From b866ffea4e9750308322fd994f077c5f9567a663 Mon Sep 17 00:00:00 2001
From: Nico Stapelbroek
Date: Sat, 27 Jan 2018 22:22:31 +0100
Subject: [PATCH] Also whitelist the setup routes when enforcing auth

---
 .../Providers/RouteServiceProvider.php | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/app/Foundation/Providers/RouteServiceProvider.php b/app/Foundation/Providers/RouteServiceProvider.php
index e1a65a28..19ef0aa2 100644
--- a/app/Foundation/Providers/RouteServiceProvider.php
+++ b/app/Foundation/Providers/RouteServiceProvider.php
@@ -16,6 +16,8 @@ use CachetHQ\Cachet\Http\Middleware\Acceptable;
 use CachetHQ\Cachet\Http\Middleware\Authenticate;
 use CachetHQ\Cachet\Http\Middleware\Timezone;
 use CachetHQ\Cachet\Http\Routes\AuthRoutes;
+use CachetHQ\Cachet\Http\Routes\Setup\ApiRoutes;
+use CachetHQ\Cachet\Http\Routes\SetupRoutes;
 use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
 use Illuminate\Cookie\Middleware\EncryptCookies;
 use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
@@ -43,6 +45,15 @@ class RouteServiceProvider extends ServiceProvider
 */
 protected $namespace = 'CachetHQ\Cachet\Http\Controllers';
 
+ /**
+ * These are the route files that should always be available anonymously.
+ *
+ * When applying the always_authenticate feature, these routes will be skipped.
+ *
+ * @var string[]
+ */
+ protected $whitelistedAuthRoutes = [AuthRoutes::class, SetupRoutes::class, ApiRoutes::class];
+
 /**
 * Define the route model bindings, pattern filters, etc.
 *
@@ -129,7 +140,8 @@ class RouteServiceProvider extends ServiceProvider
 SubstituteBindings::class,
 ];
 
- if ($this->app['config']->get('setting.always_authenticate', false) && !$routes instanceof AuthRoutes) {
+ $applyAlwaysAuthenticate = $this->app['config']->get('setting.always_authenticate', false);
+ if ($applyAlwaysAuthenticate && !$this->isWhiteListedAuthRoute($routes)) {
 $middleware[] = Authenticate::class;
 }
 
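Review bot: In the `$whitelistedAuthRoutes` property added in the second hunk, the entry `ApiRoutes::class` means the setup API routes only because of the import `use CachetHQ\Cachet\Http\Routes\Setup\ApiRoutes;`; read on its own it looks as if the whole API were exempt from `Authenticate`. Importing it under an alias, `use CachetHQ\Cachet\Http\Routes\Setup\ApiRoutes as SetupApiRoutes;`, and listing `SetupApiRoutes::class` would make the exemption unambiguous. The docblock could also state that every route in a listed file is registered without `Authenticate` when `always_authenticate` is on, so each listed class has to carry its own access control; whether the setup routes are closed off once installation has finished is not visible in this patch and is worth confirming.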
@@ -159,4 +171,14 @@ class RouteServiceProvider extends ServiceProvider
 $routes->map($router);
 });
 }
+
+ private function isWhiteListedAuthRoute($route)
+ {
+ foreach ($this->whitelistedAuthRoutes as $whitelistedRoute) {
+ if(is_a($route, $whitelistedRoute)) {
+ return true;
+ }
+ }
+ return false;
+ }
 }
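Review bot: `is_a($route, $whitelistedRoute)` in `isWhiteListedAuthRoute()` also returns true for subclasses, so any route class that later extends one of the listed classes is exempted from `Authenticate` without appearing in `$whitelistedAuthRoutes`. For a list that switches authentication off, an exact class comparison fails closed: `return in_array(get_class($route), $this->whitelistedAuthRoutes, true);` can replace the loop, assuming `$route` is always an object, as the `instanceof` check this patch removes suggests. The method also has no docblock; one line stating that a true result means the route file is registered without the `Authenticate` middleware would help. Two style points: write `if (` with a space, and settle on one spelling, since the method says `WhiteListed` and the property says `whitelisted`.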