3x-ui/web/controller/base.go

// Package controller provides HTTP request handlers and controllers for the 3x-ui web management panel.
// It handles routing, authentication, and API endpoints for managing Xray inbounds, settings, and more.
package controller

import (
	"net/http"
	"strings"

	"github.com/mhsanaei/3x-ui/v3/logger"
	"github.com/mhsanaei/3x-ui/v3/util/crypto"
	"github.com/mhsanaei/3x-ui/v3/web/locale"
	"github.com/mhsanaei/3x-ui/v3/web/session"

	"github.com/gin-gonic/gin"
)

// BaseController provides common functionality for all controllers, including authentication checks.
type BaseController struct{}

// checkLogin is a middleware that verifies user authentication and handles unauthorized access.
func (a *BaseController) checkLogin(c *gin.Context) {
	user := session.GetLoginUser(c)
	if user == nil {
		if isAjax(c) {
			pureJsonMsg(c, http.StatusUnauthorized, false, I18nWeb(c, "pages.login.loginAgain"))
		} else {
			c.Header("Cache-Control", "no-store")
			c.Redirect(http.StatusTemporaryRedirect, c.GetString("base_path"))
		}
		c.Abort()
		return
	}
	if isDefaultAdminCredential(user.Username, user.Password) && !credentialChangeRouteAllowed(c) {
		if isAjax(c) {
			pureJsonMsg(c, http.StatusForbidden, false, "Change the default admin credentials before continuing.")
		} else {
			c.Header("Cache-Control", "no-store")
			c.Redirect(http.StatusTemporaryRedirect, c.GetString("base_path")+"panel/settings")
		}
		c.Abort()
	} else {
		c.Next()
	}
}

func isDefaultAdminCredential(username string, hashedPassword string) bool {
	return username == "admin" && crypto.CheckPasswordHash(hashedPassword, "admin")
}

func credentialChangeRouteAllowed(c *gin.Context) bool {
	basePath := c.GetString("base_path")
	path := c.Request.URL.Path
	allowedPrefixes := []string{
		basePath + "panel/settings",
		basePath + "panel/setting/",
		basePath + "panel/csrf-token",
	}
	for _, prefix := range allowedPrefixes {
		if strings.HasPrefix(path, prefix) {
			return true
		}
	}
	return false
}

// I18nWeb retrieves an internationalized message for the web interface based on the current locale.
func I18nWeb(c *gin.Context, name string, params ...string) string {
	anyfunc, funcExists := c.Get("I18n")
	if !funcExists {
		logger.Warning("I18n function not exists in gin context!")
		return ""
	}
	i18nFunc, _ := anyfunc.(func(i18nType locale.I18nType, key string, keyParams ...string) string)
	msg := i18nFunc(locale.Web, name, params...)
	return msg
}
docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// Package controller provides HTTP request handlers and controllers for the 3x-ui web management panel.`
			`// It handles routing, authentication, and API endpoints for managing Xray inbounds, settings, and more.`
3x-ui 2023-02-09 19:18:06 +00:00			`package controller`

			`import (`
			`"net/http"`
feat(auth): block panel with default admin/admin credentials and guide credential change checkLogin middleware now detects default admin/admin credentials and redirects every panel route to /panel/settings until they are changed. The settings page auto-opens the Authentication tab, shows a non-dismissible error banner, and lists 'Default credentials' first in the security checklist. Login response includes mustChangeCredentials so the login page can redirect directly. Logout is now POST-only. Password must be at least 10 characters and cannot be admin/admin. 2026-05-11 19:09:48 +00:00			`"strings"`
Some fixes and improvements (#1997) * [refactor] api controller * [fix] access log path better to not hardcode the access log path, maybe some ppl dont want to use the default ./access.log * [fix] set select options from logs paths in xray settings * [update] .gitignore * [lint] all .go files * [update] use status code for jsonMsg and 401 to unauthorize * [update] handle response status code via axios * [fix] set correct value if log paths is set to 'none' we also use the default value for the paths if its set to none * [fix] iplimit - only warning access log if f2b is installed 2024-03-10 21:31:24 +00:00
v3 2026-05-10 00:13:42 +00:00			`"github.com/mhsanaei/3x-ui/v3/logger"`
feat(auth): block panel with default admin/admin credentials and guide credential change checkLogin middleware now detects default admin/admin credentials and redirects every panel route to /panel/settings until they are changed. The settings page auto-opens the Authentication tab, shows a non-dismissible error banner, and lists 'Default credentials' first in the security checklist. Login response includes mustChangeCredentials so the login page can redirect directly. Logout is now POST-only. Password must be at least 10 characters and cannot be admin/admin. 2026-05-11 19:09:48 +00:00			`"github.com/mhsanaei/3x-ui/v3/util/crypto"`
v3 2026-05-10 00:13:42 +00:00			`"github.com/mhsanaei/3x-ui/v3/web/locale"`
			`"github.com/mhsanaei/3x-ui/v3/web/session"`
[feature] add sniffing DestOverride options #298 Co-Authored-By: Alireza Ahmadi <alireza7@gmail.com> 2023-04-29 15:17:44 +00:00
			`"github.com/gin-gonic/gin"`
3x-ui 2023-02-09 19:18:06 +00:00			`)`

docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// BaseController provides common functionality for all controllers, including authentication checks.`
Some fixes and improvements (#1997) * [refactor] api controller * [fix] access log path better to not hardcode the access log path, maybe some ppl dont want to use the default ./access.log * [fix] set select options from logs paths in xray settings * [update] .gitignore * [lint] all .go files * [update] use status code for jsonMsg and 401 to unauthorize * [update] handle response status code via axios * [fix] set correct value if log paths is set to 'none' we also use the default value for the paths if its set to none * [fix] iplimit - only warning access log if f2b is installed 2024-03-10 21:31:24 +00:00			`type BaseController struct{}`
3x-ui 2023-02-09 19:18:06 +00:00
docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// checkLogin is a middleware that verifies user authentication and handles unauthorized access.`
3x-ui 2023-02-09 19:18:06 +00:00			`func (a BaseController) checkLogin(c gin.Context) {`
feat(auth): block panel with default admin/admin credentials and guide credential change checkLogin middleware now detects default admin/admin credentials and redirects every panel route to /panel/settings until they are changed. The settings page auto-opens the Authentication tab, shows a non-dismissible error banner, and lists 'Default credentials' first in the security checklist. Login response includes mustChangeCredentials so the login page can redirect directly. Logout is now POST-only. Password must be at least 10 characters and cannot be admin/admin. 2026-05-11 19:09:48 +00:00			`user := session.GetLoginUser(c)`
			`if user == nil {`
3x-ui 2023-02-09 19:18:06 +00:00			`if isAjax(c) {`
Some fixes and improvements (#1997) * [refactor] api controller * [fix] access log path better to not hardcode the access log path, maybe some ppl dont want to use the default ./access.log * [fix] set select options from logs paths in xray settings * [update] .gitignore * [lint] all .go files * [update] use status code for jsonMsg and 401 to unauthorize * [update] handle response status code via axios * [fix] set correct value if log paths is set to 'none' we also use the default value for the paths if its set to none * [fix] iplimit - only warning access log if f2b is installed 2024-03-10 21:31:24 +00:00			`pureJsonMsg(c, http.StatusUnauthorized, false, I18nWeb(c, "pages.login.loginAgain"))`
3x-ui 2023-02-09 19:18:06 +00:00			`} else {`
fix(panel): make webBasePath work end-to-end in dev and prod - Vite dev server reads webBasePath from x-ui.db via node:sqlite and injects __X_UI_BASE_PATH__ on every HTML serve, mirroring dist.go. Single broad proxy regex catches backend routes whether the URL is prefixed or not, and the bypass serves login.html for the bare basePath URL so post-logout navigation lands on Vite's own page instead of the production dist HTML's hashed asset URLs. - axios.defaults.baseURL is set from __X_UI_BASE_PATH__ at startup so HttpUtil calls reach the backend's basePath group instead of 404ing on every prefixed install. fetch() for the public CSRF endpoint prepends the prefix manually since it doesn't honor axios defaults. - Logout/redirect responses set Cache-Control: no-store and the index handler's logged-in redirect uses an absolute base_path+panel/ URL, preventing browsers from replaying a stale cached 307 that bounced the user back to /panel/ after logout. - ClearSession also issues a Path=/ deletion cookie when basePath is not "/", so a legacy cookie from an earlier basePath setting can't keep IsLogin returning true after logout. - getPanelUpdateInfo no longer returns a translated error message on GitHub fetch failures, so HttpUtil's auto-popup stays quiet on offline / blocked environments. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-09 19:47:37 +00:00			`c.Header("Cache-Control", "no-store")`
3x-ui 2023-02-09 19:18:06 +00:00			`c.Redirect(http.StatusTemporaryRedirect, c.GetString("base_path"))`
			`}`
			`c.Abort()`
feat(auth): block panel with default admin/admin credentials and guide credential change checkLogin middleware now detects default admin/admin credentials and redirects every panel route to /panel/settings until they are changed. The settings page auto-opens the Authentication tab, shows a non-dismissible error banner, and lists 'Default credentials' first in the security checklist. Login response includes mustChangeCredentials so the login page can redirect directly. Logout is now POST-only. Password must be at least 10 characters and cannot be admin/admin. 2026-05-11 19:09:48 +00:00			`return`
			`}`
			`if isDefaultAdminCredential(user.Username, user.Password) && !credentialChangeRouteAllowed(c) {`
			`if isAjax(c) {`
			`pureJsonMsg(c, http.StatusForbidden, false, "Change the default admin credentials before continuing.")`
			`} else {`
			`c.Header("Cache-Control", "no-store")`
			`c.Redirect(http.StatusTemporaryRedirect, c.GetString("base_path")+"panel/settings")`
			`}`
			`c.Abort()`
3x-ui 2023-02-09 19:18:06 +00:00			`} else {`
			`c.Next()`
			`}`
			`}`

feat(auth): block panel with default admin/admin credentials and guide credential change checkLogin middleware now detects default admin/admin credentials and redirects every panel route to /panel/settings until they are changed. The settings page auto-opens the Authentication tab, shows a non-dismissible error banner, and lists 'Default credentials' first in the security checklist. Login response includes mustChangeCredentials so the login page can redirect directly. Logout is now POST-only. Password must be at least 10 characters and cannot be admin/admin. 2026-05-11 19:09:48 +00:00			`func isDefaultAdminCredential(username string, hashedPassword string) bool {`
			`return username == "admin" && crypto.CheckPasswordHash(hashedPassword, "admin")`
			`}`

			`func credentialChangeRouteAllowed(c *gin.Context) bool {`
			`basePath := c.GetString("base_path")`
			`path := c.Request.URL.Path`
			`allowedPrefixes := []string{`
			`basePath + "panel/settings",`
			`basePath + "panel/setting/",`
			`basePath + "panel/csrf-token",`
			`}`
			`for _, prefix := range allowedPrefixes {`
			`if strings.HasPrefix(path, prefix) {`
			`return true`
			`}`
			`}`
			`return false`
			`}`

docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// I18nWeb retrieves an internationalized message for the web interface based on the current locale.`
rename I18n to I18nWeb 2023-05-20 22:59:27 +00:00			`func I18nWeb(c *gin.Context, name string, params ...string) string {`
update I18n function for controller 2023-05-20 15:19:39 +00:00			`anyfunc, funcExists := c.Get("I18n")`
			`if !funcExists {`
			`logger.Warning("I18n function not exists in gin context!")`
			`return ""`
			`}`
			`i18nFunc, _ := anyfunc.(func(i18nType locale.I18nType, key string, keyParams ...string) string)`
			`msg := i18nFunc(locale.Web, name, params...)`
			`return msg`
3x-ui 2023-02-09 19:18:06 +00:00			`}`