3x-ui/web/controller/xui.go

package controller

import (
	"net/http"

	"github.com/mhsanaei/3x-ui/v2/web/entity"
	"github.com/mhsanaei/3x-ui/v2/web/middleware"
	"github.com/mhsanaei/3x-ui/v2/web/session"

	"github.com/gin-gonic/gin"
)

// XUIController is the main controller for the X-UI panel, managing sub-controllers.
type XUIController struct {
	BaseController

	settingController     *SettingController
	xraySettingController *XraySettingController
}

// NewXUIController creates a new XUIController and initializes its routes.
func NewXUIController(g *gin.RouterGroup) *XUIController {
	a := &XUIController{}
	a.initRouter(g)
	return a
}

// initRouter sets up the main panel routes and initializes sub-controllers.
func (a *XUIController) initRouter(g *gin.RouterGroup) {
	g = g.Group("/panel")
	g.Use(a.checkLogin)
	g.Use(middleware.CSRFMiddleware())

	g.GET("/", a.index)
	g.GET("/inbounds", a.inbounds)
	g.GET("/settings", a.settings)
	g.GET("/xray", a.xraySettings)

	// SPA pages built by Vite don't have a server-rendered <meta name="csrf-token">,
	// so they fetch the session token via this endpoint at startup and replay it
	// on subsequent unsafe requests through axios.
	g.GET("/csrf-token", a.csrfToken)

	a.settingController = NewSettingController(g)
	a.xraySettingController = NewXraySettingController(g)
}

// index renders the main panel index page.
func (a *XUIController) index(c *gin.Context) {
	html(c, "index.html", "pages.index.title", nil)
}

// inbounds renders the inbounds management page.
func (a *XUIController) inbounds(c *gin.Context) {
	html(c, "inbounds.html", "pages.inbounds.title", nil)
}

// settings renders the settings management page.
func (a *XUIController) settings(c *gin.Context) {
	html(c, "settings.html", "pages.settings.title", nil)
}

// xraySettings renders the Xray settings page.
func (a *XUIController) xraySettings(c *gin.Context) {
	html(c, "xray.html", "pages.xray.title", nil)
}

// csrfToken returns the session CSRF token to authenticated SPA clients.
// The endpoint is GET (a safe method) so it bypasses CSRFMiddleware itself,
// but checkLogin still gates the response — anonymous callers get 401/redirect.
func (a *XUIController) csrfToken(c *gin.Context) {
	token, err := session.EnsureCSRFToken(c)
	if err != nil {
		c.JSON(http.StatusInternalServerError, entity.Msg{Success: false, Msg: err.Error()})
		return
	}
	c.JSON(http.StatusOK, entity.Msg{Success: true, Obj: token})
}
3x-ui 2023-02-09 19:18:06 +00:00			`package controller`

			`import (`
fix(csrf): expose token endpoint for SPA pages and fetch it from axios The legacy panel pages got their CSRF token from a <meta name="csrf-token"> tag rendered by Go. SPA pages built by Vite don't have that, so every unsafe (POST/PUT/DELETE) request from them was hitting CSRFMiddleware with no token and getting 403 — visible as the settings page being stuck on "Loading…" because POST /panel/setting/all failed. - web/controller/xui.go: GET /panel/csrf-token returns the session token. Lives under the xui group so checkLogin still gates it; the CSRFMiddleware on the same group is a no-op for GET. - frontend/src/api/axios-init.js: cache the token at module scope and lazy-fetch it when a non-safe request needs one. Seed from the meta tag first when present (legacy compat). On a 403 response, drop the cache and retry once — handles the case where a server restart rotated the token after the SPA loaded. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-08 11:20:26 +00:00			`"net/http"`

			`"github.com/mhsanaei/3x-ui/v2/web/entity"`
Implement CSRF protection and security hardening across the application (#4179) * Implement CSRF protection and security hardening across the application - Added CSRF token handling in axios requests and HTML templates. - Introduced CSRF middleware to validate tokens for unsafe HTTP methods. - Implemented login limiter to prevent brute-force attacks. - Enhanced security headers in middleware for improved response security. - Updated login notification to include safe metadata without passwords. - Added tests for CSRF middleware and login limiter functionality. * fix 2026-05-07 21:36:11 +00:00			`"github.com/mhsanaei/3x-ui/v2/web/middleware"`
fix(csrf): expose token endpoint for SPA pages and fetch it from axios The legacy panel pages got their CSRF token from a <meta name="csrf-token"> tag rendered by Go. SPA pages built by Vite don't have that, so every unsafe (POST/PUT/DELETE) request from them was hitting CSRFMiddleware with no token and getting 403 — visible as the settings page being stuck on "Loading…" because POST /panel/setting/all failed. - web/controller/xui.go: GET /panel/csrf-token returns the session token. Lives under the xui group so checkLogin still gates it; the CSRFMiddleware on the same group is a no-op for GET. - frontend/src/api/axios-init.js: cache the token at module scope and lazy-fetch it when a non-safe request needs one. Seed from the meta tag first when present (legacy compat). On a 403 response, drop the cache and retry once — handles the case where a server restart rotated the token after the SPA loaded. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-08 11:20:26 +00:00			`"github.com/mhsanaei/3x-ui/v2/web/session"`
Implement CSRF protection and security hardening across the application (#4179) * Implement CSRF protection and security hardening across the application - Added CSRF token handling in axios requests and HTML templates. - Introduced CSRF middleware to validate tokens for unsafe HTTP methods. - Implemented login limiter to prevent brute-force attacks. - Enhanced security headers in middleware for improved response security. - Updated login notification to include safe metadata without passwords. - Added tests for CSRF middleware and login limiter functionality. * fix 2026-05-07 21:36:11 +00:00
3x-ui 2023-02-09 19:18:06 +00:00			`"github.com/gin-gonic/gin"`
			`)`

docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// XUIController is the main controller for the X-UI panel, managing sub-controllers.`
3x-ui 2023-02-09 19:18:06 +00:00			`type XUIController struct {`
			`BaseController`

separate xray page #1286 2023-12-04 18:20:46 +00:00			`settingController *SettingController`
			`xraySettingController *XraySettingController`
3x-ui 2023-02-09 19:18:06 +00:00			`}`

docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// NewXUIController creates a new XUIController and initializes its routes.`
3x-ui 2023-02-09 19:18:06 +00:00			`func NewXUIController(g gin.RouterGroup) XUIController {`
			`a := &XUIController{}`
			`a.initRouter(g)`
			`return a`
			`}`

docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// initRouter sets up the main panel routes and initializes sub-controllers.`
3x-ui 2023-02-09 19:18:06 +00:00			`func (a XUIController) initRouter(g gin.RouterGroup) {`
Change route path '/xui' to '/panel' 2023-05-12 18:06:05 +00:00			`g = g.Group("/panel")`
3x-ui 2023-02-09 19:18:06 +00:00			`g.Use(a.checkLogin)`
Implement CSRF protection and security hardening across the application (#4179) * Implement CSRF protection and security hardening across the application - Added CSRF token handling in axios requests and HTML templates. - Introduced CSRF middleware to validate tokens for unsafe HTTP methods. - Implemented login limiter to prevent brute-force attacks. - Enhanced security headers in middleware for improved response security. - Updated login notification to include safe metadata without passwords. - Added tests for CSRF middleware and login limiter functionality. * fix 2026-05-07 21:36:11 +00:00			`g.Use(middleware.CSRFMiddleware())`
3x-ui 2023-02-09 19:18:06 +00:00
			`g.GET("/", a.index)`
			`g.GET("/inbounds", a.inbounds)`
renamed setting.html to settings.html and update its route name 2023-05-04 16:39:08 +00:00			`g.GET("/settings", a.settings)`
separate xray page #1286 2023-12-04 18:20:46 +00:00			`g.GET("/xray", a.xraySettings)`
3x-ui 2023-02-09 19:18:06 +00:00
fix(csrf): expose token endpoint for SPA pages and fetch it from axios The legacy panel pages got their CSRF token from a <meta name="csrf-token"> tag rendered by Go. SPA pages built by Vite don't have that, so every unsafe (POST/PUT/DELETE) request from them was hitting CSRFMiddleware with no token and getting 403 — visible as the settings page being stuck on "Loading…" because POST /panel/setting/all failed. - web/controller/xui.go: GET /panel/csrf-token returns the session token. Lives under the xui group so checkLogin still gates it; the CSRFMiddleware on the same group is a no-op for GET. - frontend/src/api/axios-init.js: cache the token at module scope and lazy-fetch it when a non-safe request needs one. Seed from the meta tag first when present (legacy compat). On a 403 response, drop the cache and retry once — handles the case where a server restart rotated the token after the SPA loaded. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-08 11:20:26 +00:00			`// SPA pages built by Vite don't have a server-rendered <meta name="csrf-token">,`
			`// so they fetch the session token via this endpoint at startup and replay it`
			`// on subsequent unsafe requests through axios.`
			`g.GET("/csrf-token", a.csrfToken)`

3x-ui 2023-02-09 19:18:06 +00:00			`a.settingController = NewSettingController(g)`
separate xray page #1286 2023-12-04 18:20:46 +00:00			`a.xraySettingController = NewXraySettingController(g)`
3x-ui 2023-02-09 19:18:06 +00:00			`}`

docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// index renders the main panel index page.`
3x-ui 2023-02-09 19:18:06 +00:00			`func (a XUIController) index(c gin.Context) {`
			`html(c, "index.html", "pages.index.title", nil)`
			`}`

docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// inbounds renders the inbounds management page.`
3x-ui 2023-02-09 19:18:06 +00:00			`func (a XUIController) inbounds(c gin.Context) {`
			`html(c, "inbounds.html", "pages.inbounds.title", nil)`
			`}`

docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// settings renders the settings management page.`
renamed setting.html to settings.html and update its route name 2023-05-04 16:39:08 +00:00			`func (a XUIController) settings(c gin.Context) {`
update translation 2023-05-04 17:52:54 +00:00			`html(c, "settings.html", "pages.settings.title", nil)`
3x-ui 2023-02-09 19:18:06 +00:00			`}`
separate xray page #1286 2023-12-04 18:20:46 +00:00
docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// xraySettings renders the Xray settings page.`
separate xray page #1286 2023-12-04 18:20:46 +00:00			`func (a XUIController) xraySettings(c gin.Context) {`
			`html(c, "xray.html", "pages.xray.title", nil)`
			`}`
fix(csrf): expose token endpoint for SPA pages and fetch it from axios The legacy panel pages got their CSRF token from a <meta name="csrf-token"> tag rendered by Go. SPA pages built by Vite don't have that, so every unsafe (POST/PUT/DELETE) request from them was hitting CSRFMiddleware with no token and getting 403 — visible as the settings page being stuck on "Loading…" because POST /panel/setting/all failed. - web/controller/xui.go: GET /panel/csrf-token returns the session token. Lives under the xui group so checkLogin still gates it; the CSRFMiddleware on the same group is a no-op for GET. - frontend/src/api/axios-init.js: cache the token at module scope and lazy-fetch it when a non-safe request needs one. Seed from the meta tag first when present (legacy compat). On a 403 response, drop the cache and retry once — handles the case where a server restart rotated the token after the SPA loaded. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-08 11:20:26 +00:00
			`// csrfToken returns the session CSRF token to authenticated SPA clients.`
			`// The endpoint is GET (a safe method) so it bypasses CSRFMiddleware itself,`
			`// but checkLogin still gates the response — anonymous callers get 401/redirect.`
			`func (a XUIController) csrfToken(c gin.Context) {`
			`token, err := session.EnsureCSRFToken(c)`
			`if err != nil {`
			`c.JSON(http.StatusInternalServerError, entity.Msg{Success: false, Msg: err.Error()})`
			`return`
			`}`
			`c.JSON(http.StatusOK, entity.Msg{Success: true, Obj: token})`
			`}`