1
0

db.go 44 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667
  1. package database
  2. import (
  3. "bytes"
  4. "context"
  5. "encoding/json"
  6. "errors"
  7. "fmt"
  8. "io"
  9. "log"
  10. "math"
  11. "os"
  12. "os/exec"
  13. "path"
  14. "runtime"
  15. "slices"
  16. "strconv"
  17. "strings"
  18. "time"
  19. "github.com/mhsanaei/3x-ui/v3/internal/config"
  20. "github.com/mhsanaei/3x-ui/v3/internal/database/model"
  21. "github.com/mhsanaei/3x-ui/v3/internal/util/crypto"
  22. "github.com/mhsanaei/3x-ui/v3/internal/util/random"
  23. "github.com/mhsanaei/3x-ui/v3/internal/xray"
  24. "gorm.io/driver/postgres"
  25. "gorm.io/driver/sqlite"
  26. "gorm.io/gorm"
  27. "gorm.io/gorm/logger"
  28. )
  29. var db *gorm.DB
  30. const (
  31. DialectSQLite = "sqlite"
  32. DialectPostgres = "postgres"
  33. )
  34. func IsPostgres() bool {
  35. if db == nil {
  36. return config.GetDBKind() == "postgres"
  37. }
  38. return db.Name() == "postgres"
  39. }
  40. func Dialect() string {
  41. if db == nil {
  42. return ""
  43. }
  44. return db.Name()
  45. }
  46. const (
  47. defaultUsername = "admin"
  48. defaultPassword = "admin"
  49. )
  50. func initModels() error {
  51. models := []any{
  52. &model.User{},
  53. &model.Inbound{},
  54. &model.OutboundTraffics{},
  55. &model.Setting{},
  56. &model.InboundClientIps{},
  57. &xray.ClientTraffic{},
  58. &model.HistoryOfSeeders{},
  59. &model.Node{},
  60. &model.ApiToken{},
  61. &model.ClientRecord{},
  62. &model.ClientInbound{},
  63. &model.ClientExternalLink{},
  64. &model.ClientGroup{},
  65. &model.InboundFallback{},
  66. &model.Host{},
  67. &model.NodeClientTraffic{},
  68. &model.NodeClientIp{},
  69. &model.ClientGlobalTraffic{},
  70. &model.OutboundSubscription{},
  71. }
  72. for _, mdl := range models {
  73. if IsPostgres() && postgresModelSettled(mdl) {
  74. continue
  75. }
  76. if err := db.AutoMigrate(mdl); err != nil {
  77. if isIgnorableDuplicateColumnErr(err, mdl) {
  78. log.Printf("Ignoring duplicate column during auto migration for %T: %v", mdl, err)
  79. continue
  80. }
  81. log.Printf("Error auto migrating model: %v", err)
  82. return err
  83. }
  84. }
  85. if err := migrateHostVerifyPeerCertByNameColumn(); err != nil {
  86. return err
  87. }
  88. if err := normalizeApiTokenCreatedAtSeconds(); err != nil {
  89. return err
  90. }
  91. if err := dropLegacyForeignKeys(); err != nil {
  92. return err
  93. }
  94. if err := pruneOrphanedClientInbounds(); err != nil {
  95. return err
  96. }
  97. if err := pruneOrphanedHosts(); err != nil {
  98. return err
  99. }
  100. if err := normalizeInboundSubSortIndex(); err != nil {
  101. return err
  102. }
  103. if err := repairOverflowedTrafficCounters(); err != nil {
  104. return err
  105. }
  106. if err := dedupeInboundSettingsClients(); err != nil {
  107. return err
  108. }
  109. if err := migrateLegacySocksInboundsToMixed(); err != nil {
  110. return err
  111. }
  112. if IsPostgres() {
  113. if err := resyncPostgresSequences(db, models); err != nil {
  114. log.Printf("Error resyncing postgres sequences: %v", err)
  115. return err
  116. }
  117. }
  118. return nil
  119. }
  120. func postgresModelSettled(mdl any) bool {
  121. migrator := db.Migrator()
  122. if !migrator.HasTable(mdl) {
  123. return false
  124. }
  125. stmt := &gorm.Statement{DB: db}
  126. if err := stmt.Parse(mdl); err != nil || stmt.Schema == nil {
  127. return false
  128. }
  129. for _, dbName := range stmt.Schema.DBNames {
  130. if !migrator.HasColumn(mdl, dbName) {
  131. return false
  132. }
  133. }
  134. for _, idx := range stmt.Schema.ParseIndexes() {
  135. if !migrator.HasIndex(mdl, idx.Name) {
  136. return false
  137. }
  138. }
  139. return true
  140. }
  141. func dropLegacyForeignKeys() error {
  142. if !IsPostgres() {
  143. return nil
  144. }
  145. if err := db.Exec("ALTER TABLE client_traffics DROP CONSTRAINT IF EXISTS fk_inbounds_client_stats").Error; err != nil {
  146. log.Printf("Error dropping legacy foreign key fk_inbounds_client_stats: %v", err)
  147. return err
  148. }
  149. return nil
  150. }
  151. func migrateHostVerifyPeerCertByNameColumn() error {
  152. if !db.Migrator().HasColumn(&model.Host{}, "verify_peer_cert_by_name") {
  153. return nil
  154. }
  155. if IsPostgres() {
  156. var dataType string
  157. if err := db.Raw(
  158. `SELECT data_type FROM information_schema.columns WHERE table_name = 'hosts' AND column_name = 'verify_peer_cert_by_name'`,
  159. ).Scan(&dataType).Error; err != nil {
  160. return err
  161. }
  162. if dataType != "boolean" {
  163. return nil
  164. }
  165. if err := db.Exec(`ALTER TABLE hosts ALTER COLUMN verify_peer_cert_by_name DROP DEFAULT`).Error; err != nil {
  166. return err
  167. }
  168. return db.Exec(`ALTER TABLE hosts ALTER COLUMN verify_peer_cert_by_name TYPE text USING ''`).Error
  169. }
  170. return db.Exec(`UPDATE hosts SET verify_peer_cert_by_name = '' WHERE verify_peer_cert_by_name IS NULL OR typeof(verify_peer_cert_by_name) <> 'text'`).Error
  171. }
  172. func seedHostsFromExternalProxy() error {
  173. var history []string
  174. if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &history).Error; err != nil {
  175. return err
  176. }
  177. if slices.Contains(history, "HostsFromExternalProxy") {
  178. return nil
  179. }
  180. var inbounds []model.Inbound
  181. if err := db.Find(&inbounds).Error; err != nil {
  182. return err
  183. }
  184. return db.Transaction(func(tx *gorm.DB) error {
  185. for _, inbound := range inbounds {
  186. if _, err := CreateHostsFromExternalProxy(tx, inbound.Id, inbound.StreamSettings); err != nil {
  187. return err
  188. }
  189. }
  190. return tx.Create(&model.HistoryOfSeeders{SeederName: "HostsFromExternalProxy"}).Error
  191. })
  192. }
  193. func seedWireguardPeersToClients() error {
  194. var history []string
  195. if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &history).Error; err != nil {
  196. return err
  197. }
  198. if slices.Contains(history, "WireguardPeersToClients") {
  199. return nil
  200. }
  201. var inbounds []model.Inbound
  202. if err := db.Where("protocol = ?", string(model.WireGuard)).Find(&inbounds).Error; err != nil {
  203. return err
  204. }
  205. return db.Transaction(func(tx *gorm.DB) error {
  206. usedEmails := map[string]struct{}{}
  207. var existingEmails []string
  208. if err := tx.Model(&model.ClientRecord{}).Pluck("email", &existingEmails).Error; err != nil {
  209. return err
  210. }
  211. for _, e := range existingEmails {
  212. usedEmails[e] = struct{}{}
  213. }
  214. for _, inbound := range inbounds {
  215. if strings.TrimSpace(inbound.Settings) == "" {
  216. continue
  217. }
  218. var settings map[string]any
  219. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  220. log.Printf("WireguardPeersToClients: skip inbound %d (invalid settings json): %v", inbound.Id, err)
  221. continue
  222. }
  223. peers, ok := settings["peers"].([]any)
  224. if !ok || len(peers) == 0 {
  225. continue
  226. }
  227. var linkCount int64
  228. if err := tx.Model(&model.ClientInbound{}).Where("inbound_id = ?", inbound.Id).Count(&linkCount).Error; err != nil {
  229. return err
  230. }
  231. if linkCount > 0 {
  232. continue
  233. }
  234. clientObjs := make([]any, 0, len(peers))
  235. for i, raw := range peers {
  236. obj, ok := raw.(map[string]any)
  237. if !ok {
  238. continue
  239. }
  240. email := wireguardPeerEmail(inbound.Remark, obj, i, usedEmails)
  241. usedEmails[email] = struct{}{}
  242. obj["email"] = email
  243. if sub, _ := obj["subId"].(string); strings.TrimSpace(sub) == "" {
  244. obj["subId"] = random.NumLower(16)
  245. }
  246. if _, ok := obj["enable"]; !ok {
  247. obj["enable"] = true
  248. }
  249. blob, err := json.Marshal(obj)
  250. if err != nil {
  251. continue
  252. }
  253. var c model.Client
  254. if err := json.Unmarshal(blob, &c); err != nil {
  255. log.Printf("WireguardPeersToClients: skip peer in inbound %d: %v", inbound.Id, err)
  256. continue
  257. }
  258. c.Email = email
  259. incoming := c.ToRecord()
  260. var row model.ClientRecord
  261. err = tx.Where("email = ?", email).First(&row).Error
  262. if errors.Is(err, gorm.ErrRecordNotFound) {
  263. if err := tx.Create(incoming).Error; err != nil {
  264. return err
  265. }
  266. row = *incoming
  267. } else if err != nil {
  268. return err
  269. } else {
  270. model.MergeClientRecord(&row, incoming)
  271. if err := tx.Save(&row).Error; err != nil {
  272. return err
  273. }
  274. }
  275. link := model.ClientInbound{ClientId: row.Id, InboundId: inbound.Id}
  276. if err := tx.Where("client_id = ? AND inbound_id = ?", row.Id, inbound.Id).
  277. FirstOrCreate(&link).Error; err != nil {
  278. return err
  279. }
  280. clientObjs = append(clientObjs, obj)
  281. }
  282. delete(settings, "peers")
  283. settings["clients"] = clientObjs
  284. newSettings, err := json.Marshal(settings)
  285. if err != nil {
  286. return err
  287. }
  288. if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  289. Update("settings", string(newSettings)).Error; err != nil {
  290. return err
  291. }
  292. }
  293. return tx.Create(&model.HistoryOfSeeders{SeederName: "WireguardPeersToClients"}).Error
  294. })
  295. }
  296. func wireguardPeerEmail(remark string, peer map[string]any, index int, used map[string]struct{}) string {
  297. base := strings.TrimSpace(remark)
  298. if base == "" {
  299. base = "wg"
  300. }
  301. suffix := strconv.Itoa(index + 1)
  302. if c, ok := peer["comment"].(string); ok && strings.TrimSpace(c) != "" {
  303. suffix = strings.TrimSpace(c)
  304. }
  305. email := strings.ReplaceAll(base+"-"+suffix, " ", "-")
  306. candidate := email
  307. for n := 2; ; n++ {
  308. if _, taken := used[candidate]; !taken {
  309. return candidate
  310. }
  311. candidate = email + "-" + strconv.Itoa(n)
  312. }
  313. }
  314. // seedMtprotoSecretsToClients converts each legacy single-secret mtproto inbound
  315. // into a one-client inbound so MTProto joins the shared multi-client model: the
  316. // inbound-level secret becomes the first client's FakeTLS secret, and a
  317. // ClientRecord + client_inbounds link are created so per-client traffic, limits,
  318. // and share links work exactly like every other protocol. One-time, self-gated
  319. // on the "MtprotoSecretsToClients" seeder row. Mirrors seedWireguardPeersToClients.
  320. func seedMtprotoSecretsToClients() error {
  321. var history []string
  322. if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &history).Error; err != nil {
  323. return err
  324. }
  325. if slices.Contains(history, "MtprotoSecretsToClients") {
  326. return nil
  327. }
  328. var inbounds []model.Inbound
  329. if err := db.Where("protocol = ?", string(model.MTProto)).Find(&inbounds).Error; err != nil {
  330. return err
  331. }
  332. return db.Transaction(func(tx *gorm.DB) error {
  333. usedEmails := map[string]struct{}{}
  334. var existingEmails []string
  335. if err := tx.Model(&model.ClientRecord{}).Pluck("email", &existingEmails).Error; err != nil {
  336. return err
  337. }
  338. for _, e := range existingEmails {
  339. usedEmails[e] = struct{}{}
  340. }
  341. for _, inbound := range inbounds {
  342. if strings.TrimSpace(inbound.Settings) == "" {
  343. continue
  344. }
  345. var settings map[string]any
  346. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  347. log.Printf("MtprotoSecretsToClients: skip inbound %d (invalid settings json): %v", inbound.Id, err)
  348. continue
  349. }
  350. if clients, ok := settings["clients"].([]any); ok && len(clients) > 0 {
  351. continue
  352. }
  353. var linkCount int64
  354. if err := tx.Model(&model.ClientInbound{}).Where("inbound_id = ?", inbound.Id).Count(&linkCount).Error; err != nil {
  355. return err
  356. }
  357. if linkCount > 0 {
  358. continue
  359. }
  360. secret, _ := settings["secret"].(string)
  361. secret = strings.TrimSpace(secret)
  362. if secret == "" {
  363. domain, _ := settings["fakeTlsDomain"].(string)
  364. secret = model.GenerateFakeTLSSecret(strings.TrimSpace(domain))
  365. }
  366. email := mtprotoInboundClientEmail(inbound.Remark, usedEmails)
  367. usedEmails[email] = struct{}{}
  368. obj := map[string]any{
  369. "email": email,
  370. "secret": secret,
  371. "enable": true,
  372. "subId": random.NumLower(16),
  373. }
  374. c := model.Client{Email: email, Secret: secret, Enable: true, SubID: obj["subId"].(string)}
  375. incoming := c.ToRecord()
  376. var row model.ClientRecord
  377. err := tx.Where("email = ?", email).First(&row).Error
  378. if errors.Is(err, gorm.ErrRecordNotFound) {
  379. if err := tx.Create(incoming).Error; err != nil {
  380. return err
  381. }
  382. row = *incoming
  383. } else if err != nil {
  384. return err
  385. } else {
  386. model.MergeClientRecord(&row, incoming)
  387. if err := tx.Save(&row).Error; err != nil {
  388. return err
  389. }
  390. }
  391. link := model.ClientInbound{ClientId: row.Id, InboundId: inbound.Id}
  392. if err := tx.Where("client_id = ? AND inbound_id = ?", row.Id, inbound.Id).
  393. FirstOrCreate(&link).Error; err != nil {
  394. return err
  395. }
  396. delete(settings, "secret")
  397. settings["clients"] = []any{obj}
  398. newSettings, err := json.Marshal(settings)
  399. if err != nil {
  400. return err
  401. }
  402. if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  403. Update("settings", string(newSettings)).Error; err != nil {
  404. return err
  405. }
  406. }
  407. return tx.Create(&model.HistoryOfSeeders{SeederName: "MtprotoSecretsToClients"}).Error
  408. })
  409. }
  410. // stripMtprotoInboundSecrets removes the vestigial inbound-level `secret` from
  411. // every mtproto inbound. seedMtprotoSecretsToClients already drops it while
  412. // converting legacy single-secret inbounds, but inbounds that already had clients
  413. // kept the dead field, and the old HealMtprotoSecret regenerated it on every
  414. // save. mtg and every share link read only per-client secrets, so the
  415. // inbound-level value is dead data that once leaked into stale, unusable links.
  416. // One-time, self-gated on the "StripMtprotoInboundSecrets" seeder row.
  417. func stripMtprotoInboundSecrets() error {
  418. var history []string
  419. if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &history).Error; err != nil {
  420. return err
  421. }
  422. if slices.Contains(history, "StripMtprotoInboundSecrets") {
  423. return nil
  424. }
  425. var inbounds []model.Inbound
  426. if err := db.Where("protocol = ?", string(model.MTProto)).Find(&inbounds).Error; err != nil {
  427. return err
  428. }
  429. return db.Transaction(func(tx *gorm.DB) error {
  430. for _, inbound := range inbounds {
  431. stripped, ok := model.StripMtprotoInboundSecret(inbound.Settings)
  432. if !ok {
  433. continue
  434. }
  435. if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  436. Update("settings", stripped).Error; err != nil {
  437. return err
  438. }
  439. }
  440. return tx.Create(&model.HistoryOfSeeders{SeederName: "StripMtprotoInboundSecrets"}).Error
  441. })
  442. }
  443. // mtprotoInboundClientEmail derives a stable, unique client email for a migrated
  444. // mtproto inbound from its remark.
  445. func mtprotoInboundClientEmail(remark string, used map[string]struct{}) string {
  446. base := strings.TrimSpace(remark)
  447. if base == "" {
  448. base = "mtproto"
  449. }
  450. email := strings.ReplaceAll(base, " ", "-")
  451. candidate := email
  452. for n := 2; ; n++ {
  453. if _, taken := used[candidate]; !taken {
  454. return candidate
  455. }
  456. candidate = email + "-" + strconv.Itoa(n)
  457. }
  458. }
  459. // CreateHostsFromExternalProxy parses a legacy streamSettings.externalProxy array
  460. // and inserts one Host row per entry on tx, returning the number of rows created.
  461. // It is the shared core of both the one-time seedHostsFromExternalProxy startup
  462. // migration and the inbound-import path: an inbound exported from a build that
  463. // predated the hosts table carries its external proxies inline in
  464. // streamSettings.externalProxy, and the startup migration is gated off after its
  465. // first run, so a freshly imported inbound must be converted here instead. Blank
  466. // or malformed streamSettings, or one without externalProxy entries, is a no-op.
  467. func CreateHostsFromExternalProxy(tx *gorm.DB, inboundId int, streamSettings string) (int, error) {
  468. if strings.TrimSpace(streamSettings) == "" {
  469. return 0, nil
  470. }
  471. var stream map[string]any
  472. if err := json.Unmarshal([]byte(streamSettings), &stream); err != nil {
  473. return 0, nil
  474. }
  475. eps, ok := stream["externalProxy"].([]any)
  476. if !ok || len(eps) == 0 {
  477. return 0, nil
  478. }
  479. created := 0
  480. for i, raw := range eps {
  481. ep, ok := raw.(map[string]any)
  482. if !ok {
  483. continue
  484. }
  485. if err := tx.Create(externalProxyEntryToHost(inboundId, i, ep)).Error; err != nil {
  486. return created, err
  487. }
  488. created++
  489. }
  490. return created, nil
  491. }
  492. func externalProxyEntryToHost(inboundId, index int, ep map[string]any) *model.Host {
  493. security, _ := ep["forceTls"].(string)
  494. switch security {
  495. case "same", "tls", "none":
  496. default:
  497. security = "same"
  498. }
  499. dest, _ := ep["dest"].(string)
  500. port := 0
  501. if p, ok := ep["port"].(float64); ok {
  502. port = int(p)
  503. }
  504. remark, _ := ep["remark"].(string)
  505. if strings.TrimSpace(remark) == "" {
  506. remark = "imported " + strconv.Itoa(index+1)
  507. }
  508. if len(remark) > 256 {
  509. remark = remark[:256]
  510. }
  511. sni, _ := ep["sni"].(string)
  512. fingerprint, _ := ep["fingerprint"].(string)
  513. ech, _ := ep["echConfigList"].(string)
  514. return &model.Host{
  515. InboundId: inboundId,
  516. SortOrder: index,
  517. Remark: remark,
  518. Address: dest,
  519. Port: port,
  520. Security: security,
  521. Sni: sni,
  522. Fingerprint: fingerprint,
  523. Alpn: anyToNonEmptyStrings(ep["alpn"]),
  524. PinnedPeerCertSha256: anyToNonEmptyStrings(ep["pinnedPeerCertSha256"]),
  525. EchConfigList: ech,
  526. }
  527. }
  528. func anyToNonEmptyStrings(v any) []string {
  529. switch t := v.(type) {
  530. case []any:
  531. out := make([]string, 0, len(t))
  532. for _, e := range t {
  533. if s, ok := e.(string); ok && s != "" {
  534. out = append(out, s)
  535. }
  536. }
  537. return out
  538. case []string:
  539. out := make([]string, 0, len(t))
  540. for _, s := range t {
  541. if s != "" {
  542. out = append(out, s)
  543. }
  544. }
  545. return out
  546. default:
  547. return nil
  548. }
  549. }
  550. func pruneOrphanedHosts() error {
  551. res := db.Exec("DELETE FROM hosts WHERE inbound_id NOT IN (SELECT id FROM inbounds)")
  552. if res.Error != nil {
  553. log.Printf("Error pruning orphaned hosts rows: %v", res.Error)
  554. return res.Error
  555. }
  556. if res.RowsAffected > 0 {
  557. log.Printf("Pruned %d orphaned hosts row(s)", res.RowsAffected)
  558. }
  559. return nil
  560. }
  561. func pruneOrphanedClientInbounds() error {
  562. res := db.Exec("DELETE FROM client_inbounds WHERE inbound_id NOT IN (SELECT id FROM inbounds)")
  563. if res.Error != nil {
  564. log.Printf("Error pruning orphaned client_inbounds rows: %v", res.Error)
  565. return res.Error
  566. }
  567. if res.RowsAffected > 0 {
  568. log.Printf("Pruned %d orphaned client_inbounds row(s)", res.RowsAffected)
  569. }
  570. return nil
  571. }
  572. // migrateLegacySocksInboundsToMixed renames legacy socks inbounds to mixed.
  573. // The protocol enum dropped socks in favor of mixed (identical settings shape,
  574. // same behavior plus HTTP on the shared port), so rows predating the rename
  575. // fail model validation — most visibly when pushed to a node, where one legacy
  576. // inbound stalled the entire node's config and traffic sync (#5685).
  577. func migrateLegacySocksInboundsToMixed() error {
  578. res := db.Exec("UPDATE inbounds SET protocol = 'mixed' WHERE protocol = 'socks'")
  579. if res.Error != nil {
  580. log.Printf("Error migrating legacy socks inbounds to mixed: %v", res.Error)
  581. return res.Error
  582. }
  583. if res.RowsAffected > 0 {
  584. log.Printf("Migrated %d legacy socks inbound(s) to mixed", res.RowsAffected)
  585. }
  586. return nil
  587. }
  588. // normalizeInboundSubSortIndex lifts sub_sort_index values below the 1-based
  589. // minimum (rows written by builds that defaulted the column to 0, or by nodes
  590. // predating the field) so they cannot sort ahead of explicitly ranked inbounds.
  591. func normalizeInboundSubSortIndex() error {
  592. res := db.Exec("UPDATE inbounds SET sub_sort_index = 1 WHERE sub_sort_index < 1")
  593. if res.Error != nil {
  594. log.Printf("Error normalizing inbound sub_sort_index: %v", res.Error)
  595. return res.Error
  596. }
  597. if res.RowsAffected > 0 {
  598. log.Printf("Normalized sub_sort_index on %d inbound(s)", res.RowsAffected)
  599. }
  600. return nil
  601. }
  602. // repairOverflowedTrafficCounters heals traffic counters that historic
  603. // compounding bugs pushed past int64: on SQLite an overflowing INTEGER is
  604. // silently promoted to REAL, after which the column no longer scans into the
  605. // Go int64 field and every reader of the table fails (#5762). REAL cells are
  606. // cast back to INTEGER (SQLite caps the cast at math.MaxInt64), then values
  607. // are clamped into [0, TrafficMax] on both backends so the next delta cannot
  608. // overflow again.
  609. func repairOverflowedTrafficCounters() error {
  610. targets := []struct {
  611. table string
  612. columns []string
  613. }{
  614. {"client_traffics", []string{"up", "down"}},
  615. {"inbounds", []string{"up", "down"}},
  616. {"outbound_traffics", []string{"up", "down", "total"}},
  617. {"node_client_traffics", []string{"up", "down"}},
  618. }
  619. for _, target := range targets {
  620. for _, col := range target.columns {
  621. statements := []string{
  622. fmt.Sprintf("UPDATE %s SET %s = %d WHERE %s > %d", target.table, col, TrafficMax, col, TrafficMax),
  623. fmt.Sprintf("UPDATE %s SET %s = 0 WHERE %s < 0", target.table, col, col),
  624. }
  625. if !IsPostgres() {
  626. statements = append([]string{
  627. fmt.Sprintf("UPDATE %s SET %s = CAST(%s AS INTEGER) WHERE typeof(%s) = 'real'", target.table, col, col, col),
  628. }, statements...)
  629. }
  630. var repaired int64
  631. for _, statement := range statements {
  632. res := db.Exec(statement)
  633. if res.Error != nil {
  634. log.Printf("Error repairing %s.%s: %v", target.table, col, res.Error)
  635. return res.Error
  636. }
  637. repaired += res.RowsAffected
  638. }
  639. if repaired > 0 {
  640. log.Printf("Repaired %d overflowed %s.%s value(s)", repaired, target.table, col)
  641. }
  642. }
  643. }
  644. return nil
  645. }
  646. // dedupeInboundSettingsClients collapses duplicate same-email entries inside
  647. // every inbound's settings.clients array, keeping the first occurrence.
  648. // Retried or raced multi-node client adds on older builds appended the same
  649. // client several times (#5770), which the client lists then rendered as
  650. // phantom duplicates. Runs on every start (idempotent, writes only changed
  651. // rows) because a restored backup or a not-yet-upgraded node's snapshot can
  652. // reintroduce duplicates.
  653. func dedupeInboundSettingsClients() error {
  654. var inbounds []model.Inbound
  655. if err := db.Find(&inbounds).Error; err != nil {
  656. return err
  657. }
  658. repaired := int64(0)
  659. for _, inbound := range inbounds {
  660. if strings.TrimSpace(inbound.Settings) == "" {
  661. continue
  662. }
  663. var settings map[string]any
  664. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  665. continue
  666. }
  667. clients, _ := settings["clients"].([]any)
  668. if len(clients) < 2 {
  669. continue
  670. }
  671. seen := make(map[string]struct{}, len(clients))
  672. kept := make([]any, 0, len(clients))
  673. for _, c := range clients {
  674. if cm, ok := c.(map[string]any); ok {
  675. if email, _ := cm["email"].(string); email != "" {
  676. key := strings.ToLower(email)
  677. if _, dup := seen[key]; dup {
  678. continue
  679. }
  680. seen[key] = struct{}{}
  681. }
  682. }
  683. kept = append(kept, c)
  684. }
  685. if len(kept) == len(clients) {
  686. continue
  687. }
  688. settings["clients"] = kept
  689. newSettings, err := json.MarshalIndent(settings, "", " ")
  690. if err != nil {
  691. log.Printf("dedupeInboundSettingsClients: skip inbound %d (marshal failed): %v", inbound.Id, err)
  692. continue
  693. }
  694. if err := db.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  695. Update("settings", string(newSettings)).Error; err != nil {
  696. return err
  697. }
  698. repaired++
  699. }
  700. if repaired > 0 {
  701. log.Printf("Removed duplicate client entries from %d inbound(s)", repaired)
  702. }
  703. return nil
  704. }
  705. func isIgnorableDuplicateColumnErr(err error, mdl any) bool {
  706. if err == nil {
  707. return false
  708. }
  709. errMsg := strings.ToLower(err.Error())
  710. const sqlitePrefix = "duplicate column name:"
  711. if _, after, ok := strings.Cut(errMsg, sqlitePrefix); ok {
  712. col := strings.TrimSpace(after)
  713. col = strings.Trim(col, "`\"[]")
  714. return col != "" && db != nil && db.Migrator().HasColumn(mdl, col)
  715. }
  716. if strings.Contains(errMsg, "already exists") && strings.Contains(errMsg, "column ") {
  717. if _, after, ok := strings.Cut(errMsg, "column \""); ok {
  718. rest := after
  719. if e := strings.Index(rest, "\""); e > 0 {
  720. col := rest[:e]
  721. return col != "" && db != nil && db.Migrator().HasColumn(mdl, col)
  722. }
  723. }
  724. }
  725. return false
  726. }
  727. func initUser() error {
  728. empty, err := isTableEmpty("users")
  729. if err != nil {
  730. log.Printf("Error checking if users table is empty: %v", err)
  731. return err
  732. }
  733. if empty {
  734. hashedPassword, err := crypto.HashPasswordAsBcrypt(defaultPassword)
  735. if err != nil {
  736. log.Printf("Error hashing default password: %v", err)
  737. return err
  738. }
  739. user := &model.User{
  740. Username: defaultUsername,
  741. Password: hashedPassword,
  742. }
  743. return db.Create(user).Error
  744. }
  745. return nil
  746. }
  747. func runSeeders(isUsersEmpty bool) error {
  748. empty, err := isTableEmpty("history_of_seeders")
  749. if err != nil {
  750. log.Printf("Error checking if users table is empty: %v", err)
  751. return err
  752. }
  753. if empty && isUsersEmpty {
  754. seeders := []string{"UserPasswordHash", "ClientsTable", "InboundClientsArrayFix", "InboundClientTgIdFix", "InboundClientSubIdFix", "FreedomFinalRulesReverseFix", "ApiTokensHash", "LegacyProxySettingsCleanup", "WireguardPeersToClients", "MtprotoSecretsToClients"}
  755. for _, name := range seeders {
  756. if err := db.Create(&model.HistoryOfSeeders{SeederName: name}).Error; err != nil {
  757. return err
  758. }
  759. }
  760. return seedApiTokens()
  761. }
  762. var seedersHistory []string
  763. if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &seedersHistory).Error; err != nil {
  764. log.Printf("Error fetching seeder history: %v", err)
  765. return err
  766. }
  767. if !slices.Contains(seedersHistory, "UserPasswordHash") && !isUsersEmpty {
  768. var users []model.User
  769. if err := db.Find(&users).Error; err != nil {
  770. log.Printf("Error fetching users for password migration: %v", err)
  771. return err
  772. }
  773. for _, user := range users {
  774. if crypto.IsHashed(user.Password) {
  775. continue
  776. }
  777. hashedPassword, err := crypto.HashPasswordAsBcrypt(user.Password)
  778. if err != nil {
  779. log.Printf("Error hashing password for user '%s': %v", user.Username, err)
  780. return err
  781. }
  782. if err := db.Model(&user).Update("password", hashedPassword).Error; err != nil {
  783. log.Printf("Error updating password for user '%s': %v", user.Username, err)
  784. return err
  785. }
  786. }
  787. hashSeeder := &model.HistoryOfSeeders{
  788. SeederName: "UserPasswordHash",
  789. }
  790. if err := db.Create(hashSeeder).Error; err != nil {
  791. return err
  792. }
  793. }
  794. if !slices.Contains(seedersHistory, "ApiTokensTable") {
  795. if err := seedApiTokens(); err != nil {
  796. return err
  797. }
  798. }
  799. if !slices.Contains(seedersHistory, "ApiTokensHash") {
  800. if err := hashExistingApiTokens(); err != nil {
  801. return err
  802. }
  803. }
  804. if !slices.Contains(seedersHistory, "ClientsTable") {
  805. if err := seedClientsFromInboundJSON(); err != nil {
  806. return err
  807. }
  808. }
  809. if !slices.Contains(seedersHistory, "InboundClientsArrayFix") {
  810. if err := normalizeInboundClientsArray(); err != nil {
  811. return err
  812. }
  813. }
  814. if !slices.Contains(seedersHistory, "InboundClientTgIdFix") {
  815. if err := normalizeInboundClientTgId(); err != nil {
  816. return err
  817. }
  818. }
  819. if !slices.Contains(seedersHistory, "InboundClientSubIdFix") {
  820. if err := normalizeInboundClientSubId(); err != nil {
  821. return err
  822. }
  823. }
  824. if !slices.Contains(seedersHistory, "FreedomFinalRulesReverseFix") {
  825. if err := normalizeFreedomFinalRules(); err != nil {
  826. return err
  827. }
  828. }
  829. if !slices.Contains(seedersHistory, "LegacyProxySettingsCleanup") {
  830. if err := clearLegacyProxySettings(); err != nil {
  831. return err
  832. }
  833. }
  834. if err := seedHostsFromExternalProxy(); err != nil {
  835. return err
  836. }
  837. if err := resetIpLimitsWithoutFail2ban(); err != nil {
  838. return err
  839. }
  840. if err := seedWireguardPeersToClients(); err != nil {
  841. return err
  842. }
  843. if err := seedHostGroupIds(); err != nil {
  844. return err
  845. }
  846. // Self-gated on the "MtprotoSecretsToClients" row.
  847. if err := seedMtprotoSecretsToClients(); err != nil {
  848. return err
  849. }
  850. // Self-gated on the "StripMtprotoInboundSecrets" row. Must run after the
  851. // seeder above so legacy single-secret inbounds are first converted to a
  852. // client (which preserves the secret) before the inbound-level copy is
  853. // dropped from every mtproto inbound.
  854. if err := stripMtprotoInboundSecrets(); err != nil {
  855. return err
  856. }
  857. // Idempotent, not seeder-gated: bad values can re-enter via a restored
  858. // backup, so re-check on every start.
  859. return normalizeSettingPaths()
  860. }
  861. func seedHostGroupIds() error {
  862. var history []string
  863. if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &history).Error; err != nil {
  864. return err
  865. }
  866. if slices.Contains(history, "HostGroupIds") {
  867. return nil
  868. }
  869. var hosts []*model.Host
  870. if err := db.Where("group_id = '' OR group_id IS NULL").Find(&hosts).Error; err != nil {
  871. return err
  872. }
  873. if len(hosts) > 0 {
  874. err := db.Transaction(func(tx *gorm.DB) error {
  875. for _, h := range hosts {
  876. h.GroupId = random.NumLower(16)
  877. if err := tx.Model(h).Update("group_id", h.GroupId).Error; err != nil {
  878. return err
  879. }
  880. }
  881. return nil
  882. })
  883. if err != nil {
  884. return err
  885. }
  886. }
  887. return db.Create(&model.HistoryOfSeeders{SeederName: "HostGroupIds"}).Error
  888. }
  889. func resetIpLimitsWithoutFail2ban() error {
  890. var history []string
  891. if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &history).Error; err != nil {
  892. return err
  893. }
  894. if slices.Contains(history, "ResetIpLimitNoFail2ban") {
  895. return nil
  896. }
  897. if fail2banCanEnforce() {
  898. return db.Create(&model.HistoryOfSeeders{SeederName: "ResetIpLimitNoFail2ban"}).Error
  899. }
  900. var inbounds []model.Inbound
  901. if err := db.Find(&inbounds).Error; err != nil {
  902. return err
  903. }
  904. return db.Transaction(func(tx *gorm.DB) error {
  905. for _, inbound := range inbounds {
  906. if strings.TrimSpace(inbound.Settings) == "" {
  907. continue
  908. }
  909. var settings map[string]any
  910. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  911. log.Printf("ResetIpLimitNoFail2ban: skip inbound %d (invalid settings json): %v", inbound.Id, err)
  912. continue
  913. }
  914. clients, ok := settings["clients"].([]any)
  915. if !ok {
  916. continue
  917. }
  918. mutated := false
  919. for i, raw := range clients {
  920. obj, ok := raw.(map[string]any)
  921. if !ok {
  922. continue
  923. }
  924. v, present := obj["limitIp"]
  925. if !present {
  926. continue
  927. }
  928. if n, isNum := v.(float64); isNum && n == 0 {
  929. continue
  930. }
  931. obj["limitIp"] = 0
  932. clients[i] = obj
  933. mutated = true
  934. }
  935. if !mutated {
  936. continue
  937. }
  938. settings["clients"] = clients
  939. newSettings, err := json.MarshalIndent(settings, "", " ")
  940. if err != nil {
  941. log.Printf("ResetIpLimitNoFail2ban: skip inbound %d (marshal failed): %v", inbound.Id, err)
  942. continue
  943. }
  944. if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  945. Update("settings", string(newSettings)).Error; err != nil {
  946. return err
  947. }
  948. }
  949. if err := tx.Model(&model.ClientRecord{}).Where("limit_ip <> ?", 0).
  950. Update("limit_ip", 0).Error; err != nil {
  951. return err
  952. }
  953. return tx.Create(&model.HistoryOfSeeders{SeederName: "ResetIpLimitNoFail2ban"}).Error
  954. })
  955. }
  956. func fail2banCanEnforce() bool {
  957. if v, ok := os.LookupEnv("XUI_ENABLE_FAIL2BAN"); ok && v != "true" {
  958. return false
  959. }
  960. if runtime.GOOS == "windows" {
  961. return false
  962. }
  963. return exec.CommandContext(context.Background(), "fail2ban-client", "-h").Run() == nil
  964. }
  965. func clearLegacyProxySettings() error {
  966. return db.Transaction(func(tx *gorm.DB) error {
  967. if err := tx.Where("key IN ?", []string{"panelProxy", "tgBotProxy"}).
  968. Delete(&model.Setting{}).Error; err != nil {
  969. return err
  970. }
  971. return tx.Create(&model.HistoryOfSeeders{SeederName: "LegacyProxySettingsCleanup"}).Error
  972. })
  973. }
  974. func normalizeSettingPaths() error {
  975. pathKeys := []string{"webBasePath", "subPath", "subJsonPath", "subClashPath"}
  976. var rows []model.Setting
  977. if err := db.Where("key IN ?", pathKeys).Find(&rows).Error; err != nil {
  978. return err
  979. }
  980. for _, row := range rows {
  981. fixed := row.Value
  982. if !strings.HasPrefix(fixed, "/") {
  983. fixed = "/" + fixed
  984. }
  985. if !strings.HasSuffix(fixed, "/") {
  986. fixed += "/"
  987. }
  988. if fixed == row.Value {
  989. continue
  990. }
  991. if err := db.Model(&model.Setting{}).Where("id = ?", row.Id).
  992. Update("value", fixed).Error; err != nil {
  993. return err
  994. }
  995. }
  996. return nil
  997. }
  998. func normalizeInboundClientTgId() error {
  999. var inbounds []model.Inbound
  1000. if err := db.Find(&inbounds).Error; err != nil {
  1001. return err
  1002. }
  1003. return db.Transaction(func(tx *gorm.DB) error {
  1004. for _, inbound := range inbounds {
  1005. if strings.TrimSpace(inbound.Settings) == "" {
  1006. continue
  1007. }
  1008. var settings map[string]any
  1009. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  1010. log.Printf("InboundClientTgIdFix: skip inbound %d (invalid settings json): %v", inbound.Id, err)
  1011. continue
  1012. }
  1013. clients, ok := settings["clients"].([]any)
  1014. if !ok {
  1015. continue
  1016. }
  1017. mutated := false
  1018. for i, raw := range clients {
  1019. obj, ok := raw.(map[string]any)
  1020. if !ok {
  1021. continue
  1022. }
  1023. tgRaw, present := obj["tgId"]
  1024. if !present {
  1025. continue
  1026. }
  1027. v, isFloat := tgRaw.(float64)
  1028. if isFloat && !math.IsNaN(v) && !math.IsInf(v, 0) && v == math.Trunc(v) {
  1029. continue
  1030. }
  1031. obj["tgId"] = int64(0)
  1032. clients[i] = obj
  1033. mutated = true
  1034. }
  1035. if !mutated {
  1036. continue
  1037. }
  1038. settings["clients"] = clients
  1039. newSettings, err := json.MarshalIndent(settings, "", " ")
  1040. if err != nil {
  1041. log.Printf("InboundClientTgIdFix: skip inbound %d (marshal failed): %v", inbound.Id, err)
  1042. continue
  1043. }
  1044. if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  1045. Update("settings", string(newSettings)).Error; err != nil {
  1046. return err
  1047. }
  1048. }
  1049. return tx.Create(&model.HistoryOfSeeders{SeederName: "InboundClientTgIdFix"}).Error
  1050. })
  1051. }
  1052. func normalizeInboundClientSubId() error {
  1053. var inbounds []model.Inbound
  1054. if err := db.Find(&inbounds).Error; err != nil {
  1055. return err
  1056. }
  1057. return db.Transaction(func(tx *gorm.DB) error {
  1058. for _, inbound := range inbounds {
  1059. if strings.TrimSpace(inbound.Settings) == "" {
  1060. continue
  1061. }
  1062. var settings map[string]any
  1063. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  1064. log.Printf("InboundClientSubIdFix: skip inbound %d (invalid settings json): %v", inbound.Id, err)
  1065. continue
  1066. }
  1067. clients, ok := settings["clients"].([]any)
  1068. if !ok {
  1069. continue
  1070. }
  1071. mutated := false
  1072. for i, raw := range clients {
  1073. obj, ok := raw.(map[string]any)
  1074. if !ok {
  1075. continue
  1076. }
  1077. existing, _ := obj["subId"].(string)
  1078. if strings.TrimSpace(existing) != "" {
  1079. continue
  1080. }
  1081. obj["subId"] = random.NumLower(16)
  1082. clients[i] = obj
  1083. mutated = true
  1084. }
  1085. if !mutated {
  1086. continue
  1087. }
  1088. settings["clients"] = clients
  1089. newSettings, err := json.MarshalIndent(settings, "", " ")
  1090. if err != nil {
  1091. log.Printf("InboundClientSubIdFix: skip inbound %d (marshal failed): %v", inbound.Id, err)
  1092. continue
  1093. }
  1094. if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  1095. Update("settings", string(newSettings)).Error; err != nil {
  1096. return err
  1097. }
  1098. }
  1099. return tx.Create(&model.HistoryOfSeeders{SeederName: "InboundClientSubIdFix"}).Error
  1100. })
  1101. }
  1102. func normalizeInboundClientsArray() error {
  1103. var inbounds []model.Inbound
  1104. if err := db.Find(&inbounds).Error; err != nil {
  1105. return err
  1106. }
  1107. return db.Transaction(func(tx *gorm.DB) error {
  1108. for _, inbound := range inbounds {
  1109. if strings.TrimSpace(inbound.Settings) == "" {
  1110. continue
  1111. }
  1112. var settings map[string]any
  1113. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  1114. log.Printf("InboundClientsArrayFix: skip inbound %d (invalid settings json): %v", inbound.Id, err)
  1115. continue
  1116. }
  1117. raw, exists := settings["clients"]
  1118. if !exists || raw != nil {
  1119. continue
  1120. }
  1121. settings["clients"] = []any{}
  1122. newSettings, err := json.MarshalIndent(settings, "", " ")
  1123. if err != nil {
  1124. log.Printf("InboundClientsArrayFix: skip inbound %d (marshal failed): %v", inbound.Id, err)
  1125. continue
  1126. }
  1127. if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  1128. Update("settings", string(newSettings)).Error; err != nil {
  1129. return err
  1130. }
  1131. }
  1132. return tx.Create(&model.HistoryOfSeeders{SeederName: "InboundClientsArrayFix"}).Error
  1133. })
  1134. }
  1135. func normalizeFreedomFinalRules() error {
  1136. var setting model.Setting
  1137. err := db.Model(model.Setting{}).Where("key = ?", "xrayTemplateConfig").First(&setting).Error
  1138. if errors.Is(err, gorm.ErrRecordNotFound) {
  1139. return db.Create(&model.HistoryOfSeeders{SeederName: "FreedomFinalRulesReverseFix"}).Error
  1140. }
  1141. if err != nil {
  1142. return err
  1143. }
  1144. updated, changed, rErr := rewriteFreedomFinalRules(setting.Value)
  1145. if rErr != nil {
  1146. log.Printf("FreedomFinalRulesReverseFix: skip (invalid xrayTemplateConfig json): %v", rErr)
  1147. return db.Create(&model.HistoryOfSeeders{SeederName: "FreedomFinalRulesReverseFix"}).Error
  1148. }
  1149. return db.Transaction(func(tx *gorm.DB) error {
  1150. if changed {
  1151. if err := tx.Model(&model.Setting{}).Where("key = ?", "xrayTemplateConfig").
  1152. Update("value", updated).Error; err != nil {
  1153. return err
  1154. }
  1155. }
  1156. return tx.Create(&model.HistoryOfSeeders{SeederName: "FreedomFinalRulesReverseFix"}).Error
  1157. })
  1158. }
  1159. func rewriteFreedomFinalRules(raw string) (string, bool, error) {
  1160. if strings.TrimSpace(raw) == "" {
  1161. return raw, false, nil
  1162. }
  1163. var cfg map[string]any
  1164. if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
  1165. return raw, false, err
  1166. }
  1167. outbounds, ok := cfg["outbounds"].([]any)
  1168. if !ok {
  1169. return raw, false, nil
  1170. }
  1171. changed := false
  1172. for _, ob := range outbounds {
  1173. obj, ok := ob.(map[string]any)
  1174. if !ok {
  1175. continue
  1176. }
  1177. if proto, _ := obj["protocol"].(string); proto != "freedom" {
  1178. continue
  1179. }
  1180. settings, ok := obj["settings"].(map[string]any)
  1181. if !ok {
  1182. continue
  1183. }
  1184. if !isLegacyPrivateOnlyFinalRules(settings["finalRules"]) {
  1185. continue
  1186. }
  1187. settings["finalRules"] = []any{map[string]any{"action": "allow"}}
  1188. changed = true
  1189. }
  1190. if !changed {
  1191. return raw, false, nil
  1192. }
  1193. out, err := json.MarshalIndent(cfg, "", " ")
  1194. if err != nil {
  1195. return raw, false, err
  1196. }
  1197. return string(out), true, nil
  1198. }
  1199. func isLegacyPrivateOnlyFinalRules(v any) bool {
  1200. rules, ok := v.([]any)
  1201. if !ok || len(rules) != 1 {
  1202. return false
  1203. }
  1204. rule, ok := rules[0].(map[string]any)
  1205. if !ok {
  1206. return false
  1207. }
  1208. if action, _ := rule["action"].(string); action != "allow" {
  1209. return false
  1210. }
  1211. ips, ok := rule["ip"].([]any)
  1212. if !ok || len(ips) != 1 {
  1213. return false
  1214. }
  1215. if s, _ := ips[0].(string); s != "geoip:private" {
  1216. return false
  1217. }
  1218. for k := range rule {
  1219. if k != "action" && k != "ip" {
  1220. return false
  1221. }
  1222. }
  1223. return true
  1224. }
  1225. func normalizeClientJSONFields(obj map[string]any) {
  1226. normalizeInt := func(key string) {
  1227. raw, exists := obj[key]
  1228. if !exists {
  1229. return
  1230. }
  1231. s, ok := raw.(string)
  1232. if !ok {
  1233. return
  1234. }
  1235. trimmed := strings.ReplaceAll(strings.TrimSpace(s), " ", "")
  1236. if trimmed == "" {
  1237. delete(obj, key)
  1238. return
  1239. }
  1240. if n, err := strconv.ParseInt(trimmed, 10, 64); err == nil {
  1241. obj[key] = n
  1242. } else {
  1243. delete(obj, key)
  1244. }
  1245. }
  1246. for _, k := range []string{"tgId", "limitIp", "totalGB", "expiryTime", "reset", "created_at", "updated_at"} {
  1247. normalizeInt(k)
  1248. }
  1249. }
  1250. func seedClientsFromInboundJSON() error {
  1251. var inbounds []model.Inbound
  1252. if err := db.Find(&inbounds).Error; err != nil {
  1253. return err
  1254. }
  1255. return db.Transaction(func(tx *gorm.DB) error {
  1256. byEmail := map[string]*model.ClientRecord{}
  1257. var existing []model.ClientRecord
  1258. if err := tx.Find(&existing).Error; err != nil {
  1259. return err
  1260. }
  1261. for i := range existing {
  1262. byEmail[existing[i].Email] = &existing[i]
  1263. }
  1264. for _, inbound := range inbounds {
  1265. if strings.TrimSpace(inbound.Settings) == "" {
  1266. continue
  1267. }
  1268. var settings map[string]any
  1269. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  1270. log.Printf("ClientsTable seed: skip inbound %d (invalid settings json): %v", inbound.Id, err)
  1271. continue
  1272. }
  1273. rawList, ok := settings["clients"].([]any)
  1274. if !ok {
  1275. continue
  1276. }
  1277. for _, raw := range rawList {
  1278. obj, ok := raw.(map[string]any)
  1279. if !ok {
  1280. continue
  1281. }
  1282. normalizeClientJSONFields(obj)
  1283. blob, err := json.Marshal(obj)
  1284. if err != nil {
  1285. continue
  1286. }
  1287. var c model.Client
  1288. if err := json.Unmarshal(blob, &c); err != nil {
  1289. log.Printf("ClientsTable seed: skip client in inbound %d (unmarshal failed): %v; payload=%s",
  1290. inbound.Id, err, string(blob))
  1291. continue
  1292. }
  1293. email := strings.TrimSpace(c.Email)
  1294. if email == "" {
  1295. continue
  1296. }
  1297. incoming := c.ToRecord()
  1298. row, dup := byEmail[email]
  1299. if !dup {
  1300. if err := tx.Create(incoming).Error; err != nil {
  1301. return err
  1302. }
  1303. byEmail[email] = incoming
  1304. row = incoming
  1305. } else {
  1306. conflicts := model.MergeClientRecord(row, incoming)
  1307. for _, x := range conflicts {
  1308. log.Printf("client merge: email=%s conflict on %s old=%v new=%v kept=%v",
  1309. email, x.Field, x.Old, x.New, x.Kept)
  1310. }
  1311. if err := tx.Save(row).Error; err != nil {
  1312. return err
  1313. }
  1314. }
  1315. link := model.ClientInbound{
  1316. ClientId: row.Id,
  1317. InboundId: inbound.Id,
  1318. FlowOverride: c.Flow,
  1319. }
  1320. if err := tx.Where("client_id = ? AND inbound_id = ?", row.Id, inbound.Id).
  1321. FirstOrCreate(&link).Error; err != nil {
  1322. return err
  1323. }
  1324. }
  1325. }
  1326. return tx.Create(&model.HistoryOfSeeders{SeederName: "ClientsTable"}).Error
  1327. })
  1328. }
  1329. func seedApiTokens() error {
  1330. empty, err := isTableEmpty("api_tokens")
  1331. if err != nil {
  1332. return err
  1333. }
  1334. if empty {
  1335. var legacy model.Setting
  1336. err := db.Model(model.Setting{}).Where("key = ?", "apiToken").First(&legacy).Error
  1337. if err == nil && legacy.Value != "" {
  1338. row := &model.ApiToken{
  1339. Name: "default",
  1340. Token: legacy.Value,
  1341. Enabled: true,
  1342. }
  1343. if err := db.Create(row).Error; err != nil {
  1344. log.Printf("Error migrating legacy apiToken: %v", err)
  1345. return err
  1346. }
  1347. }
  1348. }
  1349. return db.Create(&model.HistoryOfSeeders{SeederName: "ApiTokensTable"}).Error
  1350. }
  1351. func hashExistingApiTokens() error {
  1352. var rows []*model.ApiToken
  1353. if err := db.Find(&rows).Error; err != nil {
  1354. return err
  1355. }
  1356. for _, r := range rows {
  1357. if crypto.IsSHA256Hex(r.Token) {
  1358. continue
  1359. }
  1360. hashed := crypto.HashTokenSHA256(r.Token)
  1361. if err := db.Model(model.ApiToken{}).Where("id = ?", r.Id).Update("token", hashed).Error; err != nil {
  1362. log.Printf("Error hashing api token %d: %v", r.Id, err)
  1363. return err
  1364. }
  1365. }
  1366. return db.Create(&model.HistoryOfSeeders{SeederName: "ApiTokensHash"}).Error
  1367. }
  1368. func isTableEmpty(tableName string) (bool, error) {
  1369. var count int64
  1370. err := db.Table(tableName).Count(&count).Error
  1371. return count == 0, err
  1372. }
  1373. func InitDB(dbPath string) error {
  1374. var gormLogger logger.Interface
  1375. if config.IsDebug() {
  1376. gormLogger = logger.New(
  1377. log.New(os.Stdout, "\r\n", log.LstdFlags),
  1378. logger.Config{
  1379. SlowThreshold: time.Second,
  1380. LogLevel: logger.Info,
  1381. IgnoreRecordNotFoundError: true,
  1382. Colorful: true,
  1383. },
  1384. )
  1385. } else {
  1386. gormLogger = logger.Discard
  1387. }
  1388. c := &gorm.Config{Logger: gormLogger, DisableForeignKeyConstraintWhenMigrating: true}
  1389. var err error
  1390. switch config.GetDBKind() {
  1391. case "postgres":
  1392. dsn := config.GetDBDSN()
  1393. if dsn == "" {
  1394. return errors.New("XUI_DB_TYPE=postgres but XUI_DB_DSN is empty")
  1395. }
  1396. db, err = gorm.Open(postgres.Open(dsn), c)
  1397. if err != nil {
  1398. return err
  1399. }
  1400. default:
  1401. dir := path.Dir(dbPath)
  1402. if err = os.MkdirAll(dir, 0o755); err != nil {
  1403. return err
  1404. }
  1405. sync := sqliteSynchronous()
  1406. dsn := dbPath + "?_journal_mode=DELETE&_busy_timeout=10000&_synchronous=" + sync + "&_txlock=immediate"
  1407. db, err = gorm.Open(sqlite.Open(dsn), c)
  1408. if err != nil {
  1409. return err
  1410. }
  1411. sqlDB, err := db.DB()
  1412. if err != nil {
  1413. return err
  1414. }
  1415. pragmas := []string{
  1416. "PRAGMA journal_mode=DELETE",
  1417. "PRAGMA busy_timeout=10000",
  1418. "PRAGMA synchronous=" + sync,
  1419. fmt.Sprintf("PRAGMA cache_size=-%d", envInt("XUI_DB_CACHE_MB", 32)*1024),
  1420. fmt.Sprintf("PRAGMA mmap_size=%d", int64(envInt("XUI_DB_MMAP_MB", 256))*1024*1024),
  1421. "PRAGMA temp_store=MEMORY",
  1422. }
  1423. for _, p := range pragmas {
  1424. if _, err := sqlDB.ExecContext(context.Background(), p); err != nil {
  1425. return err
  1426. }
  1427. }
  1428. }
  1429. sqlDB, err := db.DB()
  1430. if err != nil {
  1431. return err
  1432. }
  1433. var maxOpen, maxIdle int
  1434. switch config.GetDBKind() {
  1435. case "postgres":
  1436. maxOpen = envInt("XUI_DB_MAX_OPEN_CONNS", 25)
  1437. maxIdle = envInt("XUI_DB_MAX_IDLE_CONNS", 25)
  1438. default:
  1439. maxOpen = envInt("XUI_DB_MAX_OPEN_CONNS", 8)
  1440. maxIdle = envInt("XUI_DB_MAX_IDLE_CONNS", 4)
  1441. }
  1442. sqlDB.SetMaxOpenConns(maxOpen)
  1443. sqlDB.SetMaxIdleConns(maxIdle)
  1444. sqlDB.SetConnMaxLifetime(time.Hour)
  1445. sqlDB.SetConnMaxIdleTime(30 * time.Minute)
  1446. if err := initModels(); err != nil {
  1447. return err
  1448. }
  1449. isUsersEmpty, err := isTableEmpty("users")
  1450. if err != nil {
  1451. return err
  1452. }
  1453. if err := initUser(); err != nil {
  1454. return err
  1455. }
  1456. return runSeeders(isUsersEmpty)
  1457. }
  1458. func normalizeApiTokenCreatedAtSeconds() error {
  1459. return db.Model(&model.ApiToken{}).
  1460. Where("created_at >= ?", model.ApiTokenUnixMillisecondsThreshold).
  1461. UpdateColumn("created_at", gorm.Expr("created_at / ?", 1000)).Error
  1462. }
  1463. func sqliteSynchronous() string {
  1464. switch strings.ToUpper(strings.TrimSpace(os.Getenv("XUI_DB_SYNCHRONOUS"))) {
  1465. case "OFF":
  1466. return "OFF"
  1467. case "NORMAL":
  1468. return "NORMAL"
  1469. case "EXTRA":
  1470. return "EXTRA"
  1471. default:
  1472. return "FULL"
  1473. }
  1474. }
  1475. func envInt(key string, def int) int {
  1476. v := strings.TrimSpace(os.Getenv(key))
  1477. if v == "" {
  1478. return def
  1479. }
  1480. n, err := strconv.Atoi(v)
  1481. if err != nil || n <= 0 {
  1482. return def
  1483. }
  1484. return n
  1485. }
  1486. func CloseDB() error {
  1487. if db != nil {
  1488. sqlDB, err := db.DB()
  1489. if err != nil {
  1490. return err
  1491. }
  1492. return sqlDB.Close()
  1493. }
  1494. return nil
  1495. }
  1496. func GetDB() *gorm.DB {
  1497. return db
  1498. }
  1499. func IsNotFound(err error) bool {
  1500. return errors.Is(err, gorm.ErrRecordNotFound)
  1501. }
  1502. func IsSQLiteDB(file io.ReaderAt) (bool, error) {
  1503. signature := []byte("SQLite format 3\x00")
  1504. buf := make([]byte, len(signature))
  1505. _, err := file.ReadAt(buf, 0)
  1506. if err != nil {
  1507. return false, err
  1508. }
  1509. return bytes.Equal(buf, signature), nil
  1510. }
  1511. func Checkpoint() error {
  1512. if IsPostgres() {
  1513. return nil
  1514. }
  1515. return db.Exec("PRAGMA wal_checkpoint;").Error
  1516. }
  1517. func ValidateSQLiteDB(dbPath string) error {
  1518. if _, err := os.Stat(dbPath); err != nil {
  1519. return err
  1520. }
  1521. gdb, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{Logger: logger.Discard})
  1522. if err != nil {
  1523. return err
  1524. }
  1525. sqlDB, err := gdb.DB()
  1526. if err != nil {
  1527. return err
  1528. }
  1529. defer sqlDB.Close()
  1530. var res string
  1531. if err := gdb.Raw("PRAGMA integrity_check;").Scan(&res).Error; err != nil {
  1532. return err
  1533. }
  1534. if res != "ok" {
  1535. return errors.New("sqlite integrity check failed: " + res)
  1536. }
  1537. return nil
  1538. }