Alex-Devera/3x-ui
1
0
Fork 0
mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-06-06 13:14:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
3x-ui/web/session/session.go
farhadh ce88b0b432
refactor(session): store user ID in session instead of full struct 
Replaces storing the full User object in the session cookie with just
the user ID. GetLoginUser now re-fetches the user from the database on
every request so credential/permission changes take effect immediately
without requiring a re-login. Includes a backward-compatible migration
path for existing sessions that still carry the old struct payload.
2026-05-11 21:16:22 +02:00

163 lines
3.2 KiB
Go
Raw Blame History

package session
import (
"encoding/gob"
"net/http"
"time"
"github.com/mhsanaei/3x-ui/v3/database"
"github.com/mhsanaei/3x-ui/v3/database/model"
"github.com/mhsanaei/3x-ui/v3/logger"
"github.com/gin-contrib/sessions"
"github.com/gin-gonic/gin"
)
const (
loginUserKey = "LOGIN_USER"
apiAuthUserKey = "api_auth_user"
sessionCookieName = "3x-ui"
)
func init() {
gob.Register(model.User{})
}
func SetLoginUser(c *gin.Context, user *model.User) error {
if user == nil {
return nil
}
s := sessions.Default(c)
s.Set(loginUserKey, user.Id)
return s.Save()
}
func SetAPIAuthUser(c *gin.Context, user *model.User) {
if user == nil {
return
}
c.Set(apiAuthUserKey, user)
}
func GetLoginUser(c *gin.Context) *model.User {
if v, ok := c.Get(apiAuthUserKey); ok {
if u, ok2 := v.(*model.User); ok2 {
return u
}
}
s := sessions.Default(c)
obj := s.Get(loginUserKey)
if obj == nil {
return nil
}
userID, ok := sessionUserID(obj)
if !ok {
s.Delete(loginUserKey)
if err := s.Save(); err != nil {
logger.Warning("session: failed to drop stale user payload:", err)
}
return nil
}
if legacyUserID, ok := legacySessionUserID(obj); ok {
s.Set(loginUserKey, legacyUserID)
if err := s.Save(); err != nil {
logger.Warning("session: failed to migrate legacy user payload:", err)
}
}
user, err := getUserByID(userID)
if err != nil {
logger.Warning("session: failed to load user:", err)
s.Delete(loginUserKey)
if saveErr := s.Save(); saveErr != nil {
logger.Warning("session: failed to drop missing user:", saveErr)
}
return nil
}
return user
}
func IsLogin(c *gin.Context) bool {
return GetLoginUser(c) != nil
}
func sessionUserID(obj any) (int, bool) {
switch v := obj.(type) {
case int:
return v, v > 0
case int64:
return int(v), v > 0
case int32:
return int(v), v > 0
case float64:
id := int(v)
return id, v == float64(id) && id > 0
case model.User:
return v.Id, v.Id > 0
case *model.User:
if v == nil {
return 0, false
}
return v.Id, v.Id > 0
default:
return 0, false
}
}
func legacySessionUserID(obj any) (int, bool) {
switch v := obj.(type) {
case model.User:
return v.Id, v.Id > 0
case *model.User:
if v == nil {
return 0, false
}
return v.Id, v.Id > 0
default:
return 0, false
}
}
func getUserByID(id int) (*model.User, error) {
db := database.GetDB()
if db == nil {
return nil, http.ErrServerClosed
}
user := &model.User{}
if err := db.Model(model.User{}).Where("id = ?", id).First(user).Error; err != nil {
return nil, err
}
return user, nil
}
func ClearSession(c *gin.Context) error {
s := sessions.Default(c)
s.Clear()
cookiePath := c.GetString("base_path")
if cookiePath == "" {
cookiePath = "/"
}
secure := c.Request.TLS != nil
s.Options(sessions.Options{
Path: cookiePath,
MaxAge: -1,
HttpOnly: true,
Secure: secure,
SameSite: http.SameSiteLaxMode,
})
if err := s.Save(); err != nil {
return err
}
if cookiePath != "/" {
http.SetCookie(c.Writer, &http.Cookie{
Name: sessionCookieName,
Value: "",
Path: "/",
MaxAge: -1,
Expires: time.Unix(0, 0),
HttpOnly: true,
Secure: secure,
SameSite: http.SameSiteLaxMode,
})
}
return nil
}
Reference in a new issue View git blame Copy permalink