db.go 48 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785
  1. package database
  2. import (
  3. "bytes"
  4. "context"
  5. "encoding/json"
  6. "errors"
  7. "fmt"
  8. "io"
  9. "log"
  10. "math"
  11. "os"
  12. "os/exec"
  13. "path"
  14. "runtime"
  15. "slices"
  16. "strconv"
  17. "strings"
  18. "time"
  19. "github.com/mhsanaei/3x-ui/v3/internal/config"
  20. "github.com/mhsanaei/3x-ui/v3/internal/database/model"
  21. "github.com/mhsanaei/3x-ui/v3/internal/util/crypto"
  22. "github.com/mhsanaei/3x-ui/v3/internal/util/random"
  23. "github.com/mhsanaei/3x-ui/v3/internal/xray"
  24. "gorm.io/driver/postgres"
  25. "gorm.io/driver/sqlite"
  26. "gorm.io/gorm"
  27. "gorm.io/gorm/logger"
  28. )
  29. var db *gorm.DB
  30. const (
  31. DialectSQLite = "sqlite"
  32. DialectPostgres = "postgres"
  33. )
  34. func IsPostgres() bool {
  35. if db == nil {
  36. return config.GetDBKind() == "postgres"
  37. }
  38. return db.Name() == "postgres"
  39. }
  40. func Dialect() string {
  41. if db == nil {
  42. return ""
  43. }
  44. return db.Name()
  45. }
  46. const (
  47. defaultUsername = "admin"
  48. defaultPassword = "admin"
  49. )
  50. func initModels() error {
  51. models := []any{
  52. &model.User{},
  53. &model.Inbound{},
  54. &model.OutboundTraffics{},
  55. &model.Setting{},
  56. &model.InboundClientIps{},
  57. &xray.ClientTraffic{},
  58. &model.HistoryOfSeeders{},
  59. &model.Node{},
  60. &model.ApiToken{},
  61. &model.ClientRecord{},
  62. &model.ClientInbound{},
  63. &model.ClientExternalLink{},
  64. &model.ClientGroup{},
  65. &model.InboundFallback{},
  66. &model.Host{},
  67. &model.NodeClientTraffic{},
  68. &model.NodeClientIp{},
  69. &model.ClientGlobalTraffic{},
  70. &model.OutboundSubscription{},
  71. }
  72. for _, mdl := range models {
  73. if IsPostgres() && postgresModelSettled(mdl) {
  74. continue
  75. }
  76. if err := db.AutoMigrate(mdl); err != nil {
  77. if isIgnorableDuplicateColumnErr(err, mdl) {
  78. log.Printf("Ignoring duplicate column during auto migration for %T: %v", mdl, err)
  79. continue
  80. }
  81. log.Printf("Error auto migrating model: %v", err)
  82. return err
  83. }
  84. }
  85. if err := dropLegacyInboundPortUnique(); err != nil {
  86. return err
  87. }
  88. if err := migrateHostVerifyPeerCertByNameColumn(); err != nil {
  89. return err
  90. }
  91. if err := normalizeApiTokenCreatedAtSeconds(); err != nil {
  92. return err
  93. }
  94. if err := dropLegacyForeignKeys(); err != nil {
  95. return err
  96. }
  97. if err := pruneOrphanedClientInbounds(); err != nil {
  98. return err
  99. }
  100. if err := pruneOrphanedHosts(); err != nil {
  101. return err
  102. }
  103. if err := normalizeInboundSubSortIndex(); err != nil {
  104. return err
  105. }
  106. if err := repairOverflowedTrafficCounters(); err != nil {
  107. return err
  108. }
  109. if err := dedupeInboundSettingsClients(); err != nil {
  110. return err
  111. }
  112. if err := migrateLegacySocksInboundsToMixed(); err != nil {
  113. return err
  114. }
  115. if IsPostgres() {
  116. if err := resyncPostgresSequences(db, models); err != nil {
  117. log.Printf("Error resyncing postgres sequences: %v", err)
  118. return err
  119. }
  120. }
  121. return nil
  122. }
  123. func postgresModelSettled(mdl any) bool {
  124. migrator := db.Migrator()
  125. if !migrator.HasTable(mdl) {
  126. return false
  127. }
  128. stmt := &gorm.Statement{DB: db}
  129. if err := stmt.Parse(mdl); err != nil || stmt.Schema == nil {
  130. return false
  131. }
  132. for _, dbName := range stmt.Schema.DBNames {
  133. if !migrator.HasColumn(mdl, dbName) {
  134. return false
  135. }
  136. }
  137. for _, idx := range stmt.Schema.ParseIndexes() {
  138. if !migrator.HasIndex(mdl, idx.Name) {
  139. return false
  140. }
  141. }
  142. return true
  143. }
  144. func dropLegacyForeignKeys() error {
  145. if !IsPostgres() {
  146. return nil
  147. }
  148. if err := db.Exec("ALTER TABLE client_traffics DROP CONSTRAINT IF EXISTS fk_inbounds_client_stats").Error; err != nil {
  149. log.Printf("Error dropping legacy foreign key fk_inbounds_client_stats: %v", err)
  150. return err
  151. }
  152. return nil
  153. }
  154. type sqliteIndexListRow struct {
  155. Name string `gorm:"column:name"`
  156. Unique int `gorm:"column:unique"`
  157. Origin string `gorm:"column:origin"`
  158. }
  159. func sqliteUniquePortIndexes() (autoIndexes, explicitIndexes []string, err error) {
  160. var list []sqliteIndexListRow
  161. if err = db.Raw(`PRAGMA index_list('inbounds')`).Scan(&list).Error; err != nil {
  162. return nil, nil, err
  163. }
  164. for _, idx := range list {
  165. if idx.Unique != 1 {
  166. continue
  167. }
  168. var cols []struct {
  169. Name string `gorm:"column:name"`
  170. }
  171. if err = db.Raw(`PRAGMA index_info("` + idx.Name + `")`).Scan(&cols).Error; err != nil {
  172. return nil, nil, err
  173. }
  174. if len(cols) != 1 || cols[0].Name != "port" {
  175. continue
  176. }
  177. if idx.Origin == "c" {
  178. explicitIndexes = append(explicitIndexes, idx.Name)
  179. } else {
  180. autoIndexes = append(autoIndexes, idx.Name)
  181. }
  182. }
  183. return autoIndexes, explicitIndexes, nil
  184. }
  185. // dropLegacyInboundPortUnique removes the pre-multi-node UNIQUE on inbounds.port,
  186. // which AutoMigrate never drops and which blocks cross-node port reuse on old SQLite DBs.
  187. func dropLegacyInboundPortUnique() error {
  188. if IsPostgres() {
  189. return nil
  190. }
  191. autoIndexes, explicitIndexes, err := sqliteUniquePortIndexes()
  192. if err != nil {
  193. return err
  194. }
  195. for _, name := range explicitIndexes {
  196. if err := db.Exec(`DROP INDEX IF EXISTS "` + name + `"`).Error; err != nil {
  197. return err
  198. }
  199. }
  200. if len(autoIndexes) == 0 {
  201. return nil
  202. }
  203. log.Printf("Rebuilding inbounds table to drop the legacy UNIQUE constraint on port")
  204. return rebuildInboundsWithoutInlineUniquePort()
  205. }
  206. func sqliteTableColumns(tx *gorm.DB, table string) ([]string, error) {
  207. var rows []struct {
  208. Name string `gorm:"column:name"`
  209. }
  210. if err := tx.Raw(`PRAGMA table_info("` + table + `")`).Scan(&rows).Error; err != nil {
  211. return nil, err
  212. }
  213. cols := make([]string, 0, len(rows))
  214. for _, r := range rows {
  215. cols = append(cols, r.Name)
  216. }
  217. return cols, nil
  218. }
  219. func rebuildInboundsWithoutInlineUniquePort() error {
  220. return db.Transaction(func(tx *gorm.DB) error {
  221. var list []sqliteIndexListRow
  222. if err := tx.Raw(`PRAGMA index_list('inbounds')`).Scan(&list).Error; err != nil {
  223. return err
  224. }
  225. for _, idx := range list {
  226. if idx.Origin != "c" {
  227. continue
  228. }
  229. if err := tx.Exec(`DROP INDEX IF EXISTS "` + idx.Name + `"`).Error; err != nil {
  230. return err
  231. }
  232. }
  233. if err := tx.Exec(`ALTER TABLE inbounds RENAME TO inbounds_legacy_rebuild`).Error; err != nil {
  234. return err
  235. }
  236. if err := tx.Migrator().CreateTable(&model.Inbound{}); err != nil {
  237. return err
  238. }
  239. newCols, err := sqliteTableColumns(tx, "inbounds")
  240. if err != nil {
  241. return err
  242. }
  243. oldCols, err := sqliteTableColumns(tx, "inbounds_legacy_rebuild")
  244. if err != nil {
  245. return err
  246. }
  247. oldSet := make(map[string]struct{}, len(oldCols))
  248. for _, c := range oldCols {
  249. oldSet[c] = struct{}{}
  250. }
  251. shared := make([]string, 0, len(newCols))
  252. for _, c := range newCols {
  253. if _, ok := oldSet[c]; ok {
  254. shared = append(shared, `"`+c+`"`)
  255. }
  256. }
  257. colList := strings.Join(shared, ", ")
  258. if err := tx.Exec(`INSERT INTO inbounds (` + colList + `) SELECT ` + colList + ` FROM inbounds_legacy_rebuild`).Error; err != nil {
  259. return err
  260. }
  261. return tx.Exec(`DROP TABLE inbounds_legacy_rebuild`).Error
  262. })
  263. }
  264. func migrateHostVerifyPeerCertByNameColumn() error {
  265. if !db.Migrator().HasColumn(&model.Host{}, "verify_peer_cert_by_name") {
  266. return nil
  267. }
  268. if IsPostgres() {
  269. var dataType string
  270. if err := db.Raw(
  271. `SELECT data_type FROM information_schema.columns WHERE table_name = 'hosts' AND column_name = 'verify_peer_cert_by_name'`,
  272. ).Scan(&dataType).Error; err != nil {
  273. return err
  274. }
  275. if dataType != "boolean" {
  276. return nil
  277. }
  278. if err := db.Exec(`ALTER TABLE hosts ALTER COLUMN verify_peer_cert_by_name DROP DEFAULT`).Error; err != nil {
  279. return err
  280. }
  281. return db.Exec(`ALTER TABLE hosts ALTER COLUMN verify_peer_cert_by_name TYPE text USING ''`).Error
  282. }
  283. return db.Exec(`UPDATE hosts SET verify_peer_cert_by_name = '' WHERE verify_peer_cert_by_name IS NULL OR typeof(verify_peer_cert_by_name) <> 'text'`).Error
  284. }
  285. func seedHostsFromExternalProxy() error {
  286. var history []string
  287. if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &history).Error; err != nil {
  288. return err
  289. }
  290. if slices.Contains(history, "HostsFromExternalProxy") {
  291. return nil
  292. }
  293. var inbounds []model.Inbound
  294. if err := db.Find(&inbounds).Error; err != nil {
  295. return err
  296. }
  297. return db.Transaction(func(tx *gorm.DB) error {
  298. for _, inbound := range inbounds {
  299. if _, err := CreateHostsFromExternalProxy(tx, inbound.Id, inbound.StreamSettings); err != nil {
  300. return err
  301. }
  302. }
  303. return tx.Create(&model.HistoryOfSeeders{SeederName: "HostsFromExternalProxy"}).Error
  304. })
  305. }
  306. func seedWireguardPeersToClients() error {
  307. var history []string
  308. if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &history).Error; err != nil {
  309. return err
  310. }
  311. if slices.Contains(history, "WireguardPeersToClients") {
  312. return nil
  313. }
  314. var inbounds []model.Inbound
  315. if err := db.Where("protocol = ?", string(model.WireGuard)).Find(&inbounds).Error; err != nil {
  316. return err
  317. }
  318. return db.Transaction(func(tx *gorm.DB) error {
  319. usedEmails := map[string]struct{}{}
  320. var existingEmails []string
  321. if err := tx.Model(&model.ClientRecord{}).Pluck("email", &existingEmails).Error; err != nil {
  322. return err
  323. }
  324. for _, e := range existingEmails {
  325. usedEmails[e] = struct{}{}
  326. }
  327. for _, inbound := range inbounds {
  328. if strings.TrimSpace(inbound.Settings) == "" {
  329. continue
  330. }
  331. var settings map[string]any
  332. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  333. log.Printf("WireguardPeersToClients: skip inbound %d (invalid settings json): %v", inbound.Id, err)
  334. continue
  335. }
  336. peers, ok := settings["peers"].([]any)
  337. if !ok || len(peers) == 0 {
  338. continue
  339. }
  340. var linkCount int64
  341. if err := tx.Model(&model.ClientInbound{}).Where("inbound_id = ?", inbound.Id).Count(&linkCount).Error; err != nil {
  342. return err
  343. }
  344. if linkCount > 0 {
  345. continue
  346. }
  347. clientObjs := make([]any, 0, len(peers))
  348. for i, raw := range peers {
  349. obj, ok := raw.(map[string]any)
  350. if !ok {
  351. continue
  352. }
  353. email := wireguardPeerEmail(inbound.Remark, obj, i, usedEmails)
  354. usedEmails[email] = struct{}{}
  355. obj["email"] = email
  356. if sub, _ := obj["subId"].(string); strings.TrimSpace(sub) == "" {
  357. obj["subId"] = random.NumLower(16)
  358. }
  359. if _, ok := obj["enable"]; !ok {
  360. obj["enable"] = true
  361. }
  362. blob, err := json.Marshal(obj)
  363. if err != nil {
  364. continue
  365. }
  366. var c model.Client
  367. if err := json.Unmarshal(blob, &c); err != nil {
  368. log.Printf("WireguardPeersToClients: skip peer in inbound %d: %v", inbound.Id, err)
  369. continue
  370. }
  371. c.Email = email
  372. incoming := c.ToRecord()
  373. var row model.ClientRecord
  374. err = tx.Where("email = ?", email).First(&row).Error
  375. if errors.Is(err, gorm.ErrRecordNotFound) {
  376. if err := tx.Create(incoming).Error; err != nil {
  377. return err
  378. }
  379. row = *incoming
  380. } else if err != nil {
  381. return err
  382. } else {
  383. model.MergeClientRecord(&row, incoming)
  384. if err := tx.Save(&row).Error; err != nil {
  385. return err
  386. }
  387. }
  388. link := model.ClientInbound{ClientId: row.Id, InboundId: inbound.Id}
  389. if err := tx.Where("client_id = ? AND inbound_id = ?", row.Id, inbound.Id).
  390. FirstOrCreate(&link).Error; err != nil {
  391. return err
  392. }
  393. clientObjs = append(clientObjs, obj)
  394. }
  395. delete(settings, "peers")
  396. settings["clients"] = clientObjs
  397. newSettings, err := json.Marshal(settings)
  398. if err != nil {
  399. return err
  400. }
  401. if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  402. Update("settings", string(newSettings)).Error; err != nil {
  403. return err
  404. }
  405. }
  406. return tx.Create(&model.HistoryOfSeeders{SeederName: "WireguardPeersToClients"}).Error
  407. })
  408. }
  409. func wireguardPeerEmail(remark string, peer map[string]any, index int, used map[string]struct{}) string {
  410. base := strings.TrimSpace(remark)
  411. if base == "" {
  412. base = "wg"
  413. }
  414. suffix := strconv.Itoa(index + 1)
  415. if c, ok := peer["comment"].(string); ok && strings.TrimSpace(c) != "" {
  416. suffix = strings.TrimSpace(c)
  417. }
  418. email := strings.ReplaceAll(base+"-"+suffix, " ", "-")
  419. candidate := email
  420. for n := 2; ; n++ {
  421. if _, taken := used[candidate]; !taken {
  422. return candidate
  423. }
  424. candidate = email + "-" + strconv.Itoa(n)
  425. }
  426. }
  427. // seedMtprotoSecretsToClients converts each legacy single-secret mtproto inbound
  428. // into a one-client inbound so MTProto joins the shared multi-client model: the
  429. // inbound-level secret becomes the first client's FakeTLS secret, and a
  430. // ClientRecord + client_inbounds link are created so per-client traffic, limits,
  431. // and share links work exactly like every other protocol. One-time, self-gated
  432. // on the "MtprotoSecretsToClients" seeder row. Mirrors seedWireguardPeersToClients.
  433. func seedMtprotoSecretsToClients() error {
  434. var history []string
  435. if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &history).Error; err != nil {
  436. return err
  437. }
  438. if slices.Contains(history, "MtprotoSecretsToClients") {
  439. return nil
  440. }
  441. var inbounds []model.Inbound
  442. if err := db.Where("protocol = ?", string(model.MTProto)).Find(&inbounds).Error; err != nil {
  443. return err
  444. }
  445. return db.Transaction(func(tx *gorm.DB) error {
  446. usedEmails := map[string]struct{}{}
  447. var existingEmails []string
  448. if err := tx.Model(&model.ClientRecord{}).Pluck("email", &existingEmails).Error; err != nil {
  449. return err
  450. }
  451. for _, e := range existingEmails {
  452. usedEmails[e] = struct{}{}
  453. }
  454. for _, inbound := range inbounds {
  455. if strings.TrimSpace(inbound.Settings) == "" {
  456. continue
  457. }
  458. var settings map[string]any
  459. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  460. log.Printf("MtprotoSecretsToClients: skip inbound %d (invalid settings json): %v", inbound.Id, err)
  461. continue
  462. }
  463. if clients, ok := settings["clients"].([]any); ok && len(clients) > 0 {
  464. continue
  465. }
  466. var linkCount int64
  467. if err := tx.Model(&model.ClientInbound{}).Where("inbound_id = ?", inbound.Id).Count(&linkCount).Error; err != nil {
  468. return err
  469. }
  470. if linkCount > 0 {
  471. continue
  472. }
  473. secret, _ := settings["secret"].(string)
  474. secret = strings.TrimSpace(secret)
  475. if secret == "" {
  476. domain, _ := settings["fakeTlsDomain"].(string)
  477. secret = model.GenerateFakeTLSSecret(strings.TrimSpace(domain))
  478. }
  479. email := mtprotoInboundClientEmail(inbound.Remark, usedEmails)
  480. usedEmails[email] = struct{}{}
  481. obj := map[string]any{
  482. "email": email,
  483. "secret": secret,
  484. "enable": true,
  485. "subId": random.NumLower(16),
  486. }
  487. c := model.Client{Email: email, Secret: secret, Enable: true, SubID: obj["subId"].(string)}
  488. incoming := c.ToRecord()
  489. var row model.ClientRecord
  490. err := tx.Where("email = ?", email).First(&row).Error
  491. if errors.Is(err, gorm.ErrRecordNotFound) {
  492. if err := tx.Create(incoming).Error; err != nil {
  493. return err
  494. }
  495. row = *incoming
  496. } else if err != nil {
  497. return err
  498. } else {
  499. model.MergeClientRecord(&row, incoming)
  500. if err := tx.Save(&row).Error; err != nil {
  501. return err
  502. }
  503. }
  504. link := model.ClientInbound{ClientId: row.Id, InboundId: inbound.Id}
  505. if err := tx.Where("client_id = ? AND inbound_id = ?", row.Id, inbound.Id).
  506. FirstOrCreate(&link).Error; err != nil {
  507. return err
  508. }
  509. delete(settings, "secret")
  510. settings["clients"] = []any{obj}
  511. newSettings, err := json.Marshal(settings)
  512. if err != nil {
  513. return err
  514. }
  515. if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  516. Update("settings", string(newSettings)).Error; err != nil {
  517. return err
  518. }
  519. }
  520. return tx.Create(&model.HistoryOfSeeders{SeederName: "MtprotoSecretsToClients"}).Error
  521. })
  522. }
  523. // stripMtprotoInboundSecrets removes the vestigial inbound-level `secret` from
  524. // every mtproto inbound. seedMtprotoSecretsToClients already drops it while
  525. // converting legacy single-secret inbounds, but inbounds that already had clients
  526. // kept the dead field, and the old HealMtprotoSecret regenerated it on every
  527. // save. mtg and every share link read only per-client secrets, so the
  528. // inbound-level value is dead data that once leaked into stale, unusable links.
  529. // One-time, self-gated on the "StripMtprotoInboundSecrets" seeder row.
  530. func stripMtprotoInboundSecrets() error {
  531. var history []string
  532. if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &history).Error; err != nil {
  533. return err
  534. }
  535. if slices.Contains(history, "StripMtprotoInboundSecrets") {
  536. return nil
  537. }
  538. var inbounds []model.Inbound
  539. if err := db.Where("protocol = ?", string(model.MTProto)).Find(&inbounds).Error; err != nil {
  540. return err
  541. }
  542. return db.Transaction(func(tx *gorm.DB) error {
  543. for _, inbound := range inbounds {
  544. stripped, ok := model.StripMtprotoInboundSecret(inbound.Settings)
  545. if !ok {
  546. continue
  547. }
  548. if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  549. Update("settings", stripped).Error; err != nil {
  550. return err
  551. }
  552. }
  553. return tx.Create(&model.HistoryOfSeeders{SeederName: "StripMtprotoInboundSecrets"}).Error
  554. })
  555. }
  556. // mtprotoInboundClientEmail derives a stable, unique client email for a migrated
  557. // mtproto inbound from its remark.
  558. func mtprotoInboundClientEmail(remark string, used map[string]struct{}) string {
  559. base := strings.TrimSpace(remark)
  560. if base == "" {
  561. base = "mtproto"
  562. }
  563. email := strings.ReplaceAll(base, " ", "-")
  564. candidate := email
  565. for n := 2; ; n++ {
  566. if _, taken := used[candidate]; !taken {
  567. return candidate
  568. }
  569. candidate = email + "-" + strconv.Itoa(n)
  570. }
  571. }
  572. // CreateHostsFromExternalProxy parses a legacy streamSettings.externalProxy array
  573. // and inserts one Host row per entry on tx, returning the number of rows created.
  574. // It is the shared core of both the one-time seedHostsFromExternalProxy startup
  575. // migration and the inbound-import path: an inbound exported from a build that
  576. // predated the hosts table carries its external proxies inline in
  577. // streamSettings.externalProxy, and the startup migration is gated off after its
  578. // first run, so a freshly imported inbound must be converted here instead. Blank
  579. // or malformed streamSettings, or one without externalProxy entries, is a no-op.
  580. func CreateHostsFromExternalProxy(tx *gorm.DB, inboundId int, streamSettings string) (int, error) {
  581. if strings.TrimSpace(streamSettings) == "" {
  582. return 0, nil
  583. }
  584. var stream map[string]any
  585. if err := json.Unmarshal([]byte(streamSettings), &stream); err != nil {
  586. return 0, nil
  587. }
  588. eps, ok := stream["externalProxy"].([]any)
  589. if !ok || len(eps) == 0 {
  590. return 0, nil
  591. }
  592. created := 0
  593. for i, raw := range eps {
  594. ep, ok := raw.(map[string]any)
  595. if !ok {
  596. continue
  597. }
  598. if err := tx.Create(externalProxyEntryToHost(inboundId, i, ep)).Error; err != nil {
  599. return created, err
  600. }
  601. created++
  602. }
  603. return created, nil
  604. }
  605. func externalProxyEntryToHost(inboundId, index int, ep map[string]any) *model.Host {
  606. security, _ := ep["forceTls"].(string)
  607. switch security {
  608. case "same", "tls", "none":
  609. default:
  610. security = "same"
  611. }
  612. dest, _ := ep["dest"].(string)
  613. port := 0
  614. if p, ok := ep["port"].(float64); ok {
  615. port = int(p)
  616. }
  617. remark, _ := ep["remark"].(string)
  618. if strings.TrimSpace(remark) == "" {
  619. remark = "imported " + strconv.Itoa(index+1)
  620. }
  621. if len(remark) > 256 {
  622. remark = remark[:256]
  623. }
  624. sni, _ := ep["sni"].(string)
  625. fingerprint, _ := ep["fingerprint"].(string)
  626. ech, _ := ep["echConfigList"].(string)
  627. return &model.Host{
  628. InboundId: inboundId,
  629. SortOrder: index,
  630. Remark: remark,
  631. Address: dest,
  632. Port: port,
  633. Security: security,
  634. Sni: sni,
  635. Fingerprint: fingerprint,
  636. Alpn: anyToNonEmptyStrings(ep["alpn"]),
  637. PinnedPeerCertSha256: anyToNonEmptyStrings(ep["pinnedPeerCertSha256"]),
  638. EchConfigList: ech,
  639. }
  640. }
  641. func anyToNonEmptyStrings(v any) []string {
  642. switch t := v.(type) {
  643. case []any:
  644. out := make([]string, 0, len(t))
  645. for _, e := range t {
  646. if s, ok := e.(string); ok && s != "" {
  647. out = append(out, s)
  648. }
  649. }
  650. return out
  651. case []string:
  652. out := make([]string, 0, len(t))
  653. for _, s := range t {
  654. if s != "" {
  655. out = append(out, s)
  656. }
  657. }
  658. return out
  659. default:
  660. return nil
  661. }
  662. }
  663. func pruneOrphanedHosts() error {
  664. res := db.Exec("DELETE FROM hosts WHERE inbound_id NOT IN (SELECT id FROM inbounds)")
  665. if res.Error != nil {
  666. log.Printf("Error pruning orphaned hosts rows: %v", res.Error)
  667. return res.Error
  668. }
  669. if res.RowsAffected > 0 {
  670. log.Printf("Pruned %d orphaned hosts row(s)", res.RowsAffected)
  671. }
  672. return nil
  673. }
  674. func pruneOrphanedClientInbounds() error {
  675. res := db.Exec("DELETE FROM client_inbounds WHERE inbound_id NOT IN (SELECT id FROM inbounds)")
  676. if res.Error != nil {
  677. log.Printf("Error pruning orphaned client_inbounds rows: %v", res.Error)
  678. return res.Error
  679. }
  680. if res.RowsAffected > 0 {
  681. log.Printf("Pruned %d orphaned client_inbounds row(s)", res.RowsAffected)
  682. }
  683. return nil
  684. }
  685. // migrateLegacySocksInboundsToMixed renames legacy socks inbounds to mixed.
  686. // The protocol enum dropped socks in favor of mixed (identical settings shape,
  687. // same behavior plus HTTP on the shared port), so rows predating the rename
  688. // fail model validation — most visibly when pushed to a node, where one legacy
  689. // inbound stalled the entire node's config and traffic sync (#5685).
  690. func migrateLegacySocksInboundsToMixed() error {
  691. res := db.Exec("UPDATE inbounds SET protocol = 'mixed' WHERE protocol = 'socks'")
  692. if res.Error != nil {
  693. log.Printf("Error migrating legacy socks inbounds to mixed: %v", res.Error)
  694. return res.Error
  695. }
  696. if res.RowsAffected > 0 {
  697. log.Printf("Migrated %d legacy socks inbound(s) to mixed", res.RowsAffected)
  698. }
  699. return nil
  700. }
  701. // normalizeInboundSubSortIndex lifts sub_sort_index values below the 1-based
  702. // minimum (rows written by builds that defaulted the column to 0, or by nodes
  703. // predating the field) so they cannot sort ahead of explicitly ranked inbounds.
  704. func normalizeInboundSubSortIndex() error {
  705. res := db.Exec("UPDATE inbounds SET sub_sort_index = 1 WHERE sub_sort_index < 1")
  706. if res.Error != nil {
  707. log.Printf("Error normalizing inbound sub_sort_index: %v", res.Error)
  708. return res.Error
  709. }
  710. if res.RowsAffected > 0 {
  711. log.Printf("Normalized sub_sort_index on %d inbound(s)", res.RowsAffected)
  712. }
  713. return nil
  714. }
  715. // repairOverflowedTrafficCounters heals traffic counters that historic
  716. // compounding bugs pushed past int64: on SQLite an overflowing INTEGER is
  717. // silently promoted to REAL, after which the column no longer scans into the
  718. // Go int64 field and every reader of the table fails (#5762). REAL cells are
  719. // cast back to INTEGER (SQLite caps the cast at math.MaxInt64), then values
  720. // are clamped into [0, TrafficMax] on both backends so the next delta cannot
  721. // overflow again.
  722. func repairOverflowedTrafficCounters() error {
  723. targets := []struct {
  724. table string
  725. columns []string
  726. }{
  727. {"client_traffics", []string{"up", "down"}},
  728. {"inbounds", []string{"up", "down"}},
  729. {"outbound_traffics", []string{"up", "down", "total"}},
  730. {"node_client_traffics", []string{"up", "down"}},
  731. }
  732. for _, target := range targets {
  733. for _, col := range target.columns {
  734. statements := []string{
  735. fmt.Sprintf("UPDATE %s SET %s = %d WHERE %s > %d", target.table, col, TrafficMax, col, TrafficMax),
  736. fmt.Sprintf("UPDATE %s SET %s = 0 WHERE %s < 0", target.table, col, col),
  737. }
  738. if !IsPostgres() {
  739. statements = append([]string{
  740. fmt.Sprintf("UPDATE %s SET %s = CAST(%s AS INTEGER) WHERE typeof(%s) = 'real'", target.table, col, col, col),
  741. }, statements...)
  742. }
  743. var repaired int64
  744. for _, statement := range statements {
  745. res := db.Exec(statement)
  746. if res.Error != nil {
  747. log.Printf("Error repairing %s.%s: %v", target.table, col, res.Error)
  748. return res.Error
  749. }
  750. repaired += res.RowsAffected
  751. }
  752. if repaired > 0 {
  753. log.Printf("Repaired %d overflowed %s.%s value(s)", repaired, target.table, col)
  754. }
  755. }
  756. }
  757. return nil
  758. }
  759. // dedupeInboundSettingsClients collapses duplicate same-email entries inside
  760. // every inbound's settings.clients array, keeping the first occurrence.
  761. // Retried or raced multi-node client adds on older builds appended the same
  762. // client several times (#5770), which the client lists then rendered as
  763. // phantom duplicates. Runs on every start (idempotent, writes only changed
  764. // rows) because a restored backup or a not-yet-upgraded node's snapshot can
  765. // reintroduce duplicates.
  766. func dedupeInboundSettingsClients() error {
  767. var inbounds []model.Inbound
  768. if err := db.Find(&inbounds).Error; err != nil {
  769. return err
  770. }
  771. repaired := int64(0)
  772. for _, inbound := range inbounds {
  773. if strings.TrimSpace(inbound.Settings) == "" {
  774. continue
  775. }
  776. var settings map[string]any
  777. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  778. continue
  779. }
  780. clients, _ := settings["clients"].([]any)
  781. if len(clients) < 2 {
  782. continue
  783. }
  784. seen := make(map[string]struct{}, len(clients))
  785. kept := make([]any, 0, len(clients))
  786. for _, c := range clients {
  787. if cm, ok := c.(map[string]any); ok {
  788. if email, _ := cm["email"].(string); email != "" {
  789. key := strings.ToLower(email)
  790. if _, dup := seen[key]; dup {
  791. continue
  792. }
  793. seen[key] = struct{}{}
  794. }
  795. }
  796. kept = append(kept, c)
  797. }
  798. if len(kept) == len(clients) {
  799. continue
  800. }
  801. settings["clients"] = kept
  802. newSettings, err := json.MarshalIndent(settings, "", " ")
  803. if err != nil {
  804. log.Printf("dedupeInboundSettingsClients: skip inbound %d (marshal failed): %v", inbound.Id, err)
  805. continue
  806. }
  807. if err := db.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  808. Update("settings", string(newSettings)).Error; err != nil {
  809. return err
  810. }
  811. repaired++
  812. }
  813. if repaired > 0 {
  814. log.Printf("Removed duplicate client entries from %d inbound(s)", repaired)
  815. }
  816. return nil
  817. }
  818. func isIgnorableDuplicateColumnErr(err error, mdl any) bool {
  819. if err == nil {
  820. return false
  821. }
  822. errMsg := strings.ToLower(err.Error())
  823. const sqlitePrefix = "duplicate column name:"
  824. if _, after, ok := strings.Cut(errMsg, sqlitePrefix); ok {
  825. col := strings.TrimSpace(after)
  826. col = strings.Trim(col, "`\"[]")
  827. return col != "" && db != nil && db.Migrator().HasColumn(mdl, col)
  828. }
  829. if strings.Contains(errMsg, "already exists") && strings.Contains(errMsg, "column ") {
  830. if _, after, ok := strings.Cut(errMsg, "column \""); ok {
  831. rest := after
  832. if e := strings.Index(rest, "\""); e > 0 {
  833. col := rest[:e]
  834. return col != "" && db != nil && db.Migrator().HasColumn(mdl, col)
  835. }
  836. }
  837. }
  838. return false
  839. }
  840. func initUser() error {
  841. empty, err := isTableEmpty("users")
  842. if err != nil {
  843. log.Printf("Error checking if users table is empty: %v", err)
  844. return err
  845. }
  846. if empty {
  847. hashedPassword, err := crypto.HashPasswordAsBcrypt(defaultPassword)
  848. if err != nil {
  849. log.Printf("Error hashing default password: %v", err)
  850. return err
  851. }
  852. user := &model.User{
  853. Username: defaultUsername,
  854. Password: hashedPassword,
  855. }
  856. return db.Create(user).Error
  857. }
  858. return nil
  859. }
  860. func runSeeders(isUsersEmpty bool) error {
  861. empty, err := isTableEmpty("history_of_seeders")
  862. if err != nil {
  863. log.Printf("Error checking if users table is empty: %v", err)
  864. return err
  865. }
  866. if empty && isUsersEmpty {
  867. seeders := []string{"UserPasswordHash", "ClientsTable", "InboundClientsArrayFix", "InboundClientTgIdFix", "InboundClientSubIdFix", "FreedomFinalRulesReverseFix", "ApiTokensHash", "LegacyProxySettingsCleanup", "WireguardPeersToClients", "MtprotoSecretsToClients"}
  868. for _, name := range seeders {
  869. if err := db.Create(&model.HistoryOfSeeders{SeederName: name}).Error; err != nil {
  870. return err
  871. }
  872. }
  873. return seedApiTokens()
  874. }
  875. var seedersHistory []string
  876. if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &seedersHistory).Error; err != nil {
  877. log.Printf("Error fetching seeder history: %v", err)
  878. return err
  879. }
  880. if !slices.Contains(seedersHistory, "UserPasswordHash") && !isUsersEmpty {
  881. var users []model.User
  882. if err := db.Find(&users).Error; err != nil {
  883. log.Printf("Error fetching users for password migration: %v", err)
  884. return err
  885. }
  886. for _, user := range users {
  887. if crypto.IsHashed(user.Password) {
  888. continue
  889. }
  890. hashedPassword, err := crypto.HashPasswordAsBcrypt(user.Password)
  891. if err != nil {
  892. log.Printf("Error hashing password for user '%s': %v", user.Username, err)
  893. return err
  894. }
  895. if err := db.Model(&user).Update("password", hashedPassword).Error; err != nil {
  896. log.Printf("Error updating password for user '%s': %v", user.Username, err)
  897. return err
  898. }
  899. }
  900. hashSeeder := &model.HistoryOfSeeders{
  901. SeederName: "UserPasswordHash",
  902. }
  903. if err := db.Create(hashSeeder).Error; err != nil {
  904. return err
  905. }
  906. }
  907. if !slices.Contains(seedersHistory, "ApiTokensTable") {
  908. if err := seedApiTokens(); err != nil {
  909. return err
  910. }
  911. }
  912. if !slices.Contains(seedersHistory, "ApiTokensHash") {
  913. if err := hashExistingApiTokens(); err != nil {
  914. return err
  915. }
  916. }
  917. if !slices.Contains(seedersHistory, "ClientsTable") {
  918. if err := seedClientsFromInboundJSON(); err != nil {
  919. return err
  920. }
  921. }
  922. if !slices.Contains(seedersHistory, "InboundClientsArrayFix") {
  923. if err := normalizeInboundClientsArray(); err != nil {
  924. return err
  925. }
  926. }
  927. if !slices.Contains(seedersHistory, "InboundClientTgIdFix") {
  928. if err := normalizeInboundClientTgId(); err != nil {
  929. return err
  930. }
  931. }
  932. if !slices.Contains(seedersHistory, "InboundClientSubIdFix") {
  933. if err := normalizeInboundClientSubId(); err != nil {
  934. return err
  935. }
  936. }
  937. if !slices.Contains(seedersHistory, "FreedomFinalRulesReverseFix") {
  938. if err := normalizeFreedomFinalRules(); err != nil {
  939. return err
  940. }
  941. }
  942. if !slices.Contains(seedersHistory, "LegacyProxySettingsCleanup") {
  943. if err := clearLegacyProxySettings(); err != nil {
  944. return err
  945. }
  946. }
  947. if err := seedHostsFromExternalProxy(); err != nil {
  948. return err
  949. }
  950. if err := resetIpLimitsWithoutFail2ban(); err != nil {
  951. return err
  952. }
  953. if err := seedWireguardPeersToClients(); err != nil {
  954. return err
  955. }
  956. if err := seedHostGroupIds(); err != nil {
  957. return err
  958. }
  959. // Self-gated on the "MtprotoSecretsToClients" row.
  960. if err := seedMtprotoSecretsToClients(); err != nil {
  961. return err
  962. }
  963. // Self-gated on the "StripMtprotoInboundSecrets" row. Must run after the
  964. // seeder above so legacy single-secret inbounds are first converted to a
  965. // client (which preserves the secret) before the inbound-level copy is
  966. // dropped from every mtproto inbound.
  967. if err := stripMtprotoInboundSecrets(); err != nil {
  968. return err
  969. }
  970. // Idempotent, not seeder-gated: bad values can re-enter via a restored
  971. // backup, so re-check on every start.
  972. return normalizeSettingPaths()
  973. }
  974. func seedHostGroupIds() error {
  975. var history []string
  976. if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &history).Error; err != nil {
  977. return err
  978. }
  979. if slices.Contains(history, "HostGroupIds") {
  980. return nil
  981. }
  982. var hosts []*model.Host
  983. if err := db.Where("group_id = '' OR group_id IS NULL").Find(&hosts).Error; err != nil {
  984. return err
  985. }
  986. if len(hosts) > 0 {
  987. err := db.Transaction(func(tx *gorm.DB) error {
  988. for _, h := range hosts {
  989. h.GroupId = random.NumLower(16)
  990. if err := tx.Model(h).Update("group_id", h.GroupId).Error; err != nil {
  991. return err
  992. }
  993. }
  994. return nil
  995. })
  996. if err != nil {
  997. return err
  998. }
  999. }
  1000. return db.Create(&model.HistoryOfSeeders{SeederName: "HostGroupIds"}).Error
  1001. }
  1002. func resetIpLimitsWithoutFail2ban() error {
  1003. var history []string
  1004. if err := db.Model(&model.HistoryOfSeeders{}).Pluck("seeder_name", &history).Error; err != nil {
  1005. return err
  1006. }
  1007. if slices.Contains(history, "ResetIpLimitNoFail2ban") {
  1008. return nil
  1009. }
  1010. if fail2banCanEnforce() {
  1011. return db.Create(&model.HistoryOfSeeders{SeederName: "ResetIpLimitNoFail2ban"}).Error
  1012. }
  1013. var inbounds []model.Inbound
  1014. if err := db.Find(&inbounds).Error; err != nil {
  1015. return err
  1016. }
  1017. return db.Transaction(func(tx *gorm.DB) error {
  1018. for _, inbound := range inbounds {
  1019. if strings.TrimSpace(inbound.Settings) == "" {
  1020. continue
  1021. }
  1022. var settings map[string]any
  1023. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  1024. log.Printf("ResetIpLimitNoFail2ban: skip inbound %d (invalid settings json): %v", inbound.Id, err)
  1025. continue
  1026. }
  1027. clients, ok := settings["clients"].([]any)
  1028. if !ok {
  1029. continue
  1030. }
  1031. mutated := false
  1032. for i, raw := range clients {
  1033. obj, ok := raw.(map[string]any)
  1034. if !ok {
  1035. continue
  1036. }
  1037. v, present := obj["limitIp"]
  1038. if !present {
  1039. continue
  1040. }
  1041. if n, isNum := v.(float64); isNum && n == 0 {
  1042. continue
  1043. }
  1044. obj["limitIp"] = 0
  1045. clients[i] = obj
  1046. mutated = true
  1047. }
  1048. if !mutated {
  1049. continue
  1050. }
  1051. settings["clients"] = clients
  1052. newSettings, err := json.MarshalIndent(settings, "", " ")
  1053. if err != nil {
  1054. log.Printf("ResetIpLimitNoFail2ban: skip inbound %d (marshal failed): %v", inbound.Id, err)
  1055. continue
  1056. }
  1057. if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  1058. Update("settings", string(newSettings)).Error; err != nil {
  1059. return err
  1060. }
  1061. }
  1062. if err := tx.Model(&model.ClientRecord{}).Where("limit_ip <> ?", 0).
  1063. Update("limit_ip", 0).Error; err != nil {
  1064. return err
  1065. }
  1066. return tx.Create(&model.HistoryOfSeeders{SeederName: "ResetIpLimitNoFail2ban"}).Error
  1067. })
  1068. }
  1069. func fail2banCanEnforce() bool {
  1070. if v, ok := os.LookupEnv("XUI_ENABLE_FAIL2BAN"); ok && v != "true" {
  1071. return false
  1072. }
  1073. if runtime.GOOS == "windows" {
  1074. return false
  1075. }
  1076. return exec.CommandContext(context.Background(), "fail2ban-client", "-h").Run() == nil
  1077. }
  1078. func clearLegacyProxySettings() error {
  1079. return db.Transaction(func(tx *gorm.DB) error {
  1080. if err := tx.Where("key IN ?", []string{"panelProxy", "tgBotProxy"}).
  1081. Delete(&model.Setting{}).Error; err != nil {
  1082. return err
  1083. }
  1084. return tx.Create(&model.HistoryOfSeeders{SeederName: "LegacyProxySettingsCleanup"}).Error
  1085. })
  1086. }
  1087. func normalizeSettingPaths() error {
  1088. pathKeys := []string{"webBasePath", "subPath", "subJsonPath", "subClashPath"}
  1089. var rows []model.Setting
  1090. if err := db.Where("key IN ?", pathKeys).Find(&rows).Error; err != nil {
  1091. return err
  1092. }
  1093. for _, row := range rows {
  1094. fixed := row.Value
  1095. if !strings.HasPrefix(fixed, "/") {
  1096. fixed = "/" + fixed
  1097. }
  1098. if !strings.HasSuffix(fixed, "/") {
  1099. fixed += "/"
  1100. }
  1101. if fixed == row.Value {
  1102. continue
  1103. }
  1104. if err := db.Model(&model.Setting{}).Where("id = ?", row.Id).
  1105. Update("value", fixed).Error; err != nil {
  1106. return err
  1107. }
  1108. }
  1109. return nil
  1110. }
  1111. func normalizeInboundClientTgId() error {
  1112. var inbounds []model.Inbound
  1113. if err := db.Find(&inbounds).Error; err != nil {
  1114. return err
  1115. }
  1116. return db.Transaction(func(tx *gorm.DB) error {
  1117. for _, inbound := range inbounds {
  1118. if strings.TrimSpace(inbound.Settings) == "" {
  1119. continue
  1120. }
  1121. var settings map[string]any
  1122. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  1123. log.Printf("InboundClientTgIdFix: skip inbound %d (invalid settings json): %v", inbound.Id, err)
  1124. continue
  1125. }
  1126. clients, ok := settings["clients"].([]any)
  1127. if !ok {
  1128. continue
  1129. }
  1130. mutated := false
  1131. for i, raw := range clients {
  1132. obj, ok := raw.(map[string]any)
  1133. if !ok {
  1134. continue
  1135. }
  1136. tgRaw, present := obj["tgId"]
  1137. if !present {
  1138. continue
  1139. }
  1140. v, isFloat := tgRaw.(float64)
  1141. if isFloat && !math.IsNaN(v) && !math.IsInf(v, 0) && v == math.Trunc(v) {
  1142. continue
  1143. }
  1144. obj["tgId"] = int64(0)
  1145. clients[i] = obj
  1146. mutated = true
  1147. }
  1148. if !mutated {
  1149. continue
  1150. }
  1151. settings["clients"] = clients
  1152. newSettings, err := json.MarshalIndent(settings, "", " ")
  1153. if err != nil {
  1154. log.Printf("InboundClientTgIdFix: skip inbound %d (marshal failed): %v", inbound.Id, err)
  1155. continue
  1156. }
  1157. if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  1158. Update("settings", string(newSettings)).Error; err != nil {
  1159. return err
  1160. }
  1161. }
  1162. return tx.Create(&model.HistoryOfSeeders{SeederName: "InboundClientTgIdFix"}).Error
  1163. })
  1164. }
  1165. func normalizeInboundClientSubId() error {
  1166. var inbounds []model.Inbound
  1167. if err := db.Find(&inbounds).Error; err != nil {
  1168. return err
  1169. }
  1170. return db.Transaction(func(tx *gorm.DB) error {
  1171. for _, inbound := range inbounds {
  1172. if strings.TrimSpace(inbound.Settings) == "" {
  1173. continue
  1174. }
  1175. var settings map[string]any
  1176. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  1177. log.Printf("InboundClientSubIdFix: skip inbound %d (invalid settings json): %v", inbound.Id, err)
  1178. continue
  1179. }
  1180. clients, ok := settings["clients"].([]any)
  1181. if !ok {
  1182. continue
  1183. }
  1184. mutated := false
  1185. for i, raw := range clients {
  1186. obj, ok := raw.(map[string]any)
  1187. if !ok {
  1188. continue
  1189. }
  1190. existing, _ := obj["subId"].(string)
  1191. if strings.TrimSpace(existing) != "" {
  1192. continue
  1193. }
  1194. obj["subId"] = random.NumLower(16)
  1195. clients[i] = obj
  1196. mutated = true
  1197. }
  1198. if !mutated {
  1199. continue
  1200. }
  1201. settings["clients"] = clients
  1202. newSettings, err := json.MarshalIndent(settings, "", " ")
  1203. if err != nil {
  1204. log.Printf("InboundClientSubIdFix: skip inbound %d (marshal failed): %v", inbound.Id, err)
  1205. continue
  1206. }
  1207. if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  1208. Update("settings", string(newSettings)).Error; err != nil {
  1209. return err
  1210. }
  1211. }
  1212. return tx.Create(&model.HistoryOfSeeders{SeederName: "InboundClientSubIdFix"}).Error
  1213. })
  1214. }
  1215. func normalizeInboundClientsArray() error {
  1216. var inbounds []model.Inbound
  1217. if err := db.Find(&inbounds).Error; err != nil {
  1218. return err
  1219. }
  1220. return db.Transaction(func(tx *gorm.DB) error {
  1221. for _, inbound := range inbounds {
  1222. if strings.TrimSpace(inbound.Settings) == "" {
  1223. continue
  1224. }
  1225. var settings map[string]any
  1226. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  1227. log.Printf("InboundClientsArrayFix: skip inbound %d (invalid settings json): %v", inbound.Id, err)
  1228. continue
  1229. }
  1230. raw, exists := settings["clients"]
  1231. if !exists || raw != nil {
  1232. continue
  1233. }
  1234. settings["clients"] = []any{}
  1235. newSettings, err := json.MarshalIndent(settings, "", " ")
  1236. if err != nil {
  1237. log.Printf("InboundClientsArrayFix: skip inbound %d (marshal failed): %v", inbound.Id, err)
  1238. continue
  1239. }
  1240. if err := tx.Model(&model.Inbound{}).Where("id = ?", inbound.Id).
  1241. Update("settings", string(newSettings)).Error; err != nil {
  1242. return err
  1243. }
  1244. }
  1245. return tx.Create(&model.HistoryOfSeeders{SeederName: "InboundClientsArrayFix"}).Error
  1246. })
  1247. }
  1248. func normalizeFreedomFinalRules() error {
  1249. var setting model.Setting
  1250. err := db.Model(model.Setting{}).Where("key = ?", "xrayTemplateConfig").First(&setting).Error
  1251. if errors.Is(err, gorm.ErrRecordNotFound) {
  1252. return db.Create(&model.HistoryOfSeeders{SeederName: "FreedomFinalRulesReverseFix"}).Error
  1253. }
  1254. if err != nil {
  1255. return err
  1256. }
  1257. updated, changed, rErr := rewriteFreedomFinalRules(setting.Value)
  1258. if rErr != nil {
  1259. log.Printf("FreedomFinalRulesReverseFix: skip (invalid xrayTemplateConfig json): %v", rErr)
  1260. return db.Create(&model.HistoryOfSeeders{SeederName: "FreedomFinalRulesReverseFix"}).Error
  1261. }
  1262. return db.Transaction(func(tx *gorm.DB) error {
  1263. if changed {
  1264. if err := tx.Model(&model.Setting{}).Where("key = ?", "xrayTemplateConfig").
  1265. Update("value", updated).Error; err != nil {
  1266. return err
  1267. }
  1268. }
  1269. return tx.Create(&model.HistoryOfSeeders{SeederName: "FreedomFinalRulesReverseFix"}).Error
  1270. })
  1271. }
  1272. func rewriteFreedomFinalRules(raw string) (string, bool, error) {
  1273. if strings.TrimSpace(raw) == "" {
  1274. return raw, false, nil
  1275. }
  1276. var cfg map[string]any
  1277. if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
  1278. return raw, false, err
  1279. }
  1280. outbounds, ok := cfg["outbounds"].([]any)
  1281. if !ok {
  1282. return raw, false, nil
  1283. }
  1284. changed := false
  1285. for _, ob := range outbounds {
  1286. obj, ok := ob.(map[string]any)
  1287. if !ok {
  1288. continue
  1289. }
  1290. if proto, _ := obj["protocol"].(string); proto != "freedom" {
  1291. continue
  1292. }
  1293. settings, ok := obj["settings"].(map[string]any)
  1294. if !ok {
  1295. continue
  1296. }
  1297. if !isLegacyPrivateOnlyFinalRules(settings["finalRules"]) {
  1298. continue
  1299. }
  1300. settings["finalRules"] = []any{map[string]any{"action": "allow"}}
  1301. changed = true
  1302. }
  1303. if !changed {
  1304. return raw, false, nil
  1305. }
  1306. out, err := json.MarshalIndent(cfg, "", " ")
  1307. if err != nil {
  1308. return raw, false, err
  1309. }
  1310. return string(out), true, nil
  1311. }
  1312. func isLegacyPrivateOnlyFinalRules(v any) bool {
  1313. rules, ok := v.([]any)
  1314. if !ok || len(rules) != 1 {
  1315. return false
  1316. }
  1317. rule, ok := rules[0].(map[string]any)
  1318. if !ok {
  1319. return false
  1320. }
  1321. if action, _ := rule["action"].(string); action != "allow" {
  1322. return false
  1323. }
  1324. ips, ok := rule["ip"].([]any)
  1325. if !ok || len(ips) != 1 {
  1326. return false
  1327. }
  1328. if s, _ := ips[0].(string); s != "geoip:private" {
  1329. return false
  1330. }
  1331. for k := range rule {
  1332. if k != "action" && k != "ip" {
  1333. return false
  1334. }
  1335. }
  1336. return true
  1337. }
  1338. func normalizeClientJSONFields(obj map[string]any) {
  1339. normalizeInt := func(key string) {
  1340. raw, exists := obj[key]
  1341. if !exists {
  1342. return
  1343. }
  1344. s, ok := raw.(string)
  1345. if !ok {
  1346. return
  1347. }
  1348. trimmed := strings.ReplaceAll(strings.TrimSpace(s), " ", "")
  1349. if trimmed == "" {
  1350. delete(obj, key)
  1351. return
  1352. }
  1353. if n, err := strconv.ParseInt(trimmed, 10, 64); err == nil {
  1354. obj[key] = n
  1355. } else {
  1356. delete(obj, key)
  1357. }
  1358. }
  1359. for _, k := range []string{"tgId", "limitIp", "totalGB", "expiryTime", "reset", "created_at", "updated_at"} {
  1360. normalizeInt(k)
  1361. }
  1362. }
  1363. func seedClientsFromInboundJSON() error {
  1364. var inbounds []model.Inbound
  1365. if err := db.Find(&inbounds).Error; err != nil {
  1366. return err
  1367. }
  1368. return db.Transaction(func(tx *gorm.DB) error {
  1369. byEmail := map[string]*model.ClientRecord{}
  1370. var existing []model.ClientRecord
  1371. if err := tx.Find(&existing).Error; err != nil {
  1372. return err
  1373. }
  1374. for i := range existing {
  1375. byEmail[existing[i].Email] = &existing[i]
  1376. }
  1377. for _, inbound := range inbounds {
  1378. if strings.TrimSpace(inbound.Settings) == "" {
  1379. continue
  1380. }
  1381. var settings map[string]any
  1382. if err := json.Unmarshal([]byte(inbound.Settings), &settings); err != nil {
  1383. log.Printf("ClientsTable seed: skip inbound %d (invalid settings json): %v", inbound.Id, err)
  1384. continue
  1385. }
  1386. rawList, ok := settings["clients"].([]any)
  1387. if !ok {
  1388. continue
  1389. }
  1390. for _, raw := range rawList {
  1391. obj, ok := raw.(map[string]any)
  1392. if !ok {
  1393. continue
  1394. }
  1395. normalizeClientJSONFields(obj)
  1396. blob, err := json.Marshal(obj)
  1397. if err != nil {
  1398. continue
  1399. }
  1400. var c model.Client
  1401. if err := json.Unmarshal(blob, &c); err != nil {
  1402. log.Printf("ClientsTable seed: skip client in inbound %d (unmarshal failed): %v; payload=%s",
  1403. inbound.Id, err, string(blob))
  1404. continue
  1405. }
  1406. email := strings.TrimSpace(c.Email)
  1407. if email == "" {
  1408. continue
  1409. }
  1410. incoming := c.ToRecord()
  1411. row, dup := byEmail[email]
  1412. if !dup {
  1413. if err := tx.Create(incoming).Error; err != nil {
  1414. return err
  1415. }
  1416. byEmail[email] = incoming
  1417. row = incoming
  1418. } else {
  1419. conflicts := model.MergeClientRecord(row, incoming)
  1420. for _, x := range conflicts {
  1421. log.Printf("client merge: email=%s conflict on %s old=%v new=%v kept=%v",
  1422. email, x.Field, x.Old, x.New, x.Kept)
  1423. }
  1424. if err := tx.Save(row).Error; err != nil {
  1425. return err
  1426. }
  1427. }
  1428. link := model.ClientInbound{
  1429. ClientId: row.Id,
  1430. InboundId: inbound.Id,
  1431. FlowOverride: c.Flow,
  1432. }
  1433. if err := tx.Where("client_id = ? AND inbound_id = ?", row.Id, inbound.Id).
  1434. FirstOrCreate(&link).Error; err != nil {
  1435. return err
  1436. }
  1437. }
  1438. }
  1439. return tx.Create(&model.HistoryOfSeeders{SeederName: "ClientsTable"}).Error
  1440. })
  1441. }
  1442. func seedApiTokens() error {
  1443. empty, err := isTableEmpty("api_tokens")
  1444. if err != nil {
  1445. return err
  1446. }
  1447. if empty {
  1448. var legacy model.Setting
  1449. err := db.Model(model.Setting{}).Where("key = ?", "apiToken").First(&legacy).Error
  1450. if err == nil && legacy.Value != "" {
  1451. row := &model.ApiToken{
  1452. Name: "default",
  1453. Token: legacy.Value,
  1454. Enabled: true,
  1455. }
  1456. if err := db.Create(row).Error; err != nil {
  1457. log.Printf("Error migrating legacy apiToken: %v", err)
  1458. return err
  1459. }
  1460. }
  1461. }
  1462. return db.Create(&model.HistoryOfSeeders{SeederName: "ApiTokensTable"}).Error
  1463. }
  1464. func hashExistingApiTokens() error {
  1465. var rows []*model.ApiToken
  1466. if err := db.Find(&rows).Error; err != nil {
  1467. return err
  1468. }
  1469. for _, r := range rows {
  1470. if crypto.IsSHA256Hex(r.Token) {
  1471. continue
  1472. }
  1473. hashed := crypto.HashTokenSHA256(r.Token)
  1474. if err := db.Model(model.ApiToken{}).Where("id = ?", r.Id).Update("token", hashed).Error; err != nil {
  1475. log.Printf("Error hashing api token %d: %v", r.Id, err)
  1476. return err
  1477. }
  1478. }
  1479. return db.Create(&model.HistoryOfSeeders{SeederName: "ApiTokensHash"}).Error
  1480. }
  1481. func isTableEmpty(tableName string) (bool, error) {
  1482. var count int64
  1483. err := db.Table(tableName).Count(&count).Error
  1484. return count == 0, err
  1485. }
  1486. func InitDB(dbPath string) error {
  1487. var gormLogger logger.Interface
  1488. if config.IsDebug() {
  1489. gormLogger = logger.New(
  1490. log.New(os.Stdout, "\r\n", log.LstdFlags),
  1491. logger.Config{
  1492. SlowThreshold: time.Second,
  1493. LogLevel: logger.Info,
  1494. IgnoreRecordNotFoundError: true,
  1495. Colorful: true,
  1496. },
  1497. )
  1498. } else {
  1499. gormLogger = logger.Discard
  1500. }
  1501. c := &gorm.Config{Logger: gormLogger, DisableForeignKeyConstraintWhenMigrating: true}
  1502. var err error
  1503. switch config.GetDBKind() {
  1504. case "postgres":
  1505. dsn := config.GetDBDSN()
  1506. if dsn == "" {
  1507. return errors.New("XUI_DB_TYPE=postgres but XUI_DB_DSN is empty")
  1508. }
  1509. db, err = gorm.Open(postgres.Open(dsn), c)
  1510. if err != nil {
  1511. return err
  1512. }
  1513. default:
  1514. dir := path.Dir(dbPath)
  1515. if err = os.MkdirAll(dir, 0o755); err != nil {
  1516. return err
  1517. }
  1518. sync := sqliteSynchronous()
  1519. dsn := dbPath + "?_journal_mode=DELETE&_busy_timeout=10000&_synchronous=" + sync + "&_txlock=immediate"
  1520. db, err = gorm.Open(sqlite.Open(dsn), c)
  1521. if err != nil {
  1522. return err
  1523. }
  1524. sqlDB, err := db.DB()
  1525. if err != nil {
  1526. return err
  1527. }
  1528. pragmas := []string{
  1529. "PRAGMA journal_mode=DELETE",
  1530. "PRAGMA busy_timeout=10000",
  1531. "PRAGMA synchronous=" + sync,
  1532. fmt.Sprintf("PRAGMA cache_size=-%d", envInt("XUI_DB_CACHE_MB", 32)*1024),
  1533. fmt.Sprintf("PRAGMA mmap_size=%d", int64(envInt("XUI_DB_MMAP_MB", 256))*1024*1024),
  1534. "PRAGMA temp_store=MEMORY",
  1535. }
  1536. for _, p := range pragmas {
  1537. if _, err := sqlDB.ExecContext(context.Background(), p); err != nil {
  1538. return err
  1539. }
  1540. }
  1541. }
  1542. sqlDB, err := db.DB()
  1543. if err != nil {
  1544. return err
  1545. }
  1546. var maxOpen, maxIdle int
  1547. switch config.GetDBKind() {
  1548. case "postgres":
  1549. maxOpen = envInt("XUI_DB_MAX_OPEN_CONNS", 25)
  1550. maxIdle = envInt("XUI_DB_MAX_IDLE_CONNS", 25)
  1551. default:
  1552. maxOpen = envInt("XUI_DB_MAX_OPEN_CONNS", 8)
  1553. maxIdle = envInt("XUI_DB_MAX_IDLE_CONNS", 4)
  1554. }
  1555. sqlDB.SetMaxOpenConns(maxOpen)
  1556. sqlDB.SetMaxIdleConns(maxIdle)
  1557. sqlDB.SetConnMaxLifetime(time.Hour)
  1558. sqlDB.SetConnMaxIdleTime(30 * time.Minute)
  1559. if err := initModels(); err != nil {
  1560. return err
  1561. }
  1562. isUsersEmpty, err := isTableEmpty("users")
  1563. if err != nil {
  1564. return err
  1565. }
  1566. if err := initUser(); err != nil {
  1567. return err
  1568. }
  1569. return runSeeders(isUsersEmpty)
  1570. }
  1571. func normalizeApiTokenCreatedAtSeconds() error {
  1572. return db.Model(&model.ApiToken{}).
  1573. Where("created_at >= ?", model.ApiTokenUnixMillisecondsThreshold).
  1574. UpdateColumn("created_at", gorm.Expr("created_at / ?", 1000)).Error
  1575. }
  1576. func sqliteSynchronous() string {
  1577. switch strings.ToUpper(strings.TrimSpace(os.Getenv("XUI_DB_SYNCHRONOUS"))) {
  1578. case "OFF":
  1579. return "OFF"
  1580. case "NORMAL":
  1581. return "NORMAL"
  1582. case "EXTRA":
  1583. return "EXTRA"
  1584. default:
  1585. return "FULL"
  1586. }
  1587. }
  1588. func envInt(key string, def int) int {
  1589. v := strings.TrimSpace(os.Getenv(key))
  1590. if v == "" {
  1591. return def
  1592. }
  1593. n, err := strconv.Atoi(v)
  1594. if err != nil || n <= 0 {
  1595. return def
  1596. }
  1597. return n
  1598. }
  1599. func CloseDB() error {
  1600. if db != nil {
  1601. sqlDB, err := db.DB()
  1602. if err != nil {
  1603. return err
  1604. }
  1605. return sqlDB.Close()
  1606. }
  1607. return nil
  1608. }
  1609. func GetDB() *gorm.DB {
  1610. return db
  1611. }
  1612. func IsNotFound(err error) bool {
  1613. return errors.Is(err, gorm.ErrRecordNotFound)
  1614. }
  1615. func IsSQLiteDB(file io.ReaderAt) (bool, error) {
  1616. signature := []byte("SQLite format 3\x00")
  1617. buf := make([]byte, len(signature))
  1618. _, err := file.ReadAt(buf, 0)
  1619. if err != nil {
  1620. return false, err
  1621. }
  1622. return bytes.Equal(buf, signature), nil
  1623. }
  1624. func Checkpoint() error {
  1625. if IsPostgres() {
  1626. return nil
  1627. }
  1628. return db.Exec("PRAGMA wal_checkpoint;").Error
  1629. }
  1630. func ValidateSQLiteDB(dbPath string) error {
  1631. if _, err := os.Stat(dbPath); err != nil {
  1632. return err
  1633. }
  1634. gdb, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{Logger: logger.Discard})
  1635. if err != nil {
  1636. return err
  1637. }
  1638. sqlDB, err := gdb.DB()
  1639. if err != nil {
  1640. return err
  1641. }
  1642. defer sqlDB.Close()
  1643. var res string
  1644. if err := gdb.Raw("PRAGMA integrity_check;").Scan(&res).Error; err != nil {
  1645. return err
  1646. }
  1647. if res != "ok" {
  1648. return errors.New("sqlite integrity check failed: " + res)
  1649. }
  1650. return nil
  1651. }