Address code review feedback: fix JWT regex and path construction

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

back/loaders/express.ts

@@ -30,8 +30,13 @@ export default ({ app }: { app: Application }) => {
 
   // Create base-URL-aware whitelist for JWT
   const jwtWhitelist = config.apiWhiteList.map(path => `${config.baseUrl}${path}`);
-  // Allow all paths that don't contain /api/ or /open/ to skip JWT
-  const jwtExcludeRegex = /^\/(?!.*\/(api|open)\/)/;
+  // Exclude non-API/non-open paths from JWT requirement
+  // When baseUrl is set: exclude paths that don't start with baseUrl/api/ or baseUrl/open/
+  // When baseUrl is empty: exclude paths that don't start with /api/ or /open/
+  const jwtExcludePattern = config.baseUrl
+    ? `^(?!${config.baseUrl.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}/(api|open)/)`
+    : '^(?!/(api|open)/)';
+  const jwtExcludeRegex = new RegExp(jwtExcludePattern);
 
   app.use(
     expressjwt({
@@ -79,7 +84,7 @@ export default ({ app }: { app: Application }) => {
       }
     }
 
-    const originPath = `${req.baseUrl}${req.path === '/' ? '' : req.path}`;
+    const originPath = `${config.baseUrl}${req.path === '/' ? '' : req.path}`;
     if (
       !headerToken &&
       originPath &&

src/utils/http.tsx

@@ -92,7 +92,10 @@ const apiWhiteListBase = [
   '/api/user/notification/init',
 ];
 
-const apiWhiteList = apiWhiteListBase.map(path => `${config.baseUrl}${path.replace(/^\//, '')}`);
+const apiWhiteList = config.baseUrl 
+  ? apiWhiteListBase.map(path => `${config.baseUrl}${path.replace(/^\//, '')}`)
+  : apiWhiteListBase;
+
 
 _request.interceptors.request.use((_config) => {
   const token = localStorage.getItem(config.authKey);