- New API endpoint /panel/api/inbounds/userSubscriptions for non-admin users
- Redesigned /panel/user with Clash link card (copy button) and Quick Import dropdown (Android/iOS/Desktop with icons)
- Added i18n keys for en_US and zh_CN
- Bumped version to v1.7.2.5
- Add splitTemplate() to split at proxies:/proxy-groups: markers (like mihomo-gen)
- Store clash_template.yaml and servers.yaml as files alongside x-ui.json
- Add Clash/Servers editors in Xray advanced config page
- Support multi-server proxy generation (each server × each client)
- Remove inline template editor from Clash settings panel
- Bump version to v1.7.2.1
Add /clash/:subid endpoint that returns complete Clash YAML config.
User provides full template (DNS, routing, proxy-groups, rules) in
settings, panel generates proxies from inbound/client data and injects
via proxies: [] placeholder replacement.
- New SubClashService reads template, generates vmess/vless/trojan/ss
proxy entries with transport (ws/grpc/h2/tcp/httpupgrade), TLS, and
Reality support
- Settings: subClashEnable, subClashPath, subClashURI, subClashTemplate
- UI: Clash settings tab, QR code on subpage, Desktop dropdown with
clash-verge:// deep link preferring Clash URL
- Version bump to v1.5.2-beta
- add inbound deviceLimit model/frontend fields and translations
- add CheckDeviceLimitJob with observation window and xray API ban/unban
- prevent job re-entrancy and restore users when limit is disabled
- reduce lock scope via snapshots to avoid blocking log parsing
- install.sh: default username/password to admin on fresh install
- user.go: UpdateFirstUser resets Role to admin, preventing lockout
- user.html: show remaining traffic and last online time
- i18n: remove 11 translation files, keep only en_US and zh_CN
- LanguageManager: trim supportedLanguages to 2 entries, remove simularLangs
Add a simplified dashboard page for non-admin users showing username,
traffic usage, expiry time, and logout button. Implement role-based
routing so user-role accounts are redirected to their own dashboard
instead of the admin panel. Add getUserInfo API endpoint and i18n
translations across all 13 supported locales.
- Add per-IP rate limiter middleware (5 req/min) on /register endpoint
- Validate username (3-64 chars) and password (8-128 chars) with trim
- Use sentinel error ErrUsernameAlreadyExists instead of string matching
- Prevent TurnstileSecretKey exposure via admin settings API (json:"-")
- Skip json:"-" fields in UpdateAllSetting to avoid overwriting secrets
- Add SetTurnstileSecretKey setter for programmatic configuration
- Reuse package-level http.Client in Turnstile verification for connection pooling
- Add io.LimitReader to cap Turnstile response body size
- Log all Turnstile verification error paths for debugging
- Add invalidUsername/invalidPassword i18n keys to all 13 locales
- Add Role field to User model (admin/user) with uniqueIndex on Username
- Add POST /register endpoint with optional Cloudflare Turnstile verification
- Add RegisterUser service with bcrypt password hashing and duplicate detection
- Set default admin user role to "admin", new registrations get "user"
- Add turnstileSecretKey setting and GetTurnstileSecretKey getter
- Add i18n keys (userExists, errorRegister) to all 13 translation files
Add a register tab on the login page with username, password, confirm
password fields and Cloudflare Turnstile widget. The site key is
configurable via x-ui.json and exposed through a public endpoint.
Introduces TUN protocol to inbound.js, including a new TunSettings class. Updates inbound form to support TUN protocol and adds a dedicated form template for TUN settings. Translation files are updated with TUN-related strings for all supported languages.
* feat: add support for trusted X-Forwarded-For and testseed parameters in VLESS settings
* chore: update Xray Core version to 25.12.8 in release workflow
* chore: update Xray Core version to 25.12.8 in Docker initialization script
* chore: bump version to 2.8.6 and add watcher for security changes in inbound modal
* refactor: remove default and random seed buttons from outbound form
* refactor: update VLESS form to rename 'Test Seed' to 'Vision Seed' and change button functionality for seed generation
* refactor: enhance TLS settings form layout with improved button styling and spacing
* feat: integrate WebSocket support for real-time updates on inbounds and Xray service status
* chore: downgrade version to 2.8.5
* refactor: translate comments to English
* fix: ensure testseed is initialized correctly for VLESS protocol and improve client handling in inbound modal
* refactor: simplify VLESS divider condition by removing unnecessary flow checks
* fix: add fallback date formatting for cases when IntlUtil is not available
* refactor: simplify WebSocket message handling by removing batching and ensuring individual message delivery
* refactor: disable WebSocket notifications in inbound and index HTML files
* refactor: enhance VLESS testseed initialization and button functionality in inbound modal
* fix:
* refactor: ensure proper WebSocket URL construction by normalizing basePath
* fix:
* fix:
* fix:
* refactor: update testseed methods for improved reactivity and binding in VLESS form
* logger info to debug
---------
Co-authored-by: lolka1333 <test123@gmail.com>
* feat: persist client last online and expose API
* feat(ui): show client last online in table and info modal
* i18n: add “Last Online” across locales
* chore: format timestamps as HH:mm:ss
* feat(db): add allTime field to Inbound and ClientTraffic models
* feat(inbound): increment all_time for inbounds and clients on traffic updates
calculate correct all_time traffic on migrate command
* feat(ui): show all-time traffic column for inbounds and its clients
* i18n: add pages.inbounds.allTimeTraffic label across locales
* Add All Time Traffic Usage in inbounds page top banner
* feat(backend): add created_at/updated_at to clients and maintain on create/update
backfill existing clients and set updated_at on mutations
* feat(frontend): carry created_at/updated_at in client models and round-trip via JSON
* feat(frontend): display Created and Updated columns in client table with proper date formatting
* i18n: add pages.inbounds.createdAt/updatedAt across all locales
* Update inbound.go
Remove duplicate code
* chore: implement 2fa auth
from #2786
* chore: format code
* chore: replace two factor token input with qr-code
* chore: requesting confirmation of setting/removing two-factor authentication
otpauth library was taken from cdnjs
* chore: revert changes in `ClipboardManager`
don't need it.
* chore: removing twoFactor prop in settings page
* chore: remove `twoFactorQr` object in `mounted` function
* Add a new button to but : Reset All Clients
* handel translation for `Reset All Clients` button
* refactoring
* add a new button to telegram bot >> `Sorted Traffic Usage Report`
* - refactoring
* add ip limit conifg on new client adding time
* refactor: use vue inline styles in entire application
* refactor: setting row in dashboard page
* refactor: use blob for download file in text modal
* refactor: move all html templates in `web/html` folder
* refactor: `DeviceUtils` -> `MediaQueryMixin`
The transition to mixins has been made, as they can update themselves.
* chore: pretty right buttons in `outbounds` tab in xray settings
* refactor: add translations for system status
* refactor: adjust gutter spacing in setting list item
* refactor: use native `a-input-password` for password field
* chore: return old system status
with new translations
* chore: add missing translation
* Add feature to add clients to inbound:
- Implement buttons for adding new clients
- Handle client addition process (submission remains to be completed)
- Support for multiple languages
* update the go.mod
* feat: complete submission process for adding a client to inbounds
* - Add client variables: client_method, client_sh_password, client_tr_password
- Exclude specific inbound protocols (HTTP, WireGuard, Socks, DOKODEMO) from addclient inline button
* - customize the add client message and json for each protocol
* - handle password input rather than id for shadow and trojan protocols
* - remove add_client_as_enable button in bot
* restructrure the add client bot feature
* update all files in web/translation/
* Refactoring
* - add traffic button to add client bot feature
* - fix a mistake in the email prompt message
* - add expire data button to add client telegram process.
* Refactroring
* remove refresh button in add client
* - delete message after cancel
* - uptimize the process of adding client by deleting main message on
getting text inputs.
* chore: pretty 'Inbounds' page
* chore: return styles for aCustomStatistic
styles was intended to properly display a-statistic in the app, but for some unknown reason it was removed
* fix: switch style in dark mode
---------
* chore: pretty theme menu in sidebar
* refactor: renaming component templates
* refactor: create custom `a-statistic` component
* fix: display button text only on large screens
* chore: remove loading background in overview page
* fix: show `Version` text when xray version is unknown
