From 8adde831847af95c0627e1b732f84ffb4fade81e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 1 Mar 2026 09:37:23 +0000
Subject: [PATCH] fix: add /open/user/init paths to init guard to prevent auth
 bypass

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
---
 back/loaders/express.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/back/loaders/express.ts b/back/loaders/express.ts
index 63065a21..78e3e7d4 100644
--- a/back/loaders/express.ts
+++ b/back/loaders/express.ts
@@ -98,7 +98,14 @@ export default ({ app }: { app: Application }) => {
   });
 
   app.use(async (req, res, next) => {
-    if (!['/api/user/init', '/api/user/notification/init'].includes(req.path)) {
+    if (
+      ![
+        '/api/user/init',
+        '/api/user/notification/init',
+        '/open/user/init',
+        '/open/user/notification/init',
+      ].includes(req.path)
+    ) {
       return next();
     }
     const authInfo =