fix(frontend): Phase 9 — restore index dashboard, fix login/CSRF, port legacy styles

- Index dashboard regains the 8 cards that were lost in the SPA port (3X-UI panel info, Operation Hours, System Load, Usage, Overall Speed, Total Data, IP Addresses, Connection Stats), plus a Config button that shows the live xray config.json. Version display falls back through panelUpdateInfo → window.__X_UI_CUR_VER__ → '?' so dev mode isn't blank. - Xray config no longer hangs on load: useXraySetting surfaces failures instead of leaving a perpetual spinner, and the Vite dev proxy stops hijacking POST requests to migrated routes (only GETs get bypassed). - Inbound page no longer throws __asyncLoader/emitsOptions errors — inbound.js was missing imports (NumberFormatter, SizeFormatter, Wireguard) and InboundList kept emitting after unmount. - Login round-trip works after logout: a public /csrf-token endpoint bootstraps the SPA before authentication, axios caches the token module-level, and the dev 401 handler navigates to /login.html instead of reloading the dashboard into a redirect loop. - legacy.css mirrors the legacy panel's surface/text variables so dark and ultra-dark themes match main; every SPA entry imports it. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-31 17:39:35 +00:00 · 2026-05-08 17:21:03 +02:00
parent 4322a18ee3
commit 36e75143fa
26 changed files with 585 additions and 290 deletions
--- a/web/controller/dist.go
+++ b/web/controller/dist.go
@@ -3,11 +3,16 @@ package controller
 import (
 	"bytes"
 	"embed"
+	htmlpkg "html"
 	"net/http"
 	"strings"
 	"time"

 	"github.com/gin-gonic/gin"
+
+	"github.com/mhsanaei/3x-ui/v2/config"
+	"github.com/mhsanaei/3x-ui/v2/logger"
+	"github.com/mhsanaei/3x-ui/v2/web/session"
 )

 // distFS is filled in once at startup by the web package via SetDistFS.
@@ -72,7 +77,7 @@ func serveDistPage(c *gin.Context, name string) {
 	// Escape just enough that a hostile basePath setting can't break
 	// out of the JS string literal. The setting is admin-controlled
 	// but defense-in-depth costs nothing here.
-	escaped := strings.NewReplacer(
+	jsEscape := strings.NewReplacer(
 		`\`, `\\`,
 		`"`, `\"`,
 		"\n", `\n`,
@@ -80,8 +85,27 @@ func serveDistPage(c *gin.Context, name string) {
 		"<", `<`,
 		">", `>`,
 		"&", `&`,
-	).Replace(basePath)
-	inject := []byte(`<script>window.__X_UI_BASE_PATH__="` + escaped + `";</script></head>`)
+	)
+	escapedBase := jsEscape.Replace(basePath)
+	escapedVer := jsEscape.Replace(config.GetVersion())
+
+	// Embed a CSRF token in the served HTML the same way the legacy
+	// templates did via `<meta name="csrf-token">`. Without this the
+	// SPA login page has no way to acquire a token (the existing
+	// /panel/csrf-token endpoint sits behind checkLogin), and POST
+	// /login is rejected by CSRFMiddleware. EnsureCSRFToken creates
+	// a session token on first call even for anonymous visitors.
+	csrfToken, err := session.EnsureCSRFToken(c)
+	if err != nil {
+		logger.Warning("Unable to mint CSRF token for", name+":", err)
+		csrfToken = ""
+	}
+	csrfMeta := []byte(`<meta name="csrf-token" content="` + htmlpkg.EscapeString(csrfToken) + `">`)
+
+	inject := []byte(`<script>window.__X_UI_BASE_PATH__="` + escapedBase +
+		`";window.__X_UI_CUR_VER__="` + escapedVer + `";</script>`)
+	inject = append(inject, csrfMeta...)
+	inject = append(inject, []byte(`</head>`)...)
 	out := bytes.Replace(body, []byte("</head>"), inject, 1)

 	c.Header("Cache-Control", "no-cache, no-store, must-revalidate")
--- a/web/controller/index.go
+++ b/web/controller/index.go
@@ -40,6 +40,12 @@ func NewIndexController(g *gin.RouterGroup) *IndexController {
 func (a *IndexController) initRouter(g *gin.RouterGroup) {
 	g.GET("/", a.index)
 	g.GET("/logout", a.logout)
+	// Public CSRF endpoint — the SPA login page (served by Vite in
+	// dev or by serveDistPage in prod) needs a token to POST /login,
+	// but the panel-side /panel/csrf-token sits behind checkLogin.
+	// EnsureCSRFToken creates a session token even for anonymous
+	// callers, so any pre-login flow can bootstrap from here.
+	g.GET("/csrf-token", a.csrfToken)

 	g.POST("/login", middleware.CSRFMiddleware(), a.login)
 	g.POST("/getTwoFactorEnable", middleware.CSRFMiddleware(), a.getTwoFactorEnable)
@@ -148,6 +154,17 @@ func (a *IndexController) logout(c *gin.Context) {
 	c.Redirect(http.StatusTemporaryRedirect, c.GetString("base_path"))
 }

+// csrfToken returns the session CSRF token. Public — the login page
+// needs a token before authenticating.
+func (a *IndexController) csrfToken(c *gin.Context) {
+	token, err := session.EnsureCSRFToken(c)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"success": false, "msg": err.Error()})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"success": true, "obj": token})
+}
+
 // getTwoFactorEnable retrieves the current status of two-factor authentication.
 func (a *IndexController) getTwoFactorEnable(c *gin.Context) {
 	status, err := a.settingService.GetTwoFactorEnable()