3x-ui

mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-06-28 00:24:19 +00:00

Author	SHA1	Message	Date
MHSanaei	4915d6b18d	refactor(frontend): move form-item hints from extra to tooltip Switch reality target, node options, and WARP auto-update-IP hints from inline extra text to label tooltips for a cleaner form layout.	2026-06-17 17:24:16 +02:00
Sentiago	eec030f86f	feat(notifications): event bus architecture with Telegram and SMTP subscribers (#5326 ) * feat(notifications): event bus architecture with Telegram and SMTP subscribers - Event bus core with buffered channel, fan-out, panic recovery - Telegram subscriber with HTML formatting and rate limiting - Email subscriber with SMTP/TLS/STARTTLS support and stage diagnostics - 5 event types: outbound.down/up, xray.crash, cpu.high, login.attempt - CPU threshold checks per subscriber (tgCpu for TG, smtpCpu for Email) - SystemMetricData struct for raw metric values in events - i18n keys for en-US, ru-RU, and English defaults for other locales * fix * fix(notifications): repair crash/CPU alerts, harden secrets, add node alerts Bug fixes: - Xray crash notifications were permanently suppressed after the first crash: XrayStateTracker latched state="down" with no reset and no recovery event, so only the first crash per process lifetime ever notified. Removed the tracker; the existing 1/min rate limiter already dedupes crash-loop spam. - Email CPU alerts could never fire unless Telegram was also enabled, because the CPU job was registered only inside the tgbot block. Register it whenever either Telegram or SMTP wants cpu.high (new cpuAlarmWanted gate) and relax the cadence to @every 1m (cpu.Percent already samples over a full minute). - SMTP password (and, pre-existing, all other secrets) were shipped to the browser in plaintext: GetAllSettingView was dead code and /setting/all returned the raw model. Wire getAllSetting -> GetAllSettingView, redact smtpPassword with a hasSmtpPassword presence flag, and preserve it on blank save. Closes the leak for tgBotToken/ldapPassword/2FA token too. Polish: - email Send: use nil SMTP auth when no credentials (Go refuses PlainAuth over the unencrypted "none" transport). - Remove unused EventClientDepleted; fix inaccurate bus.go doc comments; drop stale tgBotLoginNotify from the frontend schema; gofmt alignment. Feature - node online/offline alerts: - Emit node.down/node.up from the heartbeat job on a real status transition (with a startup-spam guard), reusing NodeHealthData. Formatted by both the Telegram and email subscribers and selectable in the settings UI. Regenerated frontend types (hasSmtpPassword). New i18n keys added to en-US; other locales fall back to English (bundle default) until translated. * fix(settings): use antd Space orientation instead of deprecated direction Ant Design 6 deprecated Space's `direction` prop in favor of `orientation`, which logged a console warning from the Telegram/Email notification tabs. Brings these two tabs in line with the rest of the codebase, which already uses `orientation`. * i18n(notifications): translate the notification feature into all locales The notifications PR shipped ~99 new strings (SMTP settings, event labels, Telegram/email message templates) as English placeholders in every non-English locale. Translate them — plus the node-alert keys added during this review — into all 12 locales: Arabic, Spanish, Persian, Indonesian, Japanese, Portuguese-BR, Russian, Turkish, Ukrainian, Vietnamese, and Simplified/ Traditional Chinese. Go-template placeholders ({{ .Tag }}, {{ .Name }}, etc.) are preserved exactly; tgbot message values carry no leading status emoji (the bot/email code adds those, so an emoji in the value would duplicate it); product/protocol names (SMTP, STARTTLS, TLS, CPU, Xray, Telegram) are kept as-is. --------- Co-authored-by: Sanaei <ho3ein.sanaei@gmail.com>	2026-06-15 21:03:41 +02:00
Sanaei	7605902324	Test-quality audit: fix 2 prod bugs, strengthen weak tests, add mutation/fuzz/CI tooling (#5345 ) * test(audit): add gremlins/rapid/coverage tooling + AUDIT.md scaffold * test(audit): hygiene sweep (race-clean except logger global; Finding #2) + smell inventory * test(audit): cover untested error/edge branches (TLS proxy+pin, migration tag cleanup=Finding #1) * test(audit): strengthen internal/sub link tests (dedup key, TLS/Reality mapping, clash well-formedness) * test(audit): property (rapid) + fuzz tests for joinHostPort/userinfo/pin/ParseLink * test(audit): tighten frontend subSortIndex rejection assertions + wire coverage * ci(audit): add shuffle gate + non-blocking race job (Finding #2) + fuzz-smoke; document mutation policy * chore(audit): gitignore frontend coverage output * test(audit): exhaustive whole-repo pass — strengthen 5 weak/fake tests (netproxy, CSP, modal per-protocol loops, schema coercions) * docs(contributing): add Testing section (conventions, race/shuffle, fuzz, mutation policy); drop AUDIT.md ledger * fix(logger,migration): guard logBuffer with mutex; execute legacy tag cleanup (tx.Exec); make CI race gate blocking * ci(mutation): add nightly scoped gremlins workflow (informational artifacts) * test(audit): strengthen runtime tests — baseURL scheme/port bounds, isNonEmptySlice, trafficReset * test(audit): strengthen clash tests — reality field mapping + tcp-header validation * test(audit): runtime — egress-proxy + content-type tests; drop redundant bp=='' branch * test(audit): strengthen link parser/helper tests (defaultPort, splitComma, base64, canonicalQuery, tls/reality/transport mapping) * test(audit): strengthen sub/xray/common/netsafe/mtproto/config/middleware tests (kill surviving mutants) * test(audit): raise timeout on protocol-iteration modal tests (heavy re-renders, slow on CI) * fix(logger): GetLogs returns at most c entries (off-by-one fix; addresses PR review) * perf(logger): snapshot logBuffer under lock so GetLogs doesn't block logging; clarify fuzz-seed docs (addresses PR review)	2026-06-15 15:17:03 +02:00
n0ctal	2188830612	perf(db): index group_name and client_traffics hot columns (#5268 ) * perf(db): index group_name and client_traffics hot columns * fix --------- Co-authored-by: Sanaei <ho3ein.sanaei@gmail.com>	2026-06-14 22:54:59 +02:00
MHSanaei	7bcc5830c6	feat(online): use xray online-stats API for onlines and access-log-free IP limit Adopt xray-core's statsUserOnline policy and GetUsersStats RPC so online detection is connection-based and IP limiting no longer requires an access log. Falls back to the legacy traffic-delta onlines and access-log parsing when the running core lacks the RPCs (Unimplemented), probed lazily per process so a panel-driven version switch re-evaluates automatically. Backend: - xray/api.go: GetOnlineUsers (one GetUsersStats call returns all online users and their source IPs) and IsUnimplementedErr. - xray/process.go: per-process OnlineAPISupport tri-state capability cache. - service/xray.go: ensureStatsPolicy injects statsUserOnline into every policy level of the generated config; XrayService.GetOnlineUsers probes and falls back. - job/xray_traffic_job.go: union API onlines into the delta-derived active set; bump last_online for idle-but-connected clients. - job/check_client_ip_job.go: API-first IP source with shared enforcement; live observations bypass the 30-min stale cutoff; access-log path unchanged for older cores. - service/setting.go: GetIpLimitEnable always true; new accessLogEnable default for features that genuinely read the access log. Frontend: - Client form split into Basic and Config tabs; IP Limit and IP Log no longer gated on access log; compact Auto Renew next to Start After First Use; tabBasic/tabConfig added to all 13 locales. - Xray logs button on the dashboard now gated on accessLogEnable.	2026-06-11 19:42:03 +02:00
MHSanaei	6b16d8c37a	feat: apply inbound/outbound/routing changes live via Xray gRPC API Add a hot-apply layer that computes a diff between the old and new generated config and applies only the changed parts through the Xray gRPC HandlerService and RoutingService, avoiding a full process restart whenever possible. A restart is still performed when sections that have no reload API (log, dns, policy, observatory, ...) actually change. Key additions: - internal/xray/hot_diff.go: ComputeHotDiff with canonical-JSON comparison (sorted keys, null=absent, full number precision) so UI reformatting never triggers a spurious restart - internal/xray/api.go: AddOutbound/DelOutbound, ApplyRoutingConfig, GetBalancerInfo, SetBalancerTarget, TestRoute gRPC wrappers - internal/web/service/xray.go: tryHotApply, ensureAPIServices, GetBalancersStatus, OverrideBalancer, TestRoute service methods - internal/web/controller/xray_setting.go: balancerStatus, balancerOverride, routeTest API endpoints - frontend: BalancersTab live-status/override columns, RouteTester component, Restart button removed (Save now hot-applies) - balancer-helpers.ts: syncObservatories never creates observatory sections for random/roundRobin balancers (no reload API → restart) - i18n: balancerLive/Override/routeTester keys added to all 13 locales	2026-06-10 23:01:33 +02:00
MHSanaei	3092326d9e	refactor: replace custom geo manager with Xray-core native geodata auto-update Remove the panel-side custom geo download feature (service, controller, /panel/api/custom-geo/* endpoints, CustomGeoResource model, UI tab) in favor of Xray-core's native geodata section (https://xtls.github.io/config/geodata.html). - pass the top-level "geodata" key through xray.Config so it survives the template round-trip into the generated config - add a Geodata Auto-Update section to the Xray Updates modal that edits geodata (cron schedule, download outbound, asset list) in the config template and restarts Xray on save - previously downloaded geo files in the bin folder keep working in ext: routing rules; the orphaned custom_geo_resources table is left in place so existing source URLs stay recoverable	2026-06-10 18:27:12 +02:00
Sanaei	41645255f1	refactor: focused service files, leaf subpackages, and an internal/ layout (#5167 ) * refactor(service): split client.go into focused files client.go had grown to 4455 lines mixing ~10 responsibilities. Split it verbatim into cohesive same-package files (no behavior change): client.go foundation: ClientService, ClientWithAttachments, ClientCreatePayload, ErrClientNotInInbound, sqlInChunk client_locks.go inbound mutation locks, delete tombstones, compactOrphans client_lookup.go read-only lookups (GetByID, List, EffectiveFlow, ...) client_link.go inbound association sync (SyncInbound, DetachInbound, ...) client_crud.go single-client CRUD + validation + protocol defaults client_inbound_apply.go low-level inbound-settings mutators + by-email setters client_bulk.go bulk attach/detach/adjust/delete/create + DelDepleted client_traffic.go traffic-reset paths client_groups.go client group management client_paging.go paged listing, filtering, sorting, summary Every declaration moved unchanged (verified: identical func/type/const/var signature set before vs after). Imports redistributed per file via goimports. go build ./..., go vet, and go test ./web/service/... all pass. * refactor(service): split inbound.go into focused files inbound.go was 4100 lines. Split it verbatim into cohesive same-package files (no behavior change): inbound.go core inbound CRUD + InboundService (keeps pkg doc) inbound_protocol.go protocol / stream capability helpers inbound_node.go node/runtime/remote coordination + online tracking inbound_traffic.go traffic accounting, reset, client stats inbound_client_ips.go per-client IP tracking inbound_clients.go client lookups within inbounds + copy-clients inbound_disable.go auto-disable invalid inbounds/clients inbound_migration.go DB migrations inbound_sublink.go subscription link providers inbound_util.go generic slice/string helpers Identical func/type/const/var signature set before vs after; package doc comment preserved on inbound.go. Imports redistributed via goimports. Build, vet, and go test ./web/service/... all pass. * refactor(service): split tgbot.go into focused files tgbot.go was 3738 lines dominated by a 1246-line answerCallback. Split it verbatim into cohesive same-package files (no behavior change): tgbot.go lifecycle, bot setup, caches, small utils tgbot_router.go incoming update / command / callback dispatch tgbot_send.go outbound messaging primitives tgbot_client.go client views, actions, subscription links tgbot_inbound.go inbound listing / pickers tgbot_report.go server usage, exhausted, online, backups, notifications Identical func/type/const/var signature set before vs after. Imports redistributed via goimports. Build, vet, and go test ./web/service/... pass. * refactor(client): dedupe single-field by-email setters ResetClientIpLimitByEmail, ResetClientExpiryTimeByEmail, and ResetClientTrafficLimitByEmail shared an identical ~50-line body that resolves the inbound by email, confirms the client exists, rewrites a single-client settings payload, and delegates to UpdateInboundClient. Extract that into applyClientFieldByEmail(inboundSvc, email, mutate) and reduce each setter to a 3-line wrapper. Behavior is unchanged: same checks and error strings, same single-client payload contract, same totalGB guard. SetClientTelegramUserID (resolves by traffic id, different error text) and ToggleClientEnableByEmail/SetClientEnableByEmail (different return shape and a pre-read of the old state) intentionally keep their own bodies. * refactor(service): extract panel/ subpackage Move the panel-administration leaf services out of the flat service package into web/service/panel/ (package panel): user.go UserService (auth / 2FA / LDAP) panel.go PanelService (restart / self-update) + version helpers panel_other.go non-unix RestartPanel panel_unix.go unix RestartPanel api_token.go ApiTokenService websocket.go WebSocketService panel_test.go version/shellQuote unit tests These are leaves: they depend on core (SettingService, Release) but no core file references them, so the extraction creates no import cycle. Core references are now qualified (service.SettingService, service.Release); callers in main.go, web/web.go, and web/controller/* updated to panel.. Build, vet, and go test ./web/... pass. refactor(service): extract integration/ subpackage Move the external-provider integration leaves into web/service/integration/ (package integration): warp.go WarpService (Cloudflare WARP) nord.go NordService (NordVPN) custom_geo.go CustomGeoService (custom geo asset management) _test.go custom_geo / panel-proxy tests These depend on core (SettingService, ServerService, XraySettingService) but no core file references them. xray_setting.go stays in core because it calls the unexported SettingService.saveSetting. The shared isBlockedIP SSRF helper (used by core url_safety.go and by custom_geo) now has a small copy in each package rather than being exported. Core references qualified; callers in web/web.go, web/job/, and web/controller/* updated to integration.. Build, vet, and go test ./web/... pass. refactor(service): extract tgbot/ subpackage Move the Telegram bot (6 files + test) into web/service/tgbot/ (package tgbot). It is a leaf: it embeds five core services (Inbound/Client/Setting/ Server/Xray) and the core never references it, so no import cycle. To support the package boundary without changing behavior: - core exposes XrayProcess() xray.Process so tgbot keeps calling the exact same running-process methods it used via the package-level `p`; - three core methods tgbot calls are exported: ClientService.checkIs- EnabledByEmail -> CheckIsEnabledByEmail, InboundService.getAllEmails -> GetAllEmails (callers updated in-package); - tgbot's embedded-field types and the few core type refs (Status, ClientCreatePayload, SanitizePublicHTTPURL) are now service-qualified. Callers in main.go, web/web.go, web/job/, and web/controller/* updated to tgbot.. Build, vet, and go test ./web/... pass. refactor(service): extract outbound/ subpackage OutboundService (outbound.go) imports only neutral packages (config, database, model, xray) and its production code is referenced by no core or sibling service file — only by web/controller/xray_setting.go and web/job/xray_traffic_job.go. Move it to web/service/outbound/ (package outbound); no core qualification needed inside. Callers updated to outbound.. The one coupling was a tiny pure test helper, outboundsContainTag, used by both outbound.go and the core outbound_subscription_test.go; it now has a small copy in that test file rather than being shared across the boundary. Build, vet, and go test ./web/... pass. refactor(util): move wireguard into its own subpackage util/wireguard.go was the lone file of the root `util` package (24 lines, one exported func GenerateWireguardKeypair), while every other util concern lives in a focused subpackage (util/common, util/crypto, util/netsafe, ...). Move it to util/wireguard/ (package wireguard) for consistency; its only importer, web/service/integration/warp.go, is updated. The root `util` package no longer exists. * refactor(sub): drop redundant sub prefix from filenames Inside package sub the subXxx.go prefix just repeats the package name (like client_.go did inside service). Rename for consistency; content and type names are unchanged: subController.go -> controller.go subService.go -> service.go subClashService.go -> clash_service.go subJsonService.go -> json_service.go (+ matching _test.go files) refactor(controller): rename xui.go -> spa.go XUIController serves the panel's single-page-app shell; spa.go names that role plainly (the other controller files are domain-named). File rename only — the type stays XUIController. api_docs_test.go keys route base paths by filename, so its "xui.go" case is updated to "spa.go". * refactor: move backend packages under internal/ Adopt the idiomatic Go application layout: the backend packages now live under internal/ (a boundary the toolchain enforces), signalling private implementation instead of a library-style flat root. No runtime behavior changes — only import paths and a few build/config paths move. Moved: config, database, logger, mtproto, sub, util, web, xray -> internal/. main.go stays at the repo root and tools/openapigen stays under tools/ (both still import internal/* because the internal rule keys off the module root). The module path github.com/mhsanaei/3x-ui/v3 is unchanged; 149 .go files had their import prefix rewritten to .../internal/<pkg>. Couplings the Go compiler can't see, updated to the new layout: - frontend i18n imports of web/translation (react.ts, setup.components.ts) - vite outDir + eslint/tsconfig ignore globs -> internal/web/dist - Dockerfile COPY paths for web/dist and web/translation - locale.go os.DirFS("web") disk fallback -> "internal/web" - .gitignore and ci.yml go:embed stub for internal/web/dist - api_docs_test.go repo-root relative walk (one level deeper) - tools/openapigen filesystem package paths; ApiTokenView repointed to the web/service/panel subpackage and codegen regenerated (clears a stale type the ci.yml codegen check was failing on) Verified: go build/vet/test (all packages), and frontend typecheck, lint, vitest (478 tests), and production build into internal/web/dist. * fix(config): keep test runs from writing logs into the source tree GetLogFolder() returns a CWD-relative "./log" on Windows. Under `go test` the working directory is each package's own folder, so InitLogger (called by tests in web/job, web/service, xray, web/websocket) created stray log/ directories scattered through the source tree (e.g. internal/web/job/log/). Redirect to a shared temp folder when testing.Testing() reports a test run. Production behavior is unchanged: Windows still uses ./log next to the binary and Linux /var/log/x-ui. The log files were always gitignored (.log) and never committed; this just stops the noise at the source. docs: move subscription-template guide out of root into docs/ sub_templates/ was a top-level folder holding only a README and no actual templates (3x-ui ships none by design), referenced nowhere and unlinked from any doc — it read like an empty placeholder cluttering the repo root. Move the guide to docs/custom-subscription-templates.md (a proper docs home), reword its intro to read as documentation rather than a folder note, link it from the Features list in README.md, and drop the empty sub_templates/ folder. * fix: update stale web/ path references after the internal/ move The internal/ migration rewrote Go import paths but left some references to the old top-level layout in docs, comments, and a few runtime disk paths. Functional (dev-mode only): the disk-serving fallbacks that read the Vite build from disk when running from source still pointed at web/dist/, which moved to internal/web/dist/ — so `os.DirFS`/`os.Stat`/`os.ReadFile` in internal/web/web.go and internal/sub/{sub,controller}.go are corrected. Production was unaffected (it serves the embedded FS; verified by the Docker build), but `go run` with a live frontend build silently fell back to embed. Docs/comments: frontend/README.md, CONTRIBUTING.md, the claude-issue-bot and release workflows, the openapigen -root help text, and assorted Go comments now reference internal/web, internal/database, internal/sub, internal/xray, etc. Package-name mentions (the "web" package), root paths (main.go, frontend/, install scripts, /etc/x-ui), routes (/panel/api/xray), and the historical "web/assets no longer exists" note were intentionally left as-is. * refactor(web): remove the legacy /xui -> /panel redirect middleware RedirectMiddleware existed only for backward compatibility with the old `/xui` URL scheme (301-redirecting /xui and /xui/API to /panel and /panel/api). That cutover was long ago, so drop the middleware, its registration in initRouter, and the now-inaccurate "URL redirection" mention in the middleware package doc. Old /xui URLs now 404 like any other unknown path. HTTPS auto-redirect and auth redirects are unrelated and stay. * build: fix .dockerignore for internal/ layout and exclude runtime dir - web/dist -> internal/web/dist: the embedded frontend moved under internal/, so the stale exclude no longer matched and the locally-built dist could be sent to the build context (the frontend stage rebuilds it fresh anyway). - exclude x-ui/: the local runtime directory (SQLite db, geo .dat files, xray binaries, certs — ~150MB) was being shipped into the build context for no reason. Verified the pattern excludes only the directory and still keeps x-ui.sh, which the Dockerfile copies to /usr/bin/x-ui.	2026-06-10 15:19:22 +02:00

8 Commits