3x-ui/web/service/user.go

package service

import (
	"errors"

	"github.com/mhsanaei/3x-ui/v2/database"
	"github.com/mhsanaei/3x-ui/v2/database/model"
	"github.com/mhsanaei/3x-ui/v2/logger"
	"github.com/mhsanaei/3x-ui/v2/util/crypto"
    ldaputil "github.com/mhsanaei/3x-ui/v2/util/ldap"
	"github.com/xlzd/gotp"
	"gorm.io/gorm"
)

// UserService provides business logic for user management and authentication.
// It handles user creation, login, password management, and 2FA operations.
type UserService struct {
	settingService SettingService
}

// GetFirstUser retrieves the first user from the database.
// This is typically used for initial setup or when there's only one admin user.
func (s *UserService) GetFirstUser() (*model.User, error) {
	db := database.GetDB()

	user := &model.User{}
	err := db.Model(model.User{}).
		First(user).
		Error
	if err != nil {
		return nil, err
	}
	return user, nil
}

func (s *UserService) CheckUser(username string, password string, twoFactorCode string) *model.User {
	db := database.GetDB()

	user := &model.User{}

	err := db.Model(model.User{}).
		Where("username = ?", username).
		First(user).
		Error
	if err == gorm.ErrRecordNotFound {
		return nil
	} else if err != nil {
		logger.Warning("check user err:", err)
		return nil
	}

    // If LDAP enabled and local password check fails, attempt LDAP auth
    if !crypto.CheckPasswordHash(user.Password, password) {
        ldapEnabled, _ := s.settingService.GetLdapEnable()
        if !ldapEnabled {
            return nil
        }

        host, _ := s.settingService.GetLdapHost()
        port, _ := s.settingService.GetLdapPort()
        useTLS, _ := s.settingService.GetLdapUseTLS()
        bindDN, _ := s.settingService.GetLdapBindDN()
        ldapPass, _ := s.settingService.GetLdapPassword()
        baseDN, _ := s.settingService.GetLdapBaseDN()
        userFilter, _ := s.settingService.GetLdapUserFilter()
        userAttr, _ := s.settingService.GetLdapUserAttr()

        cfg := ldaputil.Config{
            Host: host,
            Port: port,
            UseTLS: useTLS,
            BindDN: bindDN,
            Password: ldapPass,
            BaseDN: baseDN,
            UserFilter: userFilter,
            UserAttr: userAttr,
        }
        ok, err := ldaputil.AuthenticateUser(cfg, username, password)
        if err != nil || !ok {
            return nil
        }
        // On successful LDAP auth, continue 2FA checks below
    }

	twoFactorEnable, err := s.settingService.GetTwoFactorEnable()
	if err != nil {
		logger.Warning("check two factor err:", err)
		return nil
	}

	if twoFactorEnable {
		twoFactorToken, err := s.settingService.GetTwoFactorToken()

		if err != nil {
			logger.Warning("check two factor token err:", err)
			return nil
		}

		if gotp.NewDefaultTOTP(twoFactorToken).Now() != twoFactorCode {
			return nil
		}
	}

	return user
}

func (s *UserService) UpdateUser(id int, username string, password string) error {
	db := database.GetDB()
	hashedPassword, err := crypto.HashPasswordAsBcrypt(password)

	if err != nil {
		return err
	}

	twoFactorEnable, err := s.settingService.GetTwoFactorEnable()
	if err != nil {
		return err
	}

	if twoFactorEnable {
		s.settingService.SetTwoFactorEnable(false)
		s.settingService.SetTwoFactorToken("")
	}

	return db.Model(model.User{}).
		Where("id = ?", id).
		Updates(map[string]any{"username": username, "password": hashedPassword}).
		Error
}

func (s *UserService) UpdateFirstUser(username string, password string) error {
	if username == "" {
		return errors.New("username can not be empty")
	} else if password == "" {
		return errors.New("password can not be empty")
	}
	hashedPassword, er := crypto.HashPasswordAsBcrypt(password)

	if er != nil {
		return er
	}

	db := database.GetDB()
	user := &model.User{}
	err := db.Model(model.User{}).First(user).Error
	if database.IsNotFound(err) {
		user.Username = username
		user.Password = hashedPassword
		return db.Model(model.User{}).Create(user).Error
	} else if err != nil {
		return err
	}
	user.Username = username
	user.Password = hashedPassword
	return db.Save(user).Error
}
3x-ui 2023-02-09 19:18:06 +00:00			`package service`

			`import (`
			`"errors"`
Some fixes and improvements (#1997) * [refactor] api controller * [fix] access log path better to not hardcode the access log path, maybe some ppl dont want to use the default ./access.log * [fix] set select options from logs paths in xray settings * [update] .gitignore * [lint] all .go files * [update] use status code for jsonMsg and 401 to unauthorize * [update] handle response status code via axios * [fix] set correct value if log paths is set to 'none' we also use the default value for the paths if its set to none * [fix] iplimit - only warning access log if f2b is installed 2024-03-10 21:31:24 +00:00
go package correction v2 2025-09-19 08:05:43 +00:00			`"github.com/mhsanaei/3x-ui/v2/database"`
			`"github.com/mhsanaei/3x-ui/v2/database/model"`
			`"github.com/mhsanaei/3x-ui/v2/logger"`
			`"github.com/mhsanaei/3x-ui/v2/util/crypto"`
feat: add ldap component (#3568) * add ldap component * fix: fix russian comments, tls cert verify default true * feat: remove replaces go mod for local dev 2025-09-28 19:00:16 +00:00			`ldaputil "github.com/mhsanaei/3x-ui/v2/util/ldap"`
chore: implement 2fa auth (#2968) * chore: implement 2fa auth from #2786 * chore: format code * chore: replace two factor token input with qr-code * chore: requesting confirmation of setting/removing two-factor authentication otpauth library was taken from cdnjs * chore: revert changes in `ClipboardManager` don't need it. * chore: removing twoFactor prop in settings page * chore: remove `twoFactorQr` object in `mounted` function 2025-05-08 14:20:58 +00:00			`"github.com/xlzd/gotp"`
3x-ui 2023-02-09 19:18:06 +00:00			`"gorm.io/gorm"`
			`)`

docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// UserService provides business logic for user management and authentication.`
			`// It handles user creation, login, password management, and 2FA operations.`
chore: implement 2fa auth (#2968) * chore: implement 2fa auth from #2786 * chore: format code * chore: replace two factor token input with qr-code * chore: requesting confirmation of setting/removing two-factor authentication otpauth library was taken from cdnjs * chore: revert changes in `ClipboardManager` don't need it. * chore: removing twoFactor prop in settings page * chore: remove `twoFactorQr` object in `mounted` function 2025-05-08 14:20:58 +00:00			`type UserService struct {`
			`settingService SettingService`
			`}`
3x-ui 2023-02-09 19:18:06 +00:00
docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// GetFirstUser retrieves the first user from the database.`
			`// This is typically used for initial setup or when there's only one admin user.`
3x-ui 2023-02-09 19:18:06 +00:00			`func (s UserService) GetFirstUser() (model.User, error) {`
			`db := database.GetDB()`

			`user := &model.User{}`
			`err := db.Model(model.User{}).`
			`First(user).`
			`Error`
			`if err != nil {`
			`return nil, err`
			`}`
			`return user, nil`
			`}`

chore: implement 2fa auth (#2968) * chore: implement 2fa auth from #2786 * chore: format code * chore: replace two factor token input with qr-code * chore: requesting confirmation of setting/removing two-factor authentication otpauth library was taken from cdnjs * chore: revert changes in `ClipboardManager` don't need it. * chore: removing twoFactor prop in settings page * chore: remove `twoFactorQr` object in `mounted` function 2025-05-08 14:20:58 +00:00			`func (s UserService) CheckUser(username string, password string, twoFactorCode string) model.User {`
3x-ui 2023-02-09 19:18:06 +00:00			`db := database.GetDB()`

			`user := &model.User{}`
feat: hashing user passwords solves problems #2944, #2783 2025-05-03 09:27:53 +00:00
3x-ui 2023-02-09 19:18:06 +00:00			`err := db.Model(model.User{}).`
chore: implement 2fa auth (#2968) * chore: implement 2fa auth from #2786 * chore: format code * chore: replace two factor token input with qr-code * chore: requesting confirmation of setting/removing two-factor authentication otpauth library was taken from cdnjs * chore: revert changes in `ClipboardManager` don't need it. * chore: removing twoFactor prop in settings page * chore: remove `twoFactorQr` object in `mounted` function 2025-05-08 14:20:58 +00:00			`Where("username = ?", username).`
3x-ui 2023-02-09 19:18:06 +00:00			`First(user).`
			`Error`
			`if err == gorm.ErrRecordNotFound {`
			`return nil`
			`} else if err != nil {`
			`logger.Warning("check user err:", err)`
			`return nil`
			`}`
feat: hashing user passwords solves problems #2944, #2783 2025-05-03 09:27:53 +00:00
feat: add ldap component (#3568) * add ldap component * fix: fix russian comments, tls cert verify default true * feat: remove replaces go mod for local dev 2025-09-28 19:00:16 +00:00			`// If LDAP enabled and local password check fails, attempt LDAP auth`
			`if !crypto.CheckPasswordHash(user.Password, password) {`
			`ldapEnabled, _ := s.settingService.GetLdapEnable()`
			`if !ldapEnabled {`
			`return nil`
			`}`

			`host, _ := s.settingService.GetLdapHost()`
			`port, _ := s.settingService.GetLdapPort()`
			`useTLS, _ := s.settingService.GetLdapUseTLS()`
			`bindDN, _ := s.settingService.GetLdapBindDN()`
			`ldapPass, _ := s.settingService.GetLdapPassword()`
			`baseDN, _ := s.settingService.GetLdapBaseDN()`
			`userFilter, _ := s.settingService.GetLdapUserFilter()`
			`userAttr, _ := s.settingService.GetLdapUserAttr()`

			`cfg := ldaputil.Config{`
			`Host: host,`
			`Port: port,`
			`UseTLS: useTLS,`
			`BindDN: bindDN,`
			`Password: ldapPass,`
			`BaseDN: baseDN,`
			`UserFilter: userFilter,`
			`UserAttr: userAttr,`
			`}`
			`ok, err := ldaputil.AuthenticateUser(cfg, username, password)`
			`if err != nil \|\| !ok {`
			`return nil`
			`}`
			`// On successful LDAP auth, continue 2FA checks below`
			`}`
feat: hashing user passwords solves problems #2944, #2783 2025-05-03 09:27:53 +00:00
chore: implement 2fa auth (#2968) * chore: implement 2fa auth from #2786 * chore: format code * chore: replace two factor token input with qr-code * chore: requesting confirmation of setting/removing two-factor authentication otpauth library was taken from cdnjs * chore: revert changes in `ClipboardManager` don't need it. * chore: removing twoFactor prop in settings page * chore: remove `twoFactorQr` object in `mounted` function 2025-05-08 14:20:58 +00:00			`twoFactorEnable, err := s.settingService.GetTwoFactorEnable()`
feat: hashing user passwords solves problems #2944, #2783 2025-05-03 09:27:53 +00:00			`if err != nil {`
chore: implement 2fa auth (#2968) * chore: implement 2fa auth from #2786 * chore: format code * chore: replace two factor token input with qr-code * chore: requesting confirmation of setting/removing two-factor authentication otpauth library was taken from cdnjs * chore: revert changes in `ClipboardManager` don't need it. * chore: removing twoFactor prop in settings page * chore: remove `twoFactorQr` object in `mounted` function 2025-05-08 14:20:58 +00:00			`logger.Warning("check two factor err:", err)`
			`return nil`
feat: hashing user passwords solves problems #2944, #2783 2025-05-03 09:27:53 +00:00			`}`

chore: implement 2fa auth (#2968) * chore: implement 2fa auth from #2786 * chore: format code * chore: replace two factor token input with qr-code * chore: requesting confirmation of setting/removing two-factor authentication otpauth library was taken from cdnjs * chore: revert changes in `ClipboardManager` don't need it. * chore: removing twoFactor prop in settings page * chore: remove `twoFactorQr` object in `mounted` function 2025-05-08 14:20:58 +00:00			`if twoFactorEnable {`
			`twoFactorToken, err := s.settingService.GetTwoFactorToken()`
3x-ui 2023-02-09 19:18:06 +00:00
chore: implement 2fa auth (#2968) * chore: implement 2fa auth from #2786 * chore: format code * chore: replace two factor token input with qr-code * chore: requesting confirmation of setting/removing two-factor authentication otpauth library was taken from cdnjs * chore: revert changes in `ClipboardManager` don't need it. * chore: removing twoFactor prop in settings page * chore: remove `twoFactorQr` object in `mounted` function 2025-05-08 14:20:58 +00:00			`if err != nil {`
			`logger.Warning("check two factor token err:", err)`
			`return nil`
			`}`
secret token thanks to @HarlyquinForest 2023-04-21 15:30:14 +00:00
chore: implement 2fa auth (#2968) * chore: implement 2fa auth from #2786 * chore: format code * chore: replace two factor token input with qr-code * chore: requesting confirmation of setting/removing two-factor authentication otpauth library was taken from cdnjs * chore: revert changes in `ClipboardManager` don't need it. * chore: removing twoFactor prop in settings page * chore: remove `twoFactorQr` object in `mounted` function 2025-05-08 14:20:58 +00:00			`if gotp.NewDefaultTOTP(twoFactorToken).Now() != twoFactorCode {`
			`return nil`
			`}`
secret token thanks to @HarlyquinForest 2023-04-21 15:30:14 +00:00			`}`
chore: implement 2fa auth (#2968) * chore: implement 2fa auth from #2786 * chore: format code * chore: replace two factor token input with qr-code * chore: requesting confirmation of setting/removing two-factor authentication otpauth library was taken from cdnjs * chore: revert changes in `ClipboardManager` don't need it. * chore: removing twoFactor prop in settings page * chore: remove `twoFactorQr` object in `mounted` function 2025-05-08 14:20:58 +00:00
secret token thanks to @HarlyquinForest 2023-04-21 15:30:14 +00:00			`return user`
			`}`

chore: implement 2fa auth (#2968) * chore: implement 2fa auth from #2786 * chore: format code * chore: replace two factor token input with qr-code * chore: requesting confirmation of setting/removing two-factor authentication otpauth library was taken from cdnjs * chore: revert changes in `ClipboardManager` don't need it. * chore: removing twoFactor prop in settings page * chore: remove `twoFactorQr` object in `mounted` function 2025-05-08 14:20:58 +00:00			`func (s *UserService) UpdateUser(id int, username string, password string) error {`
bug fix - remove secret 2024-03-12 17:15:44 +00:00			`db := database.GetDB()`
chore: implement 2fa auth (#2968) * chore: implement 2fa auth from #2786 * chore: format code * chore: replace two factor token input with qr-code * chore: requesting confirmation of setting/removing two-factor authentication otpauth library was taken from cdnjs * chore: revert changes in `ClipboardManager` don't need it. * chore: removing twoFactor prop in settings page * chore: remove `twoFactorQr` object in `mounted` function 2025-05-08 14:20:58 +00:00			`hashedPassword, err := crypto.HashPasswordAsBcrypt(password)`
bug fix - remove secret 2024-03-12 17:15:44 +00:00
			`if err != nil {`
chore: implement 2fa auth (#2968) * chore: implement 2fa auth from #2786 * chore: format code * chore: replace two factor token input with qr-code * chore: requesting confirmation of setting/removing two-factor authentication otpauth library was taken from cdnjs * chore: revert changes in `ClipboardManager` don't need it. * chore: removing twoFactor prop in settings page * chore: remove `twoFactorQr` object in `mounted` function 2025-05-08 14:20:58 +00:00			`return err`
bug fix - remove secret 2024-03-12 17:15:44 +00:00			`}`

chore: reset two-factor authentication after changing admin credentials (#3029) * chore: add `resetTwoFactor` argument for main.go fixes #3025 * chore: reset two-factor authentication after changing admin credentials * chore: reset two-factor authentication after changing admin credentials --------- Co-authored-by: somebodywashere <68244480+somebodywashere@users.noreply.github.com> Co-authored-by: Sanaei <ho3ein.sanaei@gmail.com> 2025-07-02 09:25:25 +00:00			`twoFactorEnable, err := s.settingService.GetTwoFactorEnable()`
			`if err != nil {`
			`return err`
			`}`

			`if twoFactorEnable {`
			`s.settingService.SetTwoFactorEnable(false)`
			`s.settingService.SetTwoFactorToken("")`
			`}`

chore: implement 2fa auth (#2968) * chore: implement 2fa auth from #2786 * chore: format code * chore: replace two factor token input with qr-code * chore: requesting confirmation of setting/removing two-factor authentication otpauth library was taken from cdnjs * chore: revert changes in `ClipboardManager` don't need it. * chore: removing twoFactor prop in settings page * chore: remove `twoFactorQr` object in `mounted` function 2025-05-08 14:20:58 +00:00			`return db.Model(model.User{}).`
			`Where("id = ?", id).`
			`Updates(map[string]any{"username": username, "password": hashedPassword}).`
			`Error`
bug fix - remove secret 2024-03-12 17:15:44 +00:00			`}`

3x-ui 2023-02-09 19:18:06 +00:00			`func (s *UserService) UpdateFirstUser(username string, password string) error {`
			`if username == "" {`
			`return errors.New("username can not be empty")`
			`} else if password == "" {`
			`return errors.New("password can not be empty")`
			`}`
feat: hashing user passwords solves problems #2944, #2783 2025-05-03 09:27:53 +00:00			`hashedPassword, er := crypto.HashPasswordAsBcrypt(password)`

			`if er != nil {`
			`return er`
			`}`

3x-ui 2023-02-09 19:18:06 +00:00			`db := database.GetDB()`
			`user := &model.User{}`
			`err := db.Model(model.User{}).First(user).Error`
			`if database.IsNotFound(err) {`
			`user.Username = username`
feat: hashing user passwords solves problems #2944, #2783 2025-05-03 09:27:53 +00:00			`user.Password = hashedPassword`
3x-ui 2023-02-09 19:18:06 +00:00			`return db.Model(model.User{}).Create(user).Error`
			`} else if err != nil {`
			`return err`
			`}`
			`user.Username = username`
feat: hashing user passwords solves problems #2944, #2783 2025-05-03 09:27:53 +00:00			`user.Password = hashedPassword`
3x-ui 2023-02-09 19:18:06 +00:00			`return db.Save(user).Error`
			`}`