middleware: allow public admin entry/static paths in CombinedAdminAuth to avoid blocking login page

Author: zy84338719

internal/handlers/setup.go

@@ -182,6 +182,9 @@ var OnDatabaseInitialized func(daoManager *repository.RepositoryManager)
 // initInProgress 用于防止并发初始化
 var initInProgress int32 = 0
 
+// onDBInitCalled 防止重复调用 OnDatabaseInitialized（多次 POST /setup 导致重复注册路由）
+var onDBInitCalled int32 = 0
+
 // InitializeNoDB 用于在没有 daoManager 的情况下处理 /setup/initialize 请求
 // 它会：验证请求、使用配置管理器初始化数据库、创建 daoManager、创建管理员用户，最后触发 OnDatabaseInitialized 回调
 func InitializeNoDB(manager *config.ConfigManager) gin.HandlerFunc {
@@ -394,13 +397,18 @@ func InitializeNoDB(manager *config.ConfigManager) gin.HandlerFunc {
 
 		// 触发回调以让主程序挂载其余路由并启动后台任务
 		if OnDatabaseInitialized != nil {
-			OnDatabaseInitialized(daoManager)
+			// 只允许调用一次，避免重复注册路由导致 gin panic
+			if atomic.CompareAndSwapInt32(&onDBInitCalled, 0, 1) {
+				OnDatabaseInitialized(daoManager)
+			} else {
+				log.Printf("[InitializeNoDB] OnDatabaseInitialized 已调用，跳过重复挂载")
+			}
 		}
 
 		common.SuccessWithMessage(c, "系统初始化成功", map[string]interface{}{
-			"message":        "系统初始化完成",
-			"admin_username": req.Admin.Username,
-			"database_type":  req.Database.Type,
+			"message":       "系统初始化完成",
+			"username":      req.Admin.Username,
+			"database_type": req.Database.Type,
 		})
 	}
 }
@@ -467,7 +475,7 @@ func (h *SetupHandler) Initialize(c *gin.Context) {
 	}
 
 	common.SuccessWithMessage(c, "系统初始化成功", map[string]interface{}{
-		"message":        "系统初始化完成",
-		"admin_username": req.Admin.Username,
+		"message":  "系统初始化完成",
+		"username": req.Admin.Username,
 	})
 }

internal/middleware/combined_auth.go

@@ -15,6 +15,17 @@ func CombinedAdminAuth(manager *config.ConfigManager, userService interface {
 	ValidateToken(string) (interface{}, error)
 }) gin.HandlerFunc {
 	return func(c *gin.Context) {
+		// Allow public access to admin front-end entry and static assets
+		// This prevents accidental interception of requests for the login page
+		// when an invalid/stale Authorization header is present.
+		p := c.Request.URL.Path
+		if p == "/admin/" || p == "/admin" ||
+			strings.HasPrefix(p, "/admin/css/") || strings.HasPrefix(p, "/admin/js/") ||
+			strings.HasPrefix(p, "/admin/assets/") || strings.HasPrefix(p, "/admin/templates/") ||
+			strings.HasPrefix(p, "/admin/components/") {
+			c.Next()
+			return
+		}
 		// 先尝试JWT用户认证
 		authHeader := c.GetHeader("Authorization")
 		if authHeader != "" {

internal/routes/admin.go

@@ -54,142 +54,135 @@ func SetupAdminRoutes(
 
 	}
 
+	// 将管理后台静态资源与前端入口注册为公开路由，允许未认证用户加载登录页面和相关静态资源
+	// 注意：API 路由仍然放在受保护的 authGroup 中
+	themeDir := "./" + cfg.ThemesSelect
+
+	// css
+	adminGroup.GET("/css/*filepath", func(c *gin.Context) {
+		fp := c.Param("filepath")
+		p := filepath.Join(themeDir, "admin", "css", fp)
+		if _, err := os.Stat(p); err != nil {
+			c.Status(404)
+			return
+		}
+		c.File(p)
+	})
+
+	// HEAD for css
+	adminGroup.HEAD("/css/*filepath", func(c *gin.Context) {
+		fp := c.Param("filepath")
+		p := filepath.Join(themeDir, "admin", "css", fp)
+		if _, err := os.Stat(p); err != nil {
+			c.Status(404)
+			return
+		}
+		c.File(p)
+	})
+
+	// js
+	adminGroup.GET("/js/*filepath", func(c *gin.Context) {
+		fp := c.Param("filepath")
+		p := filepath.Join(themeDir, "admin", "js", fp)
+		if _, err := os.Stat(p); err != nil {
+			c.Status(404)
+			return
+		}
+		c.File(p)
+	})
+
+	// HEAD for js
+	adminGroup.HEAD("/js/*filepath", func(c *gin.Context) {
+		fp := c.Param("filepath")
+		p := filepath.Join(themeDir, "admin", "js", fp)
+		if _, err := os.Stat(p); err != nil {
+			c.Status(404)
+			return
+		}
+		c.File(p)
+	})
+
+	// templates
+	adminGroup.GET("/templates/*filepath", func(c *gin.Context) {
+		fp := c.Param("filepath")
+		p := filepath.Join(themeDir, "admin", "templates", fp)
+		if _, err := os.Stat(p); err != nil {
+			c.Status(404)
+			return
+		}
+		c.File(p)
+	})
+
+	// HEAD for templates
+	adminGroup.HEAD("/templates/*filepath", func(c *gin.Context) {
+		fp := c.Param("filepath")
+		p := filepath.Join(themeDir, "admin", "templates", fp)
+		if _, err := os.Stat(p); err != nil {
+			c.Status(404)
+			return
+		}
+		c.File(p)
+	})
+
+	// assets and components
+	adminGroup.GET("/assets/*filepath", func(c *gin.Context) {
+		fp := c.Param("filepath")
+		p := filepath.Join(themeDir, "assets", fp)
+		if _, err := os.Stat(p); err != nil {
+			c.Status(404)
+			return
+		}
+		c.File(p)
+	})
+
+	// HEAD for assets
+	adminGroup.HEAD("/assets/*filepath", func(c *gin.Context) {
+		fp := c.Param("filepath")
+		p := filepath.Join(themeDir, "assets", fp)
+		if _, err := os.Stat(p); err != nil {
+			c.Status(404)
+			return
+		}
+		c.File(p)
+	})
+
+	adminGroup.GET("/components/*filepath", func(c *gin.Context) {
+		fp := c.Param("filepath")
+		p := filepath.Join(themeDir, "components", fp)
+		if _, err := os.Stat(p); err != nil {
+			c.Status(404)
+			return
+		}
+		c.File(p)
+	})
+
+	// HEAD for components
+	adminGroup.HEAD("/components/*filepath", func(c *gin.Context) {
+		fp := c.Param("filepath")
+		p := filepath.Join(themeDir, "components", fp)
+		if _, err := os.Stat(p); err != nil {
+			c.Status(404)
+			return
+		}
+		c.File(p)
+	})
+
+	// 管理前端入口公开：允许未认证用户加载登录页面
+	adminGroup.GET("/", func(c *gin.Context) {
+		static.ServeAdminPage(c, cfg)
+	})
+	// HEAD for admin entry
+	adminGroup.HEAD("/", func(c *gin.Context) {
+		static.ServeAdminPage(c, cfg)
+	})
+
 	// 使用复用的中间件实现（JWT 用户认证并要求 admin 角色）
 	combinedAuthMiddleware := middleware.CombinedAdminAuth(cfg, userService)
 
 	// 需要管理员认证的API路由组
 	authGroup := adminGroup.Group("")
 	authGroup.Use(combinedAuthMiddleware)
 	{
-		// 显式为管理后台静态资源注册受保护的 GET 处理器，确保这些静态文件也需要管理员认证
-		themeDir := "./" + cfg.ThemesSelect
-
-		// css
-		authGroup.GET("/css/*filepath", func(c *gin.Context) {
-			fp := c.Param("filepath")
-			p := filepath.Join(themeDir, "admin", "css", fp)
-			if _, err := os.Stat(p); err != nil {
-				c.Status(404)
-				return
-			}
-			c.File(p)
-		})
-
-		// HEAD for css (ensure middleware runs for HEAD as well)
-		authGroup.HEAD("/css/*filepath", func(c *gin.Context) {
-			fp := c.Param("filepath")
-			p := filepath.Join(themeDir, "admin", "css", fp)
-			if _, err := os.Stat(p); err != nil {
-				c.Status(404)
-				return
-			}
-			c.File(p)
-		})
-
-		// js
-		authGroup.GET("/js/*filepath", func(c *gin.Context) {
-			fp := c.Param("filepath")
-			p := filepath.Join(themeDir, "admin", "js", fp)
-			if _, err := os.Stat(p); err != nil {
-				c.Status(404)
-				return
-			}
-			c.File(p)
-		})
-
-		// HEAD for js
-		authGroup.HEAD("/js/*filepath", func(c *gin.Context) {
-			fp := c.Param("filepath")
-			p := filepath.Join(themeDir, "admin", "js", fp)
-			if _, err := os.Stat(p); err != nil {
-				c.Status(404)
-				return
-			}
-			c.File(p)
-		})
-
-		// templates
-		authGroup.GET("/templates/*filepath", func(c *gin.Context) {
-			fp := c.Param("filepath")
-			p := filepath.Join(themeDir, "admin", "templates", fp)
-			if _, err := os.Stat(p); err != nil {
-				c.Status(404)
-				return
-			}
-			c.File(p)
-		})
-
-		// HEAD for templates
-		authGroup.HEAD("/templates/*filepath", func(c *gin.Context) {
-			fp := c.Param("filepath")
-			p := filepath.Join(themeDir, "admin", "templates", fp)
-			if _, err := os.Stat(p); err != nil {
-				c.Status(404)
-				return
-			}
-			c.File(p)
-		})
-
-		// assets and components
-		authGroup.GET("/assets/*filepath", func(c *gin.Context) {
-			fp := c.Param("filepath")
-			p := filepath.Join(themeDir, "assets", fp)
-			if _, err := os.Stat(p); err != nil {
-				c.Status(404)
-				return
-			}
-			c.File(p)
-		})
-
-		// HEAD for assets
-		authGroup.HEAD("/assets/*filepath", func(c *gin.Context) {
-			fp := c.Param("filepath")
-			p := filepath.Join(themeDir, "assets", fp)
-			if _, err := os.Stat(p); err != nil {
-				c.Status(404)
-				return
-			}
-			c.File(p)
-		})
-		authGroup.GET("/components/*filepath", func(c *gin.Context) {
-			fp := c.Param("filepath")
-			p := filepath.Join(themeDir, "components", fp)
-			if _, err := os.Stat(p); err != nil {
-				c.Status(404)
-				return
-			}
-			c.File(p)
-		})
-
-		// HEAD for components
-		authGroup.HEAD("/components/*filepath", func(c *gin.Context) {
-			fp := c.Param("filepath")
-			p := filepath.Join(themeDir, "components", fp)
-			if _, err := os.Stat(p); err != nil {
-				c.Status(404)
-				return
-			}
-			c.File(p)
-		})
-		authGroup.GET("/components/*filepath", func(c *gin.Context) {
-			fp := c.Param("filepath")
-			p := filepath.Join(themeDir, "components", fp)
-			if _, err := os.Stat(p); err != nil {
-				c.Status(404)
-				return
-			}
-			c.File(p)
-		})
-
-		// 管理前端入口受保护：仅管理员可访问 /admin/
-		authGroup.GET("/", func(c *gin.Context) {
-			static.ServeAdminPage(c, cfg)
-		})
-		// HEAD for admin entry
-		authGroup.HEAD("/", func(c *gin.Context) {
-			static.ServeAdminPage(c, cfg)
-		})
-
 		// 仪表板和统计
 		authGroup.GET("/dashboard", adminHandler.Dashboard)
 		authGroup.GET("/stats", adminHandler.GetStats)

internal/routes/setup.go

@@ -15,6 +15,9 @@ import (
 	"github.com/zy84338719/filecodebox/internal/static"
 	"github.com/zy84338719/filecodebox/internal/storage"
 
+	"sync"
+	"sync/atomic"
+
 	"github.com/gin-gonic/gin"
 	"github.com/sirupsen/logrus"
 )
@@ -168,6 +171,22 @@ func RegisterDynamicRoutes(
 	daoManager *repository.RepositoryManager,
 	storageManager *storage.StorageManager,
 ) {
+	// 序列化注册，防止并发导致的重复注册 panic
+	dynamicRegisterMu.Lock()
+	defer dynamicRegisterMu.Unlock()
+
+	// 使用原子标志防止重复调用
+	if registerDynamicOnce() {
+		logrus.Info("动态路由已注册（atomic），跳过 RegisterDynamicRoutes")
+		return
+	}
+	// 如果动态路由已经注册（例如 /share/text/ 已存在），则跳过注册以防止重复注册导致 panic
+	for _, r := range router.Routes() {
+		if r.Method == "POST" && r.Path == "/share/text/" {
+			logrus.Info("动态路由已存在，跳过 RegisterDynamicRoutes")
+			return
+		}
+	}
 	// 创建具体的存储服务
 	storageService := storage.NewConcreteStorageService(manager)
 
@@ -195,6 +214,21 @@ func RegisterDynamicRoutes(
 	// System init routes are no longer needed after DB init
 }
 
+// package-level atomic to ensure RegisterDynamicRoutes runs only once
+var dynamicRoutesRegistered int32 = 0
+
+func registerDynamicOnce() bool {
+	// 如果已经设置，则返回 true
+	if atomic.LoadInt32(&dynamicRoutesRegistered) == 1 {
+		return true
+	}
+	// 尝试设置为 1
+	return !atomic.CompareAndSwapInt32(&dynamicRoutesRegistered, 0, 1)
+}
+
+// mutex to serialize dynamic route registration
+var dynamicRegisterMu sync.Mutex
+
 // SetupAllRoutes 设置所有路由（使用已初始化的处理器）
 func SetupAllRoutes(
 	router *gin.Engine,

internal/routes/share.go

@@ -17,6 +17,12 @@ func SetupShareRoutes(
 		ValidateToken(string) (interface{}, error)
 	},
 ) {
+	// 幂等检查：如果 /share/text/ 已注册则跳过（防止重复注册导致 gin panic）
+	for _, r := range router.Routes() {
+		if r.Method == "POST" && r.Path == "/share/text/" {
+			return
+		}
+	}
 	// 分享相关路由
 	shareGroup := router.Group("/share")
 	shareGroup.Use(middleware.ShareAuth(cfg))