auth: Refactor how authentication methods are passed to server/auth library.

milo/appengine/common/middleware.go

Index: milo/appengine/common/middleware.go
diff --git a/milo/appengine/common/middleware.go b/milo/appengine/common/middleware.go
index daef78d87690eb9cab334f9cff9f673c2a3beeb2..1a71768fc6196e545de59d5155774379d5377f52 100644
--- a/milo/appengine/common/middleware.go
+++ b/milo/appengine/common/middleware.go
@@ -56,15 +56,11 @@ func GetTemplateBundle() *templates.Bundle {
 
 // Base returns the basic LUCI appengine middlewares.
 func Base() router.MiddlewareChain {
-	methods := auth.Authenticator{
-		&server.OAuth2Method{Scopes: []string{server.EmailScope}},
-		server.CookieAuth,
-		&server.InboundAppIDAuthMethod{},
-	}
-	m := gaemiddleware.BaseProd().Extend(auth.Use(methods), auth.Authenticate)
-	m = m.Extend(withRequestMiddleware)
-	m = m.Extend(templates.WithTemplates(GetTemplateBundle()))
-	return m
+	return gaemiddleware.BaseProd().Extend(
+		auth.Authenticate(server.CookieAuth),

[Vadim Sh., 2017/04/19 02:40:12]

I think this should be fine:
1. I removed OAuth2Method. It means Milo HTML pages can't be accessed with
OAuth2 access token anymore. But this fine, because no one should be using
OAuth2 to fetch HTML pages. Note that pRPC server uses its own authentication
(which is always OAuth2, see gaeauth/server/prpc.go).
2. I removed InboundAppIDAuthMethod. It used for GAE<->GAE communication. We
should be using OAuth2 in this case (it will work even when we switch to Flex).

[hinoka, 2017/04/19 18:37:10]

Acknowledged.  That sounds right.

+		withRequestMiddleware,
+		templates.WithTemplates(GetTemplateBundle()),
+	)
 }
 
 // The context key, so that we can embed the http.Request object into