Also whitelist the setup routes when enforcing auth

app/Foundation/Providers/RouteServiceProvider.php

@@ -16,6 +16,8 @@ use CachetHQ\Cachet\Http\Middleware\Acceptable;
 use CachetHQ\Cachet\Http\Middleware\Authenticate;
 use CachetHQ\Cachet\Http\Middleware\Timezone;
 use CachetHQ\Cachet\Http\Routes\AuthRoutes;
+use CachetHQ\Cachet\Http\Routes\Setup\ApiRoutes;
+use CachetHQ\Cachet\Http\Routes\SetupRoutes;
 use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
 use Illuminate\Cookie\Middleware\EncryptCookies;
 use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
@@ -43,6 +45,15 @@ class RouteServiceProvider extends ServiceProvider
      */
     protected $namespace = 'CachetHQ\Cachet\Http\Controllers';
 
+    /**
+     * These are the route files that should always be available anonymously.
+     *
+     * When applying the always_authenticate feature, these routes will be skipped.
+     *
+     * @var string[]
+     */
+    protected $whitelistedAuthRoutes = [AuthRoutes::class, SetupRoutes::class, ApiRoutes::class];
+
     /**
      * Define the route model bindings, pattern filters, etc.
      *
@@ -129,7 +140,8 @@ class RouteServiceProvider extends ServiceProvider
             SubstituteBindings::class,
         ];
 
-        if ($this->app['config']->get('setting.always_authenticate', false) && !$routes instanceof AuthRoutes) {
+        $applyAlwaysAuthenticate = $this->app['config']->get('setting.always_authenticate', false);
+        if ($applyAlwaysAuthenticate && !$this->isWhiteListedAuthRoute($routes)) {
             $middleware[] = Authenticate::class;
         }
 
@@ -159,4 +171,14 @@ class RouteServiceProvider extends ServiceProvider
             $routes->map($router);
         });
     }
+
+    private function isWhiteListedAuthRoute($route)
+    {
+        foreach ($this->whitelistedAuthRoutes as $whitelistedRoute) {
+            if(is_a($route, $whitelistedRoute)) {
+                return true;
+            }
+        }
+        return false;
+    }
 }