Files
3x-ui/internal/web/service/client_apply_field_test.go
T
claude[bot] fbad71d620 fix: close panics and races the audit's own fixes left nearby
Second-pass review of the 54-commit self-correcting audit. Each item below
was confirmed by reading the surrounding source (and, where practical, the
pre-fix code) before being changed; regression tests are included for every
behavioral fix.

Concurrency:
- eventbus: Bus.Subscribe called wg.Add with no synchronization against a
  concurrent Bus.Stop's wg.Wait, a real "WaitGroup misuse" panic risk (e.g. a
  Telegram-bot settings save racing panel shutdown/restart). Stop now flips a
  mu-guarded `stopped` flag before waiting, and Subscribe checks it under the
  same lock, so Add and Wait can no longer race.

Security:
- login_limiter: evictForRoom's fallback eviction picked an arbitrary map
  key, including ones still under an active cooldown - an attacker flooding
  /login with fresh usernames could evict their own (or anyone's) blocked
  record and reset the lockout. The fallback now skips actively-blocked
  records, only falling back to an unconditional evict if the map is
  somehow entirely full of active blocks (preserves the hard memory cap).

Subscription-endpoint panics (reachable by any client hitting /sub):
- internal/sub/service.go: applyPathAndHostParams/Obj (ws/httpupgrade/xhttp
  with no path settings object) and the TLS alpn readers in three places
  used unchecked type assertions - exactly the bug class abab7cd0 patched
  elsewhere in the same switch statements, just not these call sites.
- internal/sub/json_service.go, clash_service.go: the externalProxy loops
  in the JSON and Clash generators used unchecked assertions on a
  legacy/admin-supplied field (missing "port", non-object entry, etc.).
- internal/sub/json_service.go: realityData's shortId/serverName selection
  could assert a non-string array element.

Other correctness:
- client_traffic.go: ResetAllTraffics (touched by 3eb214d0) still skipped
  clearing NodeClientTraffic node-sync baselines, unlike its sibling reset
  paths in the same file - a node's next sync would re-add pre-reset delta
  on top of the freshly-zeroed counter.
- inbound_traffic.go: the traffic-tick tx's Commit/Rollback errors were
  silently discarded; now logged so a backend-level commit failure (e.g. an
  aborted Postgres tx from a best-effort helper) doesn't masquerade as a
  successful tick.
- outbound_subscription.go: the new subscriptionFetchClient doc comment was
  wedged between fetchAndStore's existing comment and fetchAndStore itself,
  leaving fetchAndStore undocumented and the comment describing the wrong
  function.

Convention cleanup:
- Removed narrative // comments added by the audit that violate this repo's
  no-inline-comment rule (mostly narrating the specific bug/fix rather than
  a lasting contract, and mostly on new Test functions, which this repo's
  existing tests never comment) - calibrated against this exact codebase's
  own pre-existing comment style so legitimate godoc-style doc comments
  were left alone.
2026-07-15 12:00:09 +00:00

152 lines
4.9 KiB
Go

package service
import (
"encoding/json"
"path/filepath"
"testing"
"github.com/mhsanaei/3x-ui/v3/internal/database"
"github.com/mhsanaei/3x-ui/v3/internal/database/model"
"github.com/mhsanaei/3x-ui/v3/internal/xray"
)
// TestResetClientExpiryTimeByEmail_MultiInbound reproduces #5039: a client
// attached to several inbounds had its expiry patched only on the first
// inbound's JSON, so the stale siblings reverted the change on the next sync.
func TestResetClientExpiryTimeByEmail_MultiInbound(t *testing.T) {
dbDir := t.TempDir()
t.Setenv("XUI_DB_FOLDER", dbDir)
if err := database.InitDB(filepath.Join(dbDir, "x-ui.db")); err != nil {
t.Fatalf("InitDB: %v", err)
}
t.Cleanup(func() { _ = database.CloseDB() })
db := database.GetDB()
const email = "multi@example.com"
const uid = "ce8d33df-3a64-4f10-8f9b-91c3a8e0c111"
const oldExpiry = int64(1700000000000)
const newExpiry = int64(1800000000000)
clientJSON := func(expiry int64) string {
b, _ := json.Marshal(map[string]any{"clients": []map[string]any{{
"email": email, "id": uid, "enable": true, "expiryTime": expiry, "subId": "sub-multi-1",
}}})
return string(b)
}
first := &model.Inbound{
Tag: "vless-a", Enable: true, Port: 50001, Protocol: model.VLESS,
StreamSettings: `{"network":"tcp","security":"reality"}`, Settings: clientJSON(oldExpiry),
}
second := &model.Inbound{
Tag: "vless-b", Enable: true, Port: 50002, Protocol: model.VLESS,
StreamSettings: `{"network":"ws","security":"tls"}`, Settings: clientJSON(oldExpiry),
}
for _, ib := range []*model.Inbound{first, second} {
if err := db.Create(ib).Error; err != nil {
t.Fatalf("create inbound %s: %v", ib.Tag, err)
}
}
clientSvc := ClientService{}
inboundSvc := InboundService{}
for _, ib := range []*model.Inbound{first, second} {
clients, err := inboundSvc.GetClients(ib)
if err != nil {
t.Fatalf("GetClients(%s): %v", ib.Tag, err)
}
if err := clientSvc.SyncInbound(nil, ib.Id, clients); err != nil {
t.Fatalf("SyncInbound(%s): %v", ib.Tag, err)
}
}
if _, err := clientSvc.ResetClientExpiryTimeByEmail(&inboundSvc, email, newExpiry); err != nil {
t.Fatalf("ResetClientExpiryTimeByEmail: %v", err)
}
for _, ib := range []*model.Inbound{first, second} {
fresh, err := inboundSvc.GetInbound(ib.Id)
if err != nil {
t.Fatalf("GetInbound(%s): %v", ib.Tag, err)
}
clients, err := inboundSvc.GetClients(fresh)
if err != nil {
t.Fatalf("GetClients(%s): %v", ib.Tag, err)
}
if len(clients) != 1 || clients[0].ExpiryTime != newExpiry {
t.Errorf("inbound %s settings expiry = %d, want %d (#5039)", ib.Tag, clients[0].ExpiryTime, newExpiry)
}
}
rec, err := clientSvc.GetRecordByEmail(nil, email)
if err != nil {
t.Fatalf("GetRecordByEmail: %v", err)
}
if rec.ExpiryTime != newExpiry {
t.Errorf("client record expiry = %d, want %d", rec.ExpiryTime, newExpiry)
}
}
func TestSetClientEnableByEmail_MultiInbound(t *testing.T) {
dbDir := t.TempDir()
t.Setenv("XUI_DB_FOLDER", dbDir)
if err := database.InitDB(filepath.Join(dbDir, "x-ui.db")); err != nil {
t.Fatalf("InitDB: %v", err)
}
t.Cleanup(func() { _ = database.CloseDB() })
db := database.GetDB()
const email = "multienable@example.com"
const uid = "ce8d33df-3a64-4f10-8f9b-91c3a8e0c222"
clientJSON := `{"clients":[{"email":"` + email + `","id":"` + uid + `","enable":true,"subId":"sub-en-1"}]}`
first := &model.Inbound{
Tag: "vless-en-a", Enable: true, Port: 50011, Protocol: model.VLESS,
StreamSettings: `{"network":"tcp","security":"reality"}`, Settings: clientJSON,
}
second := &model.Inbound{
Tag: "vless-en-b", Enable: true, Port: 50012, Protocol: model.VLESS,
StreamSettings: `{"network":"ws","security":"tls"}`, Settings: clientJSON,
}
for _, ib := range []*model.Inbound{first, second} {
if err := db.Create(ib).Error; err != nil {
t.Fatalf("create inbound %s: %v", ib.Tag, err)
}
}
clientSvc := ClientService{}
inboundSvc := InboundService{}
for _, ib := range []*model.Inbound{first, second} {
clients, err := inboundSvc.GetClients(ib)
if err != nil {
t.Fatalf("GetClients(%s): %v", ib.Tag, err)
}
if err := clientSvc.SyncInbound(nil, ib.Id, clients); err != nil {
t.Fatalf("SyncInbound(%s): %v", ib.Tag, err)
}
}
if err := db.Create(&xray.ClientTraffic{InboundId: first.Id, Email: email, Enable: true}).Error; err != nil {
t.Fatalf("seed traffic: %v", err)
}
if _, _, err := clientSvc.SetClientEnableByEmail(&inboundSvc, email, false); err != nil {
t.Fatalf("SetClientEnableByEmail: %v", err)
}
for _, ib := range []*model.Inbound{first, second} {
fresh, err := inboundSvc.GetInbound(ib.Id)
if err != nil {
t.Fatalf("GetInbound(%s): %v", ib.Tag, err)
}
clients, err := inboundSvc.GetClients(fresh)
if err != nil {
t.Fatalf("GetClients(%s): %v", ib.Tag, err)
}
if len(clients) != 1 || clients[0].Enable {
t.Errorf("inbound %s: client still enabled after disable-by-email; a sibling inbound kept access", ib.Tag)
}
}
}