3x-ui

Alex-Devera/3x-ui

Fork 0

mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-06-07 13:44:24 +00:00

Commit graph

Author	SHA1	Message	Date
Sora39831	90665c92f4	fix: harden registration with rate limiting, input validation, and security fixes - Add per-IP rate limiter middleware (5 req/min) on /register endpoint - Validate username (3-64 chars) and password (8-128 chars) with trim - Use sentinel error ErrUsernameAlreadyExists instead of string matching - Prevent TurnstileSecretKey exposure via admin settings API (json:"-") - Skip json:"-" fields in UpdateAllSetting to avoid overwriting secrets - Add SetTurnstileSecretKey setter for programmatic configuration - Reuse package-level http.Client in Turnstile verification for connection pooling - Add io.LimitReader to cap Turnstile response body size - Log all Turnstile verification error paths for debugging - Add invalidUsername/invalidPassword i18n keys to all 13 locales	2026-04-03 02:02:25 +08:00
Sora39831	5f83415e95	feat: add user registration with role-based access - Add Role field to User model (admin/user) with uniqueIndex on Username - Add POST /register endpoint with optional Cloudflare Turnstile verification - Add RegisterUser service with bcrypt password hashing and duplicate detection - Set default admin user role to "admin", new registrations get "user" - Add turnstileSecretKey setting and GetTurnstileSecretKey getter - Add i18n keys (userExists, errorRegister) to all 13 translation files	2026-04-02 23:49:30 +08:00

Author

SHA1

Message

Date

Sora39831

90665c92f4

fix: harden registration with rate limiting, input validation, and security fixes

- Add per-IP rate limiter middleware (5 req/min) on /register endpoint
- Validate username (3-64 chars) and password (8-128 chars) with trim
- Use sentinel error ErrUsernameAlreadyExists instead of string matching
- Prevent TurnstileSecretKey exposure via admin settings API (json:"-")
- Skip json:"-" fields in UpdateAllSetting to avoid overwriting secrets
- Add SetTurnstileSecretKey setter for programmatic configuration
- Reuse package-level http.Client in Turnstile verification for connection pooling
- Add io.LimitReader to cap Turnstile response body size
- Log all Turnstile verification error paths for debugging
- Add invalidUsername/invalidPassword i18n keys to all 13 locales

2026-04-03 02:02:25 +08:00

Sora39831

5f83415e95

feat: add user registration with role-based access

- Add Role field to User model (admin/user) with uniqueIndex on Username
- Add POST /register endpoint with optional Cloudflare Turnstile verification
- Add RegisterUser service with bcrypt password hashing and duplicate detection
- Set default admin user role to "admin", new registrations get "user"
- Add turnstileSecretKey setting and GetTurnstileSecretKey getter
- Add i18n keys (userExists, errorRegister) to all 13 translation files

2026-04-02 23:49:30 +08:00

2 commits