fix: 修复鉴权绕过修复中的两个 bug

1. 路径规范化中间件只检查 API/OPEN 前缀大小写而非整个路径
   避免误拦截 /api/scripts/MyScript.js 等含大写的合法请求
2. init 中间件改用 pathLower 进行比较，补全防御深度

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

back/loaders/express.ts

@@ -21,18 +21,17 @@ export default ({ app }: { app: Application }) => {
   
   // Security: Path normalization middleware to prevent case variation attacks
   app.use((req, res, next) => {
-    const originalPath = req.path;
-    const normalizedPath = originalPath.toLowerCase();
-    
-    // Block requests with case variations on protected paths
-    if (originalPath !== normalizedPath && 
-        (normalizedPath.startsWith('/api/') || normalizedPath.startsWith('/open/'))) {
+    // Only check the API/OPEN prefix for case variations, not the entire path.
+    // This blocks /API/..., /Api/..., /OPEN/..., /Open/... bypass attempts
+    // while allowing legitimate mixed-case paths like /api/scripts/MyScript.js
+    const pathLower = req.path.toLowerCase();
+    if ((pathLower.startsWith('/api/') && !req.path.startsWith('/api/')) ||
+        (pathLower.startsWith('/open/') && !req.path.startsWith('/open/'))) {
       return res.status(400).json({
         code: 400,
-        message: 'Invalid path format'
+        message: 'Invalid path format',
       });
     }
-    
     next();
   });
   
@@ -126,7 +125,7 @@ export default ({ app }: { app: Application }) => {
         '/api/user/notification/init',
         '/open/user/init',
         '/open/user/notification/init',
-      ].includes(req.path)
+      ].includes(pathLower)
     ) {
       return next();
     }