Add /clash/:subid endpoint that returns complete Clash YAML config.
User provides full template (DNS, routing, proxy-groups, rules) in
settings, panel generates proxies from inbound/client data and injects
via proxies: [] placeholder replacement.
- New SubClashService reads template, generates vmess/vless/trojan/ss
proxy entries with transport (ws/grpc/h2/tcp/httpupgrade), TLS, and
Reality support
- Settings: subClashEnable, subClashPath, subClashURI, subClashTemplate
- UI: Clash settings tab, QR code on subpage, Desktop dropdown with
clash-verge:// deep link preferring Clash URL
- Version bump to v1.5.2-beta
- add inbound deviceLimit model/frontend fields and translations
- add CheckDeviceLimitJob with observation window and xray API ban/unban
- prevent job re-entrancy and restore users when limit is disabled
- reduce lock scope via snapshots to avoid blocking log parsing
- install.sh: default username/password to admin on fresh install
- user.go: UpdateFirstUser resets Role to admin, preventing lockout
- user.html: show remaining traffic and last online time
- i18n: remove 11 translation files, keep only en_US and zh_CN
- LanguageManager: trim supportedLanguages to 2 entries, remove simularLangs
Add a simplified dashboard page for non-admin users showing username,
traffic usage, expiry time, and logout button. Implement role-based
routing so user-role accounts are redirected to their own dashboard
instead of the admin panel. Add getUserInfo API endpoint and i18n
translations across all 13 supported locales.
- Add per-IP rate limiter middleware (5 req/min) on /register endpoint
- Validate username (3-64 chars) and password (8-128 chars) with trim
- Use sentinel error ErrUsernameAlreadyExists instead of string matching
- Prevent TurnstileSecretKey exposure via admin settings API (json:"-")
- Skip json:"-" fields in UpdateAllSetting to avoid overwriting secrets
- Add SetTurnstileSecretKey setter for programmatic configuration
- Reuse package-level http.Client in Turnstile verification for connection pooling
- Add io.LimitReader to cap Turnstile response body size
- Log all Turnstile verification error paths for debugging
- Add invalidUsername/invalidPassword i18n keys to all 13 locales
- Add Role field to User model (admin/user) with uniqueIndex on Username
- Add POST /register endpoint with optional Cloudflare Turnstile verification
- Add RegisterUser service with bcrypt password hashing and duplicate detection
- Set default admin user role to "admin", new registrations get "user"
- Add turnstileSecretKey setting and GetTurnstileSecretKey getter
- Add i18n keys (userExists, errorRegister) to all 13 translation files
Add a register tab on the login page with username, password, confirm
password fields and Cloudflare Turnstile widget. The site key is
configurable via x-ui.json and exposed through a public endpoint.
Introduces TUN protocol to inbound.js, including a new TunSettings class. Updates inbound form to support TUN protocol and adds a dedicated form template for TUN settings. Translation files are updated with TUN-related strings for all supported languages.
* feat: add support for trusted X-Forwarded-For and testseed parameters in VLESS settings
* chore: update Xray Core version to 25.12.8 in release workflow
* chore: update Xray Core version to 25.12.8 in Docker initialization script
* chore: bump version to 2.8.6 and add watcher for security changes in inbound modal
* refactor: remove default and random seed buttons from outbound form
* refactor: update VLESS form to rename 'Test Seed' to 'Vision Seed' and change button functionality for seed generation
* refactor: enhance TLS settings form layout with improved button styling and spacing
* feat: integrate WebSocket support for real-time updates on inbounds and Xray service status
* chore: downgrade version to 2.8.5
* refactor: translate comments to English
* fix: ensure testseed is initialized correctly for VLESS protocol and improve client handling in inbound modal
* refactor: simplify VLESS divider condition by removing unnecessary flow checks
* fix: add fallback date formatting for cases when IntlUtil is not available
* refactor: simplify WebSocket message handling by removing batching and ensuring individual message delivery
* refactor: disable WebSocket notifications in inbound and index HTML files
* refactor: enhance VLESS testseed initialization and button functionality in inbound modal
* fix:
* refactor: ensure proper WebSocket URL construction by normalizing basePath
* fix:
* fix:
* fix:
* refactor: update testseed methods for improved reactivity and binding in VLESS form
* logger info to debug
---------
Co-authored-by: lolka1333 <test123@gmail.com>
* feat: persist client last online and expose API
* feat(ui): show client last online in table and info modal
* i18n: add “Last Online” across locales
* chore: format timestamps as HH:mm:ss
* feat(db): add allTime field to Inbound and ClientTraffic models
* feat(inbound): increment all_time for inbounds and clients on traffic updates
calculate correct all_time traffic on migrate command
* feat(ui): show all-time traffic column for inbounds and its clients
* i18n: add pages.inbounds.allTimeTraffic label across locales
* Add All Time Traffic Usage in inbounds page top banner
* feat(backend): add created_at/updated_at to clients and maintain on create/update
backfill existing clients and set updated_at on mutations
* feat(frontend): carry created_at/updated_at in client models and round-trip via JSON
* feat(frontend): display Created and Updated columns in client table with proper date formatting
* i18n: add pages.inbounds.createdAt/updatedAt across all locales
* Update inbound.go
Remove duplicate code
* chore: revert "fix: reduced login title font-size for mobile (#3105)"
* chore: short login title translation for russian
* chore: change login title translation for ukrainian
* chore: implement 2fa auth
from #2786
* chore: format code
* chore: replace two factor token input with qr-code
* chore: requesting confirmation of setting/removing two-factor authentication
otpauth library was taken from cdnjs
* chore: revert changes in `ClipboardManager`
don't need it.
* chore: removing twoFactor prop in settings page
* chore: remove `twoFactorQr` object in `mounted` function
* Add a new button to but : Reset All Clients
* handel translation for `Reset All Clients` button
* refactoring
* add a new button to telegram bot >> `Sorted Traffic Usage Report`
* - refactoring
* add ip limit conifg on new client adding time
* translation: add Arabic support into language manager
* translation: add Arabic language support
* translation: add Arabic language support in README files
