From 588ea862981fc8c57c82a004037dc02b6dad0162 Mon Sep 17 00:00:00 2001
From: MHSanaei <ho3ein.sanaei@gmail.com>
Date: Mon, 1 Jun 2026 22:02:37 +0200
Subject: [PATCH] fix(hysteria): use pinSHA256 for pinned cert and emit ech in
 share links

Hysteria links now carry the pinned peer cert under the hysteria2-standard pinSHA256 key instead of pcs (frontend genHysteriaLink + outbound importer round-trip), and the Go subscription generator emits ech from echConfigList. Also drops the dead allowInsecure guard in genHysteriaLink, which read a field that does not exist on TlsClientSettings.
---
 frontend/src/lib/xray/inbound-link.ts         | 3 +++
 frontend/src/lib/xray/outbound-link-parser.ts | 2 +-
 sub/subService.go                             | 6 +++---
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/frontend/src/lib/xray/inbound-link.ts b/frontend/src/lib/xray/inbound-link.ts
index 314c125b..e35d1b39 100644
--- a/frontend/src/lib/xray/inbound-link.ts
+++ b/frontend/src/lib/xray/inbound-link.ts
@@ -610,6 +610,9 @@ export function genHysteriaLink(input: GenHysteriaLinkInput): string {
   if (tls.alpn.length > 0) params.set('alpn', tls.alpn.join(','));
   if (tls.settings.echConfigList.length > 0) params.set('ech', tls.settings.echConfigList);
   if (tls.serverName.length > 0) params.set('sni', tls.serverName);
+  if (tls.settings.pinnedPeerCertSha256.length > 0) {
+    params.set('pinSHA256', tls.settings.pinnedPeerCertSha256.join(','));
+  }
 
   const udpMasks = stream.finalmask?.udp;
   if (Array.isArray(udpMasks)) {
diff --git a/frontend/src/lib/xray/outbound-link-parser.ts b/frontend/src/lib/xray/outbound-link-parser.ts
index 1dd4ad9a..973ad270 100644
--- a/frontend/src/lib/xray/outbound-link-parser.ts
+++ b/frontend/src/lib/xray/outbound-link-parser.ts
@@ -417,7 +417,7 @@ export function parseHysteria2Link(link: string): Raw | null {
       fingerprint: params.get('fp') ?? '',
       echConfigList: params.get('ech') ?? '',
       verifyPeerCertByName: '',
-      pinnedPeerCertSha256: params.get('pcs') ?? '',
+      pinnedPeerCertSha256: params.get('pinSHA256') ?? '',
     },
   };
   applyFinalMaskParam(stream, params);
diff --git a/sub/subService.go b/sub/subService.go
index 40aebe46..6bcaa81e 100644
--- a/sub/subService.go
+++ b/sub/subService.go
@@ -603,9 +603,9 @@ func (s *SubService) genHysteriaLink(inbound *model.Inbound, email string) strin
 		if fpValue, ok := searchKey(tlsSettings, "fingerprint"); ok {
 			params["fp"], _ = fpValue.(string)
 		}
-		if insecure, ok := searchKey(tlsSettings, "allowInsecure"); ok {
-			if insecure.(bool) {
-				params["insecure"] = "1"
+		if echValue, ok := searchKey(tlsSettings, "echConfigList"); ok {
+			if ech, _ := echValue.(string); ech != "" {
+				params["ech"] = ech
 			}
 		}
 		if pins, ok := pinnedSha256List(tlsSettings); ok {