From 0bae11def6b72ca38a080455e0a1b69646154a85 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 22 Dec 2025 14:51:49 +0000
Subject: [PATCH] Address code review feedback: fix JWT regex and path construction

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
---
 back/loaders/express.ts | 11 ++++++++---
 src/utils/http.tsx | 5 ++++-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/back/loaders/express.ts b/back/loaders/express.ts
index cf2b8546..1a933555 100644
--- a/back/loaders/express.ts
+++ b/back/loaders/express.ts
@@ -30,8 +30,13 @@ export default ({ app }: { app: Application }) => {
 // Create base-URL-aware whitelist for JWT
 const jwtWhitelist = config.apiWhiteList.map(path => `${config.baseUrl}${path}`);
 
- // Allow all paths that don't contain /api/ or /open/ to skip JWT
- const jwtExcludeRegex = /^\/(?!.*\/(api|open)\/)/;
+ // Exclude non-API/non-open paths from JWT requirement
+ // When baseUrl is set: exclude paths that don't start with baseUrl/api/ or baseUrl/open/
+ // When baseUrl is empty: exclude paths that don't start with /api/ or /open/
+ const jwtExcludePattern = config.baseUrl
+ ? `^(?!${config.baseUrl.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}/(api|open)/)`
+ : '^(?!/(api|open)/)';
+ const jwtExcludeRegex = new RegExp(jwtExcludePattern);
 
 app.use(
 expressjwt({
@@ -79,7 +84,7 @@ export default ({ app }: { app: Application }) => {
 }
 }
 
- const originPath = `${req.baseUrl}${req.path === '/' ? '' : req.path}`;
+ const originPath = `${config.baseUrl}${req.path === '/' ? '' : req.path}`;
 if (
 !headerToken &&
 originPath &&
diff --git a/src/utils/http.tsx b/src/utils/http.tsx
index 2a4ff01f..d0d03063 100644
--- a/src/utils/http.tsx
+++ b/src/utils/http.tsx
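Review bot: In back/loaders/express.ts (hunk at -30,8) the new `jwtExcludeRegex` is compiled without flags, so its `(api|open)` lookahead is case-sensitive, whereas Express matches route paths case-insensitively unless `case sensitive routing` is enabled. If that setting is off (not visible here), a path that differs from `/api/` only in letter case is classed as a non-API path and skips the JWT requirement while still reaching the API routers. Because the pattern is a negative lookahead, every construction mismatch fails open: a `config.baseUrl` ending in `/` would make the lookahead never match, so all paths would be excluded. I would compile it as `new RegExp(jwtExcludePattern, 'i')` and strip a trailing slash from `config.baseUrl` before escaping it. The enclosing arrow function, including the place where the regex is consumed, lies outside the hunk.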
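Review bot: In back/loaders/express.ts (hunk at -79,7) the rebuilt `originPath` prepends `config.baseUrl` to `req.path`, which is only correct if earlier middleware has already stripped the base prefix from the request URL; nothing in the hunk shows that. If `req.path` still carries the prefix, the result is doubled and could never equal an entry of `jwtWhitelist`, which it is presumably compared against in the condition that continues below the hunk. Since this value appears to decide which requests are accepted without a header token, the assumption should be recorded on the line, for example `// req.path is relative to config.baseUrl here (prefix stripped upstream); re-add it to compare with jwtWhitelist`. The middleware body starts and ends outside the hunk.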
@@ -92,7 +92,10 @@ const apiWhiteListBase = [
 '/api/user/notification/init',
 ];
 
-const apiWhiteList = apiWhiteListBase.map(path => `${config.baseUrl}${path.replace(/^\//, '')}`);
+const apiWhiteList = config.baseUrl
+ ? apiWhiteListBase.map(path => `${config.baseUrl}${path.replace(/^\//, '')}`)
+ : apiWhiteListBase;
+
 
 _request.interceptors.request.use((_config) => {
 const token = localStorage.getItem(config.authKey);
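Review bot: In src/utils/http.tsx the truthy branch removes each entry's leading slash before joining, so it produces a valid path only when `config.baseUrl` ends with `/`; a prefix without the trailing slash would yield entries that match no request URL, and the interceptor would no longer recognise the whitelisted endpoints. Whether the front-end config guarantees that shape is not visible here, so I would state it next to the expression, e.g. `// config.baseUrl ends with '/', hence each entry's leading slash is removed before joining`. The back end builds its list as `${config.baseUrl}${path}` without stripping, so the two sides appear to expect different baseUrl shapes, which is worth confirming. The interceptor callback continues past the end of the hunk.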