The trafficDiff InputNumber and form schema lacked an upper bound, so values above 100 were accepted in the UI but rejected by the backend (gte=0,lte=100), failing the entire settings save with a misleading 'request body failed validation' error. Add max=100 to the input and .max(100) to the schema.
The link-to-JSON importer dropped two VLESS Reality fields:
- pqv (post-quantum ML-DSA-65 verify key) was never parsed; map it back
to realitySettings.mldsa65Verify, matching the inbound link generator.
- encryption was force-reset to 'none' in the form adapter regardless of
the parsed value, discarding post-quantum encryption strings.
Add regression tests for both paths.
The image bundles fail2ban (enabled by default) to enforce per-client IP
limits via iptables, but docker-compose.yml granted no capabilities. The
job logs the ban and fail2ban reports it as banned, yet the iptables
action fails with "Permission denied (you must be root)" and no rule is
inserted, so the client is never actually blocked. Add cap_add
NET_ADMIN/NET_RAW to the service and document the docker run flags.
PR #4699 restored the "keep newest live IP, ban the oldest" policy in
check_client_ip_job.go but left the integration test asserting the old
"protect original, ban newcomer" behavior, so it failed. Update the test
to expect the oldest live IP banned and the newest kept, and fix the now
misleading name/comment on the partitionLiveIps concurrency unit test.
Rename the DNS rule wire key qtype to qType (reading the legacy qtype on parse for back-compat), add the new rCode response-code field for the return action (omitted when zero), and rename the reject action to return. Align the DNS rule action set across the form dropdown, schema, and adapter to the core's valid values (direct/drop/return/hijack), dropping the never-valid rejectIPv4/rejectIPv6 entries.
Consolidate the eight legacy mKCP/header UDP mask types into a single mkcp-legacy type ({header, value}), simplify xicmp to {dgram, ips}, and add the new realm UDP mask type, matching the updated Xray-core wire format. Update the FinalMask schema enum, the transport form, the mKCP seeding default, and the backend KCP share-link translation. Refresh golden fixtures/snapshots and add backend coverage for the mapping.
The routing-rule tag picker reads inboundTags from the xray config query
(['xray','config']), but refresh() only invalidated the inbounds/clients
buckets. So after adding, editing or deleting an inbound the tag list stayed
stale until a hard refresh wiped the react-query cache. Invalidate the xray
config query too, alongside the existing inbounds-options fix.
A non-empty, non-any Address (listen) leaked into the tag as
in-<listen>:<port>-<transport> (e.g. in-127.0.0.1:443-tcp). The tag is
now always in-<port>-<transport>, with the node prefix and numeric dedup
suffix still handling uniqueness across nodes and same-port/different-listen
inbounds. Mirrored in the Go authority and the TS form preview, kept in
parity by tests.
Existing colon-form tags are now treated as custom, so editing such an
inbound preserves its tag rather than rewriting it; new inbounds (or a
cleared tag field) get the clean form.
setImmediate is a Node global not declared in the frontend's DOM tsconfig,
so tsc --noEmit failed with 'Cannot find name setImmediate'. setTimeout is
universally typed and still flushes React's pending setImmediate: looping
the awaits keeps afterEach unresolved across several event-loop iterations,
so the queued check-phase callback fires while window still exists.
Bump several Go module versions in go.mod and regenerate go.sum. Updated dependencies include github.com/go-playground/validator/v10 (v10.30.2 -> v10.30.3), github.com/shirou/gopsutil/v4 (v4.26.4 -> v4.26.5), github.com/ebitengine/purego (v0.10.0 -> v0.10.1), github.com/rogpeppe/go-internal (v1.14.1 -> v1.15.0), golang.org/x/exp (updated pseudo-version), and google.golang.org/genproto/googleapis/rpc (updated pseudo-version). These are routine patch/minor updates to pick up fixes and checksum changes.
React 19 defers passive-effect flushes onto a setImmediate callback that
reads window.event. When one was still queued as vitest tore down the
jsdom environment, it fired after window was deleted and surfaced as an
unhandled 'window is not defined' error, failing the run with exit 1
despite all tests passing. Drain the macrotask queue in afterEach so any
pending callback runs while window still exists.
The Online column already surfaced last-online on the offline tag; extend the same tooltip to the depleted (ended) tag so a depleted client's last activity is visible without enabling it.
Reject creating or editing a client with a subId already owned by a different client, mirroring the email-uniqueness checks against client_records in Create and Update (BulkCreate inherits via Create). The old multi-inbound model duplicated a client across inbounds sharing one subId, so this check was dropped; the first-class multi-client model makes per-client subId uniqueness correct again. Existing duplicates are left untouched; only new/edited duplicates are blocked.
The client column under-counted clients attached to an inbound whose shared client_traffics row is keyed to a different inbound: rollupClients filtered settings.clients down to emails that had a stat row on that inbound. Count from settings.clients membership instead. Also surface all/active/disable/depleted/online with the Clients-page color scheme and widen the column.
The summary card derived active/bucket counts from the live client_stats snapshot, which only refreshed on the next traffic broadcast (up to 5s). A removal therefore left the counts stale while only total tracked the refetched server summary. Clear the snapshot in invalidateAll so the card falls back to the authoritative server summary immediately; the next stats event repopulates it for live tracking.
List pages wrapped content in <Spin spinning={!fetched}> where 'fetched' only flipped true once data arrived. With staleTime: Infinity + retry: 1, a transient network error on first load left the query in a permanent error state and the spinner stuck forever.
Now 'fetched' also settles on query.isError, and a failed load shows a Result error card with a Refresh button that self-heals when the backend returns, mirroring the existing XrayPage pattern. Applied to clients, inbounds, groups, nodes, and the dashboard.
Fixes#4723
Adds an 'Attach Existing Clients' row action on multi-user inbounds (shown even when the inbound is empty). It opens a modal listing the whole client pool with search and group filter, all attachable clients pre-selected, and attaches the selection to that inbound via the existing bulkAttach endpoint. Clients already on the inbound are shown disabled and skipped. Translations added for all 13 locales.
Adds the ability to update node panels to the latest release from the Nodes
page: select online, enabled nodes (checkboxes) and trigger their official
self-updater, or use the per-row Update action. A node whose reported panel
version trails the latest GitHub release is flagged with an 'update available'
tag (compared via lib/panel-version, mirroring the Go isNewerVersion).
Backend: Remote.UpdatePanel calls the node's existing
POST /panel/api/server/updatePanel; NodeService.UpdatePanels fans out over the
selected ids, skipping disabled/offline nodes with a per-node reason; exposed
as POST /panel/api/nodes/updatePanel (documented in endpoints.ts + openapi.json).
The bulk request sends a JSON body, so it sets Content-Type: application/json
explicitly — axios defaults POST to form-urlencoded, which made ShouldBindJSON
fail with 'invalid character i'.
Also reuses the clients-page online cue on the Nodes page: a pulsing green dot
plus green label for an online node. The .online-dot style moved to the shared
styles/utils.css so both pages load it.
Translations for all new node keys added across every language file.
Two small UX cues on the clients table online column:
- a pulsing green dot next to the Online tag so an active client reads as
live at a glance (honors prefers-reduced-motion).
- hovering the Offline tag shows the client's last-online timestamp from
record.traffic.lastOnline, formatted with the panel's calendar setting
(or "-" when the client has never connected).
The clients page summary counters (Online / Depleted / Depleting / Disabled
/ Active) came only from the paged-list response (staleTime: Infinity), so
they stayed frozen until a manual refresh or a mutation-triggered refetch —
the per-row columns updated over WebSocket but the summary card did not.
The client_stats WS event already broadcasts every client's traffic
(enable/up/down/total/expiryTime) every few seconds, so recompute the summary
client-side from it: computeClientsSummary mirrors the server's
buildClientsSummary, the latest event is stored in allClientStats, and the
summary is a useMemo over that plus the live onlines set. Falls back to the
server summary until the first event lands and keeps the server's
authoritative total. No extra polling, consistent with the existing
no-REST-fallback traffic design.
The subscription page leaked an inbound's server-side Listen IP into the
client-facing URLs when a bind address was set:
- Per-config links: resolveInboundAddress returned the bind Listen IP
(loopback/private/public alike) instead of the host the subscriber
reached the panel on. It now returns the node address for node-managed
inbounds, otherwise the subscriber host; the bind Listen is ignored
(External Proxy remains the way to advertise a specific endpoint).
- Subscription Copy URL (SUB/JSON/CLASH): BuildURLs composed the base
differently from the panel's Client Information page and never
normalized the request host, so a loopback/bind request leaked the raw
IP. The composition is extracted into the shared
SettingService.BuildSubURIBase, used by both the panel and the sub page
so they render identically, and fed the already-normalized subscriber
host.
Auto-generated inbound tags (in-<port>-<l4>, n<id>- prefixed for node inbounds) now re-derive when port/listen/transport change on update instead of keeping the stale round-tripped value. The resolved tag is mirrored onto the API response, and NodeID is pinned to the stored row so a node inbound never loses its n<id>- prefix on edit. The edit form recomputes the tag live via a Go-parity helper so the JSON preview matches what gets saved.
Make node/central tag matching prefix-agnostic in all three places (traffic attribution, remote-id resolution, and the orphan sweep) so an n<id>- prefix present on only one side can no longer spawn duplicate inbounds or drop traffic on sync.
Force LF on shell scripts via .gitattributes (CRLF broke the Docker build shebang when the repo is checked out on Windows) and add a .dockerignore to keep node_modules/.git out of the build context.
Adds Go and frontend tests covering tag re-derivation, prefix-agnostic matching, and node-snapshot prefix mismatch.
UserLoginNotify ran SendMsgToTgbotAdmins synchronously on the login request goroutine. When Telegram was unreachable, the send retried up to 3x with a 30s timeout each, blocking the login handler for ~90s+ and effectively locking users out (issue #4585).
Dispatch the send in a goroutine after the cheap bot-running/login-notify-enabled guards so login always returns promptly; the existing per-send 30s context timeout and bounded retries keep the background goroutine from leaking.
Adding a TUN inbound failed with "request body failed validation" because the Inbound.Protocol oneof allowlist omitted "tun". Add it so the validator matches the protocol the frontend already offers.
Closes#4736
The handle-issue job capped at 25 turns, which only covered the
early-exit spam/duplicate paths. Real bug reports went through the full
flow (categorize + Read/Grep the code + post an answer) and hit the cap
mid-step 5, leaving the issue labeled but with no reply. Raise to 45 to
match the heavier path; the mention job already uses 40.
@
When an inbound is deleted and recreated it gets a new id, but the shared-by-email client_traffics row keeps the old (now deleted) inbound_id because AddClientStat's OnConflict-DoNothing never refreshes it. The traffic updater matched rows with inbound_id IN (local inbounds), so those orphaned rows were dropped: client traffic and online status stopped updating and auto-renew skipped them, while inbound-level traffic (matched by tag) kept working and the client count still showed (matched by email).
Match by email and exclude only rows owned by a node inbound (inbound_id NOT IN (node inbounds)) in addClientTraffic and autoRenewClients. The local Xray only reports local-client emails, so a stale local pointer no longer hides the row, while genuine node-owned rows stay protected. Verified against a real affected dump: visible rows went from 4/668 to 668/668.
ESLint failed the frontend build on four react-hooks/exhaustive-deps errors. Add the missing dependencies: the hysteria streamSettings effect now lists form, and the inbounds page prompt/import/general-action callbacks now list t. Both form (Form.useForm) and t (useTranslation) are stable references, so no extra re-renders or loops.
MigrationRequirements backfills missing client_traffics rows from each inbound's settings.clients, but the later MultiDomain->ExternalProxy detection query used SQLite-only json_extract and executed via .Scan. On PostgreSQL it errored, rolling back the whole transaction including the backfill, so clients had no traffic rows: client traffic was never recorded, clients showed offline, and the inbound list showed 0 clients until each inbound was edited and saved.
Make the detection query dialect-aware (NULLIF(stream_settings,'')::jsonb #>> / #>) so the function runs to completion and commits on both dialects.
The handle-issue job uses claude-code-action, which by default refuses
to run unless the triggering user has write access. Public issue authors
never do, so the job failed on essentially every real issue. Set
allowed_non_write_users: "*" on the triage job (mention job left gated).
resetPostgresSequences hardcoded table names that did not match the models: it used "client_records" (real table is "clients") and "inbound_fallback_children" (real table is "inbound_fallbacks"). For both, pg_get_serial_sequence returned NULL, so the guarded setval was a silent no-op and those id sequences were never advanced past MAX(id) after a SQLite->Postgres migration. The first client added afterward reused an existing id and failed with duplicate key value violates unique constraint "clients_pkey".
Resolve table names from the models via GORM instead of hardcoding, and run the resync on every Postgres startup (initModels) so databases already broken by the previous migration repair themselves on boot.
Commit 80110f9 realigned sqlite_sequence to MAX(id) after every delete,
which recycled freed ids and let a newly added inbound take an old
inbound id. Now the sequence row is cleared only when the table is empty,
so the counter keeps climbing while any inbound remains and existing ids
are never reused. Still guarded behind !IsPostgres().
@
When an inbound save fails Zod validation, the toast previously showed a
raw path like `settings.clients.494.tgId: Invalid input`, which gave no
hint which of hundreds of clients was at fault. Resolve the client array
index back to the client email, name the field, and append a "(+N more)"
count when several fields fail. console.error now logs a readable list of
every issue instead of dumping the whole form.
Adds the invalidClientField/invalidField/moreIssues toast strings across
all 13 translations.
Drop the table header sorter on the inbounds page: the sortKey/sortOrder
state, the sortedInbounds memo and onChange handler, the per-column
sorterFor spreads, the SORT_FNS comparator map, and the now-unused
SortKey/SortOrder types. The list renders in DB order.
The schema was written for SQLite, which never enforces foreign keys, so
relationships are managed in application code and deleting an inbound keeps
its client_traffics by design. On Postgres GORM auto-created the
fk_inbounds_client_stats constraint, which rejected those deletes with
SQLSTATE 23503.
Set DisableForeignKeyConstraintWhenMigrating so neither backend creates the
constraint, and drop the already-created one on existing Postgres DBs via
dropLegacyForeignKeys. Also revert the client_traffics deletion that
c20ee00f added to DelInbound so traffic is preserved.
freedomToWire called Object.entries(s.fragment), but getFieldsValue(true)
returns freedom settings without a fragment object when the Fragment switch
is off (its sub-fields never register). That threw 'Cannot convert undefined
or null to object' and silently killed the save. Guard fragment with a
fallback so an unset value is treated as empty.
While verifying against xray-core's freedom config, also:
- add the missing userLevel field (schema, form schema, adapter, UI)
- fix noise applyTo enum to ip/ipv4/ipv6 (xray rejects the old host/all)
Closes#4686
DelInbound removed the client_inbounds join rows but never deleted the
inbound's client_traffics, so Postgres rejected the inbound delete with
fk_inbounds_client_stats (SQLSTATE 23503). SQLite never enforced the FK
so this went unnoticed. Delete client_traffics first, matching the order
already used in the sync path.
- entity.go: tighten SessionMaxAge validate tag gte=0 -> gte=1 to match the panel UI (min 60) and the hand-written setting.ts schema
- GeneralTab.tsx: add max bounds to sessionMaxAge (525600) and pageSize (1000), raise pageSize min to 1
- regenerate zod.ts/types.ts, picking up pending drift: panelProxy field, client group field, InboundFallback.dest, and dropping the stale hysteria2 protocol enum value
Two PostgreSQL gaps on the panel:
1. x-ui setting and other CLI subcommands read XUI_DB_TYPE/XUI_DB_DSN from
the process environment, which systemd injects via EnvironmentFile but a
plain shell invocation does not. On a PostgreSQL install the CLI silently
fell back to SQLite, so changes made from the management menu never
reached the panel's database. Load the systemd EnvironmentFile
(/etc/default/x-ui and distro equivalents) at startup; godotenv.Load does
not override existing vars, so it stays a no-op for the managed service.
2. DB backup/restore (panel endpoints and the Telegram bot) only handled the
SQLite file, so on PostgreSQL Back Up returned a stale/absent x-ui.db and
Restore silently did nothing. Add pg_dump/pg_restore based backup/restore:
- GetDb/ImportDB run pg_dump (custom format) / pg_restore, passing
credentials via the PG* environment instead of argv.
- getDb downloads x-ui.dump on Postgres, x-ui.db on SQLite.
- Telegram backup sends the matching file via GetDb.
- BackupModal shows a Postgres note and accepts .dump; the dist page
injects window.X_UI_DB_TYPE; new strings translated for all locales.
- install.sh installs postgresql-client for the external-DSN path and
points the user to in-panel Backup & Restore.
Closes#4658
New peers were always seeded with allowedIPs 10.0.0.2/32, so each "Add
peer" reused the same address. Derive the next address from the highest
IPv4 already present across existing peers (max + 1, keeping its prefix),
falling back to 10.0.0.2/32 when there are no peers yet.
Closes#4682
The client create/edit form left `group` out of the request payload, so choosing a group in the form was silently dropped (bulkAdd from the Groups page still worked because it writes the column directly). Add `group` to the payload next to `comment`.
SyncInbound also overwrote group_name unconditionally; a group set via bulkAdd is never pushed to the node, so the next node snapshot — which lacks it — wiped the column. Keep group sticky (only overwrite when the incoming value is non-empty); group is only ever set/cleared via the Groups page. Preserve comment for node clients during snapshot sync the same way. Add tests.
