diff --git a/routes/upload.js b/routes/upload.js
index 96ab68e..344f5bf 100644
--- a/routes/upload.js
+++ b/routes/upload.js
@@ -2,7 +2,7 @@ const Router = require('koa-router')
 const multer = require('@koa/multer')
 const path = require('path')
 const fs = require('fs')
-const { requireStaffAuth } = require('../middleware/auth')
+const { requireAuth, requireStaffAuth } = require('../middleware/auth')
 
 const router = new Router()
 
@@ -11,6 +11,9 @@ const ALLOWED_EXTS = ['.jpg', '.jpeg', '.png', '.gif', '.webp']
 const MAX_SIZE = 5 * 1024 * 1024
 const ALLOWED_BUCKETS = ['goods', 'points', 'avatar', 'category']
 
+// 普通用户可上传的目录
+const USER_ALLOWED_BUCKETS = ['avatar']
+
 const uploadDir = path.join(__dirname, '..', 'public', 'uploads')
 
 const storage = multer.diskStorage({
@@ -44,6 +47,23 @@ const upload = multer({
   }
 })
 
+// 头像上传 - 所有已登录用户可用
+router.post('/avatar', requireAuth(), upload.single('file'), async (ctx) => {
+  if (!ctx.file) {
+    ctx.status = 400
+    ctx.body = { code: 400, message: '没有上传文件' }
+    return
+  }
+
+  const fileUrl = `/uploads/avatar/${ctx.file.filename}`
+  ctx.body = {
+    code: 200,
+    message: '上传成功',
+    url: fileUrl
+  }
+})
+
+// 通用上传 - staff/admin 可用
 router.post('/', requireStaffAuth(), upload.single('file'), async (ctx) => {
   if (!ctx.file) {
     ctx.status = 400