@Kagashini

Problem
When a client's subscription expires, the system automatically disables the client (enable = false). However, when the subscription is renewed (by updating the expiry date or increasing the volume limit), the client remains disabled and continues to show "Error!" when trying to access the subscription configuration.

Root Cause
The original logic checked if the client was disabled and returned an error before checking whether the subscription had been renewed. This meant that even after renewing a subscription, clients would remain in a disabled state indefinitely.

Solution
Reordered the validation logic to:

  1. First check if the client is disabled
  2. If disabled, verify if the subscription is now valid (not expired AND not over volume limit)
  3. If valid, automatically re-enable the client in the database
  4. Then perform the standard expiry and volume checks

Changes Made
  • Modified sub/jsonService.go - getData() function
  • Modified sub/subService.go - GetSubs() function

Benefits
✅ Clients with renewed subscriptions are automatically re-enabled on their next request
✅ Works with unlimited subscriptions (expiry = 0)
✅ Works with unlimited traffic (volume = 0)
✅ No manual intervention required after renewing subscriptions
✅ Backward compatible with existing functionality

Testing
Tested with:

  • Expired subscription → renewed → client auto-enabled ✅
  • Exceeded volume limit → increased limit → client auto-enabled ✅
  • Unlimited subscription (expiry = 0) → always enabled ✅
  • Unlimited traffic (volume = 0) → always enabled ✅

- Add sub_token and sub_exp fields to clients table
- Implement subscription token generation and validation
- Add token protection mechanism to subscription handler
- Update client information and token expiration periodically
- Modify subscription service to handle token generation and updates
- Update README to reflect new subscription token protection feature
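
The check order described in the pull request above, as an added example that is not the PR's own code. The `Client` struct, its field names and `CheckAccess` are hypothetical; the only semantics taken from the description are the order of checks and that 0 means unlimited for both expiry and volume.

```go
package main

import (
	"fmt"
	"time"
)

// Client is a hypothetical stand-in for the panel's client record.
type Client struct {
	Enable bool
	Expiry int64 // Unix seconds; 0 = unlimited
	Volume int64 // byte limit; 0 = unlimited
	Used   int64 // bytes consumed so far
}

// subscriptionValid reports whether the subscription is neither expired
// nor over its volume limit, treating 0 as "unlimited" for both.
func subscriptionValid(c *Client, now int64) bool {
	expired := c.Expiry > 0 && c.Expiry <= now
	overVolume := c.Volume > 0 && c.Used >= c.Volume
	return !expired && !overVolume
}

// CheckAccess follows the reordered logic: a disabled client is re-enabled
// only if its subscription is valid again; the standard checks then run.
func CheckAccess(c *Client, now int64) (allowed, reenabled bool) {
	if !c.Enable {
		if !subscriptionValid(c, now) {
			return false, false // still expired or over limit: stay disabled
		}
		c.Enable = true // assumption: real code persists this to the database
		reenabled = true
	}
	if !subscriptionValid(c, now) {
		c.Enable = false // standard check: disable on expiry or overuse
		return false, reenabled
	}
	return true, reenabled
}

func main() {
	now := time.Now().Unix()
	renewed := &Client{Enable: false, Expiry: now + 3600, Volume: 100, Used: 10}
	fmt.Println(CheckAccess(renewed, now)) // constructed sample: renewed client
}
```

In this model the enable flag is the only state, so a client switched off by hand while its subscription is still valid takes the same path as one disabled by expiry; whether the PR's code distinguishes the two is not visible on this page.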
@Kagashini changed the title from "Fix: Auto-enable clients with renewed subscriptions" to "Fix: Auto-enable clients with renewed subscriptions and Feature: Subscription Token Protection (As an example of implementation)" on Dec 4, 2025
@Kagashini
Author

Kagashini commented Dec 4, 2025

153cc05

Feature: Subscription Token Protection

Overview

This security enhancement adds an extra layer of protection to subscription endpoints by requiring clients to use time-limited tokens to access their subscription data.

Key Components

Database Changes

  • Added two new fields to the clients table:
    • sub_token: Stores the subscription token for each client
    • sub_exp: Stores the expiration timestamp for the subscription token
  • Created an index on sub_token for efficient lookups

Token Management

  • Automatic token generation when clients are created
  • Periodic token refresh (24-hour expiration cycle)
  • Secure token generation using cryptographic random functions
  • Special handling for re-enabled clients (generates fresh tokens)

Subscription Handler Security

  • Enhanced subscription endpoint (/sub/:subid) with token validation
  • Conditional access control based on the token protection setting:
    • When enabled: Only requests with valid tokens (/sub/:subid/:token) are accepted
    • When disabled: Both tokenized and non-tokenized URLs work for backward compatibility

Client Service Enhancements

  • Methods to retrieve clients by subscription token
  • Token validation with expiration checking
  • Automatic token refresh functionality

Configuration

  • Added subTokenProtection setting (defaults to "false")
  • Integrated with existing settings service

Security Benefits

  • Prevents unauthorized sharing of subscription links
  • Provides time-limited access tokens that expire and refresh automatically
  • Offers configurable protection that can be enabled/disabled as needed
  • Maintains backward compatibility when protection is disabled

Implementation Approach

The implementation follows a non-breaking approach:

  • Existing installations continue to work as before when the feature is disabled
  • When enabled, clients must use tokenized URLs to access their subscriptions
  • Tokens are automatically managed and refreshed without user intervention
  • Re-enabled clients receive new tokens to ensure continued access

How It Works

  1. When token protection is enabled, each client is assigned a unique subscription token
  2. Clients must include this token in their subscription URL: https://yourdomain.com/sub/{client_name}/{token}
  3. Without a valid token, subscription requests are rejected
  4. Tokens are automatically refreshed periodically

Enabling Token Protection

To enable subscription token protection:

  1. Go to Settings in the web panel
  2. Find the "Subscription Token Protection" option
  3. Toggle it to enabled
  4. Save the settings

Token Management

Tokens are automatically managed by the system:

  • New tokens are generated when clients are created
  • Tokens are refreshed periodically
  • Disabled clients receive new tokens when re-enabled
  • Expired or volume-limited clients are automatically disabled

Frontend Compatibility Notice

The frontend has not been modified or tested with these changes. All modifications and testing have been done through the API only. The frontend needs to be modified for ease of use.
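
A sketch of the token lifecycle the comment above describes (CSPRNG generation, 24-hour expiry, validation gated by the protection setting), added here as an example and not taken from the PR's code. `SubClient`, `RotateToken` and `Authorize` are hypothetical names, and the 128-bit hex token and the behaviour of ignoring the token when protection is off are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"time"
)

const tokenTTL = 24 * time.Hour // the 24-hour cycle named in the comment

// SubClient models only the two columns the comment adds (hypothetical struct).
type SubClient struct {
	SubToken string // sub_token
	SubExp   int64  // sub_exp, Unix seconds
}

// RotateToken issues a fresh 128-bit token from the OS CSPRNG and resets expiry.
func RotateToken(c *SubClient, now time.Time) error {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return err // fail closed: never fall back to a weaker source
	}
	c.SubToken = hex.EncodeToString(buf)
	c.SubExp = now.Add(tokenTTL).Unix()
	return nil
}

// Authorize decides whether a request for /sub/:subid[/:token] may proceed.
func Authorize(c *SubClient, presented string, protection bool, now time.Time) bool {
	if !protection {
		return true // assumption: with protection off the token is ignored
	}
	if c.SubToken == "" || presented == "" {
		return false // an unset token must never match an empty path segment
	}
	if now.Unix() >= c.SubExp {
		return false // expired tokens are rejected until the next rotation
	}
	// Constant-time comparison avoids leaking how many leading bytes matched.
	return subtle.ConstantTimeCompare([]byte(presented), []byte(c.SubToken)) == 1
}

func main() {
	c := &SubClient{}
	now := time.Now()
	if err := RotateToken(c, now); err != nil {
		panic(err)
	}
	fmt.Println(Authorize(c, c.SubToken, true, now), Authorize(c, "guess", true, now))
}
```

The empty-string guard matters because `subtle.ConstantTimeCompare` returns 1 for two empty slices, so a client row with no token yet would otherwise accept a request that supplies none.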

@Kagashini
Author

Kagashini commented Dec 8, 2025

The example problem: #928
