3x-ui/web
MHSanaei 3ecdae7c92
fix(csrf): expose token endpoint for SPA pages and fetch it from axios
The legacy panel pages got their CSRF token from a <meta name="csrf-token">
tag rendered by Go. SPA pages built by Vite don't have that, so every
unsafe (POST/PUT/DELETE) request from them was hitting CSRFMiddleware
with no token and getting 403 — visible as the settings page being
stuck on "Loading…" because POST /panel/setting/all failed.

- web/controller/xui.go: GET /panel/csrf-token returns the session
  token. Lives under the xui group so checkLogin still gates it; the
  CSRFMiddleware on the same group is a no-op for GET.
- frontend/src/api/axios-init.js: cache the token at module scope and
  lazy-fetch it when a non-safe request needs one. Seed from the meta
  tag first when present (legacy compat). On a 403 response, drop the
  cache and retry once — handles the case where a server restart
  rotated the token after the SPA loaded.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-08 13:20:26 +02:00
Name          Last commit                                                                              Date
assets        Axios v1.16.0                                                                            2026-05-08 09:41:56 +02:00
controller    fix(csrf): expose token endpoint for SPA pages and fetch it from axios                   2026-05-08 13:20:26 +02:00
entity
global
html          feat(custom-geo): refresh index UI                                                       2026-05-08 10:09:33 +02:00
job
locale
middleware    Implement CSRF protection and security hardening across the application (#4179)         2026-05-07 23:36:11 +02:00
network
service       fix(warp): harden API client and frontend, bump to v0a4005                               2026-05-08 09:29:42 +02:00
session       Implement CSRF protection and security hardening across the application (#4179)         2026-05-07 23:36:11 +02:00
translation   feat(custom-geo): refresh index UI                                                       2026-05-08 10:09:33 +02:00
websocket
web.go        refactor(websocket): split controller into service + thin controller                     2026-05-08 00:00:44 +02:00