Initial
This commit is contained in:
11
README.md
11
README.md
@@ -512,6 +512,7 @@ Payload:
|
||||
| --- | --- | --- | --- |
|
||||
| `GET` | `/api/hosts` | User | List host library. |
|
||||
| `POST` | `/api/hosts` | User | Create host. |
|
||||
| `POST` | `/api/hosts/:id/rdp-session` | User | Create a short-lived browser RDP launch session for a visible Windows host with an assigned visible username/password credential. Returns a same-origin `/rdp/:token` URL. |
|
||||
| `GET` | `/api/hosts/import/vcenter/status` | User | Return legacy effective vCenter status plus visible saved VMware connection records. |
|
||||
| `GET` | `/api/hosts/import/vcenter/connections` | User | List visible saved VMware connections. |
|
||||
| `POST` | `/api/hosts/import/vcenter/connections` | User | Create a VMware connection record using a Credential Vault `credentialId`. Use `targetType: "vcenter"` for vCenter inventory or `targetType: "host"` for standalone ESXi Web Services inventory. |
|
||||
@@ -562,6 +563,15 @@ and `sourceRef` to the vCenter VM id. `osFamily` is normalized to `windows`,
|
||||
infer it from inventory. vCenter imports infer Windows/Linux from VMware Tools
|
||||
guest identity when available; unknown guests are imported as `other`.
|
||||
|
||||
Windows hosts with an assigned visible username/password Credential Vault entry
|
||||
show an RDP icon in the Hosts table. Clicking it calls
|
||||
`POST /api/hosts/:id/rdp-session`, opens a same-origin `/rdp/:token`
|
||||
tab, and renders a browser RDP canvas through `mstsc.js`. The browser receives
|
||||
only a short-lived opaque launch token; POSHManager resolves the host address
|
||||
and decrypts the assigned credential server-side. The RDP gateway uses the
|
||||
default RDP port `3389`; PowerShell remoting `port` metadata remains separate
|
||||
from RDP launch behavior.
|
||||
|
||||
Host Groups let operators aggregate manual, imported, and VMware-sourced hosts
|
||||
without duplicating RunPlans. Manual groups store an explicit list of visible
|
||||
host IDs that an operator can add/remove in the Hosts screen. Dynamic groups
|
||||
@@ -1379,6 +1389,7 @@ on the target platform before broad execution.
|
||||
|
||||
- SQLite access uses prepared statements through `node:sqlite`.
|
||||
- Credential secrets are encrypted with AES-256-GCM and are not returned by API reads.
|
||||
- Browser RDP sessions use `mstsc.js` with short-lived POSHManager launch tokens; host passwords stay in the API process and are never embedded in the Vue app or launch URL. The upstream `mstsc.js` dependency is legacy and currently brings transitive npm audit findings, so expose `/rdp` only through authenticated POSHManager/reverse-proxy paths and restrict network access to trusted operators.
|
||||
- Request logs redact authorization and cookie headers.
|
||||
- Protected routes use JWT auth.
|
||||
- Admin-only APIs are guarded by `requireAdmin`.
|
||||
|
||||
Reference in New Issue
Block a user