Move our /api routes into /ajax under web.php. The /api routes werent authenticated and may not have been using the logged in users details

app/Http/Controllers/AjaxController.php

@@ -10,7 +10,7 @@ use Illuminate\Support\Collection;
 
 use App\Classes\LDAP\Server;
 
-class APIController extends Controller
+class AjaxController extends Controller
 {
 	/**
 	 * Get the LDAP server BASE DNs

app/Http/Middleware/AllowAnonymous.php

@@ -17,7 +17,9 @@ class AllowAnonymous
 	 */
 	public function handle(Request $request,Closure $next): mixed
 	{
-		if (((! Cookie::has('username_encrypt')) || (! Cookie::has('password_encrypt'))) && (! config('pla.allow_guest',FALSE)))
+		if ((! config('pla.allow_guest',FALSE))
+			&& ($request->path() !== 'login')
+			&& ((! Cookie::has('username_encrypt')) || (! Cookie::has('password_encrypt'))))
 			return redirect()
 				->to('/login');