authorᴜɴᴋɴᴡᴏɴ <u@gogs.io>2020-04-05 06:36:08 +0800
committerGitHub <noreply@github.com>2020-04-05 06:36:08 +0800
commit07818d5fa5aef7dd7dca1d556f59c7a146a9b00c (patch)
tree14c89609a04f269123413f676a8cbe68c197de07 /internal/app
parentbae1d6ccd81cd427382a2456e7c3646bdac9cf46 (diff)
route: no session for routes without UI (#6066)
Not all routes need a session; registering the session and CSRF middleware globally is a waste of resources and creates a lot of one-off, never-used session records.
Diffstat (limited to 'internal/app')
-rw-r--r--internal/app/api.go8
-rw-r--r--internal/app/metrics.go12
2 files changed, 11 insertions, 9 deletions
diff --git a/internal/app/api.go b/internal/app/api.go
index c64e946e..94c2bbc0 100644
--- a/internal/app/api.go
+++ b/internal/app/api.go
@@ -9,8 +9,6 @@ import (
"github.com/microcosm-cc/bluemonday"
"gopkg.in/macaron.v1"
-
- "gogs.io/gogs/internal/context"
)
func ipynbSanitizer() *bluemonday.Policy {
@@ -24,13 +22,13 @@ func ipynbSanitizer() *bluemonday.Policy {
func SanitizeIpynb() macaron.Handler {
p := ipynbSanitizer()
- return func(c *context.Context) {
+ return func(c *macaron.Context) {
html, err := c.Req.Body().String()
if err != nil {
- c.Error(err, "read body")
+ c.Error(http.StatusInternalServerError, "read body")
return
}
- c.PlainText(http.StatusOK, p.Sanitize(html))
+ c.PlainText(http.StatusOK, []byte(p.Sanitize(html)))
}
}
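Review bot: The read error in SanitizeIpynb is now discarded. `c.Error(http.StatusInternalServerError, "read body")` sends a status and message, but `err` is no longer passed anywhere, so a failed body read leaves no server-side trace; log `err` with the project's logger before responding. Separately, `c.Req.Body().String()` buffers the entire request body, and since this route no longer goes through the project's own context type it is worth confirming that a size cap still applies upstream. If none does, wrapping the body with `http.MaxBytesReader` before reading would bound it.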
diff --git a/internal/app/metrics.go b/internal/app/metrics.go
index 80ff32f6..45a9b74e 100644
--- a/internal/app/metrics.go
+++ b/internal/app/metrics.go
@@ -9,14 +9,14 @@ import (
"gopkg.in/macaron.v1"
+ "gogs.io/gogs/internal/authutil"
"gogs.io/gogs/internal/conf"
- "gogs.io/gogs/internal/context"
)
func MetricsFilter() macaron.Handler {
- return func(c *context.Context) {
+ return func(w http.ResponseWriter, r *http.Request) {
if !conf.Prometheus.Enabled {
- c.Status(http.StatusNotFound)
+ w.WriteHeader(http.StatusNotFound)
return
}
@@ -24,6 +24,10 @@ func MetricsFilter() macaron.Handler {
return
}
- c.RequireBasicAuth(conf.Prometheus.BasicAuthUsername, conf.Prometheus.BasicAuthPassword)
+ username, password := authutil.DecodeBasic(r.Header)
+ if username != conf.Prometheus.BasicAuthUsername || password != conf.Prometheus.BasicAuthPassword {
+ w.WriteHeader(http.StatusForbidden)
+ return
+ }
}
}
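Review bot: The added `if` compares the configured username and password with `!=`, which is not a constant-time comparison; for a secret loaded from config, prefer `subtle.ConstantTimeCompare([]byte(password), []byte(conf.Prometheus.BasicAuthPassword)) != 1` from `crypto/subtle`, and the same for the username. A failed check now answers `http.StatusForbidden` with no challenge, whereas Basic auth clients generally expect `http.StatusUnauthorized` plus a `WWW-Authenticate` header, which the removed `RequireBasicAuth` call presumably supplied. It is also worth confirming, in the part of MetricsFilter above this hunk, that an empty configured username and password cannot be matched by a request carrying no Authorization header. The function body starts outside the hunk, so the guard preceding this check is not visible here.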