Alex-Devera/3x-ui
1
0
Fork 0
mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-06-05 20:54:14 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
3x-ui/web/service
History
MHSanaei 1045378e23
fix(xray): emit only protocol-relevant fields per client entry 
The Xray config synthesizer was writing every identifier field (id,
password, flow, auth, security/method, reverse) on every client entry
regardless of the inbound's protocol. Xray ignores unknown fields, so
the config worked, but it diverged from the spec and leaked secrets
across protocols when one client was attached to multiple inbounds —
a VLESS inbound's generated config carried the same client's Trojan
password and Hysteria auth alongside its uuid.

Switch on inbound.Protocol when building each entry:
- VLESS / PortFallback: id, flow, reverse
- VMess: id, security
- Trojan: password, flow
- Shadowsocks: password, method
- Hysteria / Hysteria2: auth
email is emitted for every protocol.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-17 12:50:10 +02:00
..
api_token.go feat(api-tokens): manage multiple named tokens; add tab/section anchor URLs 2026-05-13 16:34:31 +02:00
client.go refactor(clients): finish migrating to ClientService + tidy IP routes 2026-05-17 11:25:24 +02:00
config.json feat(inbounds): align tunnel, tun, and hysteria UI with Xray docs 2026-05-13 22:44:08 +02:00
custom_geo.go fix(security): SSRF-guard node and remote HTTP clients 2026-05-13 13:33:53 +02:00
custom_geo_test.go v3 2026-05-10 02:13:42 +02:00
fallback.go feat(inbounds): add Port-with-Fallback inbound type 2026-05-17 07:44:01 +02:00
inbound.go refactor(clients): finish migrating to ClientService + tidy IP routes 2026-05-17 11:25:24 +02:00
metric_history.go feat(panel): xray metrics dashboard with observatory probe history 2026-05-12 02:17:45 +02:00
node.go fix(security): SSRF-guard node and remote HTTP clients 2026-05-13 13:33:53 +02:00
nord.go feat(xray/nord): searchable server list + colored load tag, surface API errors 2026-05-11 10:06:01 +02:00
outbound.go fix(outbound): probe UDP-based outbounds over UDP instead of TCP 2026-05-15 12:29:53 +02:00
panel.go Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275) 2026-05-13 12:52:52 +02:00
panel_other.go feat: add panel update functionality via web GUI (#4117) 2026-04-28 18:46:55 +02:00
panel_test.go feat: add panel update functionality via web GUI (#4117) 2026-04-28 18:46:55 +02:00
panel_unix.go feat: add panel update functionality via web GUI (#4117) 2026-04-28 18:46:55 +02:00
port_conflict.go fix(inbounds): scope port check to node and preserve caller tag 2026-05-11 12:51:45 +02:00
port_conflict_test.go fix(inbounds): scope port check to node and preserve caller tag 2026-05-11 12:51:45 +02:00
server.go Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275) 2026-05-13 12:52:52 +02:00
server_vlessenc_test.go Feat: clarify VLESS encryption auth selection (#4271) 2026-05-12 11:39:28 +02:00
setting.go Add possibility to remove client email from sub (#4297) 2026-05-13 19:04:17 +02:00
setting_security_test.go feat(api-tokens): manage multiple named tokens; add tab/section anchor URLs 2026-05-13 16:34:31 +02:00
tgbot.go refactor(service): move all client mutation methods to ClientService 2026-05-17 10:48:28 +02:00
tgbot_test.go Implement CSRF protection and security hardening across the application (#4179) 2026-05-07 23:36:11 +02:00
traffic_writer.go Fix: traffic writer restart freeze (#4265) 2026-05-12 11:36:05 +02:00
traffic_writer_test.go Fix: traffic writer restart freeze (#4265) 2026-05-12 11:36:05 +02:00
url_safety.go Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275) 2026-05-13 12:52:52 +02:00
user.go fix(auth): invalidate sessions when 2FA is enabled, fix dev 401 loop 2026-05-13 14:08:16 +02:00
warp.go fix(warp): set license against Cloudflare API and surface errors inline 2026-05-13 21:13:16 +02:00
websocket.go v3 2026-05-10 02:13:42 +02:00
xray.go fix(xray): emit only protocol-relevant fields per client entry 2026-05-17 12:50:10 +02:00
xray_metrics.go Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275) 2026-05-13 12:52:52 +02:00
xray_setting.go v3 2026-05-10 02:13:42 +02:00
xray_setting_test.go xray-setting: pin api routing rule to index 0 on save (#4124) 2026-04-28 17:49:39 +02:00