mirror of https://github.com/MHSanaei/3x-ui.git, synced 2026-06-06 05:04:22 +00:00
- Switch /logout from GET to POST with CSRFMiddleware so it matches the
SPA's existing HttpUtil.post('/logout') call (previously 404'd silently)
and blocks GET-based logout via image tags or link prefetchers. Handler
now returns JSON; the SPA already navigates client-side.
- Return 401 (instead of 404) from /panel/api/* when the caller is a
browser XHR (X-Requested-With: XMLHttpRequest) so the axios interceptor
redirects to the login page on logout-in-another-tab, cookie expiry,
and server restart. Anonymous callers still get 404 to keep endpoints
hidden from casual scanners.
- One-shot the 401 redirect in axios-init.js and hang the rejected
promise so queued polls don't stack reloads or surface error toasts
while the browser is navigating away.
- Add the CSP nonce to the runtime-injected <script> in dist.go so the
panel loads under the existing script-src 'nonce-...' policy.
- Update api-docs endpoints.js: GET /logout doc entry was missing.

| Name |
|---|
| api.go |
| api_docs_test.go |
| base.go |
| custom_geo.go |
| dist.go |
| inbound.go |
| index.go |
| login_limiter.go |
| login_limiter_test.go |
| node.go |
| server.go |
| setting.go |
| util.go |
| util_test.go |
| websocket.go |
| xray_setting.go |
| xui.go |