禁用常用入口

imzyb · imzyb · commit eb60cdd654e3 · 2026-02-24T19:36:19.000+08:00
diff --git a/functions/modules/api-handler.js b/functions/modules/api-handler.js
@@ -243,6 +243,19 @@ export async function handleSettingsGet(env) {
 export async function handleSettingsSave(request, env) {
     try {
         const newSettings = await request.json();
+
+        // 校验 customLoginPath 是否为系统保留路径
+        if (newSettings.customLoginPath) {
+            const reservedPaths = ['settings', 'login', 'groups', 'nodes', 'subscriptions', 'dashboard', 'api', 'explore'];
+            const pathSegment = newSettings.customLoginPath.replace(/^\/+/, '').split('/')[0].toLowerCase();
+            if (reservedPaths.includes(pathSegment)) {
+                return createJsonResponse({
+                    success: false,
+                    message: `"/${pathSegment}" 是系统保留路径，不可用作自定义登录路径`
+                }, 400);
+            }
+        }
+
         const storageAdapter = await getStorageAdapter(env);
         const oldSettings = await storageAdapter.get(KV_KEY_SETTINGS) || {};
         const finalSettings = { ...oldSettings, ...newSettings };
diff --git a/src/components/settings/sections/BasicSettings.vue b/src/components/settings/sections/BasicSettings.vue
@@ -17,7 +17,10 @@ import { useToastStore } from '../../../stores/toast';
 
 const { showToast } = useToastStore();
 
-// 监听自定义登录路径，禁止特殊字符和空格
+// 系统保留路径列表，这些路径会与前端路由或后端 API 冲突
+const RESERVED_PATHS = ['settings', 'login', 'groups', 'nodes', 'subscriptions', 'dashboard', 'api', 'explore'];
+
+// 监听自定义登录路径，禁止特殊字符、空格和保留路径
 watch(() => props.settings.customLoginPath, (val) => {
   if (!val) return;
   
@@ -27,6 +30,14 @@ watch(() => props.settings.customLoginPath, (val) => {
   if (sanitized !== val) {
     props.settings.customLoginPath = sanitized;
     showToast('路径仅允许字母、数字、下划线、中划线', 'warning');
+    return;
+  }
+
+  // 检查是否为保留路径（去除前后斜杠后比较首段）
+  const pathSegment = sanitized.replace(/^\/+/, '').split('/')[0].toLowerCase();
+  if (RESERVED_PATHS.includes(pathSegment)) {
+    props.settings.customLoginPath = '';
+    showToast(`"/${pathSegment}" 是系统保留路径，不可用作自定义登录路径`, 'error');
   }
 });
 
@@ -212,6 +223,9 @@ watch(() => props.settings.customLoginPath, (val) => {
              <p class="text-xs text-gray-500 dark:text-gray-400 mt-1">
                设置后，只有访问此路径才能进入登录页面。默认路径 <code>/login</code> 将失效（除非未设置）。
              </p>
+             <p class="text-xs text-amber-600 dark:text-amber-400 mt-1">
+               ⚠️ 不可使用系统保留路径：/settings, /login, /groups, /nodes, /subscriptions, /dashboard
+             </p>
           </div>
 
             <div v-show="disguiseConfig.enabled"
