refactor: 优化ApiKeyFilter的执行流程

backend/src/main/java/io/metersphere/security/ApiKeyFilter.java

@@ -15,7 +15,16 @@ public class ApiKeyFilter extends AnonymousFilter {
 
     @Override
     protected boolean onPreHandle(ServletRequest request, ServletResponse response, Object mappedValue) {
-        try {
+        // 不是apikey的通过
+        if (!ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request))) {
+            String id = (String) SecurityUtils.getSubject().getSession().getId();
+            // 防止调用时使用 ak 作为 cookie 跳过登入逻辑
+            if (id.length() < 20) {
+                SecurityUtils.getSubject().logout();
+            }
+            return true;
+        }
+        // apikey 验证
         if (!SecurityUtils.getSubject().isAuthenticated()) {
             String userId = ApiKeyHandler.getUser(WebUtils.toHttp(request));
             if (StringUtils.isNotBlank(userId)) {
@@ -24,28 +33,11 @@ public class ApiKeyFilter extends AnonymousFilter {
                 }
                 SecurityUtils.getSubject().login(new MsUserToken(userId, ApiKeySessionHandler.random, "LOCAL"));
             }
-            } else {
-                if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request))) {
-                    String userId = ApiKeyHandler.getUser(WebUtils.toHttp(request));
-                    SecurityUtils.getSubject().login(new MsUserToken(userId, ApiKeySessionHandler.random, "LOCAL"));
-                } else {
-                    String id = (String) SecurityUtils.getSubject().getSession().getId();
-                    // 防止调用时使用 ak 作为 cookie 跳过登入逻辑
-                    if (id.length() < 20) {
-                        SecurityUtils.getSubject().logout();
         }
-                }
+        // 登录之后验证
-            }
-
         if (!SecurityUtils.getSubject().isAuthenticated()) {
             ((HttpServletResponse) response).setHeader(SessionConstants.AUTHENTICATION_STATUS, SessionConstants.AUTHENTICATION_INVALID);
         }
-        } catch (Exception e) {
-            if (ApiKeyHandler.isApiKeyCall(WebUtils.toHttp(request))) {
-                throw e;
-            }
-            LogUtil.getLogger().error("failed to handle single sign on..", e);
-        }
 
         return true;
     }