
github.com/MHSanaei/3x-ui.git - Unnamed repository; edit this file 'description' to name the repository.
authormhsanaei <ho3ein.sanaei@gmail.com>2025-09-24 12:25:35 +0300
committermhsanaei <ho3ein.sanaei@gmail.com>2025-09-24 12:29:55 +0300
commit3f62592e4b98c38d2164c9949ed971ed5d2b21cc (patch)
treece77d16e71ececac96b9fe9180c767c60c32db68
parent02bff4db6c99bac0aefb5c4c65c986d8d5b802a9 (diff)
API improve security: returns 404 for unauthenticated API requests
-rw-r--r--web/controller/api.go15
-rw-r--r--web/controller/xui.go4
2 files changed, 14 insertions, 5 deletions
diff --git a/web/controller/api.go b/web/controller/api.go
index dbd3f28d..1a39f8ed 100644
--- a/web/controller/api.go
+++ b/web/controller/api.go
@@ -1,7 +1,10 @@
package controller
import (
+ "net/http"
+
"github.com/mhsanaei/3x-ui/v2/web/service"
+ "github.com/mhsanaei/3x-ui/v2/web/session"
"github.com/gin-gonic/gin"
)
@@ -21,11 +24,21 @@ func NewAPIController(g *gin.RouterGroup) *APIController {
return a
}
+// checkAPIAuth is a middleware that returns 404 for unauthenticated API requests
+// to hide the existence of API endpoints from unauthorized users
+func (a *APIController) checkAPIAuth(c *gin.Context) {
+ if !session.IsLogin(c) {
+ c.AbortWithStatus(http.StatusNotFound)
+ return
+ }
+ c.Next()
+}
+
// initRouter sets up the API routes for inbounds, server, and other endpoints.
func (a *APIController) initRouter(g *gin.RouterGroup) {
// Main API group
api := g.Group("/panel/api")
- api.Use(a.checkLogin)
+ api.Use(a.checkAPIAuth)
// Inbounds API
inbounds := api.Group("/inbounds")
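Review bot: The 404 that `checkAPIAuth` sends may still be distinguishable from the router's own 404 for a path that does not exist: `c.AbortWithStatus(http.StatusNotFound)` writes only the status with an empty body, whereas gin's default no-route response carries a short text body, so unless the engine installs a matching `NoRoute` handler (not visible in this diff) the two responses differ and the endpoint is not actually hidden. Serving both cases from one shared handler would make them identical. The rejection is also silent, so repeated unauthenticated requests under `/panel/api` leave no trace; a log line with the client address and request path before the abort would give operators something to alert on. The doc comment should also record the side effect for legitimate clients, e.g. `// Note: an expired session also gets 404, so API clients cannot tell "logged out" from "wrong path".` `initRouter` continues past the end of the hunk.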
diff --git a/web/controller/xui.go b/web/controller/xui.go
index ba415ac9..51502900 100644
--- a/web/controller/xui.go
+++ b/web/controller/xui.go
@@ -8,8 +8,6 @@ import (
type XUIController struct {
BaseController
- inboundController *InboundController
- serverController *ServerController
settingController *SettingController
xraySettingController *XraySettingController
}
@@ -31,8 +29,6 @@ func (a *XUIController) initRouter(g *gin.RouterGroup) {
g.GET("/settings", a.settings)
g.GET("/xray", a.xraySettings)
- a.inboundController = NewInboundController(g)
- a.serverController = NewServerController(g)
a.settingController = NewSettingController(g)
a.xraySettingController = NewXraySettingController(g)
}