Jelajahi Sumber

fix: close panics and races the audit's own fixes left nearby

Second-pass review of the 54-commit self-correcting audit. Each item below
was confirmed by reading the surrounding source (and, where practical, the
pre-fix code) before being changed; regression tests are included for every
behavioral fix.

Concurrency:
- eventbus: Bus.Subscribe called wg.Add with no synchronization against a
  concurrent Bus.Stop's wg.Wait, a real "WaitGroup misuse" panic risk (e.g. a
  Telegram-bot settings save racing panel shutdown/restart). Stop now flips a
  mu-guarded `stopped` flag before waiting, and Subscribe checks it under the
  same lock, so Add and Wait can no longer race.

Security:
- login_limiter: evictForRoom's fallback eviction picked an arbitrary map
  key, including ones still under an active cooldown - an attacker flooding
  /login with fresh usernames could evict their own (or anyone's) blocked
  record and reset the lockout. The fallback now skips actively-blocked
  records, only falling back to an unconditional evict if the map is
  somehow entirely full of active blocks (preserves the hard memory cap).

Subscription-endpoint panics (reachable by any client hitting /sub):
- internal/sub/service.go: applyPathAndHostParams/Obj (ws/httpupgrade/xhttp
  with no path settings object) and the TLS alpn readers in three places
  used unchecked type assertions - exactly the bug class abab7cd0 patched
  elsewhere in the same switch statements, just not these call sites.
- internal/sub/json_service.go, clash_service.go: the externalProxy loops
  in the JSON and Clash generators used unchecked assertions on a
  legacy/admin-supplied field (missing "port", non-object entry, etc.).
- internal/sub/json_service.go: realityData's shortId/serverName selection
  could assert a non-string array element.

Other correctness:
- client_traffic.go: ResetAllTraffics (touched by 3eb214d0) still skipped
  clearing NodeClientTraffic node-sync baselines, unlike its sibling reset
  paths in the same file - a node's next sync would re-add pre-reset delta
  on top of the freshly-zeroed counter.
- inbound_traffic.go: the traffic-tick tx's Commit/Rollback errors were
  silently discarded; now logged so a backend-level commit failure (e.g. an
  aborted Postgres tx from a best-effort helper) doesn't masquerade as a
  successful tick.
- outbound_subscription.go: the new subscriptionFetchClient doc comment was
  wedged between fetchAndStore's existing comment and fetchAndStore itself,
  leaving fetchAndStore undocumented and the comment describing the wrong
  function.

Convention cleanup:
- Removed narrative // comments added by the audit that violate this repo's
  no-inline-comment rule (mostly narrating the specific bug/fix rather than
  a lasting contract, and mostly on new Test functions, which this repo's
  existing tests never comment) - calibrated against this exact codebase's
  own pre-existing comment style so legitimate godoc-style doc comments
  were left alone.
claude[bot] 18 jam lalu
induk
melakukan
fbad71d620
35 mengubah file dengan 179 tambahan dan 147 penghapusan
  1. 0 5
      frontend/src/pages/clients/ClientFormModal.tsx
  2. 0 2
      frontend/src/test/outbound-link-parser.test.ts
  3. 0 5
      internal/database/seeder_fastpath_test.go
  4. 15 6
      internal/eventbus/bus.go
  5. 14 0
      internal/eventbus/bus_test.go
  6. 10 4
      internal/sub/clash_service.go
  7. 12 6
      internal/sub/json_service.go
  8. 0 4
      internal/sub/remark_vars_test.go
  9. 11 5
      internal/sub/service.go
  10. 41 11
      internal/sub/sub_panic_test.go
  11. 0 5
      internal/util/link/outbound.go
  12. 0 2
      internal/util/link/outbound_helpers_test.go
  13. 12 4
      internal/web/controller/login_limiter.go
  14. 30 3
      internal/web/controller/login_limiter_test.go
  15. 0 2
      internal/web/entity/check_valid_test.go
  16. 0 4
      internal/web/service/access_log_parse_test.go
  17. 0 3
      internal/web/service/client_apply_field_test.go
  18. 0 3
      internal/web/service/client_locks_test.go
  19. 4 1
      internal/web/service/client_traffic.go
  20. 0 4
      internal/web/service/email/email_deadline_test.go
  21. 0 8
      internal/web/service/inbound_finalmask_reality_test.go
  22. 0 8
      internal/web/service/inbound_mtproto_txfail_test.go
  23. 5 3
      internal/web/service/inbound_traffic.go
  24. 0 3
      internal/web/service/integration/warp_response_test.go
  25. 0 4
      internal/web/service/key_gen_parse_test.go
  26. 1 1
      internal/web/service/outbound_subscription.go
  27. 0 3
      internal/web/service/outbound_subscription_ssrf_test.go
  28. 0 3
      internal/web/service/reset_writer_test.go
  29. 0 6
      internal/web/service/tgbot/tgbot_callback_auth_test.go
  30. 0 4
      internal/web/service/tgbot/tgbot_delete_after_test.go
  31. 0 5
      internal/web/service/tgbot/tgbot_router.go
  32. 24 8
      internal/web/service/traffic_commit_test.go
  33. 0 3
      internal/web/service/xray.go
  34. 0 6
      internal/web/service/xray_restart_test.go
  35. 0 3
      internal/xray/api_test.go

+ 0 - 5
frontend/src/pages/clients/ClientFormModal.tsx

@@ -151,11 +151,6 @@ export function gbToBytes(gb: number): number {
   return Math.round(gb * 1024 * 1024 * 1024);
 }
 
-// The quota field displays whole/2-decimal GB, so a byte total that isn't
-// aligned to 0.01 GB (e.g. one set via the API or an import) would drift on a
-// save that never touched the field. Keep the original byte total when the
-// displayed GB still matches it, and only re-derive from GB when the user
-// actually changed the value.
 export function resolveTotalBytes(originalBytes: number | null | undefined, displayedGB: number): number {
   if (originalBytes != null && displayedGB === bytesToGB(originalBytes)) {
     return originalBytes;

+ 0 - 2
frontend/src/test/outbound-link-parser.test.ts

@@ -252,8 +252,6 @@ describe('parseShadowsocksLink', () => {
   });
 
   it('decodes URL-safe base64 userinfo (as the emitter writes it)', () => {
-    // genShadowsocksLink emits Base64.encode(method:password, true) — URL-safe,
-    // so a password whose encoding contains - or _ must still round-trip.
     const method = 'aes-256-gcm';
     const password = '>>>';
     const userinfo = Base64.encode(`${method}:${password}`, true);

+ 0 - 5
internal/database/seeder_fastpath_test.go

@@ -7,11 +7,6 @@ import (
 	"github.com/mhsanaei/3x-ui/v3/internal/database/model"
 )
 
-// On a fresh install the fast path marks the one-time migration seeders as done
-// without running them. ResetIpLimitNoFail2ban must be in that set: otherwise it
-// is skipped on the first boot and runs on the second, where — on a host without
-// fail2ban — it destructively zeroes every client's limitIp, including limits the
-// admin configured between the two boots.
 func TestFreshInstallFastPathMarksResetIpLimitSeeder(t *testing.T) {
 	if err := InitDB(filepath.Join(t.TempDir(), "x-ui.db")); err != nil {
 		t.Fatalf("InitDB: %v", err)

+ 15 - 6
internal/eventbus/bus.go

@@ -29,11 +29,12 @@ type subscriber struct {
 // Producers call Publish (non-blocking) and every event is fanned out to all
 // subscribers; per-event filtering is the subscriber's responsibility.
 type Bus struct {
-	ch   chan Event
-	subs []*subscriber
-	mu   sync.RWMutex
-	done chan struct{}
-	wg   sync.WaitGroup
+	ch      chan Event
+	subs    []*subscriber
+	mu      sync.RWMutex
+	done    chan struct{}
+	wg      sync.WaitGroup
+	stopped bool
 }
 
 // New creates a Bus with the given buffer size. Use 0 for DefaultBufferSize.
@@ -57,6 +58,9 @@ func New(bufSize int) *Bus {
 func (b *Bus) Subscribe(id string, handler func(Event)) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
+	if b.stopped {
+		return
+	}
 	for i, s := range b.subs {
 		if s.id == id {
 			close(s.quit)
@@ -159,8 +163,13 @@ func safeCall(fn func(Event), e Event) {
 
 // Stop shuts down the bus: the dispatch loop and every subscriber worker exit
 // after finishing any handler already in progress, and any events still buffered
-// or queued may be dropped. Safe to call once.
+// or queued may be dropped. Safe to call once. After Stop returns, Subscribe is
+// a no-op — this also keeps Subscribe's wg.Add from ever racing with Wait below,
+// since both are serialized through mu.
 func (b *Bus) Stop() {
+	b.mu.Lock()
+	b.stopped = true
+	b.mu.Unlock()
 	close(b.done)
 	b.wg.Wait()
 }

+ 14 - 0
internal/eventbus/bus_test.go

@@ -260,3 +260,17 @@ func waitDone(wg *sync.WaitGroup) <-chan struct{} {
 	}()
 	return ch
 }
+
+func TestBusSubscribeAfterStopIsNoop(t *testing.T) {
+	b := New(4)
+	b.Stop()
+
+	b.Subscribe("late", func(Event) {})
+
+	b.mu.RLock()
+	n := len(b.subs)
+	b.mu.RUnlock()
+	if n != 0 {
+		t.Fatalf("Subscribe after Stop registered %d subscriber(s), want 0 (a stopped bus must not accept new subscribers, and must not call wg.Add after wg.Wait has been entered)", n)
+	}
+}

+ 10 - 4
internal/sub/clash_service.go

@@ -168,16 +168,22 @@ func (s *SubClashService) getProxies(subReq *SubService, inbound *model.Inbound,
 
 	proxies := make([]map[string]any, 0, len(externalProxies))
 	for _, ep := range externalProxies {
-		extPrxy := ep.(map[string]any)
+		extPrxy, ok := ep.(map[string]any)
+		if !ok {
+			continue
+		}
 		// Expand the host's {{VAR}} remark template for this client (no-op for
 		// the synthetic/legacy entry) before it becomes the proxy name.
 		subReq.renderHostRemark(inbound, client, extPrxy, network)
 		workingInbound := *inbound
-		workingInbound.Listen = extPrxy["dest"].(string)
-		workingInbound.Port = int(extPrxy["port"].(float64))
+		workingInbound.Listen, _ = extPrxy["dest"].(string)
+		if port, ok := extPrxy["port"].(float64); ok {
+			workingInbound.Port = int(port)
+		}
 		workingStream := cloneStreamForExternalProxy(stream)
 
-		switch extPrxy["forceTls"].(string) {
+		forceTls, _ := extPrxy["forceTls"].(string)
+		switch forceTls {
 		case "tls":
 			if workingStream["security"] != "tls" {
 				workingStream["security"] = "tls"

+ 12 - 6
internal/sub/json_service.go

@@ -177,14 +177,20 @@ func (s *SubJsonService) getConfig(subReq *SubService, inbound *model.Inbound, c
 	network, _ := stream["network"].(string)
 
 	for _, ep := range externalProxies {
-		extPrxy := ep.(map[string]any)
+		extPrxy, ok := ep.(map[string]any)
+		if !ok {
+			continue
+		}
 		// Expand the host's {{VAR}} remark template for this client (no-op for
 		// the synthetic/legacy entry) before it's used as the config remark.
 		subReq.renderHostRemark(inbound, client, extPrxy, network)
-		inbound.Listen = extPrxy["dest"].(string)
-		inbound.Port = int(extPrxy["port"].(float64))
+		inbound.Listen, _ = extPrxy["dest"].(string)
+		if port, ok := extPrxy["port"].(float64); ok {
+			inbound.Port = int(port)
+		}
 		newStream := cloneStreamForExternalProxy(stream)
-		switch extPrxy["forceTls"].(string) {
+		forceTls, _ := extPrxy["forceTls"].(string)
+		switch forceTls {
 		case "tls":
 			if newStream["security"] != "tls" {
 				newStream["security"] = "tls"
@@ -351,13 +357,13 @@ func (s *SubJsonService) realityData(rData map[string]any, clientKey string) map
 	rltyData["spiderX"] = deriveSpiderX(seed, clientKey)
 	shortIds, ok := rData["shortIds"].([]any)
 	if ok && len(shortIds) > 0 {
-		rltyData["shortId"] = shortIds[random.Num(len(shortIds))].(string)
+		rltyData["shortId"], _ = shortIds[random.Num(len(shortIds))].(string)
 	} else {
 		rltyData["shortId"] = ""
 	}
 	serverNames, ok := rData["serverNames"].([]any)
 	if ok && len(serverNames) > 0 {
-		rltyData["serverName"] = serverNames[random.Num(len(serverNames))].(string)
+		rltyData["serverName"], _ = serverNames[random.Num(len(serverNames))].(string)
 	} else {
 		rltyData["serverName"] = ""
 	}

+ 0 - 4
internal/sub/remark_vars_test.go

@@ -131,15 +131,11 @@ func TestExpandRemarkVars_DropUnlimitedSegments(t *testing.T) {
 func TestExpandRemarkVars_DropEmptySegments(t *testing.T) {
 	inbound := &model.Inbound{Remark: "host"}
 
-	// A client with no comment: the {{COMMENT}} segment resolves to empty and
-	// must be dropped, not left as a trailing "|".
 	noComment := expandCtx(model.Client{}, xray.ClientTraffic{Enable: true}, inbound)
 	if got := expandRemarkVars("{{INBOUND}}|{{COMMENT}}", noComment); got != "host" {
 		t.Errorf("empty comment segment = %q, want %q (no trailing pipe)", got, "host")
 	}
 
-	// A decorated empty segment (emoji + empty token) drops whole, not leaving
-	// a dangling emoji.
 	if got := expandRemarkVars("{{INBOUND}}|📅{{EXPIRE_DATE}}", noComment); got != "host" {
 		t.Errorf("decorated empty segment = %q, want %q", got, "host")
 	}

+ 11 - 5
internal/sub/service.go

@@ -993,7 +993,9 @@ func (s *SubService) genHysteriaLink(inbound *model.Inbound, email string) strin
 	alpns, _ := tlsSetting["alpn"].([]any)
 	var alpn []string
 	for _, a := range alpns {
-		alpn = append(alpn, a.(string))
+		if s, ok := a.(string); ok {
+			alpn = append(alpn, s)
+		}
 	}
 	if len(alpn) > 0 {
 		params["alpn"] = strings.Join(alpn, ",")
@@ -1180,7 +1182,7 @@ func unmarshalStreamSettings(streamSettings string) map[string]any {
 }
 
 func applyPathAndHostParams(settings map[string]any, params map[string]string) {
-	params["path"] = settings["path"].(string)
+	params["path"], _ = settings["path"].(string)
 	if host, ok := settings["host"].(string); ok && len(host) > 0 {
 		params["host"] = host
 	} else {
@@ -1190,7 +1192,7 @@ func applyPathAndHostParams(settings map[string]any, params map[string]string) {
 }
 
 func applyPathAndHostObj(settings map[string]any, obj map[string]any) {
-	obj["path"] = settings["path"].(string)
+	obj["path"], _ = settings["path"].(string)
 	if host, ok := settings["host"].(string); ok && len(host) > 0 {
 		obj["host"] = host
 	} else {
@@ -1312,7 +1314,9 @@ func applyShareTLSParams(stream map[string]any, params map[string]string) {
 	alpns, _ := tlsSetting["alpn"].([]any)
 	var alpn []string
 	for _, a := range alpns {
-		alpn = append(alpn, a.(string))
+		if s, ok := a.(string); ok {
+			alpn = append(alpn, s)
+		}
 	}
 	if len(alpn) > 0 {
 		params["alpn"] = strings.Join(alpn, ",")
@@ -1346,7 +1350,9 @@ func applyVmessTLSParams(stream map[string]any, obj map[string]any) {
 	if len(alpns) > 0 {
 		var alpn []string
 		for _, a := range alpns {
-			alpn = append(alpn, a.(string))
+			if s, ok := a.(string); ok {
+				alpn = append(alpn, s)
+			}
 		}
 		obj["alpn"] = strings.Join(alpn, ",")
 	}

+ 41 - 11
internal/sub/sub_panic_test.go

@@ -11,11 +11,6 @@ import (
 	"github.com/mhsanaei/3x-ui/v3/internal/database/model"
 )
 
-// A subscription is built by iterating every client's share link with no
-// recover(), so any panic in the link generators 500s the whole subscription
-// for every client. Valid-but-unusual stream settings (an empty Reality
-// shortIds/serverNames array, a tcp-http header with no request, a grpc block
-// missing its keys) must therefore produce a link, not a panic.
 func TestGetSubsToleratesUnusualStreamSettings(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 	cases := []struct {
@@ -27,6 +22,9 @@ func TestGetSubsToleratesUnusualStreamSettings(t *testing.T) {
 		{"tcp http empty path", `{"network":"tcp","security":"none","tcpSettings":{"header":{"type":"http","request":{"path":[]}}}}`},
 		{"grpc missing keys", `{"network":"grpc","security":"none","grpcSettings":{}}`},
 		{"empty stream settings", `{}`},
+		{"ws missing wsSettings", `{"network":"ws","security":"none"}`},
+		{"httpupgrade missing settings", `{"network":"httpupgrade","security":"none"}`},
+		{"tls alpn non-string element", `{"network":"tcp","security":"tls","tlsSettings":{"alpn":[123]}}`},
 	}
 
 	for i, tc := range cases {
@@ -46,9 +44,6 @@ func TestGetSubsToleratesUnusualStreamSettings(t *testing.T) {
 	}
 }
 
-// The JSON subscription generator for a Hysteria inbound whose StreamSettings
-// omit the hysteriaSettings key must not panic (which would 500 the whole JSON
-// subscription); the raw generator already tolerates this shape.
 func TestGetJsonToleratesHysteriaWithoutHysteriaSettings(t *testing.T) {
 	seedSubDB(t)
 	db := database.GetDB()
@@ -83,9 +78,21 @@ func TestGetJsonToleratesHysteriaWithoutHysteriaSettings(t *testing.T) {
 	}
 }
 
-// A Clash subscription must carry the pinned peer certificate SHA-256 when the
-// inbound configures one, matching the JSON subscription; dropping it silently
-// downgrades certificate pinning for Clash subscribers.
+func TestGetJsonToleratesNonStringRealityShortId(t *testing.T) {
+	seedSubDB(t)
+	stream := `{"network":"tcp","security":"reality","realitySettings":{"serverNames":["sni.example.com"],"shortIds":[42],"settings":{"publicKey":"pk"}}}`
+	seedSubInbound(t, "rlty1", "rlty", 46400, 1, stream)
+
+	jsonService := NewSubJsonService("", "", "", NewSubService(""))
+	out, _, err := jsonService.GetJson("rlty1", "sub.example.com", true)
+	if err != nil {
+		t.Fatalf("GetJson: %v", err)
+	}
+	if out == "" {
+		t.Fatal("GetJson returned empty for a reality inbound with a non-string shortId element")
+	}
+}
+
 func TestGetClashEmitsPinnedCertSha256(t *testing.T) {
 	seedSubDB(t)
 	const pin = "abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789"
@@ -100,3 +107,26 @@ func TestGetClashEmitsPinnedCertSha256(t *testing.T) {
 		t.Fatalf("Clash proxy dropped the pinned cert sha256:\n%s", out)
 	}
 }
+
+func TestJsonAndClashTolerateExternalProxyMissingPort(t *testing.T) {
+	seedSubDB(t)
+	stream := `{"network":"tcp","security":"none","externalProxy":[{"forceTls":"same","dest":"cdn.example.com"}]}`
+	seedSubInbound(t, "extp1", "extp", 46500, 1, stream)
+
+	jsonService := NewSubJsonService("", "", "", NewSubService(""))
+	jsonOut, _, err := jsonService.GetJson("extp1", "sub.example.com", true)
+	if err != nil {
+		t.Fatalf("GetJson: %v", err)
+	}
+	if jsonOut == "" {
+		t.Fatal("GetJson returned empty for an externalProxy entry missing port")
+	}
+
+	clashOut, _, err := NewSubClashService(false, "", NewSubService("")).GetClash("extp1", "sub.example.com")
+	if err != nil {
+		t.Fatalf("GetClash: %v", err)
+	}
+	if clashOut == "" {
+		t.Fatal("GetClash returned empty for an externalProxy entry missing port")
+	}
+}

+ 0 - 5
internal/util/link/outbound.go

@@ -621,11 +621,6 @@ func applyTransport(stream map[string]any, p url.Values) {
 		if m := p.Get("mode"); m != "" {
 			xh["mode"] = m
 		}
-		// The panel's own emitters carry the advanced xhttp knobs as a
-		// snake_case x_padding_bytes plus an extra=<json> blob, not as top-level
-		// camelCase params. Mirror the TS parser's precedence (snake_case alias
-		// -> extra JSON -> explicit camelCase) so a re-imported share link keeps
-		// them instead of silently reverting to the stream defaults.
 		if v := p.Get("x_padding_bytes"); v != "" {
 			xh["xPaddingBytes"] = v
 		}

+ 0 - 2
internal/util/link/outbound_helpers_test.go

@@ -178,8 +178,6 @@ func TestParse_XhttpExtraAndSnakeCaseFields(t *testing.T) {
 }
 
 func TestParse_VmessWSPathWithoutHostKey(t *testing.T) {
-	// Some generators omit "host" when it equals the address; the path must
-	// still be honored (matching the TS parser), not dropped to the default.
 	inner := `{"v":"2","add":"h","port":443,"id":"11111111-2222-4333-8444-555555555555","net":"ws","path":"/api","tls":"tls"}`
 	link := "vmess://" + base64.StdEncoding.EncodeToString([]byte(inner))
 	res, err := ParseLink(link)

+ 12 - 4
internal/web/controller/login_limiter.go

@@ -110,11 +110,19 @@ func (l *loginLimiter) evictForRoom(now time.Time) {
 			delete(l.attempts, key)
 		}
 	}
-	if len(l.attempts) >= loginLimitMaxRecords {
-		for key := range l.attempts {
-			delete(l.attempts, key)
-			break
+	if len(l.attempts) < loginLimitMaxRecords {
+		return
+	}
+	for key, record := range l.attempts {
+		if now.Before(record.blockedUntil) {
+			continue
 		}
+		delete(l.attempts, key)
+		return
+	}
+	for key := range l.attempts {
+		delete(l.attempts, key)
+		return
 	}
 }
 

+ 30 - 3
internal/web/controller/login_limiter_test.go

@@ -2,13 +2,11 @@ package controller
 
 import (
 	"strconv"
+	"strings"
 	"testing"
 	"time"
 )
 
-// An unauthenticated attacker can flood /login with fresh usernames, each of
-// which seeds a record keyed on that username. The attempts map must stay
-// bounded rather than growing until the process OOMs.
 func TestLoginLimiterBoundsMemoryUnderUsernameFlood(t *testing.T) {
 	limiter := newLoginLimiter(5, 5*time.Minute, 15*time.Minute)
 	for i := 0; i < loginLimitMaxRecords+100; i++ {
@@ -24,6 +22,35 @@ func TestLoginLimiterBoundsMemoryUnderUsernameFlood(t *testing.T) {
 	}
 }
 
+func TestLoginLimiterEvictionSparesActiveBlocks(t *testing.T) {
+	now := time.Date(2026, 5, 6, 12, 0, 0, 0, time.UTC)
+	limiter := newLoginLimiter(5, 5*time.Minute, 15*time.Minute)
+	limiter.now = func() time.Time { return now }
+
+	limiter.mu.Lock()
+	for i := 0; i < loginLimitMaxRecords-1; i++ {
+		limiter.attempts["victim-"+strconv.Itoa(i)] = &loginLimitRecord{blockedUntil: now.Add(10 * time.Minute)}
+	}
+	limiter.attempts["filler"] = &loginLimitRecord{failures: []time.Time{now}}
+	limiter.mu.Unlock()
+
+	if _, blocked := limiter.registerFailure("9.9.9.9", "newcomer"); blocked {
+		t.Fatal("the eviction-triggering failure itself should not be blocked yet")
+	}
+
+	limiter.mu.Lock()
+	defer limiter.mu.Unlock()
+	survivors := 0
+	for key, record := range limiter.attempts {
+		if strings.HasPrefix(key, "victim-") && now.Before(record.blockedUntil) {
+			survivors++
+		}
+	}
+	if survivors != loginLimitMaxRecords-1 {
+		t.Fatalf("eviction under a full map dropped an actively-blocked record: %d/%d victims survived", survivors, loginLimitMaxRecords-1)
+	}
+}
+
 func TestLoginLimiterBlocksAfterConfiguredFailures(t *testing.T) {
 	now := time.Date(2026, 5, 6, 12, 0, 0, 0, time.UTC)
 	limiter := newLoginLimiter(5, 5*time.Minute, 15*time.Minute)

+ 0 - 2
internal/web/entity/check_valid_test.go

@@ -29,13 +29,11 @@ func TestCheckValidSmtpFrom(t *testing.T) {
 }
 
 func TestCheckValidWildcardListenPortConflict(t *testing.T) {
-	// Same port, both bind all interfaces but spelled differently -> conflict.
 	s := &AllSetting{WebPort: 2053, SubPort: 2053, WebListen: "0.0.0.0", SubListen: ""}
 	if err := s.CheckValid(); err == nil {
 		t.Error("CheckValid must reject the same port bound on 0.0.0.0 and \"\" (both wildcard)")
 	}
 
-	// Same port on two distinct specific addresses can coexist and must be allowed.
 	ok := &AllSetting{WebPort: 2053, SubPort: 2053, WebListen: "127.0.0.1", SubListen: "192.168.1.1"}
 	if err := ok.CheckValid(); err != nil {
 		t.Errorf("distinct specific listens on the same port should be allowed: %v", err)

+ 0 - 4
internal/web/service/access_log_parse_test.go

@@ -2,10 +2,6 @@ package service
 
 import "testing"
 
-// Xray access-log lines carry attacker-influenced content (a client's requested
-// destination is logged verbatim) and can be truncated. parseAccessLogFields
-// must never panic on a short or malformed line, and must still parse a
-// well-formed line correctly.
 func TestParseAccessLogFields(t *testing.T) {
 	malformed := []string{
 		"",

+ 0 - 3
internal/web/service/client_apply_field_test.go

@@ -88,9 +88,6 @@ func TestResetClientExpiryTimeByEmail_MultiInbound(t *testing.T) {
 	}
 }
 
-// A disable-by-email (Telegram bot / LDAP sync) must flip enable on every
-// inbound the client is attached to. Patching only the first inbound left the
-// client connecting through its siblings' running Xray.
 func TestSetClientEnableByEmail_MultiInbound(t *testing.T) {
 	dbDir := t.TempDir()
 	t.Setenv("XUI_DB_FOLDER", dbDir)

+ 0 - 3
internal/web/service/client_locks_test.go

@@ -5,9 +5,6 @@ import (
 	"time"
 )
 
-// lockInbound must not hold the global registry mutex while it waits on a busy
-// inbound's own mutex, otherwise one slow client operation on a single inbound
-// freezes client mutations on every other inbound panel-wide.
 func TestLockInboundReleasesRegistryMutexWhileWaiting(t *testing.T) {
 	const id = 990006
 	held := lockInbound(id)

+ 4 - 1
internal/web/service/client_traffic.go

@@ -210,7 +210,10 @@ func (s *ClientService) ResetAllTraffics() (bool, error) {
 				return res.Error
 			}
 			affected = res.RowsAffected
-			return tx.Where("1 = 1").Delete(&model.ClientGlobalTraffic{}).Error
+			if err := tx.Where("1 = 1").Delete(&model.ClientGlobalTraffic{}).Error; err != nil {
+				return err
+			}
+			return tx.Where("1 = 1").Delete(&model.NodeClientTraffic{}).Error
 		})
 	})
 	if err != nil {

+ 0 - 4
internal/web/service/email/email_deadline_test.go

@@ -6,10 +6,6 @@ import (
 	"time"
 )
 
-// A server that accepts the TCP connection but then never speaks must not block
-// the sender goroutine indefinitely: sendPlain arms a connection deadline so the
-// SMTP greeting read fails instead of hanging until the OS TCP timeout, long
-// after the caller's own 30s budget has passed.
 func TestSendPlainReturnsOnStalledServer(t *testing.T) {
 	orig := smtpDeadline
 	smtpDeadline = 300 * time.Millisecond

+ 0 - 8
internal/web/service/inbound_finalmask_reality_test.go

@@ -91,10 +91,6 @@ func TestAddInbound_RejectsFinalMaskRealityCombo(t *testing.T) {
 	}
 }
 
-// AddInbound must always create a new row. The add controller binds the model's
-// `id` form field and never clears it, so a client that reuses an existing id
-// (e.g. duplicating an inbound fetched from /get) must not silently overwrite
-// that stored row via GORM Save's upsert-on-primary-key behavior.
 func TestAddInbound_IgnoresBoundIdAndCreatesNewRow(t *testing.T) {
 	setupConflictDB(t)
 	svc := &InboundService{}
@@ -127,10 +123,6 @@ func TestAddInbound_IgnoresBoundIdAndCreatesNewRow(t *testing.T) {
 	}
 }
 
-// A WireGuard inbound carrying clients (an imported config, or a node-reconcile
-// re-add) must be accepted: WG clients are keyed by their public key and have no
-// `id`, so the generic default validation branch wrongly rejected them with
-// "empty client ID".
 func TestAddInbound_AcceptsWireguardClientWithKey(t *testing.T) {
 	setupConflictDB(t)
 	svc := &InboundService{}

+ 0 - 8
internal/web/service/inbound_mtproto_txfail_test.go

@@ -11,11 +11,6 @@ import (
 	"github.com/mhsanaei/3x-ui/v3/internal/web/runtime"
 )
 
-// A local MTProto inbound edit must not push to the managed sidecar from inside
-// the serialized write transaction: that blocks the single traffic-writer
-// goroutine on process/network I/O, and a later step failing the transaction
-// would leave the sidecar ahead of the rolled-back database. The push belongs in
-// the post-commit hook, exactly as the xray branch already does it.
 func TestUpdateInboundLocalMtprotoDefersPushUntilCommit(t *testing.T) {
 	setupConflictDB(t)
 
@@ -52,9 +47,6 @@ func TestUpdateInboundLocalMtprotoDefersPushUntilCommit(t *testing.T) {
 	}
 }
 
-// Re-enabling a routed MTProto inbound must request an xray restart: the egress
-// SOCKS bridge is only injected for enabled inbounds, so the running config
-// needs regenerating or the sidecar dials a bridge that is not there.
 func TestSetInboundEnableRoutedMtprotoRequestsRestart(t *testing.T) {
 	setupConflictDB(t)
 

+ 5 - 3
internal/web/service/inbound_traffic.go

@@ -37,9 +37,11 @@ func (s *InboundService) addTrafficLocked(inboundTraffics []*xray.Traffic, clien
 
 	defer func() {
 		if err != nil {
-			tx.Rollback()
-		} else {
-			tx.Commit()
+			if rbErr := tx.Rollback().Error; rbErr != nil {
+				logger.Warning("Error rolling back traffic tx:", rbErr)
+			}
+		} else if cErr := tx.Commit().Error; cErr != nil {
+			logger.Warning("Error committing traffic tx:", cErr)
 		}
 	}()
 	err = s.addInboundTraffic(tx, inboundTraffics)

+ 0 - 3
internal/web/service/integration/warp_response_test.go

@@ -10,9 +10,6 @@ import (
 	"github.com/mhsanaei/3x-ui/v3/internal/database"
 )
 
-// A hostile egress proxy (or a MITM on the WARP endpoint) could stream an
-// arbitrarily large body; doWarpRequest must cap the read at maxResponseSize so
-// the panel cannot be forced into an unbounded allocation.
 func TestDoWarpRequestCapsResponseBody(t *testing.T) {
 	if err := database.InitDB(filepath.Join(t.TempDir(), "x-ui.db")); err != nil {
 		t.Fatalf("InitDB: %v", err)

+ 0 - 4
internal/web/service/key_gen_parse_test.go

@@ -2,10 +2,6 @@ package service
 
 import "testing"
 
-// The x25519 / mldsa65 / mlkem768 key generators parse xray's stdout by fixed
-// slice index. A short or reformatted output (a future xray release, or a
-// binary that failed silently) must yield an error, never an out-of-range
-// panic that 500s the handler.
 func TestParseXrayKeyPairOutput(t *testing.T) {
 	a, b, err := parseXrayKeyPairOutput("Private key: abc123\nPublic key: def456\n")
 	if err != nil {

+ 1 - 1
internal/web/service/outbound_subscription.go

@@ -277,7 +277,6 @@ func (s *OutboundSubscriptionService) RefreshAllEnabled() (int, error) {
 	return refreshed, nil
 }
 
-// fetchAndStore does the actual network + parse + stability + persist work.
 // subscriptionFetchClient builds the HTTP client used to fetch a subscription.
 // A configured panel egress proxy dials the loopback SOCKS bridge (xray handles
 // the real egress), so its localhost dial must not be SSRF-blocked. A direct
@@ -295,6 +294,7 @@ func (s *OutboundSubscriptionService) subscriptionFetchClient(timeout time.Durat
 	}
 }
 
+// fetchAndStore does the actual network + parse + stability + persist work.
 func (s *OutboundSubscriptionService) fetchAndStore(sub *model.OutboundSubscription) ([]any, error) {
 	// Re-sanitize on every fetch (handles legacy rows + defense in depth against
 	// any direct DB tampering). Private targets are blocked unless this

+ 0 - 3
internal/web/service/outbound_subscription_ssrf_test.go

@@ -10,9 +10,6 @@ import (
 	"github.com/mhsanaei/3x-ui/v3/internal/util/netsafe"
 )
 
-// The direct subscription-fetch client must dial through the SSRF guard so a
-// subscription host that resolves to a private/internal address (including a
-// DNS-rebinding flip after validation) is blocked at dial time, not connected to.
 func TestSubscriptionFetchClientBlocksPrivateDial(t *testing.T) {
 	setupSettingTestDB(t)
 	client := (&OutboundSubscriptionService{}).subscriptionFetchClient(5 * time.Second)

+ 0 - 3
internal/web/service/reset_writer_test.go

@@ -21,9 +21,6 @@ func (b *blockingResetRuntime) ResetAllTraffics(context.Context) error {
 	return nil
 }
 
-// A "Reset All Traffics" that propagates to nodes must not hold the single serial
-// traffic writer across the remote HTTP calls: each can block for seconds, and
-// stalling the writer drops every concurrent poll's traffic deltas.
 func TestResetAllTrafficsDoesNotBlockWriterOnNodeCall(t *testing.T) {
 	db := initTrafficTestDB(t)
 	resetTrafficWriterForTest(t)

+ 0 - 6
internal/web/service/tgbot/tgbot_callback_auth_test.go

@@ -6,12 +6,6 @@ import (
 	"github.com/mymmrac/telego"
 )
 
-// A non-admin callback must never reach a privileged handler. The second
-// callback switch runs outside the isAdmin guard, so without the default-deny
-// check a non-admin who can tap an admin's inline button (e.g. in a group) could
-// export the database backup or reset all traffic. Here the privileged handler
-// would panic on the nil bot/services of a bare Tgbot; the guard must return
-// first, so no panic occurs.
 func TestAnswerCallbackDeniesPrivilegedActionToNonAdmin(t *testing.T) {
 	defer func() {
 		if r := recover(); r != nil {

+ 0 - 4
internal/web/service/tgbot/tgbot_delete_after_test.go

@@ -2,10 +2,6 @@ package tgbot
 
 import "testing"
 
-// A transient "delete after N seconds" message must not reset the conversation
-// state when its timer fires: the user may have advanced to the next wizard step
-// (setting a fresh state) within that window, and clearing it would silently
-// drop their next input.
 func TestDeleteMessageAfterDelayKeepsUserState(t *testing.T) {
 	userStateMgr.reset()
 	t.Cleanup(userStateMgr.reset)

+ 0 - 5
internal/web/service/tgbot/tgbot_router.go

@@ -1128,11 +1128,6 @@ func (t *Tgbot) answerCallback(callbackQuery *telego.CallbackQuery, isAdmin bool
 		}
 	}
 
-	// The callbacks below sit outside the isAdmin block above, so a non-admin who
-	// can see an admin's inline keyboard (for example when the bot runs in a
-	// group) could otherwise trigger a database backup export, a mass traffic
-	// reset or client creation. Default-deny: a non-admin may only run the
-	// per-user client_* callbacks that key off their own Telegram id.
 	if !isAdmin && !isClientSelfCallback(callbackQuery.Data) {
 		return
 	}

+ 24 - 8
internal/web/service/traffic_commit_test.go

@@ -11,11 +11,6 @@ import (
 	"github.com/mhsanaei/3x-ui/v3/internal/xray"
 )
 
-// The traffic tick stages inbound and client deltas, then runs three best-effort
-// maintenance helpers (renew, disable-depleted-clients, disable-depleted-inbounds)
-// that are meant to log and continue. A failure in one of them must not roll back
-// the already-staged traffic — xray has already advanced its baseline, so a
-// rolled-back tick loses that traffic permanently.
 func TestAddTrafficCommitsDespiteDisableHelperError(t *testing.T) {
 	db := initTrafficTestDB(t)
 	svc := &InboundService{}
@@ -53,9 +48,6 @@ func TestAddTrafficCommitsDespiteDisableHelperError(t *testing.T) {
 	}
 }
 
-// Reset All Client Traffic must re-enable clients that were auto-disabled for
-// exceeding their quota, matching every other reset path; otherwise a reset
-// leaves depleted clients cut with zero usage.
 func TestResetAllTrafficsReenablesDepletedClients(t *testing.T) {
 	db := initTrafficTestDB(t)
 	svc := &ClientService{}
@@ -76,3 +68,27 @@ func TestResetAllTrafficsReenablesDepletedClients(t *testing.T) {
 		t.Fatal("a depleted client must be re-enabled after Reset All Client Traffic, matching every other reset path")
 	}
 }
+
+func TestResetAllTrafficsClearsNodeBaselines(t *testing.T) {
+	db := initTrafficTestDB(t)
+	svc := &ClientService{}
+
+	if err := db.Create(&xray.ClientTraffic{InboundId: 1, Email: "spent@x", Enable: true, Up: 60, Down: 60, Total: 100}).Error; err != nil {
+		t.Fatalf("seed traffic: %v", err)
+	}
+	if err := db.Create(&model.NodeClientTraffic{NodeId: 1, Email: "spent@x", Up: 60, Down: 60}).Error; err != nil {
+		t.Fatalf("seed node baseline: %v", err)
+	}
+
+	if _, err := svc.ResetAllTraffics(); err != nil {
+		t.Fatalf("ResetAllTraffics: %v", err)
+	}
+
+	var cnt int64
+	if err := db.Model(&model.NodeClientTraffic{}).Where("email = ?", "spent@x").Count(&cnt).Error; err != nil {
+		t.Fatalf("count baselines: %v", err)
+	}
+	if cnt != 0 {
+		t.Fatalf("Reset All Client Traffic must clear node baselines like its sibling reset paths, found %d", cnt)
+	}
+}

+ 0 - 3
internal/web/service/xray.go

@@ -986,9 +986,6 @@ func (s *XrayService) RestartXray(isForce bool) error {
 	lock.Lock()
 	defer lock.Unlock()
 	logger.Debug("restart Xray, force:", isForce)
-	// A background reconcile (a pending config-change flag, warp/ldap/outbound
-	// jobs) must not revive an Xray the admin deliberately stopped; only an
-	// explicit forced restart clears the manual-stop state.
 	if !isForce && isManuallyStopped.Load() {
 		return nil
 	}

+ 0 - 6
internal/web/service/xray_restart_test.go

@@ -4,9 +4,6 @@ import (
 	"testing"
 )
 
-// A background (non-forced) restart — the pending-config-change cron, warp/ldap/
-// outbound reconcile jobs — must not revive an Xray the admin deliberately
-// stopped. Only an explicit forced restart clears the manual-stop state.
 func TestRestartXrayRespectsManualStop(t *testing.T) {
 	setupSettingTestDB(t)
 	if err := (&SettingService{}).saveSetting("xrayTemplateConfig", "{ not valid json"); err != nil {
@@ -22,9 +19,6 @@ func TestRestartXrayRespectsManualStop(t *testing.T) {
 	}
 }
 
-// When the pending-restart reconcile consumes the need-restart flag but the
-// restart itself fails, the flag must be re-armed so the config change is
-// retried rather than silently dropped.
 func TestApplyPendingRestartReArmsFlagOnFailure(t *testing.T) {
 	setupSettingTestDB(t)
 	if err := (&SettingService{}).saveSetting("xrayTemplateConfig", "{ not valid json"); err != nil {

+ 0 - 3
internal/xray/api_test.go

@@ -5,9 +5,6 @@ import (
 	"testing"
 )
 
-// RemoveUser must return an error, not panic, when the handler client is not
-// initialized — matching every sibling API method. A depletion sweep can reach
-// it with a nil client during a restart window where Init(0) failed.
 func TestRemoveUserGuardsNilHandlerClient(t *testing.T) {
 	err := (&XrayAPI{}).RemoveUser("in-443-tcp", "[email protected]")
 	if err == nil {