From e56bdc8e8188adfefa95fc5721e02ff09f9be9c1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 22 Dec 2025 14:57:49 +0000
Subject: [PATCH] Apply code review suggestions: improve clarity and simplify
 logic

Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
---
 back/loaders/express.ts | 17 ++++++++++-------
 src/utils/http.tsx      |  3 ++-
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/back/loaders/express.ts b/back/loaders/express.ts
index 12f28342..9dbd9520 100644
--- a/back/loaders/express.ts
+++ b/back/loaders/express.ts
@@ -22,21 +22,22 @@ export default ({ app }: { app: Application }) => {
   app.use(bodyParser.urlencoded({ limit: '50mb', extended: true }));
 
   const frontendPath = path.join(config.rootPath, 'static/dist');
-  if (config.baseUrl) {
-    app.use(config.baseUrl, express.static(frontendPath));
-  } else {
-    app.use(express.static(frontendPath));
-  }
+  // Serve frontend static files at baseUrl (or root if baseUrl is empty)
+  app.use(config.baseUrl || '/', express.static(frontendPath));
 
   // Create base-URL-aware whitelist for JWT
   // When baseUrl is empty, paths remain as-is (e.g., '/api/user/login')
   // When baseUrl is set, paths are prefixed (e.g., '/qinglong/api/user/login')
   const jwtWhitelist = config.apiWhiteList.map(path => `${config.baseUrl}${path}`);
+  
+  // Helper to escape special regex characters
+  const escapeRegex = (str: string) => str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+  
   // Exclude non-API/non-open paths from JWT requirement
   // When baseUrl is set: exclude paths that don't start with baseUrl/api/ or baseUrl/open/
   // When baseUrl is empty: exclude paths that don't start with /api/ or /open/
   const jwtExcludePattern = config.baseUrl
-    ? `^(?!${config.baseUrl.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}/(api|open)/)`
+    ? `^(?!${escapeRegex(config.baseUrl)}/(api|open)/)`
     : '^(?!/(api|open)/)';
   const jwtExcludeRegex = new RegExp(jwtExcludePattern);
 
@@ -87,7 +88,9 @@ export default ({ app }: { app: Application }) => {
     }
 
     // req.path already includes the full path with baseUrl
-    // e.g., when baseUrl=/qinglong and request is /qinglong/api/user/login, req.path=/qinglong/api/user/login
+    // Previous logic used req.baseUrl (Express mount path) which is empty in our case
+    // since middleware is not mounted on a sub-router
+    // e.g., when request is /qinglong/api/user/login, req.path=/qinglong/api/user/login
     const originPath = req.path;
     if (
       !headerToken &&
diff --git a/src/utils/http.tsx b/src/utils/http.tsx
index 13be8dc6..b7cc783c 100644
--- a/src/utils/http.tsx
+++ b/src/utils/http.tsx
@@ -93,7 +93,8 @@ const apiWhiteListBase = [
 ];
 
 // Only modify paths if baseUrl is set and not the default '/'
-// Frontend baseUrl always ends with '/', so we remove leading '/' from paths
+// Note: Frontend baseUrl always ends with '/' (from serverEnv.ts normalization)
+// so we remove the leading '/' from paths before concatenation
 const apiWhiteList = config.baseUrl && config.baseUrl !== '/'
   ? apiWhiteListBase.map(path => `${config.baseUrl}${path.substring(1)}`)
   : apiWhiteListBase;