Alex-Devera/3x-ui
1
0
Fork 0
mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-06-06 05:04:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
3x-ui/frontend/src/schemas/setting.ts
MHSanaei 4ecbb0e55f
feat(frontend): block invalid settings saves with Zod pre-save check 
Tighten AllSettingSchema with the actual valid ranges and patterns:

- webPort / subPort / ldapPort: integer 1-65535
- pageSize: integer 1-1000
- sessionMaxAge: integer >= 1
- tgCpu: integer 0-100 (percentage)
- subUpdates: integer 1-168 (hours)
- expireDiff / trafficDiff / ldapDefault*: non-negative integers
- webBasePath / subPath / subJsonPath / subClashPath: must start with /

The existing useAllSettings save path runs AllSettingSchema.partial()
through safeParse and logs drift without blocking. SettingsPage now
adds a stronger gate before the mutation: run the full schema against
the draft and, on failure, surface the first issue (field path +
message) via the existing messageApi.error so the user actually sees
what's wrong instead of silently sending bad data to the backend.

Use cases caught: port out of range, negative quota, sub path missing
leading slash, page size set to 0, tgCpu > 100.
2026-05-25 17:55:21 +02:00

94 lines
3.7 KiB
TypeScript
Raw Blame History

import { z } from 'zod';
const port = z.number().int().min(1).max(65535);
const nonNegativeInt = z.number().int().min(0);
const absolutePath = z.string().regex(/^\//, 'pages.settings.validation.pathLeadingSlash');
export const AllSettingSchema = z.object({
webListen: z.string().optional(),
webDomain: z.string().optional(),
webPort: port.optional(),
webCertFile: z.string().optional(),
webKeyFile: z.string().optional(),
webBasePath: absolutePath.optional(),
sessionMaxAge: z.number().int().min(1).optional(),
trustedProxyCIDRs: z.string().optional(),
pageSize: z.number().int().min(1).max(1000).optional(),
expireDiff: nonNegativeInt.optional(),
trafficDiff: nonNegativeInt.optional(),
remarkModel: z.string().optional(),
datepicker: z.enum(['gregorian', 'jalalian']).optional(),
tgBotEnable: z.boolean().optional(),
tgBotToken: z.string().optional(),
tgBotProxy: z.string().optional(),
tgBotAPIServer: z.string().optional(),
tgBotChatId: z.string().optional(),
tgRunTime: z.string().optional(),
tgBotBackup: z.boolean().optional(),
tgBotLoginNotify: z.boolean().optional(),
tgCpu: z.number().int().min(0).max(100).optional(),
tgLang: z.string().optional(),
twoFactorEnable: z.boolean().optional(),
twoFactorToken: z.string().optional(),
xrayTemplateConfig: z.string().optional(),
subEnable: z.boolean().optional(),
subJsonEnable: z.boolean().optional(),
subTitle: z.string().optional(),
subSupportUrl: z.string().optional(),
subProfileUrl: z.string().optional(),
subAnnounce: z.string().optional(),
subEnableRouting: z.boolean().optional(),
subRoutingRules: z.string().optional(),
subListen: z.string().optional(),
subPort: port.optional(),
subPath: absolutePath.optional(),
subJsonPath: absolutePath.optional(),
subClashEnable: z.boolean().optional(),
subClashPath: absolutePath.optional(),
subDomain: z.string().optional(),
externalTrafficInformEnable: z.boolean().optional(),
externalTrafficInformURI: z.string().optional(),
restartXrayOnClientDisable: z.boolean().optional(),
subCertFile: z.string().optional(),
subKeyFile: z.string().optional(),
subUpdates: z.number().int().min(1).max(168).optional(),
subEncrypt: z.boolean().optional(),
subShowInfo: z.boolean().optional(),
subEmailInRemark: z.boolean().optional(),
subURI: z.string().optional(),
subJsonURI: z.string().optional(),
subClashURI: z.string().optional(),
subJsonFragment: z.string().optional(),
subJsonNoises: z.string().optional(),
subJsonMux: z.string().optional(),
subJsonRules: z.string().optional(),
timeLocation: z.string().optional(),
ldapEnable: z.boolean().optional(),
ldapHost: z.string().optional(),
ldapPort: port.optional(),
ldapUseTLS: z.boolean().optional(),
ldapBindDN: z.string().optional(),
ldapPassword: z.string().optional(),
ldapBaseDN: z.string().optional(),
ldapUserFilter: z.string().optional(),
ldapUserAttr: z.string().optional(),
ldapVlessField: z.string().optional(),
ldapSyncCron: z.string().optional(),
ldapFlagField: z.string().optional(),
ldapTruthyValues: z.string().optional(),
ldapInvertFlag: z.boolean().optional(),
ldapInboundTags: z.string().optional(),
ldapAutoCreate: z.boolean().optional(),
ldapAutoDelete: z.boolean().optional(),
ldapDefaultTotalGB: nonNegativeInt.optional(),
ldapDefaultExpiryDays: nonNegativeInt.optional(),
ldapDefaultLimitIP: nonNegativeInt.optional(),
hasTgBotToken: z.boolean().optional(),
hasTwoFactorToken: z.boolean().optional(),
hasLdapPassword: z.boolean().optional(),
hasApiToken: z.boolean().optional(),
hasWarpSecret: z.boolean().optional(),
hasNordSecret: z.boolean().optional(),
}).loose();
export type AllSettingInput = z.infer<typeof AllSettingSchema>;
Reference in a new issue View git blame Copy permalink