fix(agent): isolate container network rate tracking per cache interval

Previously, the agent shared a single PrevReadTime timestamp across all
collection intervals (e.g., 1s and 60s). This caused the 60s collector
to divide its accumulated 60s byte delta by the tiny time elapsed since
the last 1s collection, resulting in astronomically inflated network
rates. The fix introduces per-cache-time read time tracking, ensuring
calculations for each interval use their own independent timing context.

agent/docker.go

@@ -77,6 +77,7 @@ type dockerManager struct {
 	// cacheTimeMs -> DeltaTracker for network bytes sent/received
 	networkSentTrackers map[uint16]*deltatracker.DeltaTracker[string, uint64]
 	networkRecvTrackers map[uint16]*deltatracker.DeltaTracker[string, uint64]
+	lastNetworkReadTime map[uint16]map[string]time.Time // cacheTimeMs -> containerId -> last network read time
 	retrySleep          func(time.Duration)
 }
 
@@ -285,7 +286,7 @@ func (dm *dockerManager) cycleNetworkDeltasForCacheTime(cacheTimeMs uint16) {
 }
 
 // calculateNetworkStats calculates network sent/receive deltas using DeltaTracker
-func (dm *dockerManager) calculateNetworkStats(ctr *container.ApiInfo, apiStats *container.ApiStats, stats *container.Stats, initialized bool, name string, cacheTimeMs uint16) (uint64, uint64) {
+func (dm *dockerManager) calculateNetworkStats(ctr *container.ApiInfo, apiStats *container.ApiStats, name string, cacheTimeMs uint16) (uint64, uint64) {
 	var total_sent, total_recv uint64
 	for _, v := range apiStats.Networks {
 		total_sent += v.TxBytes
@@ -304,10 +305,11 @@ func (dm *dockerManager) calculateNetworkStats(ctr *container.ApiInfo, apiStats
 	sent_delta_raw := sentTracker.Delta(ctr.IdShort)
 	recv_delta_raw := recvTracker.Delta(ctr.IdShort)
 
-	// Calculate bytes per second independently for Tx and Rx if we have previous data
+	// Calculate bytes per second using per-cache-time read time to avoid
+	// interference between different cache intervals (e.g. 1000ms vs 60000ms)
 	var sent_delta, recv_delta uint64
-	if initialized {
+	if prevReadTime, ok := dm.lastNetworkReadTime[cacheTimeMs][ctr.IdShort]; ok {
-		millisecondsElapsed := uint64(time.Since(stats.PrevReadTime).Milliseconds())
+		millisecondsElapsed := uint64(time.Since(prevReadTime).Milliseconds())
 		if millisecondsElapsed > 0 {
 			if sent_delta_raw > 0 {
 				sent_delta = sent_delta_raw * 1000 / millisecondsElapsed
@@ -542,7 +544,13 @@ func (dm *dockerManager) updateContainerStats(ctr *container.ApiInfo, cacheTimeM
 	}
 
 	// Calculate network stats using DeltaTracker
-	sent_delta, recv_delta := dm.calculateNetworkStats(ctr, res, stats, initialized, name, cacheTimeMs)
+	sent_delta, recv_delta := dm.calculateNetworkStats(ctr, res, name, cacheTimeMs)
+
+	// Store per-cache-time network read time for next rate calculation
+	if dm.lastNetworkReadTime[cacheTimeMs] == nil {
+		dm.lastNetworkReadTime[cacheTimeMs] = make(map[string]time.Time)
+	}
+	dm.lastNetworkReadTime[cacheTimeMs][ctr.IdShort] = time.Now()
 
 	// Store current network values for legacy compatibility
 	var total_sent, total_recv uint64
@@ -574,6 +582,9 @@ func (dm *dockerManager) deleteContainerStatsSync(id string) {
 	for ct := range dm.lastCpuReadTime {
 		delete(dm.lastCpuReadTime[ct], id)
 	}
+	for ct := range dm.lastNetworkReadTime {
+		delete(dm.lastNetworkReadTime[ct], id)
+	}
 }
 
 // Creates a new http client for Docker or Podman API
@@ -659,6 +670,7 @@ func newDockerManager() *dockerManager {
 		lastCpuReadTime:     make(map[uint16]map[string]time.Time),
 		networkSentTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
 		networkRecvTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
+		lastNetworkReadTime: make(map[uint16]map[string]time.Time),
 		retrySleep:          time.Sleep,
 	}
 

agent/docker_test.go

@@ -408,6 +408,7 @@ func TestCalculateNetworkStats(t *testing.T) {
 	dm := &dockerManager{
 		networkSentTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
 		networkRecvTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
+		lastNetworkReadTime: make(map[uint16]map[string]time.Time),
 	}
 
 	cacheTimeMs := uint16(30000)
@@ -423,6 +424,11 @@ func TestCalculateNetworkStats(t *testing.T) {
 	dm.networkSentTrackers[cacheTimeMs] = sentTracker
 	dm.networkRecvTrackers[cacheTimeMs] = recvTracker
 
+	// Set per-cache-time network read time (1 second ago)
+	dm.lastNetworkReadTime[cacheTimeMs] = map[string]time.Time{
+		"container1": time.Now().Add(-time.Second),
+	}
+
 	ctr := &container.ApiInfo{
 		IdShort: "container1",
 	}
@@ -433,12 +439,8 @@ func TestCalculateNetworkStats(t *testing.T) {
 		},
 	}
 
-	stats := &container.Stats{
-		PrevReadTime: time.Now().Add(-time.Second), // 1 second ago
-	}
-
 	// Test with initialized container
-	sent, recv := dm.calculateNetworkStats(ctr, apiStats, stats, true, "test-container", cacheTimeMs)
+	sent, recv := dm.calculateNetworkStats(ctr, apiStats, "test-container", cacheTimeMs)
 
 	// Should return calculated byte rates per second
 	assert.GreaterOrEqual(t, sent, uint64(0))
@@ -446,12 +448,76 @@ func TestCalculateNetworkStats(t *testing.T) {
 
 	// Cycle and test one-direction change (Tx only) is reflected independently
 	dm.cycleNetworkDeltasForCacheTime(cacheTimeMs)
+	dm.lastNetworkReadTime[cacheTimeMs]["container1"] = time.Now().Add(-time.Second)
 	apiStats.Networks["eth0"] = container.NetworkStats{TxBytes: 2500, RxBytes: 1800} // +500 Tx only
-	sent, recv = dm.calculateNetworkStats(ctr, apiStats, stats, true, "test-container", cacheTimeMs)
+	sent, recv = dm.calculateNetworkStats(ctr, apiStats, "test-container", cacheTimeMs)
 	assert.Greater(t, sent, uint64(0))
 	assert.Equal(t, uint64(0), recv)
 }
 
+// TestNetworkStatsCacheTimeIsolation verifies that frequent collections at one cache time
+// (e.g. 1000ms) don't cause inflated rates at another cache time (e.g. 60000ms).
+// This was a bug where PrevReadTime was shared, so the 60000ms tracker would see a
+// large byte delta divided by a tiny elapsed time (set by the 1000ms path).
+func TestNetworkStatsCacheTimeIsolation(t *testing.T) {
+	dm := &dockerManager{
+		networkSentTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
+		networkRecvTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
+		lastNetworkReadTime: make(map[uint16]map[string]time.Time),
+	}
+
+	ctr := &container.ApiInfo{IdShort: "container1"}
+	fastCache := uint16(1000)
+	slowCache := uint16(60000)
+
+	// Baseline for both cache times at T=0 with 100 bytes total
+	baseline := &container.ApiStats{
+		Networks: map[string]container.NetworkStats{
+			"eth0": {TxBytes: 100, RxBytes: 100},
+		},
+	}
+	dm.calculateNetworkStats(ctr, baseline, "test", fastCache)
+	dm.calculateNetworkStats(ctr, baseline, "test", slowCache)
+
+	// Record read times and cycle both
+	now := time.Now()
+	dm.lastNetworkReadTime[fastCache] = map[string]time.Time{"container1": now}
+	dm.lastNetworkReadTime[slowCache] = map[string]time.Time{"container1": now}
+	dm.cycleNetworkDeltasForCacheTime(fastCache)
+	dm.cycleNetworkDeltasForCacheTime(slowCache)
+
+	// Simulate many fast (1000ms) collections over ~5 seconds, each adding 10 bytes
+	totalBytes := uint64(100)
+	for i := 0; i < 5; i++ {
+		totalBytes += 10
+		stats := &container.ApiStats{
+			Networks: map[string]container.NetworkStats{
+				"eth0": {TxBytes: totalBytes, RxBytes: totalBytes},
+			},
+		}
+		// Set fast cache read time to 1 second ago
+		dm.lastNetworkReadTime[fastCache]["container1"] = time.Now().Add(-time.Second)
+		sent, _ := dm.calculateNetworkStats(ctr, stats, "test", fastCache)
+		// Fast cache should see ~10 bytes/sec per interval
+		assert.LessOrEqual(t, sent, uint64(100), "fast cache rate should be reasonable")
+		dm.cycleNetworkDeltasForCacheTime(fastCache)
+	}
+
+	// Now do slow cache collection — total delta is 50 bytes over ~5 seconds
+	// Set slow cache read time to 5 seconds ago (the actual elapsed time)
+	dm.lastNetworkReadTime[slowCache]["container1"] = time.Now().Add(-5 * time.Second)
+	finalStats := &container.ApiStats{
+		Networks: map[string]container.NetworkStats{
+			"eth0": {TxBytes: totalBytes, RxBytes: totalBytes},
+		},
+	}
+	sent, _ := dm.calculateNetworkStats(ctr, finalStats, "test", slowCache)
+
+	// Slow cache rate should be ~10 bytes/sec (50 bytes / 5 seconds), NOT 100x inflated
+	assert.LessOrEqual(t, sent, uint64(100), "slow cache rate should NOT be inflated by fast cache collections")
+	assert.GreaterOrEqual(t, sent, uint64(1), "slow cache should still report some traffic")
+}
+
 func TestDockerManagerCreation(t *testing.T) {
 	// Test that dockerManager can be created without panicking
 	dm := &dockerManager{
@@ -460,6 +526,7 @@ func TestDockerManagerCreation(t *testing.T) {
 		lastCpuReadTime:     make(map[uint16]map[string]time.Time),
 		networkSentTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
 		networkRecvTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
+		lastNetworkReadTime: make(map[uint16]map[string]time.Time),
 	}
 
 	assert.NotNil(t, dm)
@@ -467,6 +534,7 @@ func TestDockerManagerCreation(t *testing.T) {
 	assert.NotNil(t, dm.lastCpuSystem)
 	assert.NotNil(t, dm.networkSentTrackers)
 	assert.NotNil(t, dm.networkRecvTrackers)
+	assert.NotNil(t, dm.lastNetworkReadTime)
 }
 
 func TestCheckDockerVersion(t *testing.T) {
@@ -651,6 +719,7 @@ func TestDockerStatsWithMockData(t *testing.T) {
 		lastCpuReadTime:     make(map[uint16]map[string]time.Time),
 		networkSentTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
 		networkRecvTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
+		lastNetworkReadTime: make(map[uint16]map[string]time.Time),
 		containerStatsMap:   make(map[string]*container.Stats),
 	}
 
@@ -796,23 +865,22 @@ func TestNetworkStatsCalculationWithRealData(t *testing.T) {
 	dm := &dockerManager{
 		networkSentTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
 		networkRecvTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
+		lastNetworkReadTime: make(map[uint16]map[string]time.Time),
 	}
 
 	ctr := &container.ApiInfo{IdShort: "test-container"}
 	cacheTimeMs := uint16(30000) // Test with 30 second cache
 
-	// Use exact timing for deterministic results
+	// First call sets baseline (no previous read time, so rates should be 0)
-	exactly1000msAgo := time.Now().Add(-1000 * time.Millisecond)
+	sent1, recv1 := dm.calculateNetworkStats(ctr, apiStats1, "test", cacheTimeMs)
-	stats := &container.Stats{
-		PrevReadTime: exactly1000msAgo,
-	}
-
-	// First call sets baseline
-	sent1, recv1 := dm.calculateNetworkStats(ctr, apiStats1, stats, true, "test", cacheTimeMs)
 	assert.Equal(t, uint64(0), sent1)
 	assert.Equal(t, uint64(0), recv1)
 
-	// Cycle to establish baseline for this cache time
+	// Record read time and cycle to establish baseline for this cache time
+	exactly1000msAgo := time.Now().Add(-1000 * time.Millisecond)
+	dm.lastNetworkReadTime[cacheTimeMs] = map[string]time.Time{
+		"test-container": exactly1000msAgo,
+	}
 	dm.cycleNetworkDeltasForCacheTime(cacheTimeMs)
 
 	// Calculate expected results precisely
@@ -823,7 +891,7 @@ func TestNetworkStatsCalculationWithRealData(t *testing.T) {
 	expectedRecvRate := deltaRecv * 1000 / expectedElapsedMs // Should be exactly 1000000
 
 	// Second call with changed data
-	sent2, recv2 := dm.calculateNetworkStats(ctr, apiStats2, stats, true, "test", cacheTimeMs)
+	sent2, recv2 := dm.calculateNetworkStats(ctr, apiStats2, "test", cacheTimeMs)
 
 	// Should be exactly the expected rates (no tolerance needed)
 	assert.Equal(t, expectedSentRate, sent2)
@@ -831,12 +899,13 @@ func TestNetworkStatsCalculationWithRealData(t *testing.T) {
 
 	// Bad speed cap: set absurd delta over 1ms and expect 0 due to cap
 	dm.cycleNetworkDeltasForCacheTime(cacheTimeMs)
-	stats.PrevReadTime = time.Now().Add(-1 * time.Millisecond)
+	dm.lastNetworkReadTime[cacheTimeMs]["test-container"] = time.Now().Add(-1 * time.Millisecond)
 	apiStats1.Networks["eth0"] = container.NetworkStats{TxBytes: 0, RxBytes: 0}
 	apiStats2.Networks["eth0"] = container.NetworkStats{TxBytes: 10 * 1024 * 1024 * 1024, RxBytes: 0} // 10GB delta
-	_, _ = dm.calculateNetworkStats(ctr, apiStats1, stats, true, "test", cacheTimeMs)                 // baseline
+	_, _ = dm.calculateNetworkStats(ctr, apiStats1, "test", cacheTimeMs)                              // baseline
 	dm.cycleNetworkDeltasForCacheTime(cacheTimeMs)
-	sent3, recv3 := dm.calculateNetworkStats(ctr, apiStats2, stats, true, "test", cacheTimeMs)
+	dm.lastNetworkReadTime[cacheTimeMs]["test-container"] = time.Now().Add(-1 * time.Millisecond)
+	sent3, recv3 := dm.calculateNetworkStats(ctr, apiStats2, "test", cacheTimeMs)
 	assert.Equal(t, uint64(0), sent3)
 	assert.Equal(t, uint64(0), recv3)
 }
@@ -857,6 +926,7 @@ func TestContainerStatsEndToEndWithRealData(t *testing.T) {
 		lastCpuReadTime:     make(map[uint16]map[string]time.Time),
 		networkSentTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
 		networkRecvTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
+		lastNetworkReadTime: make(map[uint16]map[string]time.Time),
 		containerStatsMap:   make(map[string]*container.Stats),
 	}
 
@@ -978,6 +1048,7 @@ func TestDockerStatsWorkflow(t *testing.T) {
 		lastCpuSystem:       make(map[uint16]map[string]uint64),
 		networkSentTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
 		networkRecvTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
+		lastNetworkReadTime: make(map[uint16]map[string]time.Time),
 		containerStatsMap:   make(map[string]*container.Stats),
 	}
 
@@ -1242,6 +1313,7 @@ func TestUpdateContainerStatsUsesPodmanInspectHealthFallback(t *testing.T) {
 		lastCpuReadTime:     make(map[uint16]map[string]time.Time),
 		networkSentTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
 		networkRecvTrackers: make(map[uint16]*deltatracker.DeltaTracker[string, uint64]),
+		lastNetworkReadTime: make(map[uint16]map[string]time.Time),
 	}
 
 	ctr := &container.ApiInfo{

internal/ghupdate/ghupdate.go

@@ -110,21 +110,13 @@ func (p *updater) update() (updated bool, err error) {
 	}
 
 	var latest *release
-	var useMirror bool
 
-	// Determine the API endpoint based on UseMirror flag
+	apiURL := getApiURL(p.config.UseMirror, p.config.Owner, p.config.Repo)
-	apiURL := fmt.Sprintf("https://api.github.com/repos/%s/%s/releases/latest", p.config.Owner, p.config.Repo)
 	if p.config.UseMirror {
-		useMirror = true
-		apiURL = fmt.Sprintf("https://gh.beszel.dev/repos/%s/%s/releases/latest?api=true", p.config.Owner, p.config.Repo)
 		ColorPrint(ColorYellow, "Using mirror for update.")
 	}
 
-	latest, err = fetchLatestRelease(
+	latest, err = FetchLatestRelease(p.config.Context, p.config.HttpClient, apiURL)
-		p.config.Context,
-		p.config.HttpClient,
-		apiURL,
-	)
 	if err != nil {
 		return false, err
 	}
@@ -150,7 +142,7 @@ func (p *updater) update() (updated bool, err error) {
 
 	// download the release asset
 	assetPath := filepath.Join(releaseDir, asset.Name)
-	if err := downloadFile(p.config.Context, p.config.HttpClient, asset.DownloadUrl, assetPath, useMirror); err != nil {
+	if err := downloadFile(p.config.Context, p.config.HttpClient, asset.DownloadUrl, assetPath, p.config.UseMirror); err != nil {
 		return false, err
 	}
 
@@ -226,11 +218,11 @@ func (p *updater) update() (updated bool, err error) {
 	return true, nil
 }
 
-func fetchLatestRelease(
+func FetchLatestRelease(ctx context.Context, client HttpClient, url string) (*release, error) {
-	ctx context.Context,
+	if url == "" {
-	client HttpClient,
+		url = getApiURL(false, "henrygd", "beszel")
-	url string,
+	}
-) (*release, error) {
+
 	req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
 	if err != nil {
 		return nil, err
@@ -375,3 +367,10 @@ func isGlibc() bool {
 	}
 	return false
 }
+
+func getApiURL(useMirror bool, owner, repo string) string {
+	if useMirror {
+		return fmt.Sprintf("https://gh.beszel.dev/repos/%s/%s/releases/latest?api=true", owner, repo)
+	}
+	return fmt.Sprintf("https://api.github.com/repos/%s/%s/releases/latest", owner, repo)
+}

internal/hub/api.go

@@ -0,0 +1,361 @@
+package hub
+
+import (
+	"context"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/blang/semver"
+	"github.com/google/uuid"
+	"github.com/henrygd/beszel"
+	"github.com/henrygd/beszel/internal/alerts"
+	"github.com/henrygd/beszel/internal/ghupdate"
+	"github.com/henrygd/beszel/internal/hub/config"
+	"github.com/henrygd/beszel/internal/hub/systems"
+	"github.com/pocketbase/dbx"
+	"github.com/pocketbase/pocketbase/apis"
+	"github.com/pocketbase/pocketbase/core"
+)
+
+// UpdateInfo holds information about the latest update check
+type UpdateInfo struct {
+	lastCheck time.Time
+	Version   string `json:"v"`
+	Url       string `json:"url"`
+}
+
+// registerMiddlewares registers custom middlewares
+func (h *Hub) registerMiddlewares(se *core.ServeEvent) {
+	// authorizes request with user matching the provided email
+	authorizeRequestWithEmail := func(e *core.RequestEvent, email string) (err error) {
+		if e.Auth != nil || email == "" {
+			return e.Next()
+		}
+		isAuthRefresh := e.Request.URL.Path == "/api/collections/users/auth-refresh" && e.Request.Method == http.MethodPost
+		e.Auth, err = e.App.FindFirstRecordByData("users", "email", email)
+		if err != nil || !isAuthRefresh {
+			return e.Next()
+		}
+		// auth refresh endpoint, make sure token is set in header
+		token, _ := e.Auth.NewAuthToken()
+		e.Request.Header.Set("Authorization", token)
+		return e.Next()
+	}
+	// authenticate with trusted header
+	if autoLogin, _ := GetEnv("AUTO_LOGIN"); autoLogin != "" {
+		se.Router.BindFunc(func(e *core.RequestEvent) error {
+			return authorizeRequestWithEmail(e, autoLogin)
+		})
+	}
+	// authenticate with trusted header
+	if trustedHeader, _ := GetEnv("TRUSTED_AUTH_HEADER"); trustedHeader != "" {
+		se.Router.BindFunc(func(e *core.RequestEvent) error {
+			return authorizeRequestWithEmail(e, e.Request.Header.Get(trustedHeader))
+		})
+	}
+}
+
+// registerApiRoutes registers custom API routes
+func (h *Hub) registerApiRoutes(se *core.ServeEvent) error {
+	// auth protected routes
+	apiAuth := se.Router.Group("/api/beszel")
+	apiAuth.Bind(apis.RequireAuth())
+	// auth optional routes
+	apiNoAuth := se.Router.Group("/api/beszel")
+
+	// create first user endpoint only needed if no users exist
+	if totalUsers, _ := se.App.CountRecords("users"); totalUsers == 0 {
+		apiNoAuth.POST("/create-user", h.um.CreateFirstUser)
+	}
+	// check if first time setup on login page
+	apiNoAuth.GET("/first-run", func(e *core.RequestEvent) error {
+		total, err := e.App.CountRecords("users")
+		return e.JSON(http.StatusOK, map[string]bool{"firstRun": err == nil && total == 0})
+	})
+	// get public key and version
+	apiAuth.GET("/info", h.getInfo)
+	apiAuth.GET("/getkey", h.getInfo) // deprecated - keep for compatibility w/ integrations
+	// check for updates
+	if optIn, _ := GetEnv("CHECK_UPDATES"); optIn == "true" {
+		var updateInfo UpdateInfo
+		apiAuth.GET("/update", updateInfo.getUpdate)
+	}
+	// send test notification
+	apiAuth.POST("/test-notification", h.SendTestNotification)
+	// heartbeat status and test
+	apiAuth.GET("/heartbeat-status", h.getHeartbeatStatus)
+	apiAuth.POST("/test-heartbeat", h.testHeartbeat)
+	// get config.yml content
+	apiAuth.GET("/config-yaml", config.GetYamlConfig)
+	// handle agent websocket connection
+	apiNoAuth.GET("/agent-connect", h.handleAgentConnect)
+	// get or create universal tokens
+	apiAuth.GET("/universal-token", h.getUniversalToken)
+	// update / delete user alerts
+	apiAuth.POST("/user-alerts", alerts.UpsertUserAlerts)
+	apiAuth.DELETE("/user-alerts", alerts.DeleteUserAlerts)
+	// refresh SMART devices for a system
+	apiAuth.POST("/smart/refresh", h.refreshSmartData)
+	// get systemd service details
+	apiAuth.GET("/systemd/info", h.getSystemdInfo)
+	// /containers routes
+	if enabled, _ := GetEnv("CONTAINER_DETAILS"); enabled != "false" {
+		// get container logs
+		apiAuth.GET("/containers/logs", h.getContainerLogs)
+		// get container info
+		apiAuth.GET("/containers/info", h.getContainerInfo)
+	}
+	return nil
+}
+
+// getInfo returns data needed by authenticated users, such as the public key and current version
+func (h *Hub) getInfo(e *core.RequestEvent) error {
+	type infoResponse struct {
+		Key         string `json:"key"`
+		Version     string `json:"v"`
+		CheckUpdate bool   `json:"cu"`
+	}
+	info := infoResponse{
+		Key:     h.pubKey,
+		Version: beszel.Version,
+	}
+	if optIn, _ := GetEnv("CHECK_UPDATES"); optIn == "true" {
+		info.CheckUpdate = true
+	}
+	return e.JSON(http.StatusOK, info)
+}
+
+// getUpdate checks for the latest release on GitHub and returns update info if a newer version is available
+func (info *UpdateInfo) getUpdate(e *core.RequestEvent) error {
+	if time.Since(info.lastCheck) < 6*time.Hour {
+		return e.JSON(http.StatusOK, info)
+	}
+	info.lastCheck = time.Now()
+	latestRelease, err := ghupdate.FetchLatestRelease(context.Background(), http.DefaultClient, "")
+	if err != nil {
+		return err
+	}
+	currentVersion, err := semver.Parse(strings.TrimPrefix(beszel.Version, "v"))
+	if err != nil {
+		return err
+	}
+	latestVersion, err := semver.Parse(strings.TrimPrefix(latestRelease.Tag, "v"))
+	if err != nil {
+		return err
+	}
+	if latestVersion.GT(currentVersion) {
+		info.Version = strings.TrimPrefix(latestRelease.Tag, "v")
+		info.Url = latestRelease.Url
+	}
+	return e.JSON(http.StatusOK, info)
+}
+
+// GetUniversalToken handles the universal token API endpoint (create, read, delete)
+func (h *Hub) getUniversalToken(e *core.RequestEvent) error {
+	tokenMap := universalTokenMap.GetMap()
+	userID := e.Auth.Id
+	query := e.Request.URL.Query()
+	token := query.Get("token")
+	enable := query.Get("enable")
+	permanent := query.Get("permanent")
+
+	// helper for deleting any existing permanent token record for this user
+	deletePermanent := func() error {
+		rec, err := h.FindFirstRecordByFilter("universal_tokens", "user = {:user}", dbx.Params{"user": userID})
+		if err != nil {
+			return nil // no record
+		}
+		return h.Delete(rec)
+	}
+
+	// helper for upserting a permanent token record for this user
+	upsertPermanent := func(token string) error {
+		rec, err := h.FindFirstRecordByFilter("universal_tokens", "user = {:user}", dbx.Params{"user": userID})
+		if err == nil {
+			rec.Set("token", token)
+			return h.Save(rec)
+		}
+
+		col, err := h.FindCachedCollectionByNameOrId("universal_tokens")
+		if err != nil {
+			return err
+		}
+		newRec := core.NewRecord(col)
+		newRec.Set("user", userID)
+		newRec.Set("token", token)
+		return h.Save(newRec)
+	}
+
+	// Disable universal tokens (both ephemeral and permanent)
+	if enable == "0" {
+		tokenMap.RemovebyValue(userID)
+		_ = deletePermanent()
+		return e.JSON(http.StatusOK, map[string]any{"token": token, "active": false, "permanent": false})
+	}
+
+	// Enable universal token (ephemeral or permanent)
+	if enable == "1" {
+		if token == "" {
+			token = uuid.New().String()
+		}
+
+		if permanent == "1" {
+			// make token permanent (persist across restarts)
+			tokenMap.RemovebyValue(userID)
+			if err := upsertPermanent(token); err != nil {
+				return err
+			}
+			return e.JSON(http.StatusOK, map[string]any{"token": token, "active": true, "permanent": true})
+		}
+
+		// default: ephemeral mode (1 hour)
+		_ = deletePermanent()
+		tokenMap.Set(token, userID, time.Hour)
+		return e.JSON(http.StatusOK, map[string]any{"token": token, "active": true, "permanent": false})
+	}
+
+	// Read current state
+	// Prefer permanent token if it exists.
+	if rec, err := h.FindFirstRecordByFilter("universal_tokens", "user = {:user}", dbx.Params{"user": userID}); err == nil {
+		dbToken := rec.GetString("token")
+		// If no token was provided, or the caller is asking about their permanent token, return it.
+		if token == "" || token == dbToken {
+			return e.JSON(http.StatusOK, map[string]any{"token": dbToken, "active": true, "permanent": true})
+		}
+		// Token doesn't match their permanent token (avoid leaking other info)
+		return e.JSON(http.StatusOK, map[string]any{"token": token, "active": false, "permanent": false})
+	}
+
+	// No permanent token; fall back to ephemeral token map.
+	if token == "" {
+		// return existing token if it exists
+		if token, _, ok := tokenMap.GetByValue(userID); ok {
+			return e.JSON(http.StatusOK, map[string]any{"token": token, "active": true, "permanent": false})
+		}
+		// if no token is provided, generate a new one
+		token = uuid.New().String()
+	}
+
+	// Token is considered active only if it belongs to the current user.
+	activeUser, ok := tokenMap.GetOk(token)
+	active := ok && activeUser == userID
+	response := map[string]any{"token": token, "active": active, "permanent": false}
+	return e.JSON(http.StatusOK, response)
+}
+
+// getHeartbeatStatus returns current heartbeat configuration and whether it's enabled
+func (h *Hub) getHeartbeatStatus(e *core.RequestEvent) error {
+	if e.Auth.GetString("role") != "admin" {
+		return e.ForbiddenError("Requires admin role", nil)
+	}
+	if h.hb == nil {
+		return e.JSON(http.StatusOK, map[string]any{
+			"enabled": false,
+			"msg":     "Set HEARTBEAT_URL to enable outbound heartbeat monitoring",
+		})
+	}
+	cfg := h.hb.GetConfig()
+	return e.JSON(http.StatusOK, map[string]any{
+		"enabled":  true,
+		"url":      cfg.URL,
+		"interval": cfg.Interval,
+		"method":   cfg.Method,
+	})
+}
+
+// testHeartbeat triggers a single heartbeat ping and returns the result
+func (h *Hub) testHeartbeat(e *core.RequestEvent) error {
+	if e.Auth.GetString("role") != "admin" {
+		return e.ForbiddenError("Requires admin role", nil)
+	}
+	if h.hb == nil {
+		return e.JSON(http.StatusOK, map[string]any{
+			"err": "Heartbeat not configured. Set HEARTBEAT_URL environment variable.",
+		})
+	}
+	if err := h.hb.Send(); err != nil {
+		return e.JSON(http.StatusOK, map[string]any{"err": err.Error()})
+	}
+	return e.JSON(http.StatusOK, map[string]any{"err": false})
+}
+
+// containerRequestHandler handles both container logs and info requests
+func (h *Hub) containerRequestHandler(e *core.RequestEvent, fetchFunc func(*systems.System, string) (string, error), responseKey string) error {
+	systemID := e.Request.URL.Query().Get("system")
+	containerID := e.Request.URL.Query().Get("container")
+
+	if systemID == "" || containerID == "" {
+		return e.JSON(http.StatusBadRequest, map[string]string{"error": "system and container parameters are required"})
+	}
+	if !containerIDPattern.MatchString(containerID) {
+		return e.JSON(http.StatusBadRequest, map[string]string{"error": "invalid container parameter"})
+	}
+
+	system, err := h.sm.GetSystem(systemID)
+	if err != nil {
+		return e.JSON(http.StatusNotFound, map[string]string{"error": "system not found"})
+	}
+
+	data, err := fetchFunc(system, containerID)
+	if err != nil {
+		return e.JSON(http.StatusNotFound, map[string]string{"error": err.Error()})
+	}
+
+	return e.JSON(http.StatusOK, map[string]string{responseKey: data})
+}
+
+// getContainerLogs handles GET /api/beszel/containers/logs requests
+func (h *Hub) getContainerLogs(e *core.RequestEvent) error {
+	return h.containerRequestHandler(e, func(system *systems.System, containerID string) (string, error) {
+		return system.FetchContainerLogsFromAgent(containerID)
+	}, "logs")
+}
+
+func (h *Hub) getContainerInfo(e *core.RequestEvent) error {
+	return h.containerRequestHandler(e, func(system *systems.System, containerID string) (string, error) {
+		return system.FetchContainerInfoFromAgent(containerID)
+	}, "info")
+}
+
+// getSystemdInfo handles GET /api/beszel/systemd/info requests
+func (h *Hub) getSystemdInfo(e *core.RequestEvent) error {
+	query := e.Request.URL.Query()
+	systemID := query.Get("system")
+	serviceName := query.Get("service")
+
+	if systemID == "" || serviceName == "" {
+		return e.JSON(http.StatusBadRequest, map[string]string{"error": "system and service parameters are required"})
+	}
+	system, err := h.sm.GetSystem(systemID)
+	if err != nil {
+		return e.JSON(http.StatusNotFound, map[string]string{"error": "system not found"})
+	}
+	details, err := system.FetchSystemdInfoFromAgent(serviceName)
+	if err != nil {
+		return e.JSON(http.StatusNotFound, map[string]string{"error": err.Error()})
+	}
+	e.Response.Header().Set("Cache-Control", "public, max-age=60")
+	return e.JSON(http.StatusOK, map[string]any{"details": details})
+}
+
+// refreshSmartData handles POST /api/beszel/smart/refresh requests
+// Fetches fresh SMART data from the agent and updates the collection
+func (h *Hub) refreshSmartData(e *core.RequestEvent) error {
+	systemID := e.Request.URL.Query().Get("system")
+	if systemID == "" {
+		return e.JSON(http.StatusBadRequest, map[string]string{"error": "system parameter is required"})
+	}
+
+	system, err := h.sm.GetSystem(systemID)
+	if err != nil {
+		return e.JSON(http.StatusNotFound, map[string]string{"error": "system not found"})
+	}
+
+	// Fetch and save SMART devices
+	if err := system.FetchAndSaveSmartDevices(); err != nil {
+		return e.JSON(http.StatusInternalServerError, map[string]string{"error": err.Error()})
+	}
+
+	return e.JSON(http.StatusOK, map[string]string{"status": "ok"})
+}

internal/hub/api_test.go

@@ -0,0 +1,780 @@
+package hub_test
+
+import (
+	"bytes"
+	"encoding/json"
+	"io"
+	"net/http"
+	"testing"
+
+	beszelTests "github.com/henrygd/beszel/internal/tests"
+
+	"github.com/henrygd/beszel/internal/migrations"
+	"github.com/pocketbase/pocketbase/core"
+	pbTests "github.com/pocketbase/pocketbase/tests"
+	"github.com/stretchr/testify/require"
+)
+
+// marshal to json and return an io.Reader (for use in ApiScenario.Body)
+func jsonReader(v any) io.Reader {
+	data, err := json.Marshal(v)
+	if err != nil {
+		panic(err)
+	}
+	return bytes.NewReader(data)
+}
+
+func TestApiRoutesAuthentication(t *testing.T) {
+	hub, _ := beszelTests.NewTestHub(t.TempDir())
+	defer hub.Cleanup()
+
+	hub.StartHub()
+
+	// Create test user and get auth token
+	user, err := beszelTests.CreateUser(hub, "testuser@example.com", "password123")
+	require.NoError(t, err, "Failed to create test user")
+
+	adminUser, err := beszelTests.CreateRecord(hub, "users", map[string]any{
+		"email":    "admin@example.com",
+		"password": "password123",
+		"role":     "admin",
+	})
+	require.NoError(t, err, "Failed to create admin user")
+	adminUserToken, err := adminUser.NewAuthToken()
+
+	// superUser, err := beszelTests.CreateRecord(hub, core.CollectionNameSuperusers, map[string]any{
+	// 	"email":    "superuser@example.com",
+	// 	"password": "password123",
+	// })
+	// require.NoError(t, err, "Failed to create superuser")
+
+	userToken, err := user.NewAuthToken()
+	require.NoError(t, err, "Failed to create auth token")
+
+	// Create test system for user-alerts endpoints
+	system, err := beszelTests.CreateRecord(hub, "systems", map[string]any{
+		"name":  "test-system",
+		"users": []string{user.Id},
+		"host":  "127.0.0.1",
+	})
+	require.NoError(t, err, "Failed to create test system")
+
+	testAppFactory := func(t testing.TB) *pbTests.TestApp {
+		return hub.TestApp
+	}
+
+	scenarios := []beszelTests.ApiScenario{
+		// Auth Protected Routes - Should require authentication
+		{
+			Name:            "POST /test-notification - no auth should fail",
+			Method:          http.MethodPost,
+			URL:             "/api/beszel/test-notification",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"url": "generic://127.0.0.1",
+			}),
+		},
+		{
+			Name:           "POST /test-notification - with auth should succeed",
+			Method:         http.MethodPost,
+			URL:            "/api/beszel/test-notification",
+			TestAppFactory: testAppFactory,
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			Body: jsonReader(map[string]any{
+				"url": "generic://127.0.0.1",
+			}),
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"sending message"},
+		},
+		{
+			Name:            "GET /config-yaml - no auth should fail",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/config-yaml",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /config-yaml - with user auth should fail",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/config-yaml",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{"Requires admin"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /config-yaml - with admin auth should succeed",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/config-yaml",
+			Headers: map[string]string{
+				"Authorization": adminUserToken,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"test-system"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:            "GET /heartbeat-status - no auth should fail",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/heartbeat-status",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /heartbeat-status - with user auth should fail",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/heartbeat-status",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{"Requires admin role"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /heartbeat-status - with admin auth should succeed",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/heartbeat-status",
+			Headers: map[string]string{
+				"Authorization": adminUserToken,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{`"enabled":false`},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "POST /test-heartbeat - with user auth should fail",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/test-heartbeat",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{"Requires admin role"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "POST /test-heartbeat - with admin auth should report disabled state",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/test-heartbeat",
+			Headers: map[string]string{
+				"Authorization": adminUserToken,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"Heartbeat not configured"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:            "GET /universal-token - no auth should fail",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/universal-token",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /universal-token - with auth should succeed",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/universal-token",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"active", "token", "permanent"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /universal-token - enable permanent should succeed",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/universal-token?enable=1&permanent=1&token=permanent-token-123",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"permanent\":true", "permanent-token-123"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:            "POST /user-alerts - no auth should fail",
+			Method:          http.MethodPost,
+			URL:             "/api/beszel/user-alerts",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"name":    "CPU",
+				"value":   80,
+				"min":     10,
+				"systems": []string{system.Id},
+			}),
+		},
+		{
+			Name:   "POST /user-alerts - with auth should succeed",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/user-alerts",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"success\":true"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"name":    "CPU",
+				"value":   80,
+				"min":     10,
+				"systems": []string{system.Id},
+			}),
+		},
+		{
+			Name:            "DELETE /user-alerts - no auth should fail",
+			Method:          http.MethodDelete,
+			URL:             "/api/beszel/user-alerts",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"name":    "CPU",
+				"systems": []string{system.Id},
+			}),
+		},
+		{
+			Name:   "DELETE /user-alerts - with auth should succeed",
+			Method: http.MethodDelete,
+			URL:    "/api/beszel/user-alerts",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"success\":true"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"name":    "CPU",
+				"systems": []string{system.Id},
+			}),
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				// Create an alert to delete
+				beszelTests.CreateRecord(app, "alerts", map[string]any{
+					"name":   "CPU",
+					"system": system.Id,
+					"user":   user.Id,
+					"value":  80,
+					"min":    10,
+				})
+			},
+		},
+		{
+			Name:            "GET /containers/logs - no auth should fail",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/containers/logs?system=test-system&container=test-container",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /containers/logs - with auth but missing system param should fail",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/containers/logs?container=test-container",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"system and container parameters are required"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /containers/logs - with auth but missing container param should fail",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/containers/logs?system=test-system",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"system and container parameters are required"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /containers/logs - with auth but invalid system should fail",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/containers/logs?system=invalid-system&container=0123456789ab",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  404,
+			ExpectedContent: []string{"system not found"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /containers/logs - traversal container should fail validation",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/containers/logs?system=" + system.Id + "&container=..%2F..%2Fversion",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"invalid container parameter"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /containers/info - traversal container should fail validation",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/containers/info?system=" + system.Id + "&container=../../version?x=",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"invalid container parameter"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /containers/info - non-hex container should fail validation",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/containers/info?system=" + system.Id + "&container=container_name",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  400,
+			ExpectedContent: []string{"invalid container parameter"},
+			TestAppFactory:  testAppFactory,
+		},
+
+		// Auth Optional Routes - Should work without authentication
+		{
+			Name:            "GET /getkey - no auth should fail",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/getkey",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /getkey - with auth should also succeed",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/getkey",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"key\":", "\"v\":"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /info - should return the same as /getkey",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/info",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"key\":", "\"v\":"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:            "GET /first-run - no auth should succeed",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/first-run",
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"firstRun\":false"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /first-run - with auth should also succeed",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/first-run",
+			Headers: map[string]string{
+				"Authorization": userToken,
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"firstRun\":false"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:            "GET /agent-connect - no auth should succeed (websocket upgrade fails but route is accessible)",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/agent-connect",
+			ExpectedStatus:  400,
+			ExpectedContent: []string{},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "POST /test-notification - invalid auth token should fail",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/test-notification",
+			Body: jsonReader(map[string]any{
+				"url": "generic://127.0.0.1",
+			}),
+			Headers: map[string]string{
+				"Authorization": "invalid-token",
+			},
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "POST /user-alerts - invalid auth token should fail",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/user-alerts",
+			Headers: map[string]string{
+				"Authorization": "invalid-token",
+			},
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+			Body: jsonReader(map[string]any{
+				"name":    "CPU",
+				"value":   80,
+				"min":     10,
+				"systems": []string{system.Id},
+			}),
+		},
+		{
+			Name:           "GET /update - shouldn't exist without CHECK_UPDATES env var",
+			Method:         http.MethodGet,
+			URL:            "/api/beszel/update",
+			ExpectedStatus: 502,
+			TestAppFactory: testAppFactory,
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}
+
+func TestFirstUserCreation(t *testing.T) {
+	t.Run("CreateUserEndpoint available when no users exist", func(t *testing.T) {
+		hub, _ := beszelTests.NewTestHub(t.TempDir())
+		defer hub.Cleanup()
+
+		hub.StartHub()
+
+		testAppFactoryExisting := func(t testing.TB) *pbTests.TestApp {
+			return hub.TestApp
+		}
+
+		scenarios := []beszelTests.ApiScenario{
+			{
+				Name:   "POST /create-user - should be available when no users exist",
+				Method: http.MethodPost,
+				URL:    "/api/beszel/create-user",
+				Body: jsonReader(map[string]any{
+					"email":    "firstuser@example.com",
+					"password": "password123",
+				}),
+				ExpectedStatus:  200,
+				ExpectedContent: []string{"User created"},
+				TestAppFactory:  testAppFactoryExisting,
+				BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+					userCount, err := hub.CountRecords("users")
+					require.NoError(t, err)
+					require.Zero(t, userCount, "Should start with no users")
+					superusers, err := hub.FindAllRecords(core.CollectionNameSuperusers)
+					require.NoError(t, err)
+					require.EqualValues(t, 1, len(superusers), "Should start with one temporary superuser")
+					require.EqualValues(t, migrations.TempAdminEmail, superusers[0].GetString("email"), "Should have created one temporary superuser")
+				},
+				AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+					userCount, err := hub.CountRecords("users")
+					require.NoError(t, err)
+					require.EqualValues(t, 1, userCount, "Should have created one user")
+					superusers, err := hub.FindAllRecords(core.CollectionNameSuperusers)
+					require.NoError(t, err)
+					require.EqualValues(t, 1, len(superusers), "Should have created one superuser")
+					require.EqualValues(t, "firstuser@example.com", superusers[0].GetString("email"), "Should have created one superuser")
+				},
+			},
+			{
+				Name:   "POST /create-user - should not be available when users exist",
+				Method: http.MethodPost,
+				URL:    "/api/beszel/create-user",
+				Body: jsonReader(map[string]any{
+					"email":    "firstuser@example.com",
+					"password": "password123",
+				}),
+				ExpectedStatus:  404,
+				ExpectedContent: []string{"wasn't found"},
+				TestAppFactory:  testAppFactoryExisting,
+			},
+		}
+
+		for _, scenario := range scenarios {
+			scenario.Test(t)
+		}
+	})
+
+	t.Run("CreateUserEndpoint not available when USER_EMAIL, USER_PASSWORD are set", func(t *testing.T) {
+		t.Setenv("BESZEL_HUB_USER_EMAIL", "me@example.com")
+		t.Setenv("BESZEL_HUB_USER_PASSWORD", "password123")
+
+		hub, _ := beszelTests.NewTestHub(t.TempDir())
+		defer hub.Cleanup()
+
+		hub.StartHub()
+
+		testAppFactory := func(t testing.TB) *pbTests.TestApp {
+			return hub.TestApp
+		}
+
+		scenario := beszelTests.ApiScenario{
+			Name:            "POST /create-user - should not be available when USER_EMAIL, USER_PASSWORD are set",
+			Method:          http.MethodPost,
+			URL:             "/api/beszel/create-user",
+			ExpectedStatus:  404,
+			ExpectedContent: []string{"wasn't found"},
+			TestAppFactory:  testAppFactory,
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				users, err := hub.FindAllRecords("users")
+				require.NoError(t, err)
+				require.EqualValues(t, 1, len(users), "Should start with one user")
+				require.EqualValues(t, "me@example.com", users[0].GetString("email"), "Should have created one user")
+				superusers, err := hub.FindAllRecords(core.CollectionNameSuperusers)
+				require.NoError(t, err)
+				require.EqualValues(t, 1, len(superusers), "Should start with one superuser")
+				require.EqualValues(t, "me@example.com", superusers[0].GetString("email"), "Should have created one superuser")
+			},
+			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
+				users, err := hub.FindAllRecords("users")
+				require.NoError(t, err)
+				require.EqualValues(t, 1, len(users), "Should still have one user")
+				require.EqualValues(t, "me@example.com", users[0].GetString("email"), "Should have created one user")
+				superusers, err := hub.FindAllRecords(core.CollectionNameSuperusers)
+				require.NoError(t, err)
+				require.EqualValues(t, 1, len(superusers), "Should still have one superuser")
+				require.EqualValues(t, "me@example.com", superusers[0].GetString("email"), "Should have created one superuser")
+			},
+		}
+
+		scenario.Test(t)
+	})
+}
+
+func TestCreateUserEndpointAvailability(t *testing.T) {
+	t.Run("CreateUserEndpoint available when no users exist", func(t *testing.T) {
+		hub, _ := beszelTests.NewTestHub(t.TempDir())
+		defer hub.Cleanup()
+
+		// Ensure no users exist
+		userCount, err := hub.CountRecords("users")
+		require.NoError(t, err)
+		require.Zero(t, userCount, "Should start with no users")
+
+		hub.StartHub()
+
+		testAppFactory := func(t testing.TB) *pbTests.TestApp {
+			return hub.TestApp
+		}
+
+		scenario := beszelTests.ApiScenario{
+			Name:   "POST /create-user - should be available when no users exist",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/create-user",
+			Body: jsonReader(map[string]any{
+				"email":    "firstuser@example.com",
+				"password": "password123",
+			}),
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"User created"},
+			TestAppFactory:  testAppFactory,
+		}
+
+		scenario.Test(t)
+
+		// Verify user was created
+		userCount, err = hub.CountRecords("users")
+		require.NoError(t, err)
+		require.EqualValues(t, 1, userCount, "Should have created one user")
+	})
+
+	t.Run("CreateUserEndpoint not available when users exist", func(t *testing.T) {
+		hub, _ := beszelTests.NewTestHub(t.TempDir())
+		defer hub.Cleanup()
+
+		// Create a user first
+		_, err := beszelTests.CreateUser(hub, "existing@example.com", "password")
+		require.NoError(t, err)
+
+		hub.StartHub()
+
+		testAppFactory := func(t testing.TB) *pbTests.TestApp {
+			return hub.TestApp
+		}
+
+		scenario := beszelTests.ApiScenario{
+			Name:   "POST /create-user - should not be available when users exist",
+			Method: http.MethodPost,
+			URL:    "/api/beszel/create-user",
+			Body: jsonReader(map[string]any{
+				"email":    "another@example.com",
+				"password": "password123",
+			}),
+			ExpectedStatus:  404,
+			ExpectedContent: []string{"wasn't found"},
+			TestAppFactory:  testAppFactory,
+		}
+
+		scenario.Test(t)
+	})
+}
+
+func TestAutoLoginMiddleware(t *testing.T) {
+	var hubs []*beszelTests.TestHub
+
+	defer func() {
+		for _, hub := range hubs {
+			hub.Cleanup()
+		}
+	}()
+
+	t.Setenv("AUTO_LOGIN", "user@test.com")
+
+	testAppFactory := func(t testing.TB) *pbTests.TestApp {
+		hub, _ := beszelTests.NewTestHub(t.TempDir())
+		hubs = append(hubs, hub)
+		hub.StartHub()
+		return hub.TestApp
+	}
+
+	scenarios := []beszelTests.ApiScenario{
+		{
+			Name:            "GET /getkey - without auto login should fail",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/getkey",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:            "GET /getkey - with auto login should fail if no matching user",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/getkey",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:            "GET /getkey - with auto login should succeed",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/getkey",
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"key\":", "\"v\":"},
+			TestAppFactory:  testAppFactory,
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				beszelTests.CreateUser(app, "user@test.com", "password123")
+			},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}
+
+func TestTrustedHeaderMiddleware(t *testing.T) {
+	var hubs []*beszelTests.TestHub
+
+	defer func() {
+		for _, hub := range hubs {
+			hub.Cleanup()
+		}
+	}()
+
+	t.Setenv("TRUSTED_AUTH_HEADER", "X-Beszel-Trusted")
+
+	testAppFactory := func(t testing.TB) *pbTests.TestApp {
+		hub, _ := beszelTests.NewTestHub(t.TempDir())
+		hubs = append(hubs, hub)
+		hub.StartHub()
+		return hub.TestApp
+	}
+
+	scenarios := []beszelTests.ApiScenario{
+		{
+			Name:            "GET /getkey - without trusted header should fail",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/getkey",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /getkey - with trusted header should fail if no matching user",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/getkey",
+			Headers: map[string]string{
+				"X-Beszel-Trusted": "user@test.com",
+			},
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		{
+			Name:   "GET /getkey - with trusted header should succeed",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/getkey",
+			Headers: map[string]string{
+				"X-Beszel-Trusted": "user@test.com",
+			},
+			ExpectedStatus:  200,
+			ExpectedContent: []string{"\"key\":", "\"v\":"},
+			TestAppFactory:  testAppFactory,
+			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
+				beszelTests.CreateUser(app, "user@test.com", "password123")
+			},
+		},
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}
+
+func TestUpdateEndpoint(t *testing.T) {
+	t.Setenv("CHECK_UPDATES", "true")
+
+	hub, _ := beszelTests.NewTestHub(t.TempDir())
+	defer hub.Cleanup()
+	hub.StartHub()
+
+	// Create test user and get auth token
+	// user, err := beszelTests.CreateUser(hub, "testuser@example.com", "password123")
+	// require.NoError(t, err, "Failed to create test user")
+	// userToken, err := user.NewAuthToken()
+
+	testAppFactory := func(t testing.TB) *pbTests.TestApp {
+		return hub.TestApp
+	}
+
+	scenarios := []beszelTests.ApiScenario{
+		{
+			Name:            "update endpoint shouldn't work without auth",
+			Method:          http.MethodGet,
+			URL:             "/api/beszel/update",
+			ExpectedStatus:  401,
+			ExpectedContent: []string{"requires valid"},
+			TestAppFactory:  testAppFactory,
+		},
+		// leave this out for now since it actually makes a request to github
+		// {
+		// 	Name:   "GET /update - with valid auth should succeed",
+		// 	Method: http.MethodGet,
+		// 	URL:    "/api/beszel/update",
+		// 	Headers: map[string]string{
+		// 		"Authorization": userToken,
+		// 	},
+		// 	ExpectedStatus:  200,
+		// 	ExpectedContent: []string{`"v":`},
+		// 	TestAppFactory:  testAppFactory,
+		// },
+	}
+
+	for _, scenario := range scenarios {
+		scenario.Test(t)
+	}
+}

internal/hub/hub.go

@@ -6,15 +6,12 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"net/http"
 	"net/url"
 	"os"
 	"path"
 	"regexp"
 	"strings"
-	"time"
 
-	"github.com/henrygd/beszel"
 	"github.com/henrygd/beszel/internal/alerts"
 	"github.com/henrygd/beszel/internal/hub/config"
 	"github.com/henrygd/beszel/internal/hub/heartbeat"
@@ -22,10 +19,7 @@ import (
 	"github.com/henrygd/beszel/internal/records"
 	"github.com/henrygd/beszel/internal/users"
 
-	"github.com/google/uuid"
-	"github.com/pocketbase/dbx"
 	"github.com/pocketbase/pocketbase"
-	"github.com/pocketbase/pocketbase/apis"
 	"github.com/pocketbase/pocketbase/core"
 	"golang.org/x/crypto/ssh"
 )
@@ -160,295 +154,6 @@ func (h *Hub) registerCronJobs(_ *core.ServeEvent) error {
 	return nil
 }
 
-// registerMiddlewares registers custom middlewares
-func (h *Hub) registerMiddlewares(se *core.ServeEvent) {
-	// authorizes request with user matching the provided email
-	authorizeRequestWithEmail := func(e *core.RequestEvent, email string) (err error) {
-		if e.Auth != nil || email == "" {
-			return e.Next()
-		}
-		isAuthRefresh := e.Request.URL.Path == "/api/collections/users/auth-refresh" && e.Request.Method == http.MethodPost
-		e.Auth, err = e.App.FindFirstRecordByData("users", "email", email)
-		if err != nil || !isAuthRefresh {
-			return e.Next()
-		}
-		// auth refresh endpoint, make sure token is set in header
-		token, _ := e.Auth.NewAuthToken()
-		e.Request.Header.Set("Authorization", token)
-		return e.Next()
-	}
-	// authenticate with trusted header
-	if autoLogin, _ := GetEnv("AUTO_LOGIN"); autoLogin != "" {
-		se.Router.BindFunc(func(e *core.RequestEvent) error {
-			return authorizeRequestWithEmail(e, autoLogin)
-		})
-	}
-	// authenticate with trusted header
-	if trustedHeader, _ := GetEnv("TRUSTED_AUTH_HEADER"); trustedHeader != "" {
-		se.Router.BindFunc(func(e *core.RequestEvent) error {
-			return authorizeRequestWithEmail(e, e.Request.Header.Get(trustedHeader))
-		})
-	}
-}
-
-// registerApiRoutes registers custom API routes
-func (h *Hub) registerApiRoutes(se *core.ServeEvent) error {
-	// auth protected routes
-	apiAuth := se.Router.Group("/api/beszel")
-	apiAuth.Bind(apis.RequireAuth())
-	// auth optional routes
-	apiNoAuth := se.Router.Group("/api/beszel")
-
-	// create first user endpoint only needed if no users exist
-	if totalUsers, _ := se.App.CountRecords("users"); totalUsers == 0 {
-		apiNoAuth.POST("/create-user", h.um.CreateFirstUser)
-	}
-	// check if first time setup on login page
-	apiNoAuth.GET("/first-run", func(e *core.RequestEvent) error {
-		total, err := e.App.CountRecords("users")
-		return e.JSON(http.StatusOK, map[string]bool{"firstRun": err == nil && total == 0})
-	})
-	// get public key and version
-	apiAuth.GET("/getkey", func(e *core.RequestEvent) error {
-		return e.JSON(http.StatusOK, map[string]string{"key": h.pubKey, "v": beszel.Version})
-	})
-	// send test notification
-	apiAuth.POST("/test-notification", h.SendTestNotification)
-	// heartbeat status and test
-	apiAuth.GET("/heartbeat-status", h.getHeartbeatStatus)
-	apiAuth.POST("/test-heartbeat", h.testHeartbeat)
-	// get config.yml content
-	apiAuth.GET("/config-yaml", config.GetYamlConfig)
-	// handle agent websocket connection
-	apiNoAuth.GET("/agent-connect", h.handleAgentConnect)
-	// get or create universal tokens
-	apiAuth.GET("/universal-token", h.getUniversalToken)
-	// update / delete user alerts
-	apiAuth.POST("/user-alerts", alerts.UpsertUserAlerts)
-	apiAuth.DELETE("/user-alerts", alerts.DeleteUserAlerts)
-	// refresh SMART devices for a system
-	apiAuth.POST("/smart/refresh", h.refreshSmartData)
-	// get systemd service details
-	apiAuth.GET("/systemd/info", h.getSystemdInfo)
-	// /containers routes
-	if enabled, _ := GetEnv("CONTAINER_DETAILS"); enabled != "false" {
-		// get container logs
-		apiAuth.GET("/containers/logs", h.getContainerLogs)
-		// get container info
-		apiAuth.GET("/containers/info", h.getContainerInfo)
-	}
-	return nil
-}
-
-// GetUniversalToken handles the universal token API endpoint (create, read, delete)
-func (h *Hub) getUniversalToken(e *core.RequestEvent) error {
-	tokenMap := universalTokenMap.GetMap()
-	userID := e.Auth.Id
-	query := e.Request.URL.Query()
-	token := query.Get("token")
-	enable := query.Get("enable")
-	permanent := query.Get("permanent")
-
-	// helper for deleting any existing permanent token record for this user
-	deletePermanent := func() error {
-		rec, err := h.FindFirstRecordByFilter("universal_tokens", "user = {:user}", dbx.Params{"user": userID})
-		if err != nil {
-			return nil // no record
-		}
-		return h.Delete(rec)
-	}
-
-	// helper for upserting a permanent token record for this user
-	upsertPermanent := func(token string) error {
-		rec, err := h.FindFirstRecordByFilter("universal_tokens", "user = {:user}", dbx.Params{"user": userID})
-		if err == nil {
-			rec.Set("token", token)
-			return h.Save(rec)
-		}
-
-		col, err := h.FindCachedCollectionByNameOrId("universal_tokens")
-		if err != nil {
-			return err
-		}
-		newRec := core.NewRecord(col)
-		newRec.Set("user", userID)
-		newRec.Set("token", token)
-		return h.Save(newRec)
-	}
-
-	// Disable universal tokens (both ephemeral and permanent)
-	if enable == "0" {
-		tokenMap.RemovebyValue(userID)
-		_ = deletePermanent()
-		return e.JSON(http.StatusOK, map[string]any{"token": token, "active": false, "permanent": false})
-	}
-
-	// Enable universal token (ephemeral or permanent)
-	if enable == "1" {
-		if token == "" {
-			token = uuid.New().String()
-		}
-
-		if permanent == "1" {
-			// make token permanent (persist across restarts)
-			tokenMap.RemovebyValue(userID)
-			if err := upsertPermanent(token); err != nil {
-				return err
-			}
-			return e.JSON(http.StatusOK, map[string]any{"token": token, "active": true, "permanent": true})
-		}
-
-		// default: ephemeral mode (1 hour)
-		_ = deletePermanent()
-		tokenMap.Set(token, userID, time.Hour)
-		return e.JSON(http.StatusOK, map[string]any{"token": token, "active": true, "permanent": false})
-	}
-
-	// Read current state
-	// Prefer permanent token if it exists.
-	if rec, err := h.FindFirstRecordByFilter("universal_tokens", "user = {:user}", dbx.Params{"user": userID}); err == nil {
-		dbToken := rec.GetString("token")
-		// If no token was provided, or the caller is asking about their permanent token, return it.
-		if token == "" || token == dbToken {
-			return e.JSON(http.StatusOK, map[string]any{"token": dbToken, "active": true, "permanent": true})
-		}
-		// Token doesn't match their permanent token (avoid leaking other info)
-		return e.JSON(http.StatusOK, map[string]any{"token": token, "active": false, "permanent": false})
-	}
-
-	// No permanent token; fall back to ephemeral token map.
-	if token == "" {
-		// return existing token if it exists
-		if token, _, ok := tokenMap.GetByValue(userID); ok {
-			return e.JSON(http.StatusOK, map[string]any{"token": token, "active": true, "permanent": false})
-		}
-		// if no token is provided, generate a new one
-		token = uuid.New().String()
-	}
-
-	// Token is considered active only if it belongs to the current user.
-	activeUser, ok := tokenMap.GetOk(token)
-	active := ok && activeUser == userID
-	response := map[string]any{"token": token, "active": active, "permanent": false}
-	return e.JSON(http.StatusOK, response)
-}
-
-// getHeartbeatStatus returns current heartbeat configuration and whether it's enabled
-func (h *Hub) getHeartbeatStatus(e *core.RequestEvent) error {
-	if e.Auth.GetString("role") != "admin" {
-		return e.ForbiddenError("Requires admin role", nil)
-	}
-	if h.hb == nil {
-		return e.JSON(http.StatusOK, map[string]any{
-			"enabled": false,
-			"msg":     "Set HEARTBEAT_URL to enable outbound heartbeat monitoring",
-		})
-	}
-	cfg := h.hb.GetConfig()
-	return e.JSON(http.StatusOK, map[string]any{
-		"enabled":  true,
-		"url":      cfg.URL,
-		"interval": cfg.Interval,
-		"method":   cfg.Method,
-	})
-}
-
-// testHeartbeat triggers a single heartbeat ping and returns the result
-func (h *Hub) testHeartbeat(e *core.RequestEvent) error {
-	if e.Auth.GetString("role") != "admin" {
-		return e.ForbiddenError("Requires admin role", nil)
-	}
-	if h.hb == nil {
-		return e.JSON(http.StatusOK, map[string]any{
-			"err": "Heartbeat not configured. Set HEARTBEAT_URL environment variable.",
-		})
-	}
-	if err := h.hb.Send(); err != nil {
-		return e.JSON(http.StatusOK, map[string]any{"err": err.Error()})
-	}
-	return e.JSON(http.StatusOK, map[string]any{"err": false})
-}
-
-// containerRequestHandler handles both container logs and info requests
-func (h *Hub) containerRequestHandler(e *core.RequestEvent, fetchFunc func(*systems.System, string) (string, error), responseKey string) error {
-	systemID := e.Request.URL.Query().Get("system")
-	containerID := e.Request.URL.Query().Get("container")
-
-	if systemID == "" || containerID == "" {
-		return e.JSON(http.StatusBadRequest, map[string]string{"error": "system and container parameters are required"})
-	}
-	if !containerIDPattern.MatchString(containerID) {
-		return e.JSON(http.StatusBadRequest, map[string]string{"error": "invalid container parameter"})
-	}
-
-	system, err := h.sm.GetSystem(systemID)
-	if err != nil {
-		return e.JSON(http.StatusNotFound, map[string]string{"error": "system not found"})
-	}
-
-	data, err := fetchFunc(system, containerID)
-	if err != nil {
-		return e.JSON(http.StatusNotFound, map[string]string{"error": err.Error()})
-	}
-
-	return e.JSON(http.StatusOK, map[string]string{responseKey: data})
-}
-
-// getContainerLogs handles GET /api/beszel/containers/logs requests
-func (h *Hub) getContainerLogs(e *core.RequestEvent) error {
-	return h.containerRequestHandler(e, func(system *systems.System, containerID string) (string, error) {
-		return system.FetchContainerLogsFromAgent(containerID)
-	}, "logs")
-}
-
-func (h *Hub) getContainerInfo(e *core.RequestEvent) error {
-	return h.containerRequestHandler(e, func(system *systems.System, containerID string) (string, error) {
-		return system.FetchContainerInfoFromAgent(containerID)
-	}, "info")
-}
-
-// getSystemdInfo handles GET /api/beszel/systemd/info requests
-func (h *Hub) getSystemdInfo(e *core.RequestEvent) error {
-	query := e.Request.URL.Query()
-	systemID := query.Get("system")
-	serviceName := query.Get("service")
-
-	if systemID == "" || serviceName == "" {
-		return e.JSON(http.StatusBadRequest, map[string]string{"error": "system and service parameters are required"})
-	}
-	system, err := h.sm.GetSystem(systemID)
-	if err != nil {
-		return e.JSON(http.StatusNotFound, map[string]string{"error": "system not found"})
-	}
-	details, err := system.FetchSystemdInfoFromAgent(serviceName)
-	if err != nil {
-		return e.JSON(http.StatusNotFound, map[string]string{"error": err.Error()})
-	}
-	e.Response.Header().Set("Cache-Control", "public, max-age=60")
-	return e.JSON(http.StatusOK, map[string]any{"details": details})
-}
-
-// refreshSmartData handles POST /api/beszel/smart/refresh requests
-// Fetches fresh SMART data from the agent and updates the collection
-func (h *Hub) refreshSmartData(e *core.RequestEvent) error {
-	systemID := e.Request.URL.Query().Get("system")
-	if systemID == "" {
-		return e.JSON(http.StatusBadRequest, map[string]string{"error": "system parameter is required"})
-	}
-
-	system, err := h.sm.GetSystem(systemID)
-	if err != nil {
-		return e.JSON(http.StatusNotFound, map[string]string{"error": "system not found"})
-	}
-
-	// Fetch and save SMART devices
-	if err := system.FetchAndSaveSmartDevices(); err != nil {
-		return e.JSON(http.StatusInternalServerError, map[string]string{"error": err.Error()})
-	}
-
-	return e.JSON(http.StatusOK, map[string]string{"status": "ok"})
-}
-
 // GetSSHKey generates key pair if it doesn't exist and returns signer
 func (h *Hub) GetSSHKey(dataDir string) (ssh.Signer, error) {
 	if h.signer != nil {

internal/hub/hub_test.go

@@ -3,36 +3,20 @@
 package hub_test
 
 import (
-	"bytes"
 	"crypto/ed25519"
-	"encoding/json"
 	"encoding/pem"
-	"io"
-	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 
-	"github.com/henrygd/beszel/internal/migrations"
 	beszelTests "github.com/henrygd/beszel/internal/tests"
 
-	"github.com/pocketbase/pocketbase/core"
-	pbTests "github.com/pocketbase/pocketbase/tests"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/ssh"
 )
 
-// marshal to json and return an io.Reader (for use in ApiScenario.Body)
-func jsonReader(v any) io.Reader {
-	data, err := json.Marshal(v)
-	if err != nil {
-		panic(err)
-	}
-	return bytes.NewReader(data)
-}
-
 func TestMakeLink(t *testing.T) {
 	hub, _ := beszelTests.NewTestHub(t.TempDir())
 
@@ -265,699 +249,6 @@ func TestGetSSHKey(t *testing.T) {
 	})
 }
 
-func TestApiRoutesAuthentication(t *testing.T) {
-	hub, _ := beszelTests.NewTestHub(t.TempDir())
-	defer hub.Cleanup()
-
-	hub.StartHub()
-
-	// Create test user and get auth token
-	user, err := beszelTests.CreateUser(hub, "testuser@example.com", "password123")
-	require.NoError(t, err, "Failed to create test user")
-
-	adminUser, err := beszelTests.CreateRecord(hub, "users", map[string]any{
-		"email":    "admin@example.com",
-		"password": "password123",
-		"role":     "admin",
-	})
-	require.NoError(t, err, "Failed to create admin user")
-	adminUserToken, err := adminUser.NewAuthToken()
-
-	// superUser, err := beszelTests.CreateRecord(hub, core.CollectionNameSuperusers, map[string]any{
-	// 	"email":    "superuser@example.com",
-	// 	"password": "password123",
-	// })
-	// require.NoError(t, err, "Failed to create superuser")
-
-	userToken, err := user.NewAuthToken()
-	require.NoError(t, err, "Failed to create auth token")
-
-	// Create test system for user-alerts endpoints
-	system, err := beszelTests.CreateRecord(hub, "systems", map[string]any{
-		"name":  "test-system",
-		"users": []string{user.Id},
-		"host":  "127.0.0.1",
-	})
-	require.NoError(t, err, "Failed to create test system")
-
-	testAppFactory := func(t testing.TB) *pbTests.TestApp {
-		return hub.TestApp
-	}
-
-	scenarios := []beszelTests.ApiScenario{
-		// Auth Protected Routes - Should require authentication
-		{
-			Name:            "POST /test-notification - no auth should fail",
-			Method:          http.MethodPost,
-			URL:             "/api/beszel/test-notification",
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"url": "generic://127.0.0.1",
-			}),
-		},
-		{
-			Name:           "POST /test-notification - with auth should succeed",
-			Method:         http.MethodPost,
-			URL:            "/api/beszel/test-notification",
-			TestAppFactory: testAppFactory,
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			Body: jsonReader(map[string]any{
-				"url": "generic://127.0.0.1",
-			}),
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"sending message"},
-		},
-		{
-			Name:            "GET /config-yaml - no auth should fail",
-			Method:          http.MethodGet,
-			URL:             "/api/beszel/config-yaml",
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /config-yaml - with user auth should fail",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/config-yaml",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  403,
-			ExpectedContent: []string{"Requires admin"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /config-yaml - with admin auth should succeed",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/config-yaml",
-			Headers: map[string]string{
-				"Authorization": adminUserToken,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"test-system"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:            "GET /heartbeat-status - no auth should fail",
-			Method:          http.MethodGet,
-			URL:             "/api/beszel/heartbeat-status",
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /heartbeat-status - with user auth should fail",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/heartbeat-status",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  403,
-			ExpectedContent: []string{"Requires admin role"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /heartbeat-status - with admin auth should succeed",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/heartbeat-status",
-			Headers: map[string]string{
-				"Authorization": adminUserToken,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{`"enabled":false`},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "POST /test-heartbeat - with user auth should fail",
-			Method: http.MethodPost,
-			URL:    "/api/beszel/test-heartbeat",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  403,
-			ExpectedContent: []string{"Requires admin role"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "POST /test-heartbeat - with admin auth should report disabled state",
-			Method: http.MethodPost,
-			URL:    "/api/beszel/test-heartbeat",
-			Headers: map[string]string{
-				"Authorization": adminUserToken,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"Heartbeat not configured"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:            "GET /universal-token - no auth should fail",
-			Method:          http.MethodGet,
-			URL:             "/api/beszel/universal-token",
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /universal-token - with auth should succeed",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/universal-token",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"active", "token", "permanent"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /universal-token - enable permanent should succeed",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/universal-token?enable=1&permanent=1&token=permanent-token-123",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"permanent\":true", "permanent-token-123"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:            "POST /user-alerts - no auth should fail",
-			Method:          http.MethodPost,
-			URL:             "/api/beszel/user-alerts",
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"name":    "CPU",
-				"value":   80,
-				"min":     10,
-				"systems": []string{system.Id},
-			}),
-		},
-		{
-			Name:   "POST /user-alerts - with auth should succeed",
-			Method: http.MethodPost,
-			URL:    "/api/beszel/user-alerts",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"success\":true"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"name":    "CPU",
-				"value":   80,
-				"min":     10,
-				"systems": []string{system.Id},
-			}),
-		},
-		{
-			Name:            "DELETE /user-alerts - no auth should fail",
-			Method:          http.MethodDelete,
-			URL:             "/api/beszel/user-alerts",
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"name":    "CPU",
-				"systems": []string{system.Id},
-			}),
-		},
-		{
-			Name:   "DELETE /user-alerts - with auth should succeed",
-			Method: http.MethodDelete,
-			URL:    "/api/beszel/user-alerts",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"success\":true"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"name":    "CPU",
-				"systems": []string{system.Id},
-			}),
-			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
-				// Create an alert to delete
-				beszelTests.CreateRecord(app, "alerts", map[string]any{
-					"name":   "CPU",
-					"system": system.Id,
-					"user":   user.Id,
-					"value":  80,
-					"min":    10,
-				})
-			},
-		},
-		{
-			Name:            "GET /containers/logs - no auth should fail",
-			Method:          http.MethodGet,
-			URL:             "/api/beszel/containers/logs?system=test-system&container=test-container",
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /containers/logs - with auth but missing system param should fail",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/containers/logs?container=test-container",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  400,
-			ExpectedContent: []string{"system and container parameters are required"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /containers/logs - with auth but missing container param should fail",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/containers/logs?system=test-system",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  400,
-			ExpectedContent: []string{"system and container parameters are required"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /containers/logs - with auth but invalid system should fail",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/containers/logs?system=invalid-system&container=0123456789ab",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  404,
-			ExpectedContent: []string{"system not found"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /containers/logs - traversal container should fail validation",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/containers/logs?system=" + system.Id + "&container=..%2F..%2Fversion",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  400,
-			ExpectedContent: []string{"invalid container parameter"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /containers/info - traversal container should fail validation",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/containers/info?system=" + system.Id + "&container=../../version?x=",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  400,
-			ExpectedContent: []string{"invalid container parameter"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /containers/info - non-hex container should fail validation",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/containers/info?system=" + system.Id + "&container=container_name",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  400,
-			ExpectedContent: []string{"invalid container parameter"},
-			TestAppFactory:  testAppFactory,
-		},
-
-		// Auth Optional Routes - Should work without authentication
-		{
-			Name:            "GET /getkey - no auth should fail",
-			Method:          http.MethodGet,
-			URL:             "/api/beszel/getkey",
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /getkey - with auth should also succeed",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/getkey",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"key\":", "\"v\":"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:            "GET /first-run - no auth should succeed",
-			Method:          http.MethodGet,
-			URL:             "/api/beszel/first-run",
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"firstRun\":false"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /first-run - with auth should also succeed",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/first-run",
-			Headers: map[string]string{
-				"Authorization": userToken,
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"firstRun\":false"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:            "GET /agent-connect - no auth should succeed (websocket upgrade fails but route is accessible)",
-			Method:          http.MethodGet,
-			URL:             "/api/beszel/agent-connect",
-			ExpectedStatus:  400,
-			ExpectedContent: []string{},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "POST /test-notification - invalid auth token should fail",
-			Method: http.MethodPost,
-			URL:    "/api/beszel/test-notification",
-			Body: jsonReader(map[string]any{
-				"url": "generic://127.0.0.1",
-			}),
-			Headers: map[string]string{
-				"Authorization": "invalid-token",
-			},
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "POST /user-alerts - invalid auth token should fail",
-			Method: http.MethodPost,
-			URL:    "/api/beszel/user-alerts",
-			Headers: map[string]string{
-				"Authorization": "invalid-token",
-			},
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-			Body: jsonReader(map[string]any{
-				"name":    "CPU",
-				"value":   80,
-				"min":     10,
-				"systems": []string{system.Id},
-			}),
-		},
-	}
-
-	for _, scenario := range scenarios {
-		scenario.Test(t)
-	}
-}
-
-func TestFirstUserCreation(t *testing.T) {
-	t.Run("CreateUserEndpoint available when no users exist", func(t *testing.T) {
-		hub, _ := beszelTests.NewTestHub(t.TempDir())
-		defer hub.Cleanup()
-
-		hub.StartHub()
-
-		testAppFactoryExisting := func(t testing.TB) *pbTests.TestApp {
-			return hub.TestApp
-		}
-
-		scenarios := []beszelTests.ApiScenario{
-			{
-				Name:   "POST /create-user - should be available when no users exist",
-				Method: http.MethodPost,
-				URL:    "/api/beszel/create-user",
-				Body: jsonReader(map[string]any{
-					"email":    "firstuser@example.com",
-					"password": "password123",
-				}),
-				ExpectedStatus:  200,
-				ExpectedContent: []string{"User created"},
-				TestAppFactory:  testAppFactoryExisting,
-				BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
-					userCount, err := hub.CountRecords("users")
-					require.NoError(t, err)
-					require.Zero(t, userCount, "Should start with no users")
-					superusers, err := hub.FindAllRecords(core.CollectionNameSuperusers)
-					require.NoError(t, err)
-					require.EqualValues(t, 1, len(superusers), "Should start with one temporary superuser")
-					require.EqualValues(t, migrations.TempAdminEmail, superusers[0].GetString("email"), "Should have created one temporary superuser")
-				},
-				AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
-					userCount, err := hub.CountRecords("users")
-					require.NoError(t, err)
-					require.EqualValues(t, 1, userCount, "Should have created one user")
-					superusers, err := hub.FindAllRecords(core.CollectionNameSuperusers)
-					require.NoError(t, err)
-					require.EqualValues(t, 1, len(superusers), "Should have created one superuser")
-					require.EqualValues(t, "firstuser@example.com", superusers[0].GetString("email"), "Should have created one superuser")
-				},
-			},
-			{
-				Name:   "POST /create-user - should not be available when users exist",
-				Method: http.MethodPost,
-				URL:    "/api/beszel/create-user",
-				Body: jsonReader(map[string]any{
-					"email":    "firstuser@example.com",
-					"password": "password123",
-				}),
-				ExpectedStatus:  404,
-				ExpectedContent: []string{"wasn't found"},
-				TestAppFactory:  testAppFactoryExisting,
-			},
-		}
-
-		for _, scenario := range scenarios {
-			scenario.Test(t)
-		}
-	})
-
-	t.Run("CreateUserEndpoint not available when USER_EMAIL, USER_PASSWORD are set", func(t *testing.T) {
-		t.Setenv("BESZEL_HUB_USER_EMAIL", "me@example.com")
-		t.Setenv("BESZEL_HUB_USER_PASSWORD", "password123")
-
-		hub, _ := beszelTests.NewTestHub(t.TempDir())
-		defer hub.Cleanup()
-
-		hub.StartHub()
-
-		testAppFactory := func(t testing.TB) *pbTests.TestApp {
-			return hub.TestApp
-		}
-
-		scenario := beszelTests.ApiScenario{
-			Name:            "POST /create-user - should not be available when USER_EMAIL, USER_PASSWORD are set",
-			Method:          http.MethodPost,
-			URL:             "/api/beszel/create-user",
-			ExpectedStatus:  404,
-			ExpectedContent: []string{"wasn't found"},
-			TestAppFactory:  testAppFactory,
-			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
-				users, err := hub.FindAllRecords("users")
-				require.NoError(t, err)
-				require.EqualValues(t, 1, len(users), "Should start with one user")
-				require.EqualValues(t, "me@example.com", users[0].GetString("email"), "Should have created one user")
-				superusers, err := hub.FindAllRecords(core.CollectionNameSuperusers)
-				require.NoError(t, err)
-				require.EqualValues(t, 1, len(superusers), "Should start with one superuser")
-				require.EqualValues(t, "me@example.com", superusers[0].GetString("email"), "Should have created one superuser")
-			},
-			AfterTestFunc: func(t testing.TB, app *pbTests.TestApp, res *http.Response) {
-				users, err := hub.FindAllRecords("users")
-				require.NoError(t, err)
-				require.EqualValues(t, 1, len(users), "Should still have one user")
-				require.EqualValues(t, "me@example.com", users[0].GetString("email"), "Should have created one user")
-				superusers, err := hub.FindAllRecords(core.CollectionNameSuperusers)
-				require.NoError(t, err)
-				require.EqualValues(t, 1, len(superusers), "Should still have one superuser")
-				require.EqualValues(t, "me@example.com", superusers[0].GetString("email"), "Should have created one superuser")
-			},
-		}
-
-		scenario.Test(t)
-	})
-}
-
-func TestCreateUserEndpointAvailability(t *testing.T) {
-	t.Run("CreateUserEndpoint available when no users exist", func(t *testing.T) {
-		hub, _ := beszelTests.NewTestHub(t.TempDir())
-		defer hub.Cleanup()
-
-		// Ensure no users exist
-		userCount, err := hub.CountRecords("users")
-		require.NoError(t, err)
-		require.Zero(t, userCount, "Should start with no users")
-
-		hub.StartHub()
-
-		testAppFactory := func(t testing.TB) *pbTests.TestApp {
-			return hub.TestApp
-		}
-
-		scenario := beszelTests.ApiScenario{
-			Name:   "POST /create-user - should be available when no users exist",
-			Method: http.MethodPost,
-			URL:    "/api/beszel/create-user",
-			Body: jsonReader(map[string]any{
-				"email":    "firstuser@example.com",
-				"password": "password123",
-			}),
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"User created"},
-			TestAppFactory:  testAppFactory,
-		}
-
-		scenario.Test(t)
-
-		// Verify user was created
-		userCount, err = hub.CountRecords("users")
-		require.NoError(t, err)
-		require.EqualValues(t, 1, userCount, "Should have created one user")
-	})
-
-	t.Run("CreateUserEndpoint not available when users exist", func(t *testing.T) {
-		hub, _ := beszelTests.NewTestHub(t.TempDir())
-		defer hub.Cleanup()
-
-		// Create a user first
-		_, err := beszelTests.CreateUser(hub, "existing@example.com", "password")
-		require.NoError(t, err)
-
-		hub.StartHub()
-
-		testAppFactory := func(t testing.TB) *pbTests.TestApp {
-			return hub.TestApp
-		}
-
-		scenario := beszelTests.ApiScenario{
-			Name:   "POST /create-user - should not be available when users exist",
-			Method: http.MethodPost,
-			URL:    "/api/beszel/create-user",
-			Body: jsonReader(map[string]any{
-				"email":    "another@example.com",
-				"password": "password123",
-			}),
-			ExpectedStatus:  404,
-			ExpectedContent: []string{"wasn't found"},
-			TestAppFactory:  testAppFactory,
-		}
-
-		scenario.Test(t)
-	})
-}
-
-func TestAutoLoginMiddleware(t *testing.T) {
-	var hubs []*beszelTests.TestHub
-
-	defer func() {
-		for _, hub := range hubs {
-			hub.Cleanup()
-		}
-	}()
-
-	t.Setenv("AUTO_LOGIN", "user@test.com")
-
-	testAppFactory := func(t testing.TB) *pbTests.TestApp {
-		hub, _ := beszelTests.NewTestHub(t.TempDir())
-		hubs = append(hubs, hub)
-		hub.StartHub()
-		return hub.TestApp
-	}
-
-	scenarios := []beszelTests.ApiScenario{
-		{
-			Name:            "GET /getkey - without auto login should fail",
-			Method:          http.MethodGet,
-			URL:             "/api/beszel/getkey",
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:            "GET /getkey - with auto login should fail if no matching user",
-			Method:          http.MethodGet,
-			URL:             "/api/beszel/getkey",
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:            "GET /getkey - with auto login should succeed",
-			Method:          http.MethodGet,
-			URL:             "/api/beszel/getkey",
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"key\":", "\"v\":"},
-			TestAppFactory:  testAppFactory,
-			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
-				beszelTests.CreateUser(app, "user@test.com", "password123")
-			},
-		},
-	}
-
-	for _, scenario := range scenarios {
-		scenario.Test(t)
-	}
-}
-
-func TestTrustedHeaderMiddleware(t *testing.T) {
-	var hubs []*beszelTests.TestHub
-
-	defer func() {
-		for _, hub := range hubs {
-			hub.Cleanup()
-		}
-	}()
-
-	t.Setenv("TRUSTED_AUTH_HEADER", "X-Beszel-Trusted")
-
-	testAppFactory := func(t testing.TB) *pbTests.TestApp {
-		hub, _ := beszelTests.NewTestHub(t.TempDir())
-		hubs = append(hubs, hub)
-		hub.StartHub()
-		return hub.TestApp
-	}
-
-	scenarios := []beszelTests.ApiScenario{
-		{
-			Name:            "GET /getkey - without trusted header should fail",
-			Method:          http.MethodGet,
-			URL:             "/api/beszel/getkey",
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /getkey - with trusted header should fail if no matching user",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/getkey",
-			Headers: map[string]string{
-				"X-Beszel-Trusted": "user@test.com",
-			},
-			ExpectedStatus:  401,
-			ExpectedContent: []string{"requires valid"},
-			TestAppFactory:  testAppFactory,
-		},
-		{
-			Name:   "GET /getkey - with trusted header should succeed",
-			Method: http.MethodGet,
-			URL:    "/api/beszel/getkey",
-			Headers: map[string]string{
-				"X-Beszel-Trusted": "user@test.com",
-			},
-			ExpectedStatus:  200,
-			ExpectedContent: []string{"\"key\":", "\"v\":"},
-			TestAppFactory:  testAppFactory,
-			BeforeTestFunc: func(t testing.TB, app *pbTests.TestApp, e *core.ServeEvent) {
-				beszelTests.CreateUser(app, "user@test.com", "password123")
-			},
-		},
-	}
-
-	for _, scenario := range scenarios {
-		scenario.Test(t)
-	}
-}
-
 func TestAppUrl(t *testing.T) {
 	t.Run("no APP_URL does't change app url", func(t *testing.T) {
 		hub, _ := beszelTests.NewTestHub(t.TempDir())

internal/hub/ws/ws.go

@@ -111,6 +111,9 @@ func (ws *WsConn) Close(msg []byte) {
 
 // Ping sends a ping frame to keep the connection alive.
 func (ws *WsConn) Ping() error {
+	if ws.conn == nil {
+		return gws.ErrConnClosed
+	}
 	ws.conn.SetDeadline(time.Now().Add(deadline))
 	return ws.conn.WritePing(nil)
 }

internal/site/index.html

@@ -7,6 +7,19 @@
 		<meta name="viewport" content="width=device-width, initial-scale=1.0,maximum-scale=1.0, user-scalable=no, viewport-fit=cover" />
 		<meta name="robots" content="noindex, nofollow" />
 		<title>Beszel</title>
+		<style>
+			.dark { background: hsl(220 5.5% 9%); color-scheme: dark; }
+		</style>
+		<script>
+			(function() {
+				try {
+					var theme = localStorage.getItem('ui-theme');
+					var isDark = theme === 'dark' ||
+						(theme !== 'light' && window.matchMedia('(prefers-color-scheme: dark)').matches);
+					document.documentElement.classList.add(isDark ? 'dark' : 'light');
+				} catch (e) {}
+			})();
+		</script>
 		<script>
 			globalThis.BESZEL = {
 				BASE_PATH: "%BASE_URL%",

internal/site/src/components/footer-repo-link.tsx

@@ -1,7 +1,11 @@
+import { useStore } from "@nanostores/react"
 import { GithubIcon } from "lucide-react"
+import { $newVersion } from "@/lib/stores"
 import { Separator } from "./ui/separator"
+import { Trans } from "@lingui/react/macro"
 
 export function FooterRepoLink() {
+	const newVersion = useStore($newVersion)
 	return (
 		<div className="flex gap-1.5 justify-end items-center pe-3 sm:pe-6 mt-3.5 mb-4 text-xs opacity-80">
 			<a
@@ -21,6 +25,19 @@ export function FooterRepoLink() {
 			>
 				Beszel {globalThis.BESZEL.HUB_VERSION}
 			</a>
+			{newVersion?.v && (
+				<>
+					<Separator orientation="vertical" className="h-2.5 bg-muted-foreground opacity-70" />
+					<a
+						href={newVersion.url}
+						target="_blank"
+						className="text-yellow-500 hover:text-yellow-400 duration-75"
+						rel="noopener"
+					>
+						<Trans context="New version available">{newVersion.v} available</Trans>
+					</a>
+				</>
+			)}
 		</div>
 	)
 }

internal/site/src/components/routes/settings/quiet-hours.tsx

@@ -134,10 +134,10 @@ export function QuietHours() {
 			const startMinutes = startDate.getUTCHours() * 60 + startDate.getUTCMinutes()
 			const endMinutes = endDate.getUTCHours() * 60 + endDate.getUTCMinutes()
 
-			// Convert UTC to local time offset
+			// Convert UTC to local time using the stored date's offset, not the current date's offset
-			const offset = now.getTimezoneOffset()
+			// This avoids DST mismatch when records were saved in a different DST period
-			const localStartMinutes = (startMinutes - offset + 1440) % 1440
+			const localStartMinutes = (startMinutes - startDate.getTimezoneOffset() + 1440) % 1440
-			const localEndMinutes = (endMinutes - offset + 1440) % 1440
+			const localEndMinutes = (endMinutes - endDate.getTimezoneOffset() + 1440) % 1440
 
 			// Handle cases where window spans midnight
 			if (localStartMinutes <= localEndMinutes) {
@@ -347,12 +347,13 @@ function QuietHoursDialog({
 
 			if (windowType === "daily") {
 				// For daily windows, convert local time to UTC
-				// Create a date with the time in local timezone, then convert to UTC
+				// Use today's date so the current DST offset is applied (not a fixed historical date)
-				const startDate = new Date(`2000-01-01T${startTime}:00`)
+				const today = new Date().toISOString().split("T")[0]
+				const startDate = new Date(`${today}T${startTime}:00`)
 				startValue = startDate.toISOString()
 
 				if (endTime) {
-					const endDate = new Date(`2000-01-01T${endTime}:00`)
+					const endDate = new Date(`${today}T${endTime}:00`)
 					endValue = endDate.toISOString()
 				}
 			} else {

internal/site/src/lib/stores.ts

@@ -1,5 +1,5 @@
 import { atom, computed, listenKeys, map, type ReadableAtom } from "nanostores"
-import type { AlertMap, ChartTimes, SystemRecord, UserSettings } from "@/types"
+import type { AlertMap, ChartTimes, SystemRecord, UpdateInfo, UserSettings } from "@/types"
 import { pb } from "./api"
 import { Unit } from "./enums"
 
@@ -28,6 +28,9 @@ export const $alerts = map<AlertMap>({})
 /** SSH public key */
 export const $publicKey = atom("")
 
+/** New version info if an update is available, otherwise undefined */
+export const $newVersion = atom<UpdateInfo | undefined>()
+
 /** Chart time period */
 export const $chartTime = atom<ChartTimes>("1h")
 

internal/site/src/main.tsx

@@ -12,17 +12,19 @@ import Settings from "@/components/routes/settings/layout.tsx"
 import { ThemeProvider } from "@/components/theme-provider.tsx"
 import { Toaster } from "@/components/ui/toaster.tsx"
 import { alertManager } from "@/lib/alerts"
-import { pb, updateUserSettings } from "@/lib/api.ts"
+import { isAdmin, pb, updateUserSettings } from "@/lib/api.ts"
 import { dynamicActivate, getLocale } from "@/lib/i18n"
 import {
 	$authenticated,
 	$copyContent,
 	$direction,
+	$newVersion,
 	$publicKey,
 	$userSettings,
 	defaultLayoutWidth,
 } from "@/lib/stores.ts"
 import * as systemsManager from "@/lib/systemsManager.ts"
+import type { BeszelInfo, UpdateInfo } from "./types"
 
 const LoginPage = lazy(() => import("@/components/login/login.tsx"))
 const Home = lazy(() => import("@/components/routes/home.tsx"))
@@ -39,9 +41,13 @@ const App = memo(() => {
 		pb.authStore.onChange(() => {
 			$authenticated.set(pb.authStore.isValid)
 		})
-		// get version / public key
+		// get general info for authenticated users, such as public key and version
-		pb.send("/api/beszel/getkey", {}).then((data) => {
+		pb.send<BeszelInfo>("/api/beszel/info", {}).then((data) => {
 			$publicKey.set(data.key)
+			// check for updates if enabled
+			if (data.cu && isAdmin()) {
+				pb.send<UpdateInfo>("/api/beszel/update", {}).then($newVersion.set)
+			}
 		})
 		// get user settings
 		updateUserSettings()

internal/site/src/types.d.ts

@@ -525,4 +525,15 @@ export interface SystemdServiceDetails {
 	WantedBy: any[];
 	Wants: string[];
 	WantsMountsFor: any[];
-}
+}
+
+export interface BeszelInfo {
+	key: string // public key
+	v: string // version
+	cu: boolean // check updates
+}
+
+export interface UpdateInfo {
+	v: string // new version
+	url: string // url to new version
+}