- Prevent DBPassword from leaking to frontend (json:"-")
- Make migration direction explicit via --direction flag, set dbType only after success
- Use driver-appropriate DROP INDEX IF EXISTS for SQLite vs MariaDB
- Build DSN with mysql.Config.FormatDSN() to prevent injection with special chars
- Close DB before re-initialization in InitDB
- Add migration tests (5 tests using SQLite in-memory DBs)
- Parse JSON once in GetDBConfigFromJSON instead of 7 times
- Use Go binary for dbType in shell script instead of fragile grep
- Add rollback on failure in db_switch_to_sqlite
- Validate DB settings in CheckValid
- Add per-IP rate limiter middleware (5 req/min) on /register endpoint
- Validate username (3-64 chars) and password (8-128 chars) with trim
- Use sentinel error ErrUsernameAlreadyExists instead of string matching
- Prevent TurnstileSecretKey exposure via admin settings API (json:"-")
- Skip json:"-" fields in UpdateAllSetting to avoid overwriting secrets
- Add SetTurnstileSecretKey setter for programmatic configuration
- Reuse package-level http.Client in Turnstile verification for connection pooling
- Add io.LimitReader to cap Turnstile response body size
- Log all Turnstile verification error paths for debugging
- Add invalidUsername/invalidPassword i18n keys to all 13 locales
- Add Role field to User model (admin/user) with uniqueIndex on Username
- Add POST /register endpoint with optional Cloudflare Turnstile verification
- Add RegisterUser service with bcrypt password hashing and duplicate detection
- Set default admin user role to "admin", new registrations get "user"
- Add turnstileSecretKey setting and GetTurnstileSecretKey getter
- Add i18n keys (userExists, errorRegister) to all 13 translation files
Add a register tab on the login page with username, password, confirm
password fields and Cloudflare Turnstile widget. The site key is
configurable via x-ui.json and exposed through a public endpoint.
* chore: implement 2fa auth
from #2786
* chore: format code
* chore: replace two factor token input with qr-code
* chore: requesting confirmation of setting/removing two-factor authentication
otpauth library was taken from cdnjs
* chore: revert changes in `ClipboardManager`
don't need it.
* chore: removing twoFactor prop in settings page
* chore: remove `twoFactorQr` object in `mounted` function
* Revert "json post base path bug fixed (#2647)"
This reverts commit 04cf250a54.
* Revert "Group Management of Subscription Clients"
* Revert "fix getSubGroupClients for enable/disable and edit clients."
* Revert "Enhance database initialization in db.go (#2645)"
This reverts commit 66fe84181b.
* Revert "Add checkpoint handling in CloseDB function (#2646)"
This reverts commit 4dd40f6f19.
* Revert "Improved database model migration and added indexing (#2655)"
This reverts commit b922d986d6.
* add group user with the same subscription id to all inbounds
* code format compare
* add await for reset client traffic
* en language changed
* added client traffic syncer job
* handle exist email duplicate in sub group
* multi reset and delete request for clients group
* add client traffic syncer setting option
* vi translate file updated
* auto open qr-modal bug fixed
* [refactor] api controller
* [fix] access log path
better to not hardcode the access log path, maybe some ppl dont want to use the default ./access.log
* [fix] set select options from logs paths in xray settings
* [update] .gitignore
* [lint] all .go files
* [update] use status code for jsonMsg and 401 to unauthorize
* [update] handle response status code via axios
* [fix] set correct value if log paths is set to 'none'
we also use the default value for the paths if its set to none
* [fix] iplimit - only warning access log if f2b is installed
