google · google-oss-robot · Sep 2, 2020 · Sep 2, 2020
@@ -130,26 +130,31 @@ func realMain(ctx context.Context) error {
 		return fmt.Errorf("failed to create renderer: %w", err)
 	}
 
-	r.Handle("/health", controller.HandleHealthz(ctx, &config.Database, h)).Methods("GET")
-
-	// Setup API auth
-	requireAPIKey := middleware.RequireAPIKey(ctx, cacher, db, h, []database.APIUserType{
-		database.APIUserTypeAdmin,
-	})
-
-	// Install the APIKey Auth Middleware
-	r.Use(requireAPIKey)
+	// Install the rate limiting first. In this case, we want to limit by key
+	// first to reduce the chance of a database lookup.
 	r.Use(rateLimit)
 
-	issueapiController, err := issueapi.New(ctx, config, db, h)
-	if err != nil {
-		return fmt.Errorf("issueapi.New: %w", err)
+	r.Handle("/health", controller.HandleHealthz(ctx, &config.Database, h)).Methods("GET")
+	{
+		sub := r.PathPrefix("/api").Subrouter()
+
+		// Setup API auth
+		requireAPIKey := middleware.RequireAPIKey(ctx, cacher, db, h, []database.APIUserType{
+			database.APIUserTypeDevice,
+		})
+		// Install the APIKey Auth Middleware
+		sub.Use(requireAPIKey)
+
+		issueapiController, err := issueapi.New(ctx, config, db, h)
+		if err != nil {
+			return fmt.Errorf("issueapi.New: %w", err)
+		}
+		sub.Handle("/issue", issueapiController.HandleIssue()).Methods("POST")
+
+		codeStatusController := codestatus.NewAPI(ctx, config, db, h)
+		sub.Handle("/checkcodestatus", codeStatusController.HandleCheckCodeStatus()).Methods("POST")
+		sub.Handle("/expirecode", codeStatusController.HandleExpireAPI()).Methods("POST")
 	}
-	r.Handle("/api/issue", issueapiController.HandleIssue()).Methods("POST")
-
-	codeStatusController := codestatus.NewAPI(ctx, config, db, h)
-	r.Handle("/api/checkcodestatus", codeStatusController.HandleCheckCodeStatus()).Methods("POST")
-	r.Handle("/api/expirecode", codeStatusController.HandleExpireAPI()).Methods("POST")
 
 	srv, err := server.New(config.Port)
 	if err != nil {

@@ -143,37 +143,40 @@ func realMain(ctx context.Context) error {
 		return fmt.Errorf("failed to create renderer: %w", err)
 	}
 
-	r.Handle("/health", controller.HandleHealthz(ctx, &config.Database, h)).Methods("GET")
-
-	// Setup API auth
-	requireAPIKey := middleware.RequireAPIKey(ctx, cacher, db, h, []database.APIUserType{
-		database.APIUserTypeDevice,
-	})
-
 	// Install the rate limiting first. In this case, we want to limit by key
 	// first to reduce the chance of a database lookup.
 	r.Use(rateLimit)
 
-	// Install the APIKey Auth Middleware
-	r.Use(requireAPIKey)
-
-	// POST /api/verify
-	verifyChaff := chaff.New()
-	defer verifyChaff.Close()
-	verifyapiController, err := verifyapi.New(ctx, config, db, h, tokenSigner)
-	if err != nil {
-		return fmt.Errorf("failed to create verify api controller: %w", err)
-	}
-	r.Handle("/api/verify", handleChaff(verifyChaff, verifyapiController.HandleVerify())).Methods("POST")
+	r.Handle("/health", controller.HandleHealthz(ctx, &config.Database, h)).Methods("GET")
 
-	// POST /api/certificate
-	certChaff := chaff.New()
-	defer certChaff.Close()
-	certapiController, err := certapi.New(ctx, config, db, h, certificateSigner)
-	if err != nil {
-		return fmt.Errorf("failed to create certapi controller: %w", err)
+	{
+		sub := r.PathPrefix("/api").Subrouter()
+
+		// Setup API auth
+		requireAPIKey := middleware.RequireAPIKey(ctx, cacher, db, h, []database.APIUserType{
+			database.APIUserTypeDevice,
+		})
+		// Install the APIKey Auth Middleware
+		sub.Use(requireAPIKey)
+
+		// POST /api/verify
+		verifyChaff := chaff.New()
+		defer verifyChaff.Close()
+		verifyapiController, err := verifyapi.New(ctx, config, db, h, tokenSigner)
+		if err != nil {
+			return fmt.Errorf("failed to create verify api controller: %w", err)
+		}
+		sub.Handle("/verify", handleChaff(verifyChaff, verifyapiController.HandleVerify())).Methods("POST")
+
+		// POST /api/certificate
+		certChaff := chaff.New()
+		defer certChaff.Close()
+		certapiController, err := certapi.New(ctx, config, db, h, certificateSigner)
+		if err != nil {
+			return fmt.Errorf("failed to create certapi controller: %w", err)
+		}
+		sub.Handle("/certificate", handleChaff(certChaff, certapiController.HandleCertificate())).Methods("POST")
 	}
-	r.Handle("/api/certificate", handleChaff(certChaff, certapiController.HandleCertificate())).Methods("POST")
 
 	srv, err := server.New(config.Port)
 	if err != nil {