From 21a690c6dd0e1b236769b936a72d938395f523af Mon Sep 17 00:00:00 2001
From: Deon George
Date: Sat, 26 Apr 2025 15:48:27 +1000
Subject: [PATCH] Move our /api routes into /ajax under web.php. The /api routes werent authenticated and may not have been using the logged in users details
---
 .../{APIController.php => AjaxController.php} | 2 +-
 app/Http/Middleware/AllowAnonymous.php | 4 +++-
 bootstrap/app.php | 10 +-------
 public/js/custom.js | 4 ++--
 .../attribute/widget/options.blade.php | 4 ++--
 resources/views/frames/schema.blade.php | 2 +-
 routes/api.php | 23 -------------------
 routes/web.php | 13 +++++++++--
 8 files changed, 21 insertions(+), 41 deletions(-)
 rename app/Http/Controllers/{APIController.php => AjaxController.php} (98%)
 delete mode 100644 routes/api.php
diff --git a/app/Http/Controllers/APIController.php b/app/Http/Controllers/AjaxController.php
similarity index 98%
rename from app/Http/Controllers/APIController.php
rename to app/Http/Controllers/AjaxController.php
index a1ed3027..6d17eeb8 100644
--- a/app/Http/Controllers/APIController.php
+++ b/app/Http/Controllers/AjaxController.php
@@ -10,7 +10,7 @@ use Illuminate\Support\Collection;
 use App\Classes\LDAP\Server;
-class APIController extends Controller
+class AjaxController extends Controller
 {
 /**
 * Get the LDAP server BASE DNs
diff --git a/app/Http/Middleware/AllowAnonymous.php b/app/Http/Middleware/AllowAnonymous.php
index cd94a106..8b0514ee 100644
--- a/app/Http/Middleware/AllowAnonymous.php
+++ b/app/Http/Middleware/AllowAnonymous.php
@@ -17,7 +17,9 @@ class AllowAnonymous
 */
 public function handle(Request $request,Closure $next): mixed
 {
- if (((! Cookie::has('username_encrypt')) || (! Cookie::has('password_encrypt'))) && (! config('pla.allow_guest',FALSE)))
+ if ((! config('pla.allow_guest',FALSE))
+ && ($request->path() !== 'login')
+ && ((! Cookie::has('username_encrypt')) || (! Cookie::has('password_encrypt'))))
 return redirect()
 ->to('/login');
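Review bot: The `redirect()->to('/login')` that this hunk now guards with `$request->path() !== 'login'` is also the answer the relocated `/ajax` endpoints will give when the credential cookies are absent, because bootstrap/app.php appends this middleware to the `web` group; a `$.ajax` caller then follows the 302 and receives the login HTML instead of data, and custom.js would presumably feed that page to fancytree as tree nodes. Answer XHR callers with a status before the redirect, e.g. `if ($request->ajax()) return response()->json(['error' => 'Unauthenticated'], 401);` (jQuery sets `X-Requested-With`, which is what `ajax()` tests). The login exemption compares the raw path string; `! $request->is('login')` is the usual Laravel idiom and states the intent more clearly. `handle()` continues past the end of the hunk, so what follows the redirect is not visible here.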
diff --git a/bootstrap/app.php b/bootstrap/app.php
index ae392e66..3939d696 100644
--- a/bootstrap/app.php
+++ b/bootstrap/app.php
@@ -1,6 +1,5 @@ withRouting(
 web: __DIR__.'/../routes/web.php',
-api: __DIR__.'/../routes/api.php',
 commands: __DIR__.'/../routes/console.php',
 health: '/up',
 )
@@ -18,19 +16,13 @@ return Application::configure(basePath: dirname(__DIR__))
 $middleware->appendToGroup(
 group: 'web',
 middleware: [
+AllowAnonymous::class,
 ApplicationSession::class,
 SwapinAuthUser::class,
 ViewVariables::class,
 CheckUpdate::class,
 ]);
-$middleware->prependToGroup('api', [
-EncryptCookies::class,
-ApplicationSession::class,
-SwapinAuthUser::class,
-AllowAnonymous::class,
-]);
-
 $middleware->trustProxies(at: [
 '10.0.0.0/8',
 '127.0.0.0/8',
diff --git a/public/js/custom.js b/public/js/custom.js
index 75c1af3f..73187ac9 100644
--- a/public/js/custom.js
+++ b/public/js/custom.js
@@ -59,7 +59,7 @@ $(document).ready(function() {
 if (typeof basedn !== 'undefined') {
 sources = basedn;
 } else {
- sources = { url: 'api/bases' };
+ sources = { url: 'ajax/bases' };
 }
 // Attach the fancytree widget to an existing
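Review bot: `AllowAnonymous::class` is appended to the `web` group ahead of `ApplicationSession` and `SwapinAuthUser`, whereas the deleted `api` stack ran it last, after both; if the redirect decision only reads the `username_encrypt`/`password_encrypt` cookies, as the AllowAnonymous hunk suggests, the order is harmless, but if `SwapinAuthUser` is what establishes the user it should be confirmed that nothing in this middleware depends on it. routes/web.php still imports `AllowAnonymous`, so any route there that attaches it individually now has it applied both by the group and by the route; those per-route attachments can be dropped once the group applies it. A one-line comment above the entry, `// Runs for every web route; /login is exempted inside the middleware itself`, would save the next reader from looking for an except-list here.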
element
@@ -95,7 +95,7 @@ $(document).ready(function() {
 source: sources,
 lazyLoad: function(event,data) {
 data.result = {
- url: '/api/children',
+ url: '/ajax/children',
 data: {key: data.node.data.item,depth: 1}
 };
diff --git a/resources/views/components/attribute/widget/options.blade.php b/resources/views/components/attribute/widget/options.blade.php
index e3cde68a..d15fbc51 100644
--- a/resources/views/components/attribute/widget/options.blade.php
+++ b/resources/views/components/attribute/widget/options.blade.php
@@ -91,7 +91,7 @@
 // Get a list of attributes already on the page, so we dont double up
 $.ajax({
 method: 'POST',
- url: '{{ url('api/schema/objectclass/attrs') }}/'+item,
+ url: '{{ url('ajax/schema/objectclass/attrs') }}/'+item,
 cache: false,
 success: function(data) {
 // Render any must attributes
@@ -156,7 +156,7 @@
 $.ajax({
 method: 'POST',
- url: '{{ url('api/schema/objectclass/attrs') }}/'+item,
+ url: '{{ url('ajax/schema/objectclass/attrs') }}/'+item,
 cache: false,
 success: function(data) {
 var attrs = [];
diff --git a/resources/views/frames/schema.blade.php b/resources/views/frames/schema.blade.php
index 68eeabbe..6f9fae5f 100644
--- a/resources/views/frames/schema.blade.php
+++ b/resources/views/frames/schema.blade.php
@@ -58,7 +58,7 @@
 return false;
 $.ajax({
- url: '{{ url('api/schema/view') }}',
+ url: '{{ url('ajax/schema/view') }}',
 method: 'POST',
 data: { type: type },
 dataType: 'html',
diff --git a/routes/api.php b/routes/api.php
deleted file mode 100644
index 6af785b3..00000000
--- a/routes/api.php
+++ /dev/null
@@ -1,23 +0,0 @@ -group(function() {
- Route::get('bases','bases');
- Route::get('children','children');
- Route::post('schema/view','schema_view');
- Route::post('schema/objectclass/attrs/{id}','schema_objectclass_attrs');
-});
\ No newline at end of file
diff --git a/routes/web.php b/routes/web.php
index 02b66e68..09021292 100644
--- a/routes/web.php
+++ b/routes/web.php
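Review bot: Both `$.ajax` POSTs in options.blade.php, and the one in resources/views/frames/schema.blade.php, now resolve to routes under routes/web.php and so pass through the `web` middleware group, which in Laravel includes `VerifyCsrfToken`; neither call in these hunks sends `_token` or an `X-CSRF-TOKEN` header, so unless a global `$.ajaxSetup` in custom.js supplies one these requests will be rejected with 419 where the old `api` group accepted them. The URL is also built as `'{{ url('ajax/schema/objectclass/attrs') }}/'+item` with `item` concatenated raw; a value containing `/`, `?` or `#` would alter the route, so use `'/'+encodeURIComponent(item)` on both lines. The enclosing `$.ajax` blocks begin and end outside the hunks.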
@@ -2,7 +2,7 @@
 use Illuminate\Support\Facades\Route;
-use App\Http\Controllers\HomeController;
+use App\Http\Controllers\{AjaxController,HomeController};
 use App\Http\Controllers\Auth\LoginController;
 use App\Http\Middleware\AllowAnonymous;
@@ -57,4 +57,13 @@ Route::controller(HomeController::class)->group(function() {
 Route::view('modal/export/{dn}','modals.entry-export');
 Route::view('modal/userpassword-check/{dn}','modals.entry-userpassword-check');
 });
-});
\ No newline at end of file
+});
+
+Route::controller(AjaxController::class)
+ ->prefix('ajax')
+ ->group(function() {
+ Route::get('bases','bases');
+ Route::get('children','children');
+ Route::post('schema/view','schema_view');
+ Route::post('schema/objectclass/attrs/{id}','schema_objectclass_attrs');
+ });
\ No newline at end of file
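Review bot: The new `Route::controller(AjaxController::class)->prefix('ajax')` group carries no comment recording why these endpoints left routes/api.php, which is the whole reason for the commit, so a reader of web.php alone will not see it. Suggest above `Route::controller(AjaxController::class)`: `// XHR endpoints used by the UI: kept in web.php so the 'web' stack (session, cookies, AllowAnonymous) applies and the caller is the logged-in user.` The file still ends without a newline (`\ No newline at end of file` after the final `+ });`), and this rewrite of the last lines was the natural place to fix that. `{id}` on the `schema/objectclass/attrs` route is unconstrained; if it is expected to be an objectclass name, a `->where('id', ...)` constraint would let the router reject anything else before the controller runs.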