From 3f62592e4b98c38d2164c9949ed971ed5d2b21cc Mon Sep 17 00:00:00 2001
From: mhsanaei
Date: Wed, 24 Sep 2025 11:25:35 +0200
Subject: [PATCH] API improve security: returns 404 for unauthenticated API requests

---
 web/controller/api.go | 15 ++++++++++++++-
 web/controller/xui.go | 4 ----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/web/controller/api.go b/web/controller/api.go
index dbd3f28d..1a39f8ed 100644
--- a/web/controller/api.go
+++ b/web/controller/api.go
@@ -1,7 +1,10 @@
 package controller
 
 import (
+	"net/http"
+
 	"github.com/mhsanaei/3x-ui/v2/web/service"
+	"github.com/mhsanaei/3x-ui/v2/web/session"
 	"github.com/gin-gonic/gin"
 )
 
@@ -21,11 +24,21 @@ func NewAPIController(g *gin.RouterGroup) *APIController {
 	return a
 }
 
+// checkAPIAuth is a middleware that returns 404 for unauthenticated API requests
+// to hide the existence of API endpoints from unauthorized users
+func (a *APIController) checkAPIAuth(c *gin.Context) {
+	if !session.IsLogin(c) {
+		c.AbortWithStatus(http.StatusNotFound)
+		return
+	}
+	c.Next()
+}
+
 // initRouter sets up the API routes for inbounds, server, and other endpoints.
 func (a *APIController) initRouter(g *gin.RouterGroup) {
 	// Main API group
 	api := g.Group("/panel/api")
-	api.Use(a.checkLogin)
+	api.Use(a.checkAPIAuth)
 
 	// Inbounds API
 	inbounds := api.Group("/inbounds")
diff --git a/web/controller/xui.go b/web/controller/xui.go
index ba415ac9..51502900 100644
--- a/web/controller/xui.go
+++ b/web/controller/xui.go
@@ -8,8 +8,6 @@ import (
 
 type XUIController struct {
 	BaseController
-	inboundController *InboundController
-	serverController *ServerController
 	settingController *SettingController
 	xraySettingController *XraySettingController
 }
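Review bot: `c.AbortWithStatus(http.StatusNotFound)` in checkAPIAuth sends a 404 with an empty body, whereas gin's built-in handler for unmatched routes answers with the text body `404 page not found`, so unless the server installs its own NoRoute handler (not visible in this diff) an unauthenticated client can still tell a guarded `/panel/api` route from a non-existent path by the response body; answering with the same body, e.g. `c.String(http.StatusNotFound, "404 page not found")` followed by `c.Abort()`, narrows that gap and makes the hiding the doc comment promises actually hold. The bare abort also leaves no record of rejected API requests, so if checkLogin (defined outside this hunk) used to log them, a low-level log of the request path before the abort keeps probing of the API visible to operators. The trailing `c.Next()` is redundant for a middleware registered with `api.Use` — gin continues the handler chain when the middleware returns without aborting — and can be dropped. The doc comment could state the rule it relies on explicitly: `// checkAPIAuth rejects requests without a valid session with 404 rather than 401/403, so that the API surface is not enumerable by unauthenticated clients.`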
@@ -31,8 +29,6 @@ func (a *XUIController) initRouter(g *gin.RouterGroup) {
 	g.GET("/settings", a.settings)
 	g.GET("/xray", a.xraySettings)
 
-	a.inboundController = NewInboundController(g)
-	a.serverController = NewServerController(g)
 	a.settingController = NewSettingController(g)
 	a.xraySettingController = NewXraySettingController(g)
 }