some improvements

Author: lunny

routers/api/v1/api.go

@@ -569,8 +569,8 @@ func bind(obj interface{}) http.HandlerFunc {
 func buildAuthGroup() *auth.Group {
 	group := auth.NewGroup(
 		&auth.OAuth2{},
-		&auth.Basic{},
-		auth.SharedSession,
+		&auth.Basic{},      // FIXME: this should be removed once we don't allow basic auth in API
+		auth.SharedSession, // FIXME: this should be removed once all UI don't reference API/v1, see https://github.com/go-gitea/gitea/pull/16052
 	)
 	if setting.Service.EnableReverseProxyAuth {
 		group.Add(&auth.ReverseProxy{})
@@ -600,8 +600,13 @@ func Routes(sessioner func(http.Handler) http.Handler) *web.Route {
 	}
 	m.Use(context.APIContexter())
 
+	group := buildAuthGroup()
+	if err := group.Init(); err != nil {
+		log.Error("Could not initialize '%s' auth method, error: %s", group.Name(), err)
+	}
+
 	// Get user from session if logged in.
-	m.Use(context.APIAuth(buildAuthGroup()))
+	m.Use(context.APIAuth(group))
 
 	m.Use(context.ToggleAPI(&context.ToggleOptions{
 		SignInRequired: setting.Service.RequireSignInView,

routers/web/web.go

@@ -79,8 +79,8 @@ func CorsHandler() func(next http.Handler) http.Handler {
 // for users that have already signed in.
 func buildAuthGroup() *auth_service.Group {
 	group := auth_service.NewGroup(
-		&auth_service.OAuth2{},
-		&auth_service.Basic{},
+		&auth_service.OAuth2{}, // FIXME: this should be removed and only applied in download and oauth realted routers
+		&auth_service.Basic{},  // FIXME: this should be removed and only applied in download and git/lfs routers
 		auth_service.SharedSession,
 	)
 	if setting.Service.EnableReverseProxyAuth {

services/auth/auth.go

@@ -26,7 +26,7 @@ var (
 	_ = handleSignIn
 
 	// SharedSession the session auth should only be used by web, but now both web and API/v1
-	// will use it. We can remvoe this after Web removed dependent API/v1
+	// will use it. We can remove this after Web removed dependent API/v1
 	SharedSession = &Session{}
 )