusterIP
+  loadBalancerIP: ""
   port: 8090
-# -- Annotations for the DHCP service
-  annotations:
-    metallb.universe.tf/address-pool: pool
-    metallb.universe.tf/allow-shared-ip: beszel-hub-web
-  # -- Labels for the DHCP service
 
 ingress:
   enabled: false
@@ -96,7 +92,7 @@ persistentVolumeClaim:
   accessModes:
     - ReadWriteOnce
 
-  storageClass: "retain-local-path"
+  storageClass: ""
 
   # -- volume claim size
   size: "500Mi"