Relocate Remark Model & Separation Character from the General/Panel tab to the Subscription tab's Information section, beside Show Info and Email in Remark, since it only governs how share-link remarks are composed. The sample preview uses concrete example values and renders the separator literally.
Also drop the port from the subscription page link rows so each row shows just the inbound remark; the port still appears in the client QR modal and the client info modal.
Two multi-inbound client bugs from issue #4834:
- Clearing a client's reverse tag never persisted: SyncInbound keeps a non-empty sticky guard on reverse (shared with node-sync/rename), so the cleared value never reached the canonical clients.reverse column the edit form reads. Update now writes that column authoritatively from the submitted client, matching how it already writes email/updated_at directly.
- Attaching a new inbound reset xtls-rprx-vision: Attach seeded its wire client from the canonical clients.flow column, which a non-flow inbound can zero during the preceding update. It now derives the flow from EffectiveFlow (the per-inbound flow_override), so flow-capable targets keep the flow and others stay empty.
Adds service tests for both paths and a guard test confirming node-snapshot sync still preserves a stored reverse tag.
The panel's copy/QR share links are built client-side and fell back to window.location.hostname, so reaching the panel over an SSH tunnel (127.0.0.1/localhost) leaked localhost into the links - unlike the backend subscription path, which falls back to the configured Sub/Web Domain (issue #4829).
Expose webDomain/subDomain via /defaultSettings and add preferPublicHost: when the browser host is loopback, prefer the configured Sub Domain (then Web Domain) for share/QR links. An explicit node override or per-inbound listen still wins; a routable browser host is kept as-is.
Closes#4829
A setting row whose value column is empty or NULL (seen on some migrated databases) was parsed directly, so getInt/getBool and the GetAllSetting reflection path crashed with 'strconv.Atoi: parsing "": invalid syntax'. This made the Inbounds page (/defaultSettings -> GetPageSize) and the Settings page fail to load.
Treat an empty stored value the same as a missing row and fall back to the built-in default at the int/bool parse sites. String getters are unchanged, so legitimately-empty string settings stay empty.
Closes#4830
The inbounds page and Nodes page checked each client's email against a
single deduped union of every node's online clients, so a client connected
to one node showed as online on every inbound across every node. The local
online set was also derived from the email-keyed client_traffics.last_online
column, which remote-node syncs bump too, leaking remote-only clients onto
local inbounds.
Track online clients per node: the local panel's own xray clients under key
0 (derived from live traffic-poll deltas via RefreshLocalOnline, kept in
memory and independent of the shared last_online column) and each remote
node under its id. Add GetOnlineClientsByNode plus a /clients/onlinesByNode
endpoint and onlineByNode WS field; node.go and the inbounds rollup now scope
online by node. The flat GetOnlineClients union is kept for client-centric and
total-count views (Clients page, dashboard, telegram).
Closes#4809
xray-core >=26.5 makes the freedom finalRules context-aware: reverse-proxy traffic defaults to "block all targets". The template seeded finalRules with only allow geoip:private, so a bridge could not exit to WAN and reverse proxy silently broke
Switch the default direct freedom to a no-condition allow rule, the documented way to restore pre-policy behavior. Unlike an ip-based rule (0.0.0.0/0 or !geoip:private), it does not force per-connection OS DNS resolution under domainStrategy AsIs, so happyEyeballs/AsIs pass-through stay intact. LAN is still blocked by the geoip:private->blocked routing rule, and removing that rule still regains LAN access
Note: only affects new configs; existing installs keep their stored finalRules until reset or a follow-up migration.
SyncInbound runs once per inbound and unconditionally overwrites the canonical clients.Flow column. A non-flow inbound (Hysteria, WS, gRPC) strips flow to "", so when it syncs after a VLESS Reality inbound the column is wiped, and the hydrate endpoint returned that empty value — the edit form loaded a blank flow for multi-inbound clients (#4792).
Derive the hydrate flow from the first flow-capable client_inbounds.flow_override instead, which is always correct and order-independent. A non-empty guard in SyncInbound was rejected because it would make flow impossible to clear.
Closes#4792
The pinnedCertSha256 form field unmounts for non-pin TLS modes, so antd dropped it from the onFinish values and Zod rejected the missing string (the user-facing "invalid input"). Make it optional with a default so saving works in every TLS mode.
Saving now runs the connection test first and only persists when the probe is online; the add/update endpoints enforce the same probe so an unreachable node cannot be stored via the API either.
Selecting the http scheme forces TLS verify mode to skip and disables the control, normalized on open for existing http nodes.
http-vs-https probe failures report a clear "set the node scheme to http" message across the test button, save, and the backend gate.
Closes#4794
BulkDetach removed one client per (email x inbound) pair, each with its own
settings rewrite, transaction and full SyncInbound. Add delInboundClients to
remove all targeted clients from an inbound in a single pass and group removals
by inbound, turning O(emails x inbounds) write cycles into O(inbounds).
BulkAttach ran the global getAllEmailSubIDs scan once per target inbound via
checkEmailsExistForClients. Compute that snapshot once per call and thread it
through a new internal addInboundClient; the duplicate check is unaffected
because attach reuses each client's existing identity (same subId).
Covered by bulk_clients_test.go: VLESS round-trip (linkage, settings JSON,
idempotency, record survival), skip-unattached, and Trojan key matching.
FetchCertFingerprint must accept any certificate by design: it fetches a
not-yet-pinned node's leaf cert (trust-on-first-use) so the admin can pin
it. Disabling verification is inherent to that, so go/disabled-certificate-check
cannot be cleared by code changes. Suppress the finding inline, matching the
existing lgtm convention in custom_geo.go.
FetchCertFingerprint read the leaf certificate from a bare insecure TLS
handshake, which CodeQL flagged as go/disabled-certificate-check. The
function intentionally accepts any cert (trust-on-first-use, so the admin
can pin a not-yet-trusted node), so verification cannot be enabled.
Capture the leaf cert inside a VerifyConnection callback instead, matching
the existing pattern in nodeHTTPClientFor that already clears the same
query. Behavior is unchanged.
Adds a per-node TLS verification mode to the Add/Edit Node dialog so the panel can reach nodes that serve HTTPS with a self-signed certificate:
- verify (default): normal CA validation.
- skip: InsecureSkipVerify, with a clear UI warning that it drops MITM protection.
- pin: validates the leaf certificate's SHA-256 (base64 or hex) via VerifyConnection while bypassing the default chain/name check — keeps MITM protection for self-signed certs, the secure alternative to skip.
New Node model fields tlsVerifyMode + pinnedCertSha256 (gorm auto-migrated). Probe() selects the HTTP client per node via nodeHTTPClientFor, keeping the SSRF-guarded dialer. A new POST /panel/api/nodes/certFingerprint endpoint (FetchCertFingerprint) lets the UI fetch and pin the node's current certificate in one click. Endpoint documented in api-docs/openapi; i18n added across all locales. Verified end-to-end in Docker (verify rejects, skip bypasses, fetch matches, pin accepts correct / rejects wrong).
UDS listen already worked for proxying (the listen string is passed to xray verbatim and port 0 is accepted), and the Go sub/link layer already ignores the bind listen. The only gap was the frontend resolveAddr, which would put a socket-path listen into share/sub links (e.g. vless://uuid@/run/xray/x.sock:0). resolveAddr now treats a path-style listen (starting with / or @) as having no client-reachable address and falls back to hostOverride/hostname. Adds a test and a Listen-field help hint across all locales.
Since v3.1.0 every fallback row had to reference a panel inbound via childId, so rows with only a free-form dest (e.g. 8080 or 127.0.0.1:8080 to an external Nginx) were silently dropped at three layers: the frontend save filter, the backend SetByMaster guard, and BuildFallbacksJSON. A row is now valid when it has a child OR an explicit dest; self-references normalize to childId 0, and BuildFallbacksJSON prefers an explicit dest (also fixing rows whose child was deleted). UI gains allowClear on the child picker; help text updated across all locales. Verified end-to-end in Docker: a free-form dest fallback now persists and is injected into the live xray config. Refs #4554, #4639.
RegWarp now stores config.client_id from the Cloudflare registration, and WarpModal sources the reserved bytes from the live config response (falling back to stored creds). Previously reservedFor read an always-missing client_id, producing an empty reserved array.
A client shared across multiple nodes has a single email-keyed client_traffics row, but each node reports its cumulative up/down. setRemoteTrafficLocked overwrote the row with one node's cumulative, so non-owning nodes hit the create branch and OnConflict-DoNothing, silently dropping their traffic and under-counting the client.
Make the shared row a pure accumulator (like the local path): a new node_client_traffics(node_id, email) baseline table stores each node's last cumulative; the node path converts cumulative to a per-node delta (clamped to the post-reset value on a negative delta) and does up = up + delta. First observation seeds the baseline and adds 0 so upgrades and newly-shared clients are not double-counted. Create-vs-accumulate now keys off global email existence. Baselines are cleaned in DelClientStat, the node sweeps, and NodeService.Delete.
A non-empty, non-any Address (listen) leaked into the tag as
in-<listen>:<port>-<transport> (e.g. in-127.0.0.1:443-tcp). The tag is
now always in-<port>-<transport>, with the node prefix and numeric dedup
suffix still handling uniqueness across nodes and same-port/different-listen
inbounds. Mirrored in the Go authority and the TS form preview, kept in
parity by tests.
Existing colon-form tags are now treated as custom, so editing such an
inbound preserves its tag rather than rewriting it; new inbounds (or a
cleared tag field) get the clean form.
Reject creating or editing a client with a subId already owned by a different client, mirroring the email-uniqueness checks against client_records in Create and Update (BulkCreate inherits via Create). The old multi-inbound model duplicated a client across inbounds sharing one subId, so this check was dropped; the first-class multi-client model makes per-client subId uniqueness correct again. Existing duplicates are left untouched; only new/edited duplicates are blocked.
Adds the ability to update node panels to the latest release from the Nodes
page: select online, enabled nodes (checkboxes) and trigger their official
self-updater, or use the per-row Update action. A node whose reported panel
version trails the latest GitHub release is flagged with an 'update available'
tag (compared via lib/panel-version, mirroring the Go isNewerVersion).
Backend: Remote.UpdatePanel calls the node's existing
POST /panel/api/server/updatePanel; NodeService.UpdatePanels fans out over the
selected ids, skipping disabled/offline nodes with a per-node reason; exposed
as POST /panel/api/nodes/updatePanel (documented in endpoints.ts + openapi.json).
The bulk request sends a JSON body, so it sets Content-Type: application/json
explicitly — axios defaults POST to form-urlencoded, which made ShouldBindJSON
fail with 'invalid character i'.
Also reuses the clients-page online cue on the Nodes page: a pulsing green dot
plus green label for an online node. The .online-dot style moved to the shared
styles/utils.css so both pages load it.
Translations for all new node keys added across every language file.
The subscription page leaked an inbound's server-side Listen IP into the
client-facing URLs when a bind address was set:
- Per-config links: resolveInboundAddress returned the bind Listen IP
(loopback/private/public alike) instead of the host the subscriber
reached the panel on. It now returns the node address for node-managed
inbounds, otherwise the subscriber host; the bind Listen is ignored
(External Proxy remains the way to advertise a specific endpoint).
- Subscription Copy URL (SUB/JSON/CLASH): BuildURLs composed the base
differently from the panel's Client Information page and never
normalized the request host, so a loopback/bind request leaked the raw
IP. The composition is extracted into the shared
SettingService.BuildSubURIBase, used by both the panel and the sub page
so they render identically, and fed the already-normalized subscriber
host.
Auto-generated inbound tags (in-<port>-<l4>, n<id>- prefixed for node inbounds) now re-derive when port/listen/transport change on update instead of keeping the stale round-tripped value. The resolved tag is mirrored onto the API response, and NodeID is pinned to the stored row so a node inbound never loses its n<id>- prefix on edit. The edit form recomputes the tag live via a Go-parity helper so the JSON preview matches what gets saved.
Make node/central tag matching prefix-agnostic in all three places (traffic attribution, remote-id resolution, and the orphan sweep) so an n<id>- prefix present on only one side can no longer spawn duplicate inbounds or drop traffic on sync.
Force LF on shell scripts via .gitattributes (CRLF broke the Docker build shebang when the repo is checked out on Windows) and add a .dockerignore to keep node_modules/.git out of the build context.
Adds Go and frontend tests covering tag re-derivation, prefix-agnostic matching, and node-snapshot prefix mismatch.
UserLoginNotify ran SendMsgToTgbotAdmins synchronously on the login request goroutine. When Telegram was unreachable, the send retried up to 3x with a 30s timeout each, blocking the login handler for ~90s+ and effectively locking users out (issue #4585).
Dispatch the send in a goroutine after the cheap bot-running/login-notify-enabled guards so login always returns promptly; the existing per-send 30s context timeout and bounded retries keep the background goroutine from leaking.
When an inbound is deleted and recreated it gets a new id, but the shared-by-email client_traffics row keeps the old (now deleted) inbound_id because AddClientStat's OnConflict-DoNothing never refreshes it. The traffic updater matched rows with inbound_id IN (local inbounds), so those orphaned rows were dropped: client traffic and online status stopped updating and auto-renew skipped them, while inbound-level traffic (matched by tag) kept working and the client count still showed (matched by email).
Match by email and exclude only rows owned by a node inbound (inbound_id NOT IN (node inbounds)) in addClientTraffic and autoRenewClients. The local Xray only reports local-client emails, so a stale local pointer no longer hides the row, while genuine node-owned rows stay protected. Verified against a real affected dump: visible rows went from 4/668 to 668/668.
MigrationRequirements backfills missing client_traffics rows from each inbound's settings.clients, but the later MultiDomain->ExternalProxy detection query used SQLite-only json_extract and executed via .Scan. On PostgreSQL it errored, rolling back the whole transaction including the backfill, so clients had no traffic rows: client traffic was never recorded, clients showed offline, and the inbound list showed 0 clients until each inbound was edited and saved.
Make the detection query dialect-aware (NULLIF(stream_settings,'')::jsonb #>> / #>) so the function runs to completion and commits on both dialects.
Commit 80110f9 realigned sqlite_sequence to MAX(id) after every delete,
which recycled freed ids and let a newly added inbound take an old
inbound id. Now the sequence row is cleared only when the table is empty,
so the counter keeps climbing while any inbound remains and existing ids
are never reused. Still guarded behind !IsPostgres().
@
The schema was written for SQLite, which never enforces foreign keys, so
relationships are managed in application code and deleting an inbound keeps
its client_traffics by design. On Postgres GORM auto-created the
fk_inbounds_client_stats constraint, which rejected those deletes with
SQLSTATE 23503.
Set DisableForeignKeyConstraintWhenMigrating so neither backend creates the
constraint, and drop the already-created one on existing Postgres DBs via
dropLegacyForeignKeys. Also revert the client_traffics deletion that
c20ee00f added to DelInbound so traffic is preserved.
DelInbound removed the client_inbounds join rows but never deleted the
inbound's client_traffics, so Postgres rejected the inbound delete with
fk_inbounds_client_stats (SQLSTATE 23503). SQLite never enforced the FK
so this went unnoticed. Delete client_traffics first, matching the order
already used in the sync path.
Two PostgreSQL gaps on the panel:
1. x-ui setting and other CLI subcommands read XUI_DB_TYPE/XUI_DB_DSN from
the process environment, which systemd injects via EnvironmentFile but a
plain shell invocation does not. On a PostgreSQL install the CLI silently
fell back to SQLite, so changes made from the management menu never
reached the panel's database. Load the systemd EnvironmentFile
(/etc/default/x-ui and distro equivalents) at startup; godotenv.Load does
not override existing vars, so it stays a no-op for the managed service.
2. DB backup/restore (panel endpoints and the Telegram bot) only handled the
SQLite file, so on PostgreSQL Back Up returned a stale/absent x-ui.db and
Restore silently did nothing. Add pg_dump/pg_restore based backup/restore:
- GetDb/ImportDB run pg_dump (custom format) / pg_restore, passing
credentials via the PG* environment instead of argv.
- getDb downloads x-ui.dump on Postgres, x-ui.db on SQLite.
- Telegram backup sends the matching file via GetDb.
- BackupModal shows a Postgres note and accepts .dump; the dist page
injects window.X_UI_DB_TYPE; new strings translated for all locales.
- install.sh installs postgresql-client for the external-DSN path and
points the user to in-panel Backup & Restore.
Closes#4658
The client create/edit form left `group` out of the request payload, so choosing a group in the form was silently dropped (bulkAdd from the Groups page still worked because it writes the column directly). Add `group` to the payload next to `comment`.
SyncInbound also overwrote group_name unconditionally; a group set via bulkAdd is never pushed to the node, so the next node snapshot — which lacks it — wiped the column. Keep group sticky (only overwrite when the incoming value is non-empty); group is only ever set/cleared via the Groups page. Preserve comment for node clients during snapshot sync the same way. Add tests.
SQLite AUTOINCREMENT keeps a high-water mark in sqlite_sequence that
deleting rows never lowers, so after removing inbounds the next add kept
climbing instead of reusing freed ids. DelInbound now realigns the
counter to MAX(id) after each delete, clearing the sqlite_sequence row
entirely when the table is empty so the next inbound starts at id 1.
Guarded behind !IsPostgres(); Postgres sequences are left untouched.
Mirror the clients page: checkbox selection on the desktop table and on
mobile cards, with a danger Delete button in the toolbar that removes all
selected inbounds in one call.
Backend adds POST /panel/api/inbounds/bulkDel, which loops the existing
DelInbound per id (xray restarts at most once) and returns {deleted,
skipped}. Frontend shows a confirm modal plus a result toast, clears the
selection on success, adds bulk-delete i18n keys across all 13 languages,
and documents the endpoint in the in-panel API docs.
Deleting an inbound now only detaches its clients (removes the
client_inbounds rows). It no longer deletes client_traffics or client IP
logs: those are keyed centrally by email (one row per client) and must
survive, since a client may stay attached to other inbounds and is
managed from the Clients page.
Separately, /get/:id now uses a new GetInboundDetail that preloads and
enriches ClientStats, so hydrated records (info / QR / export) carry
per-client traffic instead of null. DBInbound.toJSON drops the internal
_clientStatsMap cache so it no longer leaks into the exported JSON.
Like the client email, the subId is embedded directly in subscription
URLs, so the same characters break it. Validate it on the backend
(Create + Update) and the frontend (Zod), with a localized message
across all 13 locales. An empty subId stays allowed (it is then
auto-generated).
Client emails containing a slash broke the path-param routes
(edit/delete/view returned 404 / "client not found"), leaving stale
records that could only be cleared with manual SQLite edits. Validate
the email on both the backend (Create + Update, which also covers the
bulk paths) and the frontend (Zod) so these characters are rejected at
save time with a clear, localized message across all 13 locales.
Closes#4695
Outbound connection tester (#4657): UDP-based outbounds (wireguard,
hysteria, kcp/quic transports) were probed with a raw UDP dial that
treated the inevitable read timeout as success, so every one reported a
fake ~5s 'alive'. Route them through the authoritative xray
burstObservatory probe and drop the broken raw-UDP path. Test All now
runs a parallel TCP lane and a serial HTTP lane so xray-probe outbounds
don't collide on the test semaphore.
Vision testseed: the [900, 500, 900, 256] default repeats 900, and a
tags Select keys each tag by value -> 'two children with the same key,
900'. Render it as four InputNumbers (inbound + outbound forms); the
field is a fixed 4-tuple where repeats are valid.
Inbound form: drop the null-valued 'Local Panel' Select option (AntD
rejects null option values; placeholder + allowClear already cover it).
Outbound form: add an explicit 'None' option to the Flow selector.
A client shared across inbounds (e.g. VLESS+TCP+Reality and VLESS+WS+TLS)
had its `flow` applied globally, so enabling xtls-rprx-vision for Reality
broke the WS+TLS inbound for the same client (#4628).
Gate flow per inbound at every fan-out site via clientWithInboundFlow,
reusing inboundCanEnableTlsFlow (VLESS+TCP+TLS/Reality only), and make
ListForInbound treat flow_override as authoritative so an empty override
means "no flow on this inbound" instead of inheriting the record's global
flow. Also tighten buildTargetClientFromSource (copy-clients) to gate on
transport, not just protocol.
setRemoteTrafficLocked merged last_online with MAX(last_online, ?), which
is SQLite's two-argument scalar max. PostgreSQL's MAX() is aggregate-only,
so node traffic sync failed every cycle with "function max(bigint, unknown)
does not exist (SQLSTATE 42883)", flooding the logs.
Add a dialect-aware database.GreatestExpr helper (GREATEST on Postgres,
MAX on SQLite) and use it for the last_online merge. last_online is a
non-null int64, so the two functions are semantically identical here.
Closes#4633
When a remote node disconnects or one of its inbounds vanishes from the
traffic snapshot, setRemoteTrafficLocked deleted the central inbound row
but left the client_inbounds join rows behind. Affected clients ended up
linked to hundreds of phantom inbounds, and editing one then failed with
"record not found" / "Load Old Data Error" because Update aborted on the
first GetInbound miss.
- Detach client_inbounds rows when deleting a vanished node inbound
- Prune stale links during client Update instead of aborting the save
- Drop orphaned client_inbounds rows on startup to heal existing DBs
Closes#4636
Operators can now type an explicit dest (e.g. "8443", "127.0.0.1:8443",
"/dev/shm/x.sock") on each fallback row to override the auto-resolved
child listen+port. Empty keeps the existing auto behavior.
Adds the column to inbound_fallbacks (GORM AutoMigrate), threads it
through the panel form, API docs, and translations.
Legacy clients (and any API consumer that POSTs to AddInboundClient
without a subId) ended up with an empty SubID, which breaks the panel's
sub-link generation. Backfill them once at startup and stop the gap at
the write path so new clients can't reintroduce it.
- util/random: add NumLower(n) — 16-char [0-9a-z] generator that matches
the frontend's RandomUtil.randomLowerAndNum convention.
- database/db.go: new InboundClientSubIdFix seeder, modeled on
InboundClientTgIdFix. Loops every inbound, parses settings.clients,
fills empty/missing subId with random.NumLower(16), persists via the
same transaction-wrapped Update("settings", …) path, then records in
HistoryOfSeeders so it runs at most once.
- web/service/client.go: defense-in-depth in AddInboundClient and
UpdateInboundClient — fill subId on the persisted settings map when
the payload omits it (Update prefers the previous value before
generating a fresh one).
- database/db_seed_test: cover empty subId, missing-key subId, and
preserved-existing subId; assert exactly one HistoryOfSeeders row.
Surface ~400 hardcoded English labels, tooltips, placeholders, dt/divider
text, modal okText/cancelText, and Spin loading from the panel pages
(clients/groups/inbounds/nodes/settings/xray/sub/index) into
web/translation/en-US.json under existing pages.<page>.* namespaces, with
JSX swapped to t(...). Brand and protocol identifiers (TLS, MTU, SNI,
NordVPN, Cloudflare WARP, etc.) stay literal.
Sync all 12 non-English locales (ar-EG, es-ES, fa-IR, id-ID, ja-JP,
pt-BR, ru-RU, tr-TR, uk-UA, vi-VN, zh-CN, zh-TW) to match en-US's
structure and translate the 521 new key paths per locale. Every locale
file now has 1539 lines, mirroring en-US ordering.
Also remove a dead duplicate "info": "Info" key under pages.inbounds
that collided with the new pages.inbounds.info.* object.
Backend: bulk attach/detach errors in web/service/client.go now route
through logger.Warningf (so they appear under /panel/api/server/logs/)
instead of only living on the response payload.
The canonical tag is now "[n<id>-]in-[<listen>:]<port>-<transport>"
instead of "[n<id>-]in-[<listen>:]<port>-<protocol>-<transport>".
Two TCP inbounds on the same port are already blocked by
checkPortConflict, so only the transport segment is needed to
disambiguate the legitimate tcp/udp coexistence case.
Existing DB rows keep their current tags via resolveInboundTag's
"reuse if free" branch — no migration needed (protocol-segment
form was never released).
- Detach preserves client traffic stats. DelInboundClient,
DelInboundClientByEmail, and bulkDelInboundClients now take a
keepTraffic flag; Detach passes true, delete-paths keep prior
behavior. Runtime user removal still runs so xray drops the session.
- Two startup seeders normalize legacy inbound settings JSON:
clients:null -> [] and any non-numeric tgId -> 0 (string, bool,
NaN, Inf, non-integer floats). Each records itself once in
history_of_seeders.
- MigrationRequirements no longer rewrites empty clients arrays back
to null: newClients is initialized as a non-nil slice and incoming
clients:null is coerced before the type assertion.
- TLS cert form: rawInboundToFormValues synthesizes a useFile
discriminator per cert from whichever side carries data, so the
edit modal can show file-mode paths again. formValuesToWirePayload
strips useFile so saved JSON stays in wire shape.
This bundles a set of group-related improvements that built up across
one session and only make sense together.
Terminology / API surface:
- Rename "assign group" → "add to group" everywhere: i18n keys,
callback names (bulkAddToGroup), component + file names
(BulkAddToGroupModal, AddClientsToGroupModal), Go controller/struct
names (bulkAddToGroup, AddToGroup), OpenAPI summaries. Nothing keeps
the word "assign" anymore.
- Move group routes under /panel/api/clients/groups/* (was
/bulkAssignGroup at the clients root).
- Split add and remove into two endpoints: /groups/bulkAdd now rejects
empty group; new /groups/bulkRemove clears the label for the given
emails. The old "submit empty to clear" UX is gone — Ungroup is its
own action.
UI affordances on Clients page:
- Promote Group + Ungroup to visible bar buttons next to Attach +
Detach. Group reuses BulkAddToGroupModal; Ungroup pops a danger
confirm and calls bulkRemoveFromGroup.
- Custom UngroupIcon (TagsOutlined with a diagonal strike) for the
Ungroup button so the pairing reads at a glance.
- Hide the Group column when no clients have a group label yet —
removes a column of em-dashes on fresh installs.
UI on Groups page:
- New per-row Add clients… / Remove clients… actions backed by
GroupAddClientsModal and GroupRemoveClientsModal: rich client picker
(email / comment / current group / enable) with search and
preserveSelectedRowKeys, mirroring the inbounds Attach modal UX.
Controller split:
- Move all /groups/* routes, handlers, and request bodies out of
web/controller/client.go into a dedicated web/controller/group.go
(GroupController with leaner clientService + xrayService
dependencies). URLs are byte-identical because the new controller
registers on the same parent gin.RouterGroup; api_docs_test.go gets
a group.go → /panel/api/clients basePath entry so its route
extraction keeps working.
Invalidation dedup:
- Removing a client from a group on the Groups page used to refetch
/clients/groups and /clients/onlines three times: once from the
mutation's onSuccess, once from a redundant invalidate() in the
page's onSubmit, once from the WebSocket invalidate broadcast that
the backend fires after every mutation. The manual invalidate() is
gone, and a small invalidationTracker module lets websocketBridge
skip WS-driven invalidates that arrive within 1.5s of a local
invalidate — bringing the refetch count down to one. The WS path
still works for changes made by another tab or user.
Change the out-of-the-box remarkModel from "-io" (Inbound, Other) to
"-ieo" so newly provisioned panels include the client's email between
the inbound name and the other slot — much easier to identify which
client a generated remark belongs to. Existing installs that have
already written a remarkModel value are unaffected; only first-run /
unset defaults inherit the new pattern.
Inbounds page:
- AttachClientsModal now shows a per-client selection table (email,
comment, enabled tag) with search and a live "selected of total"
counter; all clients are pre-selected so the old "attach all"
workflow stays a single OK click.
- New DetachClientsModal on the inbound row menu lets you pick which
clients to remove from that inbound (records are kept so they can be
re-attached later; for full removal use Delete).
Clients page:
- New "Attach (N)" bulk-action button + BulkAttachInboundsModal that
attaches selected clients to one or more multi-user inbounds.
- New "Detach (N)" bulk-action button + BulkDetachInboundsModal that
removes selected clients from chosen inbounds; (email, inbound) pairs
where the client isn't attached are silently skipped.
Backend adds POST /panel/api/clients/bulkDetach, wrapping the existing
Detach service for each email and reporting per-email
detached/skipped/errors. ClientRecord rows are kept on detach to match
the single-client endpoint; bulkDel remains the path for full removal.
- Bulk-attach an inbound's clients onto other inbounds (same identity, shared traffic): new ClientService.BulkAttach + POST /clients/bulkAttach, an inbound row action, and AttachClientsModal.
- Assign all of an inbound's clients to a group from the inbound page, reusing /clients/bulkAssignGroup and the existing BulkAssignGroupModal.
- Default a random user/pass account for new Mixed and HTTP inbounds instead of an empty accounts list.
- Capitalize the inbound Security toggle labels (None/TLS/Reality).
