From e40554a7d53190d0b0f7d886c262685335f9aac8 Mon Sep 17 00:00:00 2001 From: MHSanaei Date: Wed, 13 May 2026 13:45:31 +0200 Subject: [PATCH] fix(inbound): require email when adding or updating a client MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit AddInboundClient and UpdateInboundClient previously accepted an empty Email field for every protocol except shadowsocks (where email doubles as the client ID). Empty emails break downstream features that key off email — IP-limit logging, traffic stats, client-online tracking, subscription remarks. Reject empty/whitespace-only emails at the service layer so the API surface (POST /panel/api/inbounds/addClient and /updateClient/:id) returns a clear error instead of persisting an unidentifiable client. Also drop the stale `len(Email) > 0` guard in UpdateInboundClient that became dead code once empty emails are rejected. --- web/service/inbound.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/web/service/inbound.go b/web/service/inbound.go index cb4f402b..e0c80d69 100644 --- a/web/service/inbound.go +++ b/web/service/inbound.go @@ -849,6 +849,9 @@ func (s *InboundService) AddInboundClient(data *model.Inbound) (bool, error) { // Secure client ID for _, client := range clients { + if strings.TrimSpace(client.Email) == "" { + return false, common.NewError("client email is required") + } switch oldInbound.Protocol { case "trojan": if client.Password == "" { @@ -1317,8 +1320,11 @@ func (s *InboundService) UpdateInboundClient(data *model.Inbound, clientId strin if newClientId == "" || clientIndex == -1 { return false, common.NewError("empty client ID") } + if strings.TrimSpace(clients[0].Email) == "" { + return false, common.NewError("client email is required") + } - if len(clients[0].Email) > 0 && clients[0].Email != oldEmail { + if clients[0].Email != oldEmail { existEmail, err := s.checkEmailsExistForClients(clients) if err != nil { return false, err