Refactor context flash msg and global variables (#33375)

1. add `GetSiteCookieFlashMessage` to help to parse flash message 2. clarify `handleRepoHomeFeed` logic 3. remove unnecessary global variables, use `sync.OnceValue` instead 4. add some tests for `IsUsableUsername` and `IsUsableRepoName`
2025-02-24 21:14:11 +08:00 · 2025-01-25 22:36:47 +08:00 · 2025-01-25 22:36:47 +08:00 · 2c1ff8701a
commit 2c1ff8701a
parent 6a516a0d14
30 changed files with 737 additions and 676 deletions
--- a/models/db/name.go
+++ b/models/db/name.go
@ -11,8 +11,6 @@ import (
 	"code.gitea.io/gitea/modules/util"
 )
 var ErrNameEmpty = util.SilentWrap{Message: "name is empty", Err: util.ErrInvalidArgument}
 // ErrNameReserved represents a "reserved name" error.
 type ErrNameReserved struct {
 	Name string
@ -79,7 +77,7 @@ func (err ErrNameCharsNotAllowed) Unwrap() error {
 func IsUsableName(reservedNames, reservedPatterns []string, name string) error {
 	name = strings.TrimSpace(strings.ToLower(name))
 	if utf8.RuneCountInString(name) == 0 {
-		return ErrNameEmpty
+		return util.SilentWrap{Message: "name is empty", Err: util.ErrInvalidArgument}
 	}
 	for i := range reservedNames {
--- a/models/repo/repo.go
+++ b/models/repo/repo.go
@ -14,6 +14,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
 	"sync"
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/unit"
@ -61,20 +62,30 @@ func (err ErrRepoIsArchived) Error() string {
 	return fmt.Sprintf("%s is archived", err.Repo.LogString())
 }
-var (
+type globalVarsStruct struct {
-	validRepoNamePattern   = regexp.MustCompile(`[-.\w]+`)
+	validRepoNamePattern   *regexp.Regexp
-	invalidRepoNamePattern = regexp.MustCompile(`[.]{2,}`)
+	invalidRepoNamePattern *regexp.Regexp
-	reservedRepoNames      = []string{".", "..", "-"}
+	reservedRepoNames      []string
-	reservedRepoPatterns   = []string{"*.git", "*.wiki", "*.rss", "*.atom"}
+	reservedRepoPatterns   []string
-)
+}
 var globalVars = sync.OnceValue(func() *globalVarsStruct {
 	return &globalVarsStruct{
 		validRepoNamePattern:   regexp.MustCompile(`[-.\w]+`),
 		invalidRepoNamePattern: regexp.MustCompile(`[.]{2,}`),
 		reservedRepoNames:      []string{".", "..", "-"},
 		reservedRepoPatterns:   []string{"*.git", "*.wiki", "*.rss", "*.atom"},
 	}
 })
 // IsUsableRepoName returns true when name is usable
 func IsUsableRepoName(name string) error {
-	if !validRepoNamePattern.MatchString(name) || invalidRepoNamePattern.MatchString(name) {
+	vars := globalVars()
 	if !vars.validRepoNamePattern.MatchString(name) || vars.invalidRepoNamePattern.MatchString(name) {
 		// Note: usually this error is normally caught up earlier in the UI
 		return db.ErrNameCharsNotAllowed{Name: name}
 	}
-	return db.IsUsableName(reservedRepoNames, reservedRepoPatterns, name)
+	return db.IsUsableName(vars.reservedRepoNames, vars.reservedRepoPatterns, name)
 }
 // TrustModelType defines the types of trust model for this repository
--- a/models/repo/repo_test.go
+++ b/models/repo/repo_test.go
@ -219,4 +219,5 @@ func TestIsUsableRepoName(t *testing.T) {
 	assert.Error(t, IsUsableRepoName("the..repo"))
 	assert.Error(t, IsUsableRepoName("foo.wiki"))
 	assert.Error(t, IsUsableRepoName("foo.git"))
 	assert.Error(t, IsUsableRepoName("foo.RSS"))
 }
--- a/models/user/user.go
+++ b/models/user/user.go
@ -502,10 +502,10 @@ func (u *User) IsMailable() bool {
 	return u.IsActive
 }
-// IsUserExist checks if given user name exist,
+// IsUserExist checks if given username exist,
-// the user name should be noncased unique.
+// the username should be non-cased unique.
 // If uid is presented, then check will rule out that one,
-// it is used when update a user name in settings page.
+// it is used when update a username in settings page.
 func IsUserExist(ctx context.Context, uid int64, name string) (bool, error) {
 	if len(name) == 0 {
 		return false, nil
@ -515,7 +515,7 @@ func IsUserExist(ctx context.Context, uid int64, name string) (bool, error) {
 		Get(&User{LowerName: strings.ToLower(name)})
 }
-// Note: As of the beginning of 2022, it is recommended to use at least
+// SaltByteLength as of the beginning of 2022, it is recommended to use at least
 // 64 bits of salt, but NIST is already recommending to use to 128 bits.
 // (16 bytes = 16 * 8 = 128 bits)
 const SaltByteLength = 16
--- a/models/user/user_test.go
+++ b/models/user/user_test.go
@ -25,6 +25,21 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 func TestIsUsableUsername(t *testing.T) {
 	assert.NoError(t, user_model.IsUsableUsername("a"))
 	assert.NoError(t, user_model.IsUsableUsername("foo.wiki"))
 	assert.NoError(t, user_model.IsUsableUsername("foo.git"))
 	assert.Error(t, user_model.IsUsableUsername("a--b"))
 	assert.Error(t, user_model.IsUsableUsername("-1_."))
 	assert.Error(t, user_model.IsUsableUsername(".profile"))
 	assert.Error(t, user_model.IsUsableUsername("-"))
 	assert.Error(t, user_model.IsUsableUsername("🌞"))
 	assert.Error(t, user_model.IsUsableUsername("the..repo"))
 	assert.Error(t, user_model.IsUsableUsername("foo.RSS"))
 	assert.Error(t, user_model.IsUsableUsername("foo.PnG"))
 }
 func TestOAuth2Application_LoadUser(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 	app := unittest.AssertExistsAndLoadBean(t, &auth.OAuth2Application{ID: 1})
--- a/modules/validation/glob_pattern_test.go
+++ b/modules/validation/glob_pattern_test.go
@ -19,7 +19,10 @@ func getGlobPatternErrorString(pattern string) string {
 	return ""
 }
-var globValidationTestCases = []validationTestCase{
+func Test_GlobPatternValidation(t *testing.T) {
 	AddBindingRules()
 	globValidationTestCases := []validationTestCase{
 		{
 			description: "Empty glob pattern",
 			data: TestForm{
@ -48,10 +51,7 @@ var globValidationTestCases = []validationTestCase{
 				},
 			},
 		},
-}
+	}
 func Test_GlobPatternValidation(t *testing.T) {
 	AddBindingRules()
 	for _, testCase := range globValidationTestCases {
 		t.Run(testCase.description, func(t *testing.T) {
--- a/modules/validation/helpers.go
+++ b/modules/validation/helpers.go
@ -8,13 +8,26 @@ import (
 	"net/url"
 	"regexp"
 	"strings"
 	"sync"
 	"code.gitea.io/gitea/modules/setting"
 	"github.com/gobwas/glob"
 )
-var externalTrackerRegex = regexp.MustCompile(`({?)(?:user|repo|index)+?(}?)`)
+type globalVarsStruct struct {
 	externalTrackerRegex   *regexp.Regexp
 	validUsernamePattern   *regexp.Regexp
 	invalidUsernamePattern *regexp.Regexp
 }
 var globalVars = sync.OnceValue(func() *globalVarsStruct {
 	return &globalVarsStruct{
 		externalTrackerRegex:   regexp.MustCompile(`({?)(?:user|repo|index)+?(}?)`),
 		validUsernamePattern:   regexp.MustCompile(`^[\da-zA-Z][-.\w]*$`),
 		invalidUsernamePattern: regexp.MustCompile(`[-._]{2,}|[-._]$`), // No consecutive or trailing non-alphanumeric chars
 	}
 })
 func isLoopbackIP(ip string) bool {
 	return net.ParseIP(ip).IsLoopback()
@ -105,9 +118,9 @@ func IsValidExternalTrackerURLFormat(uri string) bool {
 	if !IsValidExternalURL(uri) {
 		return false
 	}
-
+	vars := globalVars()
 	// check for typoed variables like /{index/ or /[repo}
-	for _, match := range externalTrackerRegex.FindAllStringSubmatch(uri, -1) {
+	for _, match := range vars.externalTrackerRegex.FindAllStringSubmatch(uri, -1) {
 		if (match[1] == "{" || match[2] == "}") && (match[1] != "{" || match[2] != "}") {
 			return false
 		}
@ -116,14 +129,10 @@ func IsValidExternalTrackerURLFormat(uri string) bool {
 	return true
 }
 var (
 	validUsernamePattern   = regexp.MustCompile(`^[\da-zA-Z][-.\w]*$`)
 	invalidUsernamePattern = regexp.MustCompile(`[-._]{2,}|[-._]$`) // No consecutive or trailing non-alphanumeric chars
 )
 // IsValidUsername checks if username is valid
 func IsValidUsername(name string) bool {
 	// It is difficult to find a single pattern that is both readable and effective,
 	// but it's easier to use positive and negative checks.
-	return validUsernamePattern.MatchString(name) && !invalidUsernamePattern.MatchString(name)
+	vars := globalVars()
 	return vars.validUsernamePattern.MatchString(name) && !vars.invalidUsernamePattern.MatchString(name)
 }
--- a/modules/validation/refname_test.go
+++ b/modules/validation/refname_test.go
@ -9,7 +9,9 @@ import (
 	"gitea.com/go-chi/binding"
 )
-var gitRefNameValidationTestCases = []validationTestCase{
+func Test_GitRefNameValidation(t *testing.T) {
 	AddBindingRules()
 	gitRefNameValidationTestCases := []validationTestCase{
 		{
 			description: "Reference name contains only characters",
 			data: TestForm{
@ -252,10 +254,7 @@ var gitRefNameValidationTestCases = []validationTestCase{
 				},
 			},
 		},
-}
+	}
 func Test_GitRefNameValidation(t *testing.T) {
 	AddBindingRules()
 	for _, testCase := range gitRefNameValidationTestCases {
 		t.Run(testCase.description, func(t *testing.T) {
--- a/modules/validation/regex_pattern_test.go
+++ b/modules/validation/regex_pattern_test.go
@ -17,7 +17,10 @@ func getRegexPatternErrorString(pattern string) string {
 	return ""
 }
-var regexValidationTestCases = []validationTestCase{
+func Test_RegexPatternValidation(t *testing.T) {
 	AddBindingRules()
 	regexValidationTestCases := []validationTestCase{
 		{
 			description: "Empty regex pattern",
 			data: TestForm{
@ -46,10 +49,7 @@ var regexValidationTestCases = []validationTestCase{
 				},
 			},
 		},
-}
+	}
 func Test_RegexPatternValidation(t *testing.T) {
 	AddBindingRules()
 	for _, testCase := range regexValidationTestCases {
 		t.Run(testCase.description, func(t *testing.T) {
--- a/modules/validation/validurl_test.go
+++ b/modules/validation/validurl_test.go
@ -9,7 +9,10 @@ import (
 	"gitea.com/go-chi/binding"
 )
-var urlValidationTestCases = []validationTestCase{
+func Test_ValidURLValidation(t *testing.T) {
 	AddBindingRules()
 	urlValidationTestCases := []validationTestCase{
 		{
 			description: "Empty URL",
 			data: TestForm{
@ -97,10 +100,7 @@ var urlValidationTestCases = []validationTestCase{
 				},
 			},
 		},
-}
+	}
 func Test_ValidURLValidation(t *testing.T) {
 	AddBindingRules()
 	for _, testCase := range urlValidationTestCases {
 		t.Run(testCase.description, func(t *testing.T) {
--- a/modules/validation/validurllist_test.go
+++ b/modules/validation/validurllist_test.go
@ -9,9 +9,12 @@ import (
 	"gitea.com/go-chi/binding"
 )
-// This is a copy of all the URL tests cases, plus additional ones to
+func Test_ValidURLListValidation(t *testing.T) {
-// account for multiple URLs
+	AddBindingRules()
-var urlListValidationTestCases = []validationTestCase{
+
 	// This is a copy of all the URL tests cases, plus additional ones to
 	// account for multiple URLs
 	urlListValidationTestCases := []validationTestCase{
 		{
 			description: "Empty URL",
 			data: TestForm{
@ -144,10 +147,7 @@ var urlListValidationTestCases = []validationTestCase{
 				},
 			},
 		},
-}
+	}
 func Test_ValidURLListValidation(t *testing.T) {
 	AddBindingRules()
 	for _, testCase := range urlListValidationTestCases {
 		t.Run(testCase.description, func(t *testing.T) {
--- a/modules/web/middleware/flash.go
+++ b/modules/web/middleware/flash.go
@ -6,6 +6,7 @@ package middleware
 import (
 	"fmt"
 	"html/template"
 	"net/http"
 	"net/url"
 	"code.gitea.io/gitea/modules/reqctx"
@ -65,3 +66,27 @@ func (f *Flash) Success(msg any, current ...bool) {
 	f.SuccessMsg = flashMsgStringOrHTML(msg)
 	f.set("success", f.SuccessMsg, current...)
 }
 func ParseCookieFlashMessage(val string) *Flash {
 	if vals, _ := url.ParseQuery(val); len(vals) > 0 {
 		return &Flash{
 			Values:     vals,
 			ErrorMsg:   vals.Get("error"),
 			SuccessMsg: vals.Get("success"),
 			InfoMsg:    vals.Get("info"),
 			WarningMsg: vals.Get("warning"),
 		}
 	}
 	return nil
 }
 func GetSiteCookieFlashMessage(dataStore reqctx.RequestDataStore, req *http.Request, cookieName string) (string, *Flash) {
 	// Get the last flash message from cookie
 	lastFlashCookie := GetSiteCookie(req, cookieName)
 	lastFlashMsg := ParseCookieFlashMessage(lastFlashCookie)
 	if lastFlashMsg != nil {
 		lastFlashMsg.DataStore = dataStore
 		return lastFlashCookie, lastFlashMsg
 	}
 	return lastFlashCookie, nil
 }
--- a/modules/web/middleware/request.go
+++ b/modules/web/middleware/request.go
@ -1,14 +0,0 @@
 // Copyright 2020 The Gitea Authors. All rights reserved.
 // SPDX-License-Identifier: MIT
 package middleware
 import (
 	"net/http"
 	"strings"
 )
 // IsAPIPath returns true if the specified URL is an API path
 func IsAPIPath(req *http.Request) bool {
 	return strings.HasPrefix(req.URL.Path, "/api/")
 }
--- a/routers/web/feed/convert.go
+++ b/routers/web/feed/convert.go
@ -258,18 +258,18 @@ func feedActionsToFeedItems(ctx *context.Context, actions activities_model.Actio
 }
 // GetFeedType return if it is a feed request and altered name and feed type.
-func GetFeedType(name string, req *http.Request) (bool, string, string) {
+func GetFeedType(name string, req *http.Request) (showFeed bool, feedType string) {
 	if strings.HasSuffix(name, ".rss") ||
 		strings.Contains(req.Header.Get("Accept"), "application/rss+xml") {
-		return true, strings.TrimSuffix(name, ".rss"), "rss"
+		return true, "rss"
 	}
 	if strings.HasSuffix(name, ".atom") ||
 		strings.Contains(req.Header.Get("Accept"), "application/atom+xml") {
-		return true, strings.TrimSuffix(name, ".atom"), "atom"
+		return true, "atom"
 	}
-	return false, name, ""
+	return false, ""
 }
 // feedActionsToFeedItems convert gitea's Repo's Releases to feeds Item
--- a/routers/web/feed/render.go
+++ b/routers/web/feed/render.go
@ -9,7 +9,7 @@ import (
 // RenderBranchFeed render format for branch or file
 func RenderBranchFeed(ctx *context.Context) {
-	_, _, showFeedType := GetFeedType(ctx.PathParam("reponame"), ctx.Req)
+	_, showFeedType := GetFeedType(ctx.PathParam("reponame"), ctx.Req)
 	if ctx.Repo.TreePath == "" {
 		ShowBranchFeed(ctx, ctx.Repo.Repository, showFeedType)
 	} else {
--- a/routers/web/repo/view_home.go
+++ b/routers/web/repo/view_home.go
@ -311,21 +311,21 @@ func prepareToRenderDirOrFile(entry *git.TreeEntry) func(ctx *context.Context) {
 }
 func handleRepoHomeFeed(ctx *context.Context) bool {
-	if setting.Other.EnableFeed {
+	if !setting.Other.EnableFeed {
-		isFeed, _, showFeedType := feed.GetFeedType(ctx.PathParam("reponame"), ctx.Req)
+		return false
-		if isFeed {
+	}
-			switch {
+	isFeed, showFeedType := feed.GetFeedType(ctx.PathParam("reponame"), ctx.Req)
-			case ctx.Link == fmt.Sprintf("%s.%s", ctx.Repo.RepoLink, showFeedType):
+	if !isFeed {
 		return false
 	}
 	if ctx.Link == fmt.Sprintf("%s.%s", ctx.Repo.RepoLink, showFeedType) {
 		feed.ShowRepoFeed(ctx, ctx.Repo.Repository, showFeedType)
-			case ctx.Repo.TreePath == "":
+	} else if ctx.Repo.TreePath == "" {
 		feed.ShowBranchFeed(ctx, ctx.Repo.Repository, showFeedType)
-			case ctx.Repo.TreePath != "":
+	} else {
 		feed.ShowFileFeed(ctx, ctx.Repo.Repository, showFeedType)
 	}
 	return true
 		}
 	}
 	return false
 }
 // Home render repository home page
--- a/routers/web/web.go
+++ b/routers/web/web.go
@ -1152,7 +1152,7 @@ func registerRoutes(m *web.Router) {
 	)
 	// end "/{username}/{reponame}/settings"
-	// user/org home, including rss feeds
+	// user/org home, including rss feeds like "/{username}/{reponame}.rss"
 	m.Get("/{username}/{reponame}", optSignIn, context.RepoAssignment, context.RepoRefByType(git.RefTypeBranch), repo.SetEditorconfigIfExists, repo.Home)
 	m.Post("/{username}/{reponame}/markup", optSignIn, context.RepoAssignment, reqUnitsWithMarkdown, web.Bind(structs.MarkupOption{}), misc.Markup)
--- a/services/auth/auth.go
+++ b/services/auth/auth.go
@ -9,6 +9,7 @@ import (
 	"net/http"
 	"regexp"
 	"strings"
 	"sync"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/auth/webauthn"
@ -21,44 +22,74 @@ import (
 	user_service "code.gitea.io/gitea/services/user"
 )
 type globalVarsStruct struct {
 	gitRawOrAttachPathRe *regexp.Regexp
 	lfsPathRe            *regexp.Regexp
 	archivePathRe        *regexp.Regexp
 }
 var globalVars = sync.OnceValue(func() *globalVarsStruct {
 	return &globalVarsStruct{
 		gitRawOrAttachPathRe: regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|(?:raw/)|(?:releases/download/)|(?:attachments/))`),
 		lfsPathRe:            regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`),
 		archivePathRe:        regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/archive/`),
 	}
 })
 // Init should be called exactly once when the application starts to allow plugins
 // to allocate necessary resources
 func Init() {
 	webauthn.Init()
 }
 type authPathDetector struct {
 	req  *http.Request
 	vars *globalVarsStruct
 }
 func newAuthPathDetector(req *http.Request) *authPathDetector {
 	return &authPathDetector{req: req, vars: globalVars()}
 }
 // isAPIPath returns true if the specified URL is an API path
 func (a *authPathDetector) isAPIPath() bool {
 	return strings.HasPrefix(a.req.URL.Path, "/api/")
 }
 // isAttachmentDownload check if request is a file download (GET) with URL to an attachment
-func isAttachmentDownload(req *http.Request) bool {
+func (a *authPathDetector) isAttachmentDownload() bool {
-	return strings.HasPrefix(req.URL.Path, "/attachments/") && req.Method == "GET"
+	return strings.HasPrefix(a.req.URL.Path, "/attachments/") && a.req.Method == "GET"
 }
 // isContainerPath checks if the request targets the container endpoint
-func isContainerPath(req *http.Request) bool {
+func (a *authPathDetector) isContainerPath() bool {
-	return strings.HasPrefix(req.URL.Path, "/v2/")
+	return strings.HasPrefix(a.req.URL.Path, "/v2/")
 }
-var (
+func (a *authPathDetector) isGitRawOrAttachPath() bool {
-	gitRawOrAttachPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|(?:raw/)|(?:releases/download/)|(?:attachments/))`)
+	return a.vars.gitRawOrAttachPathRe.MatchString(a.req.URL.Path)
 	lfsPathRe            = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
 	archivePathRe        = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/archive/`)
 )
 func isGitRawOrAttachPath(req *http.Request) bool {
 	return gitRawOrAttachPathRe.MatchString(req.URL.Path)
 }
-func isGitRawOrAttachOrLFSPath(req *http.Request) bool {
+func (a *authPathDetector) isGitRawOrAttachOrLFSPath() bool {
-	if isGitRawOrAttachPath(req) {
+	if a.isGitRawOrAttachPath() {
 		return true
 	}
 	if setting.LFS.StartServer {
-		return lfsPathRe.MatchString(req.URL.Path)
+		return a.vars.lfsPathRe.MatchString(a.req.URL.Path)
 	}
 	return false
 }
-func isArchivePath(req *http.Request) bool {
+func (a *authPathDetector) isArchivePath() bool {
-	return archivePathRe.MatchString(req.URL.Path)
+	return a.vars.archivePathRe.MatchString(a.req.URL.Path)
 }
 func (a *authPathDetector) isAuthenticatedTokenRequest() bool {
 	switch a.req.URL.Path {
 	case "/login/oauth/userinfo", "/login/oauth/introspect":
 		return true
 	}
 	return false
 }
 // handleSignIn clears existing session variables and stores new ones for the specified user object
--- a/services/auth/auth_test.go
+++ b/services/auth/auth_test.go
@ -110,21 +110,21 @@ func Test_isGitRawOrLFSPath(t *testing.T) {
 		t.Run(tt.path, func(t *testing.T) {
 			req, _ := http.NewRequest("POST", "http://localhost"+tt.path, nil)
 			setting.LFS.StartServer = false
-			assert.Equal(t, tt.want, isGitRawOrAttachOrLFSPath(req))
+			assert.Equal(t, tt.want, newAuthPathDetector(req).isGitRawOrAttachOrLFSPath())
 			setting.LFS.StartServer = true
-			assert.Equal(t, tt.want, isGitRawOrAttachOrLFSPath(req))
+			assert.Equal(t, tt.want, newAuthPathDetector(req).isGitRawOrAttachOrLFSPath())
 		})
 	}
 	for _, tt := range lfsTests {
 		t.Run(tt, func(t *testing.T) {
 			req, _ := http.NewRequest("POST", tt, nil)
 			setting.LFS.StartServer = false
-			got := isGitRawOrAttachOrLFSPath(req)
+			got := newAuthPathDetector(req).isGitRawOrAttachOrLFSPath()
-			assert.Equalf(t, setting.LFS.StartServer, got, "isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, gitRawOrAttachPathRe.MatchString(tt))
+			assert.Equalf(t, setting.LFS.StartServer, got, "isGitOrLFSPath(%q) = %v, want %v, %v", tt, got, setting.LFS.StartServer, globalVars().gitRawOrAttachPathRe.MatchString(tt))
 			setting.LFS.StartServer = true
-			got = isGitRawOrAttachOrLFSPath(req)
+			got = newAuthPathDetector(req).isGitRawOrAttachOrLFSPath()
 			assert.Equalf(t, setting.LFS.StartServer, got, "isGitOrLFSPath(%q) = %v, want %v", tt, got, setting.LFS.StartServer)
 		})
 	}
--- a/services/auth/basic.go
+++ b/services/auth/basic.go
@ -17,7 +17,6 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web/middleware"
 )
 // Ensure the struct implements the interface.
@ -49,7 +48,8 @@ func (b *Basic) Name() string {
 // Returns nil if header is empty or validation fails.
 func (b *Basic) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
 	// Basic authentication should only fire on API, Download or on Git or LFSPaths
-	if !middleware.IsAPIPath(req) && !isContainerPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) {
+	detector := newAuthPathDetector(req)
 	if !detector.isAPIPath() && !detector.isContainerPath() && !detector.isAttachmentDownload() && !detector.isGitRawOrAttachOrLFSPath() {
 		return nil, nil
 	}
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@ -16,7 +16,6 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
 	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/services/actions"
 	"code.gitea.io/gitea/services/oauth2_provider"
 )
@ -162,8 +161,9 @@ func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string, store Dat
 // Returns nil if verification fails.
 func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
 	// These paths are not API paths, but we still want to check for tokens because they maybe in the API returned URLs
-	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) &&
+	detector := newAuthPathDetector(req)
-		!isGitRawOrAttachPath(req) && !isArchivePath(req) {
+	if !detector.isAPIPath() && !detector.isAttachmentDownload() && !detector.isAuthenticatedTokenRequest() &&
 		!detector.isGitRawOrAttachPath() && !detector.isArchivePath() {
 		return nil, nil
 	}
@ -190,13 +190,3 @@ func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStor
 	log.Trace("OAuth2 Authorization: Logged in user %-v", user)
 	return user, nil
 }
 func isAuthenticatedTokenRequest(req *http.Request) bool {
 	switch req.URL.Path {
 	case "/login/oauth/userinfo":
 		fallthrough
 	case "/login/oauth/introspect":
 		return true
 	}
 	return false
 }
--- a/services/auth/reverseproxy.go
+++ b/services/auth/reverseproxy.go
@ -12,7 +12,6 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/optional"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/web/middleware"
 	gouuid "github.com/google/uuid"
 )
@ -117,7 +116,8 @@ func (r *ReverseProxy) Verify(req *http.Request, w http.ResponseWriter, store Da
 	}
 	// Make sure requests to API paths, attachment downloads, git and LFS do not create a new session
-	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isGitRawOrAttachOrLFSPath(req) {
+	detector := newAuthPathDetector(req)
 	if !detector.isAPIPath() && !detector.isAttachmentDownload() && !detector.isGitRawOrAttachOrLFSPath() {
 		if sess != nil && (sess.Get("uid") == nil || sess.Get("uid").(int64) != user.ID) {
 			handleSignIn(w, req, sess, user)
 		}
--- a/services/auth/sspi.go
+++ b/services/auth/sspi.go
@ -17,7 +17,6 @@ import (
 	"code.gitea.io/gitea/modules/optional"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/templates"
 	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/services/auth/source/sspi"
 	gitea_context "code.gitea.io/gitea/services/context"
@ -120,7 +119,8 @@ func (s *SSPI) Verify(req *http.Request, w http.ResponseWriter, store DataStore,
 	}
 	// Make sure requests to API paths and PWA resources do not create a new session
-	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) {
+	detector := newAuthPathDetector(req)
 	if !detector.isAPIPath() && !detector.isAttachmentDownload() {
 		handleSignIn(w, req, sess, user)
 	}
@ -155,8 +155,9 @@ func (s *SSPI) shouldAuthenticate(req *http.Request) (shouldAuth bool) {
 		} else if req.FormValue("auth_with_sspi") == "1" {
 			shouldAuth = true
 		}
-	} else if middleware.IsAPIPath(req) || isAttachmentDownload(req) {
+	} else {
-		shouldAuth = true
+		detector := newAuthPathDetector(req)
 		shouldAuth = detector.isAPIPath() || detector.isAttachmentDownload()
 	}
 	return shouldAuth
 }
--- a/services/context/context.go
+++ b/services/context/context.go
@ -165,18 +165,10 @@ func Contexter() func(next http.Handler) http.Handler {
 			ctx.Base.SetContextValue(WebContextKey, ctx)
 			ctx.Csrf = NewCSRFProtector(csrfOpts)
-			// Get the last flash message from cookie
+			// get the last flash message from cookie
-			lastFlashCookie := middleware.GetSiteCookie(ctx.Req, CookieNameFlash)
+			lastFlashCookie, lastFlashMsg := middleware.GetSiteCookieFlashMessage(ctx, ctx.Req, CookieNameFlash)
 			if vals, _ := url.ParseQuery(lastFlashCookie); len(vals) > 0 {
-				// store last Flash message into the template data, to render it
+				ctx.Data["Flash"] = lastFlashMsg // store last Flash message into the template data, to render it
 				ctx.Data["Flash"] = &middleware.Flash{
 					DataStore:  ctx,
 					Values:     vals,
 					ErrorMsg:   vals.Get("error"),
 					SuccessMsg: vals.Get("success"),
 					InfoMsg:    vals.Get("info"),
 					WarningMsg: vals.Get("warning"),
 				}
 			}
 			// if there are new messages in the ctx.Flash, write them into cookie
--- a/tests/integration/editor_test.go
+++ b/tests/integration/editor_test.go
@ -12,7 +12,6 @@ import (
 	"testing"
 	"code.gitea.io/gitea/modules/json"
 	gitea_context "code.gitea.io/gitea/services/context"
 	"github.com/stretchr/testify/assert"
 )
@ -58,9 +57,8 @@ func TestCreateFileOnProtectedBranch(t *testing.T) {
 		})
 		session.MakeRequest(t, req, http.StatusSeeOther)
 		// Check if master branch has been locked successfully
-		flashCookie := session.GetCookie(gitea_context.CookieNameFlash)
+		flashMsg := session.GetCookieFlashMessage()
-		assert.NotNil(t, flashCookie)
+		assert.EqualValues(t, `Branch protection for rule "master" has been updated.`, flashMsg.SuccessMsg)
 		assert.EqualValues(t, "success%3DBranch%2Bprotection%2Bfor%2Brule%2B%2522master%2522%2Bhas%2Bbeen%2Bupdated.", flashCookie.Value)
 		// Request editor page
 		req = NewRequest(t, "GET", "/user2/repo1/_new/master/")
@ -98,9 +96,8 @@ func TestCreateFileOnProtectedBranch(t *testing.T) {
 		assert.EqualValues(t, "/user2/repo1/settings/branches", res["redirect"])
 		// Check if master branch has been locked successfully
-		flashCookie = session.GetCookie(gitea_context.CookieNameFlash)
+		flashMsg = session.GetCookieFlashMessage()
-		assert.NotNil(t, flashCookie)
+		assert.EqualValues(t, `Removing branch protection rule "1" failed.`, flashMsg.ErrorMsg)
 		assert.EqualValues(t, "error%3DRemoving%2Bbranch%2Bprotection%2Brule%2B%25221%2522%2Bfailed.", flashCookie.Value)
 	})
 }
--- a/tests/integration/git_general_test.go
+++ b/tests/integration/git_general_test.go
@ -28,7 +28,6 @@ import (
 	"code.gitea.io/gitea/modules/lfs"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	gitea_context "code.gitea.io/gitea/services/context"
 	"code.gitea.io/gitea/tests"
 	"github.com/stretchr/testify/assert"
@ -464,9 +463,8 @@ func doProtectBranch(ctx APITestContext, branch, userToWhitelistPush, userToWhit
 		ctx.Session.MakeRequest(t, req, http.StatusSeeOther)
 		// Check if master branch has been locked successfully
-		flashCookie := ctx.Session.GetCookie(gitea_context.CookieNameFlash)
+		flashMsg := ctx.Session.GetCookieFlashMessage()
-		assert.NotNil(t, flashCookie)
+		assert.EqualValues(t, `Branch protection for rule "`+branch+`" has been updated.`, flashMsg.SuccessMsg)
 		assert.EqualValues(t, "success%3DBranch%2Bprotection%2Bfor%2Brule%2B%2522"+url.QueryEscape(branch)+"%2522%2Bhas%2Bbeen%2Bupdated.", flashCookie.Value)
 	}
 }
--- a/tests/integration/integration_test.go
+++ b/tests/integration/integration_test.go
@ -29,6 +29,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/routers"
 	gitea_context "code.gitea.io/gitea/services/context"
 	"code.gitea.io/gitea/tests"
@ -118,12 +119,11 @@ type TestSession struct {
 	jar http.CookieJar
 }
-func (s *TestSession) GetCookie(name string) *http.Cookie {
+func (s *TestSession) GetRawCookie(name string) *http.Cookie {
 	baseURL, err := url.Parse(setting.AppURL)
 	if err != nil {
 		return nil
 	}
 	for _, c := range s.jar.Cookies(baseURL) {
 		if c.Name == name {
 			return c
@ -132,6 +132,20 @@ func (s *TestSession) GetCookie(name string) *http.Cookie {
 	return nil
 }
 func (s *TestSession) GetSiteCookie(name string) string {
 	c := s.GetRawCookie(name)
 	if c != nil {
 		v, _ := url.QueryUnescape(c.Value)
 		return v
 	}
 	return ""
 }
 func (s *TestSession) GetCookieFlashMessage() *middleware.Flash {
 	cookie := s.GetSiteCookie(gitea_context.CookieNameFlash)
 	return middleware.ParseCookieFlashMessage(cookie)
 }
 func (s *TestSession) MakeRequest(t testing.TB, rw *RequestWrapper, expectedStatus int) *httptest.ResponseRecorder {
 	t.Helper()
 	req := rw.Request
@ -458,9 +472,9 @@ func VerifyJSONSchema(t testing.TB, resp *httptest.ResponseRecorder, schemaFile
 // GetUserCSRFToken returns CSRF token for current user
 func GetUserCSRFToken(t testing.TB, session *TestSession) string {
 	t.Helper()
-	cookie := session.GetCookie("_csrf")
+	cookie := session.GetSiteCookie("_csrf")
 	require.NotEmpty(t, cookie)
-	return cookie.Value
+	return cookie
 }
 // GetUserCSRFToken returns CSRF token for anonymous user (not logged in)
--- a/tests/integration/mirror_push_test.go
+++ b/tests/integration/mirror_push_test.go
@ -9,7 +9,6 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
 	"testing"
 	"time"
@ -20,7 +19,6 @@ import (
 	"code.gitea.io/gitea/modules/git"
 	"code.gitea.io/gitea/modules/gitrepo"
 	"code.gitea.io/gitea/modules/setting"
 	gitea_context "code.gitea.io/gitea/services/context"
 	"code.gitea.io/gitea/services/migrations"
 	mirror_service "code.gitea.io/gitea/services/mirror"
 	repo_service "code.gitea.io/gitea/services/repository"
@ -92,9 +90,8 @@ func testCreatePushMirror(t *testing.T, session *TestSession, owner, repo, addre
 	})
 	session.MakeRequest(t, req, http.StatusSeeOther)
-	flashCookie := session.GetCookie(gitea_context.CookieNameFlash)
+	flashMsg := session.GetCookieFlashMessage()
-	assert.NotNil(t, flashCookie)
+	assert.NotEmpty(t, flashMsg.SuccessMsg)
 	assert.Contains(t, flashCookie.Value, "success")
 }
 func doRemovePushMirror(t *testing.T, session *TestSession, owner, repo string, pushMirrorID int64) bool {
@ -104,8 +101,8 @@ func doRemovePushMirror(t *testing.T, session *TestSession, owner, repo string,
 		"push_mirror_id": strconv.FormatInt(pushMirrorID, 10),
 	})
 	resp := session.MakeRequest(t, req, NoExpectedStatus)
-	flashCookie := session.GetCookie(gitea_context.CookieNameFlash)
+	flashMsg := session.GetCookieFlashMessage()
-	return resp.Code == http.StatusSeeOther && flashCookie != nil && strings.Contains(flashCookie.Value, "success")
+	return resp.Code == http.StatusSeeOther && assert.NotEmpty(t, flashMsg.SuccessMsg)
 }
 func doUpdatePushMirror(t *testing.T, session *TestSession, owner, repo string, pushMirrorID int64, interval string) bool {
--- a/tests/integration/rename_branch_test.go
+++ b/tests/integration/rename_branch_test.go
@ -11,7 +11,6 @@ import (
 	git_model "code.gitea.io/gitea/models/git"
 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
 	gitea_context "code.gitea.io/gitea/services/context"
 	"code.gitea.io/gitea/tests"
 	"github.com/stretchr/testify/assert"
@ -82,9 +81,8 @@ func testRenameBranch(t *testing.T, u *url.URL) {
 		"to":    "branch1",
 	})
 	session.MakeRequest(t, req, http.StatusSeeOther)
-	flashCookie := session.GetCookie(gitea_context.CookieNameFlash)
+	flashMsg := session.GetCookieFlashMessage()
-	assert.NotNil(t, flashCookie)
+	assert.NotEmpty(t, flashMsg.ErrorMsg)
 	assert.Contains(t, flashCookie.Value, "error")
 	branch2 = unittest.AssertExistsAndLoadBean(t, &git_model.Branch{RepoID: repo1.ID, Name: "branch2"})
 	assert.Equal(t, "branch2", branch2.Name)
@ -110,9 +108,8 @@ func testRenameBranch(t *testing.T, u *url.URL) {
 	})
 	session.MakeRequest(t, req, http.StatusSeeOther)
-	flashCookie = session.GetCookie(gitea_context.CookieNameFlash)
+	flashMsg = session.GetCookieFlashMessage()
-	assert.NotNil(t, flashCookie)
+	assert.NotEmpty(t, flashMsg.SuccessMsg)
 	assert.Contains(t, flashCookie.Value, "success")
 	unittest.AssertNotExistsBean(t, &git_model.Branch{RepoID: repo1.ID, Name: "branch2"})
 	branch1 = unittest.AssertExistsAndLoadBean(t, &git_model.Branch{RepoID: repo1.ID, Name: "branch1"})
--- a/tests/integration/signin_test.go
+++ b/tests/integration/signin_test.go
@ -79,7 +79,7 @@ func TestSigninWithRememberMe(t *testing.T) {
 	})
 	session.MakeRequest(t, req, http.StatusSeeOther)
-	c := session.GetCookie(setting.CookieRememberName)
+	c := session.GetRawCookie(setting.CookieRememberName)
 	assert.NotNil(t, c)
 	session = emptyTestSession(t)