fix: config migration uses hardcoded field injection, no ostp --init; fix init template api fields

Cargo.lock

@@ -1086,7 +1086,7 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
 
 [[package]]
 name = "ostp"
-version = "0.2.38"
+version = "0.2.39"
 dependencies = [
  "anyhow",
  "base64",
@@ -1106,7 +1106,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-client"
-version = "0.2.38"
+version = "0.2.39"
 dependencies = [
  "anyhow",
  "base64",
@@ -1132,7 +1132,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-core"
-version = "0.2.38"
+version = "0.2.39"
 dependencies = [
  "anyhow",
  "bytes",
@@ -1163,7 +1163,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-server"
-version = "0.2.38"
+version = "0.2.39"
 dependencies = [
  "anyhow",
  "axum",
@@ -1193,7 +1193,7 @@ dependencies = [
 
 [[package]]
 name = "ostp-tun-helper"
-version = "0.2.38"
+version = "0.2.39"
 dependencies = [
  "anyhow",
  "chrono",

Cargo.toml

@@ -12,7 +12,7 @@ resolver = "2"
 [workspace.package]
 edition = "2021"
 license = "BSL 1.1"
-version = "0.2.38"
+version = "0.2.39"
 
 [workspace.dependencies]
 anyhow = "1.0"

ostp/src/main.rs

@@ -601,7 +601,6 @@ async fn run_app() -> Result<()> {
         let key = generate_secure_key("hex");
         let content = if is_server {
             let (priv_key, pub_key, sid) = generate_reality_keys();
-            let api_token = generate_secure_key("hex");
             format!(r#"{{
   // OSTP Server Configuration
   "mode": "server",
@@ -631,12 +630,15 @@ async fn run_app() -> Result<()> {
     ]
   }},
   
-  // Management REST API for third-party panels.
+  // Web control panel
   "api": {{
     "enabled": false,
-    "bind": "127.0.0.1:9090",
+    "bind": "0.0.0.0:9090",
-    // Set a strong token for authentication. Leave empty to disable auth.
+    // Secret URL path to hide panel from scanners (e.g. "mySecret123")
-    "token": "{}"
+    "webpath": "",
+    // Login credentials for web panel (password stored as SHA256 hash)
+    "username": "",
+    "password_hash": ""
   }},
   
   // Fallback TCP proxy: unrecognized connections are proxied to a web server (anti-DPI).
@@ -657,7 +659,7 @@ async fn run_app() -> Result<()> {
     "sni_list": ["www.microsoft.com"]
   }},
   "debug": false
-}}"#, key, api_token, priv_key, pub_key, sid)
+}}"#, key, priv_key, pub_key, sid)
         } else if mode_str == "relay" {
             r#"{
   // OSTP Relay Node Configuration

scripts/install.sh

@@ -150,62 +150,50 @@ if [ -f "$CONFIG_FILE" ]; then
 
     # ── Config migration: add new fields, preserve existing values ──
     echo "Checking for new config fields..."
-    CURRENT_MODE=$(python3 -c "
+    python3 << 'PYEOF'
 import json, sys
-with open('$CONFIG_FILE') as f:
+
+CONFIG = '/etc/ostp/config.json'
+
+with open(CONFIG) as f:
     raw = f.read()
-# strip // comments
 lines = [l for l in raw.split('\n') if not l.strip().startswith('//')]
-try:
+cfg = json.loads('\n'.join(lines))
-    d = json.loads('\n'.join(lines))
-    print(d.get('mode',''))
-except:
-    print('')
-" 2>/dev/null)
 
-    if [ -n "$CURRENT_MODE" ]; then
+changed = False
-        TEMP_TEMPLATE="/tmp/ostp_template_$$.json"
-        "$INSTALL_DIR/ostp" --init "$CURRENT_MODE" --config "$TEMP_TEMPLATE" 2>/dev/null
 
-        if [ -f "$TEMP_TEMPLATE" ]; then
+# Ensure api section has all modern fields
-            python3 << PYEOF
+if cfg.get('mode') == 'server':
-import json, sys
+    if 'api' not in cfg:
+        cfg['api'] = {}
+        changed = True
 
-def deep_merge(template, existing):
+    api_defaults = {
-    """Merge: existing wins for all present keys; template adds missing keys."""
+        'enabled': False,
-    if not isinstance(template, dict) or not isinstance(existing, dict):
+        'bind': '0.0.0.0:9090',
-        return existing
+        'webpath': '',
-    result = dict(template)  # start with template defaults
+        'username': '',
-    for k, v in existing.items():
+        'password_hash': '',
-        if k in result and isinstance(result[k], dict) and isinstance(v, dict):
+    }
-            result[k] = deep_merge(result[k], v)
+    for k, v in api_defaults.items():
+        if k not in cfg['api']:
+            cfg['api'][k] = v
+            changed = True
+            print(f'[migration] Added api.{k} = {json.dumps(v)}')
+
+    # Remove legacy "token" field if present
+    if 'token' in cfg['api']:
+        del cfg['api']['token']
+        changed = True
+        print('[migration] Removed legacy api.token field')
+
+if changed:
+    with open(CONFIG, 'w') as f:
+        json.dump(cfg, f, indent=2, ensure_ascii=False)
+    print('[ok] Config migrated: new fields added, existing data preserved.')
 else:
-            result[k] = v  # existing value always wins
+    print('[ok] Config is up to date, no migration needed.')
-    return result
-
-with open('$CONFIG_FILE') as f:
-    raw = f.read()
-lines = [l for l in raw.split('\n') if not l.strip().startswith('//')]
-existing = json.loads('\n'.join(lines))
-
-with open('$TEMP_TEMPLATE') as f:
-    raw2 = f.read()
-lines2 = [l for l in raw2.split('\n') if not l.strip().startswith('//')]
-template = json.loads('\n'.join(lines2))
-
-merged = deep_merge(template, existing)
-
-with open('$CONFIG_FILE', 'w') as f:
-    json.dump(merged, f, indent=2, ensure_ascii=False)
-print("[ok] Config migrated: new fields added, existing data preserved.")
 PYEOF
-            rm -f "$TEMP_TEMPLATE"
-        else
-            echo "[warn] Could not generate template for migration. Config unchanged."
-        fi
-    else
-        echo "[warn] Could not detect config mode. Config unchanged."
-    fi
 
     # Update systemd service to use new paths
     if [ -f "/etc/systemd/system/ostp.service" ]; then