From b08fc0c96369b582038e7f05f864af96a07d1319 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Tue, 2 Jun 2026 23:47:03 +0200
Subject: [PATCH] fix(clients): keep reverse tag clearable and preserve flow on
 attach

Two multi-inbound client bugs from issue #4834:

- Clearing a client's reverse tag never persisted: SyncInbound keeps a non-empty sticky guard on reverse (shared with node-sync/rename), so the cleared value never reached the canonical clients.reverse column the edit form reads. Update now writes that column authoritatively from the submitted client, matching how it already writes email/updated_at directly.

- Attaching a new inbound reset xtls-rprx-vision: Attach seeded its wire client from the canonical clients.flow column, which a non-flow inbound can zero during the preceding update. It now derives the flow from EffectiveFlow (the per-inbound flow_override), so flow-capable targets keep the flow and others stay empty.

Adds service tests for both paths and a guard test confirming node-snapshot sync still preserves a stored reverse tag.
---
 web/service/client.go                     | 17 +++++
 web/service/client_flow_isolation_test.go | 76 +++++++++++++++++++++++
 2 files changed, 93 insertions(+)

diff --git a/web/service/client.go b/web/service/client.go
index a3040e89..de5fde65 100644
--- a/web/service/client.go
+++ b/web/service/client.go
@@ -730,6 +730,18 @@ func (s *ClientService) Update(inboundSvc *InboundService, id int, updated model
 		}
 	}
 
+	reverseStr := ""
+	if updated.Reverse != nil && strings.TrimSpace(updated.Reverse.Tag) != "" {
+		if b, mErr := json.Marshal(updated.Reverse); mErr == nil {
+			reverseStr = string(b)
+		}
+	}
+	if err := database.GetDB().Model(&model.ClientRecord{}).
+		Where("id = ?", id).
+		Update("reverse", reverseStr).Error; err != nil {
+		return needRestart, err
+	}
+
 	if err := database.GetDB().Model(&model.ClientRecord{}).
 		Where("id = ?", id).
 		UpdateColumn("updated_at", time.Now().UnixMilli()).Error; err != nil {
@@ -805,6 +817,11 @@ func (s *ClientService) Attach(inboundSvc *InboundService, id int, inboundIds []
 	}
 
 	clientWire := existing.ToClient()
+	flow, ffErr := s.EffectiveFlow(nil, id)
+	if ffErr != nil {
+		return false, ffErr
+	}
+	clientWire.Flow = flow
 	clientWire.UpdatedAt = time.Now().UnixMilli()
 
 	needRestart := false
diff --git a/web/service/client_flow_isolation_test.go b/web/service/client_flow_isolation_test.go
index 95820f3f..5e47c634 100644
--- a/web/service/client_flow_isolation_test.go
+++ b/web/service/client_flow_isolation_test.go
@@ -179,3 +179,79 @@ func TestEffectiveFlow_ClearedFlowStaysCleared(t *testing.T) {
 		t.Errorf("EffectiveFlow = %q, want empty (cleared flow must stay cleared)", got)
 	}
 }
+
+func TestAttach_PreservesVisionFlowWhenCanonicalColumnZeroed(t *testing.T) {
+	dbDir := t.TempDir()
+	t.Setenv("XUI_DB_FOLDER", dbDir)
+	if err := database.InitDB(filepath.Join(dbDir, "x-ui.db")); err != nil {
+		t.Fatalf("InitDB: %v", err)
+	}
+	t.Cleanup(func() { _ = database.CloseDB() })
+
+	db := database.GetDB()
+
+	const email = "vision@example.com"
+	const uid = "ce8d33df-3a64-4f10-8f9b-91c3a8e0c111"
+	const sub = "subvision000001"
+	const vision = "xtls-rprx-vision"
+	const realityStream = `{"network":"tcp","security":"reality"}`
+
+	svc := ClientService{}
+	source := model.Client{Email: email, ID: uid, SubID: sub, Enable: true, Flow: vision}
+
+	reality1 := &model.Inbound{
+		Tag: "vless-reality-1", Enable: true, Port: 42001, Protocol: model.VLESS,
+		StreamSettings: realityStream,
+		Settings:       clientsSettings(t, []model.Client{source}),
+	}
+	if err := db.Create(reality1).Error; err != nil {
+		t.Fatalf("create reality1: %v", err)
+	}
+	reality2 := &model.Inbound{
+		Tag: "vless-reality-2", Enable: true, Port: 42002, Protocol: model.VLESS,
+		StreamSettings: realityStream, Settings: `{"clients":[]}`,
+	}
+	if err := db.Create(reality2).Error; err != nil {
+		t.Fatalf("create reality2: %v", err)
+	}
+	wsTls := &model.Inbound{
+		Tag: "vless-ws", Enable: true, Port: 42003, Protocol: model.VLESS,
+		StreamSettings: `{"network":"ws","security":"tls"}`, Settings: `{"clients":[]}`,
+	}
+	if err := db.Create(wsTls).Error; err != nil {
+		t.Fatalf("create ws: %v", err)
+	}
+
+	if err := svc.SyncInbound(nil, reality1.Id, []model.Client{clientWithInboundFlow(source, reality1)}); err != nil {
+		t.Fatalf("SyncInbound(reality1): %v", err)
+	}
+
+	rec, err := svc.GetRecordByEmail(nil, email)
+	if err != nil {
+		t.Fatalf("GetRecordByEmail: %v", err)
+	}
+	if err := db.Model(&model.ClientRecord{}).Where("id = ?", rec.Id).Update("flow", "").Error; err != nil {
+		t.Fatalf("zero canonical flow: %v", err)
+	}
+
+	inboundSvc := &InboundService{}
+	if _, err := svc.Attach(inboundSvc, rec.Id, []int{reality2.Id, wsTls.Id}); err != nil {
+		t.Fatalf("Attach: %v", err)
+	}
+
+	reality2List, err := svc.ListForInbound(nil, reality2.Id)
+	if err != nil {
+		t.Fatalf("ListForInbound(reality2): %v", err)
+	}
+	if len(reality2List) != 1 || reality2List[0].Flow != vision {
+		t.Errorf("attached flow-capable inbound must inherit Vision via EffectiveFlow (#4834), got %#v", reality2List)
+	}
+
+	wsList, err := svc.ListForInbound(nil, wsTls.Id)
+	if err != nil {
+		t.Fatalf("ListForInbound(ws): %v", err)
+	}
+	if len(wsList) != 1 || wsList[0].Flow != "" {
+		t.Errorf("attached non-flow inbound must not receive Vision flow, got %#v", wsList)
+	}
+}