3ecdae7c92
The legacy panel pages got their CSRF token from a <meta name="csrf-token"> tag rendered by Go. SPA pages built by Vite don't have that, so every unsafe (POST/PUT/DELETE) request from them was hitting CSRFMiddleware with no token and getting 403 — visible as the settings page being stuck on "Loading…" because POST /panel/setting/all failed. - web/controller/xui.go: GET /panel/csrf-token returns the session token. Lives under the xui group so checkLogin still gates it; the CSRFMiddleware on the same group is a no-op for GET. - frontend/src/api/axios-init.js: cache the token at module scope and lazy-fetch it when a non-safe request needs one. Seed from the meta tag first when present (legacy compat). On a 403 response, drop the cache and retry once — handles the case where a server restart rotated the token after the SPA loaded. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
3x-ui frontend
Vue 3 + Ant Design Vue 4 + Vite. Builds into ../web/dist/, which the
Go binary will embed via embed.FS once the migration reaches the page
handlers (Phase 4+).
This directory exists alongside the legacy web/html/ Vue 2 templates
during the migration. Pages will move over one at a time on the
vue3-migration branch.
Dev
cd frontend
npm install
npm run dev
The dev server runs on http://localhost:5173/ and proxies API calls to
the Go panel at http://localhost:2053/ — start the Go panel first
(go run main.go), then start Vite.
Production build
npm run build
Outputs to ../web/dist/. The Go binary picks it up at compile time via
embed.FS.
Where things live
src/main.js— app entrypoint (createApp, install Antd, mount)src/App.vue— root component (currently a smoke-test placeholder)vite.config.js— build + dev-server configindex.html— Vite HTML template
Adding new pages
For each legacy page being migrated, add an entry to
vite.config.js rollupOptions.input. Each entry produces its own
HTML file in web/dist/, which the Go panel route handler will serve.