mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-05-17 08:15:56 +03:00
428f1333ac
* refactor(session): store user ID in session instead of full struct
Replaces storing the full User object in the session cookie with just
the user ID. GetLoginUser now re-fetches the user from the database on
every request so credential/permission changes take effect immediately
without requiring a re-login. Includes a backward-compatible migration
path for existing sessions that still carry the old struct payload.
* feat(auth): block panel with default admin/admin credentials and guide credential change
checkLogin middleware now detects default admin/admin credentials and
redirects every panel route to /panel/settings until they are changed.
The settings page auto-opens the Authentication tab, shows a
non-dismissible error banner, and lists 'Default credentials' first in
the security checklist. Login response includes mustChangeCredentials
so the login page can redirect directly. Logout is now POST-only.
Password must be at least 10 characters and cannot be admin/admin.
* feat(settings): redact secrets in AllSettingView and add TrustedProxyCIDRs
Introduces AllSettingView which strips tgBotToken, twoFactorToken,
ldapPassword, apiToken and warp/nord secrets before sending them to
the browser, replacing them with boolean hasFoo presence flags. A new
/panel/setting/secret endpoint allows updating individual secrets by
key. Secrets that arrive blank on a save are preserved from the DB
rather than overwritten. Adds TrustedProxyCIDRs as a configurable
setting (defaults to localhost CIDRs). URL fields are validated before
save.
* fix(security): SSRF prevention, trusted-proxy header gating, CSP nonce, HTTP timeouts
Adds SanitizeHTTPURL / SanitizePublicHTTPURL to reject private-range
and loopback targets before any outbound HTTP request (node probe,
xray download, outbound test, external traffic inform, tgbot API
server, panel updater). Forwarded headers (X-Real-IP, X-Forwarded-For,
X-Forwarded-Host) are now only trusted when the direct connection
arrives from a CIDR in TrustedProxyCIDRs. CSP policy is tightened with
a per-request nonce. HTTP server gains read/write/idle timeouts. Panel
updater downloads the script to a temp file instead of piping curl into
shell. Xray archive download adds a size cap and response-code check.
backuptotgbot is changed from GET to POST.
* feat(nodes): add allow-private-address toggle per node
Adds AllowPrivateAddress to the Node model (DB default false). When
enabled it bypasses the SSRF private-range check for that node's probe
URL, allowing nodes hosted on RFC-1918 or loopback addresses (e.g.
a private VPN or LAN setup).
* chore: frontend UX improvements, CI pipeline, and dev tooling
- AppSidebar: logout via POST /logout instead of navigating to GET
- InboundList: persist filter state (search, protocol, node) to
localStorage across page reloads; add protocol and node filter dropdowns
- IndexPage: add health status strip (Xray, CPU, Memory, Update) with
quick-action buttons
- dependabot: weekly go mod and npm update schedule
- ci.yml: add GitHub Actions workflow for build and vet
- .nvmrc: pin Node 22 for local development
- frontend: bump package.json and package-lock.json
- SubPage, DnsPresetsModal, api-docs: minor fixes
* fix(ci): stub web/dist before go list to satisfy go:embed at compile time
* chore(ui): remove health-strip bar from dashboard top
* Revert "feat(auth): block panel with default admin/admin credentials and guide credential change"
This reverts commit 56ce6073ce.
* fix(auth): make logout POST+CSRF and propagate session loss to other tabs
- Switch /logout from GET to POST with CSRFMiddleware so it matches the
SPA's existing HttpUtil.post('/logout') call (previously 404'd silently)
and blocks GET-based logout via image tags or link prefetchers. Handler
now returns JSON; the SPA already navigates client-side.
- Return 401 (instead of 404) from /panel/api/* when the caller is a
browser XHR (X-Requested-With: XMLHttpRequest) so the axios interceptor
redirects to the login page on logout-in-another-tab, cookie expiry,
and server restart. Anonymous callers still get 404 to keep endpoints
hidden from casual scanners.
- One-shot the 401 redirect in axios-init.js and hang the rejected
promise so queued polls don't stack reloads or surface error toasts
while the browser is navigating away.
- Add the CSP nonce to the runtime-injected <script> in dist.go so the
panel loads under the existing script-src 'nonce-...' policy.
- Update api-docs endpoints.js: GET /logout doc entry was missing.
* fix(settings): POST /logout after credential change
* fix(auth): invalidate other sessions when credentials change
When the admin changes username/password from one machine, sessions
on every other machine kept working until they manually logged out
because session storage is a signed client-side cookie — there is
no server-side session list to revoke.
Add a per-user LoginEpoch counter stamped into the session at login
and re-verified on every authenticated request. UpdateUser and
UpdateFirstUser bump the epoch (UpdateUser via gorm.Expr so a single
update statement is atomic), so any cookie issued before the change
no longer matches the user's current epoch and GetLoginUser returns
nil — the SPA's 401 interceptor then redirects to the login page.
Backward compatible: the column defaults to 0 and missing cookie
values are treated as 0, so sessions issued before this change
remain valid until the first credential update.
---------
Co-authored-by: Sanaei <ho3ein.sanaei@gmail.com>
240 lines
7.7 KiB
Vue
240 lines
7.7 KiB
Vue
<script setup>
|
|
import { onMounted, reactive, ref } from 'vue';
|
|
import { useI18n } from 'vue-i18n';
|
|
import { Modal, message } from 'ant-design-vue';
|
|
|
|
import { HttpUtil, RandomUtil } from '@/utils';
|
|
import SettingListItem from '@/components/SettingListItem.vue';
|
|
import TwoFactorModal from './TwoFactorModal.vue';
|
|
|
|
const { t } = useI18n();
|
|
|
|
const props = defineProps({
|
|
allSetting: { type: Object, required: true },
|
|
});
|
|
|
|
// 2FA modal state — both the "set" (enabling) and "confirm" (changing
|
|
// password / disabling) flows route through the same component.
|
|
const tfa = reactive({
|
|
open: false,
|
|
title: '',
|
|
description: '',
|
|
token: '',
|
|
type: 'set',
|
|
// resolveConfirm is called by the modal's @confirm with the success bool;
|
|
// it then routes the value back to whichever flow opened the modal.
|
|
resolveConfirm: (_success) => { },
|
|
});
|
|
|
|
function openTfa({ title, description = '', token = '', type, onConfirm }) {
|
|
tfa.title = title;
|
|
tfa.description = description;
|
|
tfa.token = token;
|
|
tfa.type = type;
|
|
tfa.resolveConfirm = onConfirm;
|
|
tfa.open = true;
|
|
}
|
|
|
|
function onTfaConfirm(success) {
|
|
tfa.resolveConfirm(success);
|
|
}
|
|
|
|
const user = reactive({
|
|
oldUsername: '',
|
|
oldPassword: '',
|
|
newUsername: '',
|
|
newPassword: '',
|
|
});
|
|
const updating = ref(false);
|
|
|
|
async function sendUpdateUser() {
|
|
updating.value = true;
|
|
try {
|
|
const msg = await HttpUtil.post('/panel/setting/updateUser', user);
|
|
if (msg?.success) {
|
|
await HttpUtil.post('/logout');
|
|
const basePath = window.X_UI_BASE_PATH || '/';
|
|
window.location.replace(basePath);
|
|
}
|
|
} finally {
|
|
updating.value = false;
|
|
}
|
|
}
|
|
|
|
function updateUser() {
|
|
if (props.allSetting.twoFactorEnable) {
|
|
openTfa({
|
|
title: t('pages.settings.security.twoFactorModalChangeCredentialsTitle'),
|
|
description: t('pages.settings.security.twoFactorModalChangeCredentialsStep'),
|
|
token: props.allSetting.twoFactorToken,
|
|
type: 'confirm',
|
|
onConfirm: (ok) => { if (ok) sendUpdateUser(); },
|
|
});
|
|
} else {
|
|
sendUpdateUser();
|
|
}
|
|
}
|
|
|
|
// === API Token =========================================================
|
|
// Surfaces the panel's API token so a remote central panel can register
|
|
// this instance as a node. Lazy-loaded on tab mount; rotation requires
|
|
// confirmation since it invalidates any cached value upstream.
|
|
const apiToken = ref('');
|
|
const apiTokenLoading = ref(false);
|
|
const apiTokenRotating = ref(false);
|
|
|
|
async function loadApiToken() {
|
|
apiTokenLoading.value = true;
|
|
try {
|
|
const msg = await HttpUtil.get('/panel/setting/getApiToken');
|
|
if (msg?.success) apiToken.value = msg.obj || '';
|
|
} finally {
|
|
apiTokenLoading.value = false;
|
|
}
|
|
}
|
|
|
|
async function copyApiToken() {
|
|
if (!apiToken.value) return;
|
|
try {
|
|
await navigator.clipboard.writeText(apiToken.value);
|
|
message.success(t('copySuccess'));
|
|
} catch (_e) {
|
|
// navigator.clipboard can be undefined on http:// — fall back to
|
|
// a transient input + execCommand path.
|
|
const ta = document.createElement('textarea');
|
|
ta.value = apiToken.value;
|
|
document.body.appendChild(ta);
|
|
ta.select();
|
|
document.execCommand('copy');
|
|
document.body.removeChild(ta);
|
|
message.success(t('copySuccess'));
|
|
}
|
|
}
|
|
|
|
function regenerateApiToken() {
|
|
Modal.confirm({
|
|
title: t('pages.nodes.regenerateConfirm'),
|
|
okText: t('confirm'),
|
|
cancelText: t('cancel'),
|
|
okType: 'danger',
|
|
onOk: async () => {
|
|
apiTokenRotating.value = true;
|
|
try {
|
|
const msg = await HttpUtil.post('/panel/setting/regenerateApiToken');
|
|
if (msg?.success) {
|
|
apiToken.value = msg.obj || '';
|
|
message.success(t('success'));
|
|
}
|
|
} finally {
|
|
apiTokenRotating.value = false;
|
|
}
|
|
},
|
|
});
|
|
}
|
|
|
|
onMounted(loadApiToken);
|
|
|
|
function toggleTwoFactor() {
|
|
// Switch read-only — the actual flip happens after the modal succeeds.
|
|
if (!props.allSetting.twoFactorEnable) {
|
|
const newToken = RandomUtil.randomBase32String();
|
|
openTfa({
|
|
title: t('pages.settings.security.twoFactorModalSetTitle'),
|
|
token: newToken,
|
|
type: 'set',
|
|
onConfirm: (ok) => {
|
|
if (ok) {
|
|
message.success(t('pages.settings.security.twoFactorModalSetSuccess'));
|
|
props.allSetting.twoFactorToken = newToken;
|
|
}
|
|
props.allSetting.twoFactorEnable = ok;
|
|
},
|
|
});
|
|
} else {
|
|
openTfa({
|
|
title: t('pages.settings.security.twoFactorModalDeleteTitle'),
|
|
description: t('pages.settings.security.twoFactorModalRemoveStep'),
|
|
token: props.allSetting.twoFactorToken,
|
|
type: 'confirm',
|
|
onConfirm: (ok) => {
|
|
if (!ok) return;
|
|
message.success(t('pages.settings.security.twoFactorModalDeleteSuccess'));
|
|
props.allSetting.twoFactorEnable = false;
|
|
props.allSetting.twoFactorToken = '';
|
|
},
|
|
});
|
|
}
|
|
}
|
|
</script>
|
|
|
|
<template>
|
|
<a-collapse default-active-key="1">
|
|
<a-collapse-panel key="1" :header="t('pages.settings.security.admin')">
|
|
<SettingListItem paddings="small">
|
|
<template #title>{{ t('pages.settings.oldUsername') }}</template>
|
|
<template #control>
|
|
<a-input v-model:value="user.oldUsername" autocomplete="username" />
|
|
</template>
|
|
</SettingListItem>
|
|
|
|
<SettingListItem paddings="small">
|
|
<template #title>{{ t('pages.settings.currentPassword') }}</template>
|
|
<template #control>
|
|
<a-input-password v-model:value="user.oldPassword" autocomplete="current-password" />
|
|
</template>
|
|
</SettingListItem>
|
|
|
|
<SettingListItem paddings="small">
|
|
<template #title>{{ t('pages.settings.newUsername') }}</template>
|
|
<template #control>
|
|
<a-input v-model:value="user.newUsername" />
|
|
</template>
|
|
</SettingListItem>
|
|
|
|
<SettingListItem paddings="small">
|
|
<template #title>{{ t('pages.settings.newPassword') }}</template>
|
|
<template #control>
|
|
<a-input-password v-model:value="user.newPassword" autocomplete="new-password" />
|
|
</template>
|
|
</SettingListItem>
|
|
|
|
<a-list-item>
|
|
<a-space direction="horizontal" :style="{ padding: '0 20px' }">
|
|
<a-button type="primary" :loading="updating" @click="updateUser">{{ t('confirm') }}</a-button>
|
|
</a-space>
|
|
</a-list-item>
|
|
</a-collapse-panel>
|
|
|
|
<a-collapse-panel key="2" :header="t('pages.settings.security.twoFactor')">
|
|
<SettingListItem paddings="small">
|
|
<template #title>{{ t('pages.settings.security.twoFactorEnable') }}</template>
|
|
<template #description>{{ t('pages.settings.security.twoFactorEnableDesc') }}</template>
|
|
<template #control>
|
|
<a-switch :checked="allSetting.twoFactorEnable" @click="toggleTwoFactor" />
|
|
</template>
|
|
</SettingListItem>
|
|
</a-collapse-panel>
|
|
|
|
<a-collapse-panel key="3" :header="t('pages.nodes.apiToken')">
|
|
<SettingListItem paddings="small">
|
|
<template #title>{{ t('pages.nodes.apiToken') }}</template>
|
|
<template #description>{{ t('pages.nodes.apiTokenHint') }}</template>
|
|
<template #control>
|
|
<a-input-password :value="apiToken" readonly :loading="apiTokenLoading" style="min-width: 240px" />
|
|
</template>
|
|
</SettingListItem>
|
|
<a-list-item>
|
|
<a-space direction="horizontal" :style="{ padding: '0 20px' }">
|
|
<a-button :disabled="!apiToken" @click="copyApiToken">{{ t('copy') }}</a-button>
|
|
<a-button danger :loading="apiTokenRotating" @click="regenerateApiToken">
|
|
{{ t('pages.nodes.regenerate') }}
|
|
</a-button>
|
|
</a-space>
|
|
</a-list-item>
|
|
</a-collapse-panel>
|
|
</a-collapse>
|
|
|
|
<TwoFactorModal v-model:open="tfa.open" :title="tfa.title" :description="tfa.description" :token="tfa.token"
|
|
:type="tfa.type" @confirm="onTfaConfirm" />
|
|
</template>
|