From 78aca25722f571227d95ceb8a14e6b969151a1d1 Mon Sep 17 00:00:00 2001
From: mofeng <mofeng654321@hotmail.com>
Date: Thu, 29 Jan 2026 20:16:53 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E9=83=A8=E5=88=86?=
 =?UTF-8?q?=E8=B5=84=E6=BA=90=E6=9C=AA=E6=8E=88=E6=9D=83=E8=AE=BF=E9=97=AE?=
 =?UTF-8?q?=EF=BC=8C=E5=88=A0=E9=99=A4=E5=86=97=E4=BD=99=20Admin=20?=
 =?UTF-8?q?=E5=88=A4=E6=96=AD=E9=80=BB=E8=BE=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/auth/middleware.rs                    | 31 ++++++++++++-----------
 src/web/handlers/mod.rs                   |  2 --
 src/web/routes.rs                         | 13 +++-------
 web/src/api/index.ts                      |  2 +-
 web/src/components/ActionBar.vue          | 22 +++++++---------
 web/src/components/AudioConfigPopover.vue |  9 +++----
 web/src/components/HidConfigPopover.vue   | 11 +++-----
 web/src/components/VideoConfigPopover.vue | 13 +++-------
 web/src/stores/auth.ts                    | 12 ---------
 web/src/views/ConsoleView.vue             |  5 ++--
 10 files changed, 43 insertions(+), 77 deletions(-)

diff --git a/src/auth/middleware.rs b/src/auth/middleware.rs
index 2f8daee8..5bbbd2f0 100644
--- a/src/auth/middleware.rs
+++ b/src/auth/middleware.rs
@@ -40,20 +40,20 @@ pub async fn auth_middleware(
     mut request: Request,
     next: Next,
 ) -> Result<Response, StatusCode> {
+    let raw_path = request.uri().path();
+    // When this middleware is mounted under /api, Axum strips the prefix for the inner router.
+    // Normalize the path so checks work whether it is mounted or not.
+    let path = raw_path.strip_prefix("/api").unwrap_or(raw_path);
+
     // Check if system is initialized
     if !state.config.is_initialized() {
-        // Allow access to setup endpoints when not initialized
-        let path = request.uri().path();
-        if path.starts_with("/api/setup")
-            || path == "/api/info"
-            || path.starts_with("/") && !path.starts_with("/api/")
-        {
+        // Allow only setup-related endpoints when not initialized
+        if is_setup_public_endpoint(path) {
             return Ok(next.run(request).await);
         }
     }
 
     // Public endpoints that don't require auth
-    let path = request.uri().path();
     if is_public_endpoint(path) {
         return Ok(next.run(request).await);
     }
@@ -89,21 +89,14 @@ fn unauthorized_response(message: &str) -> Response {
 
 /// Check if endpoint is public (no auth required)
 fn is_public_endpoint(path: &str) -> bool {
-    // Note: paths here are relative to /api since middleware is applied before nest
+    // Note: paths here are relative to /api since middleware is applied within the nested router
     matches!(
         path,
         "/"
         | "/auth/login"
-        | "/info"
         | "/health"
         | "/setup"
         | "/setup/init"
-        // Also check with /api prefix for direct access
-        | "/api/auth/login"
-        | "/api/info"
-        | "/api/health"
-        | "/api/setup"
-        | "/api/setup/init"
     ) || path.starts_with("/assets/")
         || path.starts_with("/static/")
         || path.ends_with(".js")
@@ -112,3 +105,11 @@ fn is_public_endpoint(path: &str) -> bool {
         || path.ends_with(".png")
         || path.ends_with(".svg")
 }
+
+/// Setup-only endpoints allowed before initialization.
+fn is_setup_public_endpoint(path: &str) -> bool {
+    matches!(
+        path,
+        "/setup" | "/setup/init" | "/devices" | "/stream/codecs"
+    )
+}
diff --git a/src/web/handlers/mod.rs b/src/web/handlers/mod.rs
index 5e8eb036..77ddc52b 100644
--- a/src/web/handlers/mod.rs
+++ b/src/web/handlers/mod.rs
@@ -465,7 +465,6 @@ pub async fn logout(
 pub struct AuthCheckResponse {
     pub authenticated: bool,
     pub user: Option<String>,
-    pub is_admin: bool,
 }
 
 pub async fn auth_check(
@@ -481,7 +480,6 @@ pub async fn auth_check(
     Json(AuthCheckResponse {
         authenticated: true,
         user: username,
-        is_admin: true,
     })
 }
 
diff --git a/src/web/routes.rs b/src/web/routes.rs
index f8c6a91b..02e74bf5 100644
--- a/src/web/routes.rs
+++ b/src/web/routes.rs
@@ -32,7 +32,7 @@ pub fn create_router(state: Arc<AppState>) -> Router {
         .route("/setup", get(handlers::setup_status))
         .route("/setup/init", post(handlers::setup_init));
 
-    // User routes (authenticated users - both regular and admin)
+    // Authenticated routes (all logged-in users)
     let user_routes = Router::new()
         .route("/info", get(handlers::system_info))
         .route("/auth/logout", post(handlers::logout))
@@ -71,10 +71,6 @@ pub fn create_router(state: Arc<AppState>) -> Router {
         .route("/audio/devices", get(handlers::list_audio_devices))
         // Audio WebSocket endpoint
         .route("/ws/audio", any(audio_ws_handler))
-        ;
-
-    // Admin-only routes (require admin privileges)
-    let admin_routes = Router::new()
         // Configuration management (domain-separated endpoints)
         .route("/config", get(handlers::config::get_all_config))
         .route("/config", post(handlers::update_config))
@@ -199,11 +195,10 @@ pub fn create_router(state: Arc<AppState>) -> Router {
         .route("/terminal", get(handlers::terminal::terminal_index))
         .route("/terminal/", get(handlers::terminal::terminal_index))
         .route("/terminal/ws", get(handlers::terminal::terminal_ws))
-        .route("/terminal/{*path}", get(handlers::terminal::terminal_proxy))
-        ;
+        .route("/terminal/{*path}", get(handlers::terminal::terminal_proxy));
 
-    // Combine protected routes (user + admin)
-    let protected_routes = Router::new().merge(user_routes).merge(admin_routes);
+    // Protected routes (all authenticated users)
+    let protected_routes = user_routes;
 
     // Stream endpoints (accessible with auth, but typically embedded in pages)
     let stream_routes = Router::new()
diff --git a/web/src/api/index.ts b/web/src/api/index.ts
index 8ee2459e..5cc503ae 100644
--- a/web/src/api/index.ts
+++ b/web/src/api/index.ts
@@ -16,7 +16,7 @@ export const authApi = {
     request<{ success: boolean }>('/auth/logout', { method: 'POST' }),
 
   check: () =>
-    request<{ authenticated: boolean; user?: string; is_admin?: boolean }>('/auth/check'),
+    request<{ authenticated: boolean; user?: string }>('/auth/check'),
 
   changePassword: (currentPassword: string, newPassword: string) =>
     request<{ success: boolean }>('/auth/password', {
diff --git a/web/src/components/ActionBar.vue b/web/src/components/ActionBar.vue
index d600f52b..8aa0e268 100644
--- a/web/src/components/ActionBar.vue
+++ b/web/src/components/ActionBar.vue
@@ -52,14 +52,13 @@ const overflowMenuOpen = ref(false)
 const hidBackend = computed(() => (systemStore.hid?.backend ?? '').toLowerCase())
 const isCh9329Backend = computed(() => hidBackend.value.includes('ch9329'))
 const showMsd = computed(() => {
-  return props.isAdmin && !isCh9329Backend.value
+  return !!systemStore.msd?.available && !isCh9329Backend.value
 })
 
 const props = defineProps<{
   mouseMode?: 'absolute' | 'relative'
   videoMode?: VideoMode
   ttydRunning?: boolean
-  isAdmin?: boolean
 }>()
 
 const emit = defineEmits<{
@@ -93,18 +92,16 @@ const extensionOpen = ref(false)
         <VideoConfigPopover
           v-model:open="videoPopoverOpen"
           :video-mode="props.videoMode || 'mjpeg'"
-          :is-admin="props.isAdmin"
           @update:video-mode="emit('update:videoMode', $event)"
         />
 
         <!-- Audio Config - Always visible -->
-        <AudioConfigPopover v-model:open="audioPopoverOpen" :is-admin="props.isAdmin" />
+        <AudioConfigPopover v-model:open="audioPopoverOpen" />
 
         <!-- HID Config - Always visible -->
         <HidConfigPopover
           v-model:open="hidPopoverOpen"
           :mouse-mode="mouseMode"
-          :is-admin="props.isAdmin"
           @update:mouse-mode="emit('toggleMouseMode')"
         />
 
@@ -125,7 +122,7 @@ const extensionOpen = ref(false)
         </TooltipProvider>
 
         <!-- ATX Power Control - Hidden on small screens -->
-        <Popover v-if="props.isAdmin" v-model:open="atxOpen" class="hidden sm:block">
+        <Popover v-model:open="atxOpen" class="hidden sm:block">
           <PopoverTrigger as-child>
             <Button variant="ghost" size="sm" class="h-8 gap-1.5 text-xs">
               <Power class="h-4 w-4" />
@@ -159,8 +156,8 @@ const extensionOpen = ref(false)
 
       <!-- Right side buttons -->
       <div class="flex items-center gap-1.5 shrink-0">
-        <!-- Extension Menu - Admin only, hidden on small screens -->
-        <Popover v-if="props.isAdmin" v-model:open="extensionOpen" class="hidden lg:block">
+        <!-- Extension Menu - Hidden on small screens -->
+        <Popover v-model:open="extensionOpen" class="hidden lg:block">
           <PopoverTrigger as-child>
             <Button variant="ghost" size="sm" class="h-8 gap-1.5 text-xs">
               <Cable class="h-4 w-4" />
@@ -183,8 +180,8 @@ const extensionOpen = ref(false)
           </PopoverContent>
         </Popover>
 
-        <!-- Settings - Admin only, hidden on small screens -->
-        <TooltipProvider v-if="props.isAdmin" class="hidden lg:block">
+        <!-- Settings - Hidden on small screens -->
+        <TooltipProvider class="hidden lg:block">
           <Tooltip>
             <TooltipTrigger as-child>
               <Button variant="ghost" size="sm" class="h-8 gap-1.5 text-xs" @click="router.push('/settings')">
@@ -270,7 +267,7 @@ const extensionOpen = ref(false)
             </DropdownMenuItem>
 
             <!-- ATX - Mobile only -->
-            <DropdownMenuItem v-if="props.isAdmin" class="sm:hidden" @click="atxOpen = true; overflowMenuOpen = false">
+            <DropdownMenuItem class="sm:hidden" @click="atxOpen = true; overflowMenuOpen = false">
               <Power class="h-4 w-4 mr-2" />
               {{ t('actionbar.power') }}
             </DropdownMenuItem>
@@ -291,7 +288,6 @@ const extensionOpen = ref(false)
 
             <!-- Extension - Tablet and below -->
             <DropdownMenuItem
-              v-if="props.isAdmin"
               class="lg:hidden"
               :disabled="!props.ttydRunning"
               @click="emit('openTerminal'); overflowMenuOpen = false"
@@ -301,7 +297,7 @@ const extensionOpen = ref(false)
             </DropdownMenuItem>
 
             <!-- Settings - Tablet and below -->
-            <DropdownMenuItem v-if="props.isAdmin" class="lg:hidden" @click="router.push('/settings'); overflowMenuOpen = false">
+            <DropdownMenuItem class="lg:hidden" @click="router.push('/settings'); overflowMenuOpen = false">
               <Settings class="h-4 w-4 mr-2" />
               {{ t('actionbar.settings') }}
             </DropdownMenuItem>
diff --git a/web/src/components/AudioConfigPopover.vue b/web/src/components/AudioConfigPopover.vue
index 2b1aabf7..7d1590e6 100644
--- a/web/src/components/AudioConfigPopover.vue
+++ b/web/src/components/AudioConfigPopover.vue
@@ -30,7 +30,6 @@ interface AudioDevice {
 
 const props = defineProps<{
   open: boolean
-  isAdmin?: boolean
 }>()
 
 const emit = defineEmits<{
@@ -203,11 +202,10 @@ watch(() => props.open, (isOpen) => {
           </div>
         </div>
 
-        <!-- Device Settings (requires apply) - Admin only -->
-        <template v-if="props.isAdmin">
-          <Separator />
+        <!-- Device Settings (requires apply) -->
+        <Separator />
 
-          <div class="space-y-3">
+        <div class="space-y-3">
             <div class="flex items-center justify-between">
               <h5 class="text-xs font-medium text-muted-foreground">
                 {{ t('actionbar.audioDeviceSettings') }}
@@ -311,7 +309,6 @@ watch(() => props.open, (isOpen) => {
               <span>{{ applying ? t('actionbar.applying') : t('common.apply') }}</span>
             </Button>
           </div>
-        </template>
       </div>
     </PopoverContent>
   </Popover>
diff --git a/web/src/components/HidConfigPopover.vue b/web/src/components/HidConfigPopover.vue
index a2fd02a9..9f640692 100644
--- a/web/src/components/HidConfigPopover.vue
+++ b/web/src/components/HidConfigPopover.vue
@@ -27,7 +27,6 @@ import { useSystemStore } from '@/stores/system'
 const props = defineProps<{
   open: boolean
   mouseMode?: 'absolute' | 'relative'
-  isAdmin?: boolean
 }>()
 
 const emit = defineEmits<{
@@ -304,11 +303,10 @@ watch(() => props.open, (isOpen) => {
           </div>
         </div>
 
-        <!-- HID Device Settings (Requires Apply) - Admin only -->
-        <template v-if="props.isAdmin">
-          <Separator />
+        <!-- HID Device Settings (Requires Apply) -->
+        <Separator />
 
-          <div class="space-y-3">
+        <div class="space-y-3">
           <div class="flex items-center justify-between">
             <h5 class="text-xs font-medium text-muted-foreground">{{ t('actionbar.hidDeviceSettings') }}</h5>
             <Button
@@ -393,8 +391,7 @@ watch(() => props.open, (isOpen) => {
             <Loader2 v-if="applying" class="h-3.5 w-3.5 mr-1.5 animate-spin" />
             <span>{{ applying ? t('actionbar.applying') : t('common.apply') }}</span>
           </Button>
-        </div>
-        </template>
+          </div>
       </div>
     </PopoverContent>
   </Popover>
diff --git a/web/src/components/VideoConfigPopover.vue b/web/src/components/VideoConfigPopover.vue
index d5d08b53..6ceb9321 100644
--- a/web/src/components/VideoConfigPopover.vue
+++ b/web/src/components/VideoConfigPopover.vue
@@ -43,7 +43,6 @@ interface VideoDevice {
 const props = defineProps<{
   open: boolean
   videoMode: VideoMode
-  isAdmin?: boolean
 }>()
 
 const emit = defineEmits<{
@@ -619,9 +618,7 @@ watch(currentConfig, () => {
             </div>
           </div>
 
-          <!-- Settings Link - Admin only -->
           <Button
-            v-if="props.isAdmin"
             variant="ghost"
             size="sm"
             class="w-full h-7 text-xs text-muted-foreground hover:text-foreground justify-start px-0"
@@ -632,11 +629,10 @@ watch(currentConfig, () => {
           </Button>
         </div>
 
-        <!-- Device Settings Section - Admin only -->
-        <template v-if="props.isAdmin">
-          <Separator />
+        <!-- Device Settings Section -->
+        <Separator />
 
-          <div class="space-y-3">
+        <div class="space-y-3">
           <div class="flex items-center justify-between">
             <h5 class="text-xs font-medium text-muted-foreground">{{ t('actionbar.deviceSettings') }}</h5>
             <Button
@@ -784,8 +780,7 @@ watch(currentConfig, () => {
             <Loader2 v-if="applying" class="h-3.5 w-3.5 mr-1.5 animate-spin" />
             <span>{{ applying ? t('actionbar.applying') : t('common.apply') }}</span>
           </Button>
-        </div>
-        </template>
+          </div>
       </div>
     </PopoverContent>
   </Popover>
diff --git a/web/src/stores/auth.ts b/web/src/stores/auth.ts
index 08bdd3f8..5c5817f8 100644
--- a/web/src/stores/auth.ts
+++ b/web/src/stores/auth.ts
@@ -4,7 +4,6 @@ import { authApi, systemApi } from '@/api'
 
 export const useAuthStore = defineStore('auth', () => {
   const user = ref<string | null>(null)
-  const isAdmin = ref(false)
   const isAuthenticated = ref(false)
   const initialized = ref(false)
   const needsSetup = ref(false)
@@ -30,12 +29,10 @@ export const useAuthStore = defineStore('auth', () => {
       const result = await authApi.check()
       isAuthenticated.value = result.authenticated
       user.value = result.user || null
-      isAdmin.value = result.is_admin ?? false
       return result
     } catch (e) {
       isAuthenticated.value = false
       user.value = null
-      isAdmin.value = false
       error.value = e instanceof Error ? e.message : 'Not authenticated'
       if (e instanceof Error) {
         throw e
@@ -53,13 +50,6 @@ export const useAuthStore = defineStore('auth', () => {
       if (result.success) {
         isAuthenticated.value = true
         user.value = username
-        // After login, fetch admin status
-        try {
-          const authResult = await authApi.check()
-          isAdmin.value = authResult.is_admin ?? false
-        } catch {
-          isAdmin.value = false
-        }
         return true
       } else {
         error.value = result.message || 'Login failed'
@@ -79,7 +69,6 @@ export const useAuthStore = defineStore('auth', () => {
     } finally {
       isAuthenticated.value = false
       user.value = null
-      isAdmin.value = false
     }
   }
 
@@ -124,7 +113,6 @@ export const useAuthStore = defineStore('auth', () => {
 
   return {
     user,
-    isAdmin,
     isAuthenticated,
     initialized,
     needsSetup,
diff --git a/web/src/views/ConsoleView.vue b/web/src/views/ConsoleView.vue
index 8bac35db..51b3acfd 100644
--- a/web/src/views/ConsoleView.vue
+++ b/web/src/views/ConsoleView.vue
@@ -1923,9 +1923,9 @@ onUnmounted(() => {
             :details="hidDetails"
           />
 
-          <!-- MSD Status - Admin only, hidden when CH9329 backend (no USB gadget support) -->
+          <!-- MSD Status - Hidden when CH9329 backend (no USB gadget support) -->
           <StatusCard
-            v-if="authStore.isAdmin && systemStore.msd?.available && systemStore.hid?.backend !== 'ch9329'"
+            v-if="systemStore.msd?.available && systemStore.hid?.backend !== 'ch9329'"
             :title="t('statusCard.msd')"
             type="msd"
             :status="msdStatus"
@@ -1988,7 +1988,6 @@ onUnmounted(() => {
       :mouse-mode="mouseMode"
       :video-mode="videoMode"
       :ttyd-running="ttydStatus?.running"
-      :is-admin="authStore.isAdmin"
       @toggle-fullscreen="toggleFullscreen"
       @toggle-stats="statsSheetOpen = true"
       @toggle-virtual-keyboard="handleToggleVirtualKeyboard"