From ee8fb688393beca8c30989ed86ad66a38ee8515a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 1 Mar 2026 09:39:35 +0000
Subject: [PATCH] Fix auth bypass: normalize URL path to lowercase before JWT/auth checks
Co-authored-by: whyour <22700758+whyour@users.noreply.github.com>
---
 back/loaders/express.ts | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/back/loaders/express.ts b/back/loaders/express.ts
index 63065a21..684e61e3 100644
--- a/back/loaders/express.ts
+++ b/back/loaders/express.ts
@@ -22,6 +22,14 @@ export default ({ app }: { app: Application }) => {
 app.use(rewrite(`${config.baseUrl}/*`, '/$1'));
 }
+ // Normalize URL path to lowercase to prevent authentication bypass via mixed-case paths
+ // e.g. /API/system/command-run should not bypass JWT checks designed for /api/...
+ // The regex only matches the path portion (stops at ? or #), preserving query strings.
+ app.use((req: Request, res: Response, next: NextFunction) => {
+ req.url = req.url.replace(/^[^?#]*/, (p) => p.toLowerCase());
+ next();
+ });
+
 app.get(`${config.api.prefix}/env.js`, serveEnv);
 app.use(`${config.api.prefix}/static`, express.static(config.uploadPath));