Only authenticate on search endpoint when necessary

I believe we previously had to do authentication at the start of the
endpoint because the database connection was obtained early and there
are lifetime issues around using the `req` value while holding a
database connection.

This avoids authenticating the user (and possibly updating last_used_at
for API tokens) unless the search query requires it.

Author: jtgeibel

src/controllers/krate/search.rs

@@ -5,7 +5,6 @@ use diesel_full_text_search::*;
 
 use crate::controllers::cargo_prelude::*;
 use crate::controllers::helpers::Paginate;
-use crate::controllers::util::AuthenticatedUser;
 use crate::models::{
     Crate, CrateBadge, CrateOwner, CrateVersions, OwnerKind, TopVersions, Version,
 };
@@ -40,9 +39,6 @@ use crate::models::krate::{canon_crate_name, ALL_COLUMNS};
 pub fn search(req: &mut dyn RequestExt) -> EndpointResult {
     use diesel::sql_types::{Bool, Text};
 
-    // Don't require that authentication succeed, because it's only necessary
-    // if the "following" param is set.
-    let authenticated_user: AppResult<AuthenticatedUser> = req.authenticate();
     let params = req.query();
     let sort = params.get("sort").map(|s| &**s);
     let include_yanked = params
@@ -160,7 +156,7 @@ pub fn search(req: &mut dyn RequestExt) -> EndpointResult {
             ),
         );
     } else if params.get("following").is_some() {
-        let user_id = authenticated_user?.user_id();
+        let user_id = req.authenticate()?.user_id();
         query = query.filter(
             crates::id.eq_any(
                 follows::table

src/tests/token.rs

@@ -282,7 +282,7 @@ fn using_token_updates_last_used_at() {
     assert_none!(token.as_model().last_used_at);
 
     // Use the token once
-    token.search("");
+    token.search("following=1");
 
     let token: ApiToken =
         app.db(|conn| assert_ok!(ApiToken::belonging_to(user.as_model()).first(conn)));