try middlewaring?

index.js

@@ -55,8 +55,22 @@ global.checkACL = function(req, perm) {
 	return false;
 };
 
-
-
+app.use((req, res, next) => {
+	const allowed = ["/", "/login", "/static/*", "/favicon.ico", "/robots.txt"];
+	const isAllowed = allowed.some(pattern => {
+		if (pattern.endsWith('*')) {
+			return req.path.startsWith(pattern.slice(0, -1));
+		}
+		return req.path === pattern;
+	});
+	if (isAllowed) {
+		return next();
+	}
+	if (!req.session.user) {
+		return res.redirect('/login?err=4');
+	}
+	res.redirect('/login')
+});
 app.use(cors());
 app.use(express.json());
 app.use(express.urlencoded({ extended: true }));