ws/inbounds: realtime fixes + perf for 10k+ client inbounds (#4123)

* ws/inbounds: realtime fixes + perf for 10k+ client inbounds

- hub: dedup, throttle, panic-restart, deadlock fix, race tests
- client: backoff cap + slow-retry instead of giving up
- broadcast: delta-only payload, count-based invalidate fallback
- filter: fix empty online list (Inbound has no .id, use dbInbound.toInbound)
- perf: O(N²)→O(N) traffic merge, bulk delete, /setEnable endpoint
- traffic: monotonic all_time + UI clamp + propagate in delta handler
- session: persist on update/logout (fixes logout-after-password-change)
- ui: protocol tags flex, traffic bar normalize

* Remove hub_test.go file

* fix: ws hub, inbound service, and frontend correctness

- propagate DelInbound error on disable path in SetInboundEnable
- skip empty emails in updateClientTraffics to avoid constraint violations
- use consistent IN ? clause, drop redundant ErrRecordNotFound guards
- Hub.Unregister: direct removeClient fallback when channel is full
- applyClientStatsDelta: O(1) email lookup via per-inbound Map cache
- WS payload size check: Blob.size instead of .length for real byte count

* fix: chunk large IN ? queries and fix IPv6 same-origin check

* fix: chunk large IN ? queries and fix IPv6 same-origin check

* fix: unify clientStats cache, throttle clarity, hub constants

* fix(ui): align traffic/expiry cell columns across all rows

* style(ui): redesign outbounds table for visual consistency

* style(ui): redesign routing table for visual consistency

* fix:

* fix:

* fix:

* fix:

* fix:

* fix: font

* refactor: simplify outbound tone functions for consistency and maintainability

---------

Co-authored-by: lolka1333 <test123@gmail.com>

web/session/session.go

@@ -7,6 +7,7 @@ import (
 	"net/http"
 
 	"github.com/mhsanaei/3x-ui/v2/database/model"
+	"github.com/mhsanaei/3x-ui/v2/logger"
 
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
@@ -20,14 +21,16 @@ func init() {
 	gob.Register(model.User{})
 }
 
-// SetLoginUser stores the authenticated user in the session.
-// The user object is serialized and stored for subsequent requests.
-func SetLoginUser(c *gin.Context, user *model.User) {
+// SetLoginUser stores the authenticated user in the session and persists it.
+// gin-contrib/sessions does not auto-save; callers that forget Save() leave
+// the cookie out of sync with server state — this helper avoids that pitfall.
+func SetLoginUser(c *gin.Context, user *model.User) error {
 	if user == nil {
-		return
+		return nil
 	}
 	s := sessions.Default(c)
 	s.Set(loginUserKey, *user)
+	return s.Save()
 }
 
 // GetLoginUser retrieves the authenticated user from the session.
@@ -40,22 +43,26 @@ func GetLoginUser(c *gin.Context) *model.User {
 	}
 	user, ok := obj.(model.User)
 	if !ok {
-
+		// Stale or incompatible session payload — wipe and persist immediately
+		// so subsequent requests don't keep hitting the same broken cookie.
 		s.Delete(loginUserKey)
+		if err := s.Save(); err != nil {
+			logger.Warning("session: failed to drop stale user payload:", err)
+		}
 		return nil
 	}
 	return &user
 }
 
 // IsLogin checks if a user is currently authenticated in the session.
-// Returns true if a valid user session exists, false otherwise.
 func IsLogin(c *gin.Context) bool {
 	return GetLoginUser(c) != nil
 }
 
-// ClearSession removes all session data and invalidates the session.
-// This effectively logs out the user and clears any stored session information.
-func ClearSession(c *gin.Context) {
+// ClearSession invalidates the session and tells the browser to drop the cookie.
+// The cookie attributes (Path/HttpOnly/SameSite) must mirror those used when
+// the cookie was created or browsers will keep it.
+func ClearSession(c *gin.Context) error {
 	s := sessions.Default(c)
 	s.Clear()
 	cookiePath := c.GetString("base_path")
@@ -68,4 +75,5 @@ func ClearSession(c *gin.Context) {
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
 	})
+	return s.Save()
 }