安全RCE之未授权访问分析(18)

接口实现位于internalapiapi.go:265，以下贴出删减后的关键代码：
func (api *API) PreAuthorizeHandler(next HandleFunc, suffix string) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { httpResponse, authResponse, err := api.PreAuthorize(suffix, r) //... next(w, r, authResponse) })}
其中使用了http.HandlerFunc将普通函数转换成了Handler类型，跟进api.PreAuthorize(suffix, r)，
func (api *API) PreAuthorize(suffix string, r *http.Request) (httpResponse *http.Response, authResponse *Response, outErr error) { //组装请求头 authReq, err := api.newRequest(r, suffix) ... //发起请求得到响应 httpResponse, err = api.doRequestWithoutRedirects(authReq) //解析httpResponse.Body到authResponse authResponse = &Response{} // The auth backend validated the client request and told us additional // request metadata. We must extract this information from the auth // response body. if err := json.NewDecoder(httpResponse.Body).Decode(authResponse); err != nil { return httpResponse, nil, fmt.Errorf("preAuthorizeHandler: decode authorization response: %v", err) } return httpResponse, authResponse, nil}