API improve security: returns 404 for unauthenticated API requests

mhsanaei 2025-09-24 11:25:35 +02:00
parent 02bff4db6c
commit 3f62592e4b
No known key found for this signature in database
GPG key ID: D875CD086CF668A0
2 changed files with 14 additions and 5 deletions


@ -1,7 +1,10 @@
package controller
import (
"net/http"
"github.com/mhsanaei/3x-ui/v2/web/service"
"github.com/mhsanaei/3x-ui/v2/web/session"
"github.com/gin-gonic/gin"
)
@ -21,11 +24,21 @@ func NewAPIController(g *gin.RouterGroup) *APIController {
return a
}
// checkAPIAuth is a middleware that returns 404 for unauthenticated API requests
// to hide the existence of API endpoints from unauthorized users
func (a *APIController) checkAPIAuth(c *gin.Context) {
if !session.IsLogin(c) {
c.AbortWithStatus(http.StatusNotFound)
return
}
c.Next()
}
// initRouter sets up the API routes for inbounds, server, and other endpoints.
func (a *APIController) initRouter(g *gin.RouterGroup) {
// Main API group
api := g.Group("/panel/api")
api.Use(a.checkLogin)
api.Use(a.checkAPIAuth)
// Inbounds API
inbounds := api.Group("/inbounds")
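Review bot: The 404 that `checkAPIAuth` writes may still be distinguishable from the router's genuine not-found response, which would undo the concealment its comment promises. `c.AbortWithStatus(http.StatusNotFound)` sends an empty body, while gin's built-in no-route response carries a short plain-text body unless the project installs its own `NoRoute` handler (not visible in this hunk). Since the middleware is attached to the `/panel/api` group it only runs for paths that match a registered route, so both cases should go through one shared not-found writer, with a test pinning that status, headers and body are identical. I would also extend the doc comment with `// Concealment is defense in depth only; session.IsLogin is the actual access control.` and consider logging the rejected path and client address before the abort so denied API calls stay visible to operators. `initRouter` continues past the end of this hunk.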


@ -8,8 +8,6 @@ import (
type XUIController struct {
BaseController
inboundController *InboundController
serverController *ServerController
settingController *SettingController
xraySettingController *XraySettingController
}
@ -31,8 +29,6 @@ func (a *XUIController) initRouter(g *gin.RouterGroup) {
g.GET("/settings", a.settings)
g.GET("/xray", a.xraySettings)
a.inboundController = NewInboundController(g)
a.serverController = NewServerController(g)
a.settingController = NewSettingController(g)
a.xraySettingController = NewXraySettingController(g)
}