From 6bec52dca158481258315ba0fc2f11206df7b719 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Sun, 1 Mar 2026 18:02:21 +0800
Subject: [PATCH] Fix /open/user/init auth bypass allowing credential reset on initialized systems (#2941)

* Initial plan

* fix: add /open/user/init paths to init guard to prevent auth bypass

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
Co-authored-by: whyour
---
 back/loaders/express.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/back/loaders/express.ts b/back/loaders/express.ts
index 2807ece0..b5bf221b 100644
--- a/back/loaders/express.ts
+++ b/back/loaders/express.ts
@@ -120,7 +120,14 @@ export default ({ app }: { app: Application }) => {
   app.use(async (req, res, next) => {
     const pathLower = req.path.toLowerCase();
-    if (!['/api/user/init', '/api/user/notification/init'].includes(pathLower)) {
+    if (
+      ![
+        '/api/user/init',
+        '/api/user/notification/init',
+        '/open/user/init',
+        '/open/user/notification/init',
+      ].includes(req.path)
+    ) {
       return next();
     }
     const authInfo =