feat(mtproto): per-client ad-tags, management-API auth, and record secret sync

Catch the panel up to the mtg-multi README (v1.14.0):

- Each client can now carry its own 32-hex advertising tag overriding the
  inbound-level one. The tag lives on the client (settings JSON is the
  source of truth, clients.ad_tag is the UI projection), is rendered into
  the fork's [secret-ad-tags] section for active secrets only (mtg rejects
  a config whose override names an unknown secret), is pushed per entry
  through PUT /secrets, and is part of the reload fingerprint so a tag
  edit hot-applies without dropping connections.
- The loopback management API can replace the whole secret set, so every
  mtg process now gets a random per-process api-token; the manager sends
  it as a bearer token on PUT /secrets and GET /stats and reuses it across
  config rewrites, because mtg reads the token only at startup.
- Malformed tags are rejected at every save path and additionally dropped
  in InstanceFromInbound: one bad tag would otherwise fail the whole
  generated config and take every client of the inbound down with it.
- SyncInbound never copied a re-keyed mtproto secret into the canonical
  clients table, so the clients page and subscription links kept serving
  the old secret, which mtg then rejects. It is now guarded-copied like
  the other credentials.
This commit is contained in:
MHSanaei
2026-07-07 12:00:43 +02:00
parent 659f0f404c
commit 43500a5470
33 changed files with 361 additions and 54 deletions
+9
View File
@@ -435,6 +435,15 @@ func (s *ClientService) Update(inboundSvc *InboundService, id int, updated model
return needRestart, err
}
// Same shape as the group write above: SyncInbound keeps a stored ad-tag
// when the incoming settings carry none, so clearing the override must be
// applied here, where the editor always round-trips the field.
if err := database.GetDB().Model(&model.ClientRecord{}).
Where("id = ?", id).
UpdateColumn("ad_tag", updated.AdTag).Error; err != nil {
return needRestart, err
}
if err := database.GetDB().Model(&model.ClientRecord{}).
Where("id = ?", id).
UpdateColumn("enable", updated.Enable).Error; err != nil {
@@ -388,6 +388,9 @@ func (s *ClientService) addInboundClient(inboundSvc *InboundService, data *model
if client.Secret == "" {
return false, common.NewError("mtproto client requires a secret")
}
if client.AdTag != "" && !model.ValidMtprotoAdTag(client.AdTag) {
return false, common.NewError("mtproto client ad tag must be 32 hex characters")
}
default:
if client.ID == "" {
return false, common.NewError("empty client ID")
@@ -579,6 +582,9 @@ func (s *ClientService) UpdateInboundClient(inboundSvc *InboundService, data *mo
if strings.TrimSpace(clients[0].Email) == "" {
return false, common.NewError("client email is required")
}
if oldInbound.Protocol == model.MTProto && clients[0].AdTag != "" && !model.ValidMtprotoAdTag(clients[0].AdTag) {
return false, common.NewError("mtproto client ad tag must be 32 hex characters")
}
if clients[0].Email != oldEmail {
existEmail, err := s.checkEmailsExistForClients(inboundSvc, clients, nil)
+6
View File
@@ -75,6 +75,12 @@ func (s *ClientService) SyncInbound(tx *gorm.DB, inboundId int, clients []model.
if incoming.Auth != "" {
row.Auth = incoming.Auth
}
if incoming.Secret != "" {
row.Secret = incoming.Secret
}
if incoming.AdTag != "" {
row.AdTag = incoming.AdTag
}
row.Flow = incoming.Flow
if incoming.Security != "" {
row.Security = incoming.Security
@@ -0,0 +1,70 @@
package service
import (
"path/filepath"
"testing"
"github.com/mhsanaei/3x-ui/v3/internal/database"
"github.com/mhsanaei/3x-ui/v3/internal/database/model"
)
func TestSyncInbound_UpdatesMtprotoSecretAndAdTag(t *testing.T) {
dbDir := t.TempDir()
t.Setenv("XUI_DB_FOLDER", dbDir)
if err := database.InitDB(filepath.Join(dbDir, "x-ui.db")); err != nil {
t.Fatalf("InitDB: %v", err)
}
t.Cleanup(func() { _ = database.CloseDB() })
db := database.GetDB()
mtproto := &model.Inbound{Tag: "mtproto-in", Enable: true, Port: 10004, Protocol: model.MTProto}
if err := db.Create(mtproto).Error; err != nil {
t.Fatalf("create mtproto inbound: %v", err)
}
svc := ClientService{}
const email = "tg@example.com"
const firstSecret = "ee0123456789abcdef0123456789abcdef6578616d706c652e636f6d"
const rekeyedSecret = "eefedcba9876543210fedcba98765432106578616d706c652e636f6d"
const firstTag = "0123456789abcdef0123456789abcdef"
const retaggedTag = "fedcba9876543210fedcba9876543210"
first := model.Client{Email: email, Secret: firstSecret, AdTag: firstTag, Enable: true}
if err := svc.SyncInbound(nil, mtproto.Id, []model.Client{first}); err != nil {
t.Fatalf("SyncInbound (create): %v", err)
}
var row model.ClientRecord
if err := db.Where("email = ?", email).First(&row).Error; err != nil {
t.Fatalf("lookup client row: %v", err)
}
if row.Secret != firstSecret || row.AdTag != firstTag {
t.Fatalf("create must store secret and ad tag: got secret=%q adTag=%q", row.Secret, row.AdTag)
}
rekeyed := model.Client{Email: email, Secret: rekeyedSecret, AdTag: retaggedTag, Enable: true}
if err := svc.SyncInbound(nil, mtproto.Id, []model.Client{rekeyed}); err != nil {
t.Fatalf("SyncInbound (rekey): %v", err)
}
if err := db.Where("email = ?", email).First(&row).Error; err != nil {
t.Fatalf("lookup client row after rekey: %v", err)
}
if row.Secret != rekeyedSecret {
t.Errorf("a re-keyed secret must reach the client record (sub links and the clients page read it), got %q", row.Secret)
}
if row.AdTag != retaggedTag {
t.Errorf("a changed ad tag must reach the client record, got %q", row.AdTag)
}
secretless := model.Client{Email: email, Enable: true}
if err := svc.SyncInbound(nil, mtproto.Id, []model.Client{secretless}); err != nil {
t.Fatalf("SyncInbound (secretless): %v", err)
}
if err := db.Where("email = ?", email).First(&row).Error; err != nil {
t.Fatalf("lookup client row after secretless sync: %v", err)
}
if row.Secret != rekeyedSecret || row.AdTag != retaggedTag {
t.Errorf("a payload without mtproto fields must not wipe them: got secret=%q adTag=%q", row.Secret, row.AdTag)
}
}
+3
View File
@@ -739,6 +739,9 @@ func (s *InboundService) AddInbound(inbound *model.Inbound) (*model.Inbound, boo
if client.Secret == "" {
return inbound, false, common.NewError("mtproto client requires a secret")
}
if client.AdTag != "" && !model.ValidMtprotoAdTag(client.AdTag) {
return inbound, false, common.NewError("mtproto client ad tag must be 32 hex characters")
}
default:
if client.ID == "" {
return inbound, false, common.NewError("empty client ID")