3x-ui

Alex-Devera/3x-ui

Fork 0

mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-06-07 13:44:24 +00:00

Commit graph

Author	SHA1	Message	Date
Sora39831	90665c92f4	fix: harden registration with rate limiting, input validation, and security fixes - Add per-IP rate limiter middleware (5 req/min) on /register endpoint - Validate username (3-64 chars) and password (8-128 chars) with trim - Use sentinel error ErrUsernameAlreadyExists instead of string matching - Prevent TurnstileSecretKey exposure via admin settings API (json:"-") - Skip json:"-" fields in UpdateAllSetting to avoid overwriting secrets - Add SetTurnstileSecretKey setter for programmatic configuration - Reuse package-level http.Client in Turnstile verification for connection pooling - Add io.LimitReader to cap Turnstile response body size - Log all Turnstile verification error paths for debugging - Add invalidUsername/invalidPassword i18n keys to all 13 locales	2026-04-03 02:02:25 +08:00

Author

SHA1

Message

Date

Sora39831

90665c92f4

fix: harden registration with rate limiting, input validation, and security fixes

- Add per-IP rate limiter middleware (5 req/min) on /register endpoint
- Validate username (3-64 chars) and password (8-128 chars) with trim
- Use sentinel error ErrUsernameAlreadyExists instead of string matching
- Prevent TurnstileSecretKey exposure via admin settings API (json:"-")
- Skip json:"-" fields in UpdateAllSetting to avoid overwriting secrets
- Add SetTurnstileSecretKey setter for programmatic configuration
- Reuse package-level http.Client in Turnstile verification for connection pooling
- Add io.LimitReader to cap Turnstile response body size
- Log all Turnstile verification error paths for debugging
- Add invalidUsername/invalidPassword i18n keys to all 13 locales

2026-04-03 02:02:25 +08:00

1 commit