refactor(bootstrap): build RequireAuth once and reuse across route groups

appleboy · claude · appleboy · commit 4fc3d90e8eee · 2026-06-06T10:35:39.000+08:00
Cleanup follow-up. setupAllRoutes already constructs optionalAuth and
injectPending once and reuses them; the auth-middleware threading added a fresh
middleware.RequireAuth(h.userService, prometheusMetrics) at each of the 6 route
groups. Build it once into a local and reuse, matching the surrounding pattern
and collapsing the duplicated multi-line .Use() blocks. No behavior change.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/internal/bootstrap/router.go b/internal/bootstrap/router.go
@@ -193,8 +193,10 @@ func setupAllRoutes(
 		c.Redirect(http.StatusFound, "/account/sessions")
 	})
 
-	// Documentation routes (public, optional auth for navbar)
+	// Auth middlewares are stateless per request, so build each once and reuse
+	// across route groups (mirrors optionalAuth / injectPending below).
 	optionalAuth := middleware.OptionalAuth(h.userService, prometheusMetrics)
+	requireAuth := middleware.RequireAuth(h.userService, prometheusMetrics)
 	r.GET("/docs", optionalAuth, h.docs.ShowDocsIndex)
 	// :lang is either a supported locale code (new canonical form) or, for
 	// backwards-compatibility, a legacy slug; ShowDocsEntry disambiguates.
@@ -268,10 +270,7 @@ func setupAllRoutes(
 
 	// OAuth Authorization Code Flow (browser, requires login + CSRF)
 	oauthProtected := r.Group("/oauth")
-	oauthProtected.Use(
-		middleware.RequireAuth(h.userService, prometheusMetrics),
-		middleware.CSRFMiddleware(),
-	)
+	oauthProtected.Use(requireAuth, middleware.CSRFMiddleware())
 	{
 		oauthProtected.GET("/authorize", h.authorization.ShowAuthorizePage)
 		oauthProtected.POST("/authorize", h.authorization.HandleAuthorize)
@@ -283,23 +282,15 @@ func setupAllRoutes(
 
 	// Protected routes (require login)
 	protected := r.Group("")
-	protected.Use(
-		middleware.RequireAuth(h.userService, prometheusMetrics),
-		middleware.CSRFMiddleware(),
-		injectPending,
-	)
+	protected.Use(requireAuth, middleware.CSRFMiddleware(), injectPending)
 	{
 		protected.GET("/device", h.device.DevicePage)
 		protected.POST("/device/verify", rateLimiters.deviceVerify, h.device.DeviceVerify)
 	}
 
 	// Account routes (require login)
 	account := r.Group("/account")
-	account.Use(
-		middleware.RequireAuth(h.userService, prometheusMetrics),
-		middleware.CSRFMiddleware(),
-		injectPending,
-	)
+	account.Use(requireAuth, middleware.CSRFMiddleware(), injectPending)
 	{
 		account.GET("/sessions", h.session.ListSessions)
 		account.POST("/sessions/:id/revoke", h.session.RevokeSession)
@@ -313,11 +304,7 @@ func setupAllRoutes(
 
 	// User apps area (all authenticated users, not admin-only)
 	apps := r.Group("/apps")
-	apps.Use(
-		middleware.RequireAuth(h.userService, prometheusMetrics),
-		middleware.CSRFMiddleware(),
-		injectPending,
-	)
+	apps.Use(requireAuth, middleware.CSRFMiddleware(), injectPending)
 	{
 		apps.GET("", h.userClient.ShowMyAppsPage)
 		apps.GET("/new", h.userClient.ShowCreateAppPage)
@@ -333,7 +320,7 @@ func setupAllRoutes(
 	// Admin routes (require admin role)
 	admin := r.Group("/admin")
 	admin.Use(
-		middleware.RequireAuth(h.userService, prometheusMetrics),
+		requireAuth,
 		middleware.RequireAdmin(),
 		middleware.CSRFMiddleware(),
 		injectPending,
