mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-06-07 13:44:24 +00:00
36114a2fcc
- Node model + service + controller (/panel/api/nodes/*) with bearer-token apiToken auth - Heartbeat job @every 10s; status/latency/xrayVersion surfaced in Nodes UI - Runtime abstraction (Local + Remote) so inbound/client mutations target the inbound's owning node instead of always hitting the local xray - Inbounds gain optional NodeID; tag-based correlation with remote panel (no RemoteInboundID column needed) - NodeTrafficSyncJob @every 10s pulls absolute counters + online/lastOnline from each enabled+online node and writes them into central DB; 30s reset grace window prevents post-reset overwrite - Reset propagation to nodes (best-effort) on client/inbound/all reset paths - Subscription server uses node.Address for inbounds with NodeID, falling back to existing host resolution for local inbounds - Frontend: Nodes page, "Deploy to" select in inbound form, Node column on inbound list, hostOverride threaded through genAllLinks/QR/Info modals Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
54 lines
1.4 KiB
Go
54 lines
1.4 KiB
Go
package middleware
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"github.com/mhsanaei/3x-ui/v2/web/session"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// SecurityHeadersMiddleware adds browser hardening headers to panel responses.
|
|
func SecurityHeadersMiddleware(directHTTPS bool) gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
c.Header("X-Content-Type-Options", "nosniff")
|
|
c.Header("X-Frame-Options", "DENY")
|
|
c.Header("Referrer-Policy", "no-referrer")
|
|
c.Header("Content-Security-Policy", "frame-ancestors 'none'; base-uri 'self'; form-action 'self'")
|
|
if directHTTPS {
|
|
c.Header("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
// CSRFMiddleware rejects unsafe requests that do not include the session CSRF token.
|
|
// Bearer-token-authenticated callers (api_authed flag set by APIController.checkAPIAuth)
|
|
// short-circuit the CSRF check — they are not browser sessions, so the
|
|
// cross-site request forgery threat model doesn't apply to them.
|
|
func CSRFMiddleware() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
if c.GetBool("api_authed") {
|
|
c.Next()
|
|
return
|
|
}
|
|
if isSafeMethod(c.Request.Method) {
|
|
c.Next()
|
|
return
|
|
}
|
|
if !session.ValidateCSRFToken(c) {
|
|
c.AbortWithStatus(http.StatusForbidden)
|
|
return
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
func isSafeMethod(method string) bool {
|
|
switch method {
|
|
case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
|
|
return true
|
|
default:
|
|
return false
|
|
}
|
|
}
|