diff --git a/gateway/handlers/auth.go b/gateway/handlers/auth.go
index 075b521..85688b5 100644
--- a/gateway/handlers/auth.go
+++ b/gateway/handlers/auth.go
@@ -2,7 +2,6 @@ package handlers
 import (
 "net/http"
- "net/url"
 "strconv"
 "strings"
@@ -58,13 +57,7 @@ func PostLogin(db *gorm.DB) gin.HandlerFunc {
 }
 if returnURL != "" {
- decodedURL, err := url.QueryUnescape(returnURL)
- if err != nil {
- utils.Logger.Errorf("URL解码失败: %v", err)
- c.Redirect(http.StatusSeeOther, "/")
- return
- }
- c.Redirect(http.StatusSeeOther, decodedURL)
+ c.Redirect(http.StatusSeeOther, returnURL)
 return
 }
diff --git a/gateway/middleware/static_auth.go b/gateway/middleware/static_auth.go
index ac8240a..499194c 100644
--- a/gateway/middleware/static_auth.go
+++ b/gateway/middleware/static_auth.go
@@ -38,8 +38,13 @@ func StaticAuthMiddleware() gin.HandlerFunc {
 needAuth = true
 } else {
 // 检查是否在受保护列表中
+ decodedPath, err := url.QueryUnescape(requestPath)
+ if err != nil {
+ c.AbortWithStatus(400)
+ return
+ }
 for _, protectedURL := range protectedURLs {
- if requestPath == protectedURL {
+ if decodedPath == protectedURL {
 needAuth = true
 break
 }
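Review bot: `c.Redirect(http.StatusSeeOther, returnURL)` sends the browser wherever returnURL points, and nothing visible in this hunk restricts it to this site, so the post-login redirect can act as an open redirect. Where returnURL is read is outside the hunk, but if it comes from the request, the branch should accept only local paths, for example `if strings.HasPrefix(returnURL, "/") && !strings.HasPrefix(returnURL, "//") && !strings.Contains(returnURL, "\\") {`, and fall back to `/` otherwise. A one-line comment saying that returnURL is expected to arrive already decoded would also explain why the unescape step was dropped. PostLogin's body starts and ends outside the hunk.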
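Review bot: `url.QueryUnescape` is the query-string decoder and turns `+` into a space, so the added check compares a different string from the path the static handler will serve; for a path, use `decodedPath, err := url.PathUnescape(requestPath)`. How requestPath is obtained is outside the hunk, and if it is already the decoded `c.Request.URL.Path`, this decodes a second time and the checked path can again differ from the served one. The exact `decodedPath == protectedURL` match also fails open for non-canonical forms such as doubled slashes or `/./` segments, so consider `decodedPath = path.Clean(decodedPath)` before the loop, and `http.StatusBadRequest` instead of the literal `400`. No import change for this file appears in the diff, so confirm `net/url` is already imported; StaticAuthMiddleware's body continues outside the hunk.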