- Delete web/html/ entirely (page templates, form/, modals/, component/,
common/, settings/) — every route is served from web/dist/ now via
serveDistPage; nothing in the binary referenced these
- Delete web/assets/ entirely (jQuery-era ant-design-vue, axios, moment,
codemirror, qrcode/qs/uri/vue/otpauth, custom CSS, Vazirmatn font);
Vite bundles all of this into web/dist/assets
- Drop the Gin HTML template wiring: remove //go:embed assets +
//go:embed html/*, the assetsFS/htmlFS vars, the wrapAssetsFS adapter,
EmbeddedHTML / EmbeddedAssets exports, getHtmlFiles / getHtmlTemplate,
the i18nWebFunc/funcMap and SetFuncMap call, and the dev/prod
template-engine branch — only StaticFS for /assets/ is needed now
- Remove dead html()/getContext() helpers and unused imports from
web/controller/util.go (no c.HTML(...) callers remain)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
* Implement CSRF protection and security hardening across the application
- Added CSRF token handling in axios requests and HTML templates.
- Introduced CSRF middleware to validate tokens for unsafe HTTP methods.
- Implemented login limiter to prevent brute-force attacks.
- Enhanced security headers in middleware for improved response security.
- Updated login notification to include safe metadata without passwords.
- Added tests for CSRF middleware and login limiter functionality.
* fix
- Refactor SUBController subs and subJsons methods to extract host from X-Forwarded-Host header, falling back to X-Real-IP header and then to the request host if unavailable.
- Update html function to extract host from X-Forwarded-Host header, falling back to X-Real-IP header and then to the request host if unavailable.
- Update DomainValidatorMiddleware to first attempt to extract host from X-Forwarded-Host header, falling back to X-Real-IP header and then to the request host.
Fixes: #2284
Signed-off-by: Ahmad Thoriq Najahi <najahi@zephyrus.id>
* [refactor] api controller
* [fix] access log path
better to not hardcode the access log path, maybe some people don't want to use the default ./access.log
* [fix] set select options from logs paths in xray settings
* [update] .gitignore
* [lint] all .go files
* [update] use status code for jsonMsg and 401 for unauthorized
* [update] handle response status code via axios
* [fix] set correct value if log paths are set to 'none'
we also use the default value for the paths if it's set to none
* [fix] iplimit - only warning access log if f2b is installed