30c2f655e7
fix(admin-frontend): 修复节点权限组保存与协议默认值
...
统一将节点编辑和批量修改的 group_ids、route_ids
序列化为字符串 ID,避免保存权限组后订阅侧无法命中节点
后端新增 whereGroupId 兼容历史字符串与数字 JSON 值,
并补齐 TUIC 版本、ALPN 选项及 AnyTLS 默认 Padding 配置
docs: 新增 HelloAGENTS 通用与工作流避坑指南
2026-04-27 23:03:57 +08:00
c64badfc23
feat(admin-frontend): 补齐活跃筛选与支付快照能力
...
新增用户管理“活跃状态”高级筛选,并在后端支持
activity_status 复合规则,支持按活跃与非活跃筛选用户。
补齐订单支付成功快照落库与后台展示,保存支付渠道、
支付方法、实付金额和支付 IP,并在订单详情中优先展示。
同时增强节点页在线/离线筛选与批量删除、仪表盘快捷入口,
并修复已关闭工单再次回复后自动重开的统一语义。
附带同步测试、迁移、CI 工作流命名及知识库记录
2026-04-25 00:59:08 +08:00
9ce345eb76
merge: sync upstream/master preserving local changes
2026-04-23 22:27:18 +08:00
2efef9e8ee
fix(security): prevent payment gateway credentials leakage via OrderResource
2026-04-23 10:26:35 +08:00
c0b6ee1763
refactor: core plugins to plugins-core
2026-04-18 23:31:59 +08:00
fe62542b7c
fix: unify Trojan server_name/allow_insecure to tls_settings across all protocols
2026-04-18 21:00:21 +08:00
360684245e
fix: ticket reply_status semantics, N+1 query, and admin reply auto-reopen
2026-04-18 16:40:21 +08:00
9ba946621e
feat: email template management with DB override, modern mail redesign
2026-04-18 15:41:23 +08:00
521d4e3ac5
fix: dedup device IPs, reset stale online_count on disconnect and scheduled cleanup ( #886 )
2026-04-18 02:57:55 +08:00
cd5e00bbfb
Merge remote-tracking branch 'upstream/master'
...
# Conflicts:
# public/assets/admin
2026-04-18 00:35:04 +08:00
d9833fab47
fix(plugin): improve plugin install and uninstall migration handling
2026-04-17 23:11:03 +08:00
e297b5fe9f
feat: machine mode, ECH subscriptions, batch ops & security hardening
2026-04-17 03:02:53 +08:00
abd64ed20c
Merge remote-tracking branch 'upstream/master'
...
# Conflicts:
# app/Services/UserOnlineService.php
# public/assets/admin
2026-04-16 16:59:21 +08:00
121511523f
Fix: CVE-2026-39912 - Magic link token leak in loginWithMailLink ( #873 )
...
The loginWithMailLink endpoint returns the magic login link in the
HTTP response body, allowing unauthenticated account takeover.
The fix returns true instead of the link. The email delivery is
the authentication factor.
Bug inherited from V2Board commit bdb10bed (2022-06-27).
2026-04-10 02:44:20 +08:00
58ef46f754
fix: stop sending VLESS decryption when encryption is disabled
2026-04-08 11:05:55 +08:00
5f1afe4bdc
feat: add Vless Encryption support
2026-03-30 17:03:37 +08:00
a58d66d72e
feat: node traffic limit & batch operations
...
- Traffic monitoring with transfer_enable limit
- Batch delete nodes
- Reset traffic (single/batch)
2026-03-30 02:50:56 +08:00
3744ebcd5a
Revert "fix: escape Telegram Markdown special characters ( fix #450 )"
...
This reverts commit 23294c1f93
2026-03-29 17:48:49 +08:00
23294c1f93
fix: escape Telegram Markdown special characters ( fix #450 )
2026-03-28 09:10:54 +08:00
7fbd1bb92d
feat: implement email case-insensitive queries ( fix #318 )
2026-03-28 07:09:21 +08:00
3c3639613e
fix: use ServerService::getServer() for node lookup in WebSocket
2026-03-26 03:51:58 +08:00
74b5ef0b27
fix: resolve device sync issues and refactor WebSocket server
2026-03-26 03:33:01 +08:00
420521d90a
refactor: restructure device limit system
2026-03-25 17:50:16 +08:00
73a37a07dd
feat: ws notify nodes when user traffic is exhausted
2026-03-25 01:44:55 +08:00
7dacb69275
feat: Trojan Reality support and protocol distribution optimizations
2026-03-23 14:56:41 +08:00
ae8a913f9b
merge: sync upstream/master from cedar2025/Xboard
...
合并上游 cedar2025/Xboard 的 master,并按交互决策保留本地改动。
2026-03-19 21:04:27 +08:00
421844895e
fix(payment): validate and filter unavailable methods
...
Filter user-visible payment methods to only include supported
providers and fail fast when a payment record or plugin cannot be
resolved.
This prevents invalid payment options from being returned by the
API and avoids constructing an undefined fallback payment class.
2026-03-19 20:29:26 +08:00
64e6d8148e
feat: Add admin bulk-mail placeholder variables and template rendering
2026-03-19 05:02:16 +08:00
47983dec40
fix(runtime): force app_url/force_https per-request via middlewar
2026-03-19 04:22:17 +08:00
b55091a066
feat: Refactor uTLS & Multiplex Support, Node Status Push Optimization
...
- Server/ServerSave/Server.php: Unified utls and multiplex schema, validation, and defaults for vmess/vless/trojan/mieru protocols, enabling more flexible protocol configuration.
- Protocols (SingBox/ClashMeta/Shadowrocket/Stash/General): All protocol generators now support utls (client-fingerprint/fp) and multiplex options. Removed getRandFingerprint, replaced with getTlsFingerprint supporting random/custom fingerprints.
- Helper.php: Refactored TLS fingerprint utility to support object/string/random input.
- ServerService: Abstracted updateMetrics method to unify HTTP/WS node status caching logic.
- NodeWebSocketServer: Improved node connection, status push, and full sync logic; adjusted log levels; clarified push logic.
- ServerController: Reused ServerService for node metrics handling, reducing code duplication.
- Docs: Improved aapanel installation docs, added fix for empty admin dashboard.
2026-03-16 23:09:56 +08:00
010275b09e
feat: introduce WebSocket sync for XBoard nodes
...
- Implement Workerman-based `xboard:ws-server` for real-time node synchronization.
- Support custom routes, outbounds, and certificate configurations via JSON.
- Optimize scheduled tasks with `lazyById` to minimize memory footprint.
- Enhance reactivity using Observers for `Plan`, `Server`, and `ServerRoute`.
- Expand protocol support for `httpupgrade`, `h2`, and `mieru`.
2026-03-15 09:49:11 +08:00
562064712d
fix(register): handle invalid invite code as API error ( #792 )
2026-03-11 02:09:25 +08:00
01bcf43ae8
fix: apply device_limit from plan when assigning via gift card ( #630 )
2026-03-09 06:51:10 +08:00
2e0b10e643
fix: return dynamic rate instead of base rate in user server list ( #709 )
2026-03-09 06:47:30 +08:00
cf552f6e5d
Merge pull request #734 from kelly5454/master
...
fix: Type error when redeeming gift card
2026-03-09 04:56:14 +08:00
4f84034814
• 你这个现象我已经定位并修了,核心原因是节点匹配和设备映射都有歧义。
...
已修改:
- 节点识别优先用 id,只有找不到才回退 code,避免子节点被匹配成父节点
ServerService.php (/E:/code/php/Xboard-new/app/Services/ServerService.php#L101)
- 在线设备解析补全 node_key/node_id,并按真实节点键归类
UserOnlineService.php (/E:/code/php/Xboard-new/app/Services/UserOnlineService.php#L43)
- 用户端流量日志设备映射改为按 node_key 精确匹配
StatController.php (/E:/code/php/Xboard-new/app/Http/Controllers/V1/User/StatController.php#L43)
- 管理端同样改为按 node_key 映射
StatController.php (/E:/code/php/Xboard-new/app/Http/Controllers/V2/Admin/StatController.php#L270)
说明:
- 这次不涉及数据库结构变更,不需要 migrate。
- 对管理后台现有统计接口兼容,不会破坏原有 u/d/record_at/server_rate 显示。
- 旧的历史日志如果之前已经按父节点入库,不会自动改名;新流量会按修复后的逻辑记录。
2026-02-26 05:13:19 +08:00
809860b8db
修改仓库地址
2026-02-22 03:57:06 +08:00
17a7c63aec
修改邮件部分
2026-02-22 03:22:14 +08:00
95e8e7bca7
feat: add v2node support
2025-11-22 20:33:38 +08:00
8d0e33ba23
fix: preserve theme config when upgrading theme
2025-11-07 19:25:40 +08:00
3754f7da0d
fix: exchange gift card type error
2025-10-30 21:08:39 +08:00
e3c746d314
feat(plugin): auto-decode JSON config values by type in PluginManager
2025-10-20 18:56:44 +08:00
f83bdfc9ad
fix: avoid getCurrentCommit on cache hit
2025-09-26 19:04:17 +08:00
bf1234a9c2
fix(plugin): remove stale plugin records when files missing; adjust logging
2025-09-23 14:59:22 +08:00
58a374bde9
fix
2025-09-16 18:44:44 +08:00
abf541df72
fix: improve date calculation for month-end reset schedules
2025-08-31 20:30:02 +08:00
a8e2452dcc
fix(order): correct renewal handling for onetime plan
...
fixes onetime plan renewal logic
2025-08-29 23:24:48 +08:00
8e0384c833
feat: optimize server.user.get hook definition
2025-08-29 19:21:49 +08:00
724dd54822
fix: support resources/views directory for plugin views
2025-08-23 15:26:09 +08:00
a666557781
fix(auth): handle null redirect in quick login url
2025-08-21 18:57:19 +08:00
yinjianm