diff --git a/apps/authentication/middleware.py b/apps/authentication/middleware.py
index 4a6ba634a..148ee2f22 100644
--- a/apps/authentication/middleware.py
+++ b/apps/authentication/middleware.py
@@ -35,7 +35,7 @@ class MFAMiddleware:
 
         # 这个是 mfa 登录页需要的请求, 也得放出来, 用户其实已经在 CAS/OIDC 中完成登录了
         white_urls = [
-            'login/mfa', 'mfa/select', 'face/context','jsi18n/', '/static/',
+            'login/mfa', 'mfa/select', 'face/context', 'jsi18n/', '/static/',
             '/profile/otp', '/logout/',
         ]
         for url in white_urls:
@@ -77,6 +77,7 @@ class ThirdPartyLoginMiddleware(mixins.AuthMixin):
         ip = get_request_ip(request)
         try:
             self.request = request
+            self.check_is_block()
             self._check_third_party_login_acl()
             self._check_login_acl(request.user, ip)
         except Exception as e:
diff --git a/apps/users/utils.py b/apps/users/utils.py
index 8f831e5a4..4f75656d5 100644
--- a/apps/users/utils.py
+++ b/apps/users/utils.py
@@ -161,7 +161,7 @@ class BlockUtilBase:
     BLOCK_KEY_TMPL: str
 
     def __init__(self, username, ip):
-        username = username.lower()
+        username = username.lower() if username else ''
         self.username = username
         self.ip = ip
         self.limit_key = self.LIMIT_KEY_TMPL.format(username, ip)