From 6b2032c68733707d538c6693e2eb833d7a413753 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sat, 4 Apr 2026 09:26:54 +0100
Subject: [PATCH] fix: exclude API routes from CSRF validation

POST endpoints on /v1/* were returning 419 CSRF mismatch because $event->routes() wraps routes in the web middleware group which includes ValidateCsrfToken. External clients (Blesta, curl) can't send CSRF tokens. withoutMiddleware() on /v1/* prefixes fixes this.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 app/Mod/Explorer/Boot.php | 5 ++++-
 app/Mod/Gateway/Boot.php | 5 ++++-
 app/Mod/Names/Boot.php | 5 ++++-
 app/Mod/Pool/Boot.php | 5 ++++-
 app/Mod/Proxy/Boot.php | 5 ++++-
 app/Mod/Trade/Boot.php | 5 ++++-
 6 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/app/Mod/Explorer/Boot.php b/app/Mod/Explorer/Boot.php
index f054a79..8e9b84a 100644
--- a/app/Mod/Explorer/Boot.php
+++ b/app/Mod/Explorer/Boot.php
@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace Mod\Explorer;
 use Core\Events\WebRoutesRegistering;
+use Illuminate\Foundation\Http\Middleware\ValidateCsrfToken;
 use Illuminate\Support\Facades\Route;
 class Boot
@@ -18,7 +19,9 @@ class Boot
 $event->views('explorer', __DIR__ . '/Views');
 $event->routes(function () {
 Route::prefix('explorer')->group(__DIR__ . '/Routes/web.php');
- Route::prefix('v1/explorer')->group(__DIR__ . '/Routes/api.php');
+ Route::prefix('v1/explorer')
+ ->withoutMiddleware(ValidateCsrfToken::class)
+ ->group(__DIR__ . '/Routes/api.php');
 });
 }
 }
diff --git a/app/Mod/Gateway/Boot.php b/app/Mod/Gateway/Boot.php
index a12be4b..79ee3b7 100644
--- a/app/Mod/Gateway/Boot.php
+++ b/app/Mod/Gateway/Boot.php
@@ -6,6 +6,7 @@ namespace Mod\Gateway;
 use Core\Events\FrameworkBooted;
 use Core\Events\WebRoutesRegistering;
+use Illuminate\Foundation\Http\Middleware\ValidateCsrfToken;
 use Illuminate\Support\Facades\Route;
 use Mod\Gateway\Services\GatewayRegistry;
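Review bot: In the second Explorer hunk, `->withoutMiddleware(ValidateCsrfToken::class)` drops only the CSRF check, so `v1/explorer` keeps the rest of the `web` group that the commit message says `$event->routes()` applies, which by default includes session and cookie handling. If any route in `Routes/api.php` accepts the session cookie as authentication, its POST endpoints lose cross-site request protection for logged-in browsers; the route files are not part of this patch, so that needs checking. A stateless registration such as `->withoutMiddleware('web')->middleware('api')` (assuming the app defines an `api` group), with token authentication on the group, would avoid the 419 without leaving cookie-authenticated routes unprotected. The same applies to the `v1/gateway`, `v1/names`, `v1/pool`, `v1/proxy` and `v1/trade` hunks. `onWebRoutes` begins outside this hunk.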
@@ -18,7 +19,9 @@ class Boot
 public function onWebRoutes(WebRoutesRegistering $event): void
 {
- $event->routes(fn () => Route::prefix('v1/gateway')->group(__DIR__ . '/Routes/api.php'));
+ $event->routes(fn () => Route::prefix('v1/gateway')
+ ->withoutMiddleware(ValidateCsrfToken::class)
+ ->group(__DIR__ . '/Routes/api.php'));
 }
 public function onFrameworkBooted(FrameworkBooted $event): void
diff --git a/app/Mod/Names/Boot.php b/app/Mod/Names/Boot.php
index 9c12959..a6a9cd1 100644
--- a/app/Mod/Names/Boot.php
+++ b/app/Mod/Names/Boot.php
@@ -6,6 +6,7 @@ namespace Mod\Names;
 use Core\Events\ConsoleBooting;
 use Core\Events\WebRoutesRegistering;
+use Illuminate\Foundation\Http\Middleware\ValidateCsrfToken;
 use Illuminate\Support\Facades\Route;
 use Mod\Names\Commands\RetryDnsTickets;
@@ -21,7 +22,9 @@ class Boot
 $event->views('names', __DIR__ . '/Views');
 $event->routes(function () {
 Route::prefix('names')->group(__DIR__ . '/Routes/web.php');
- Route::prefix('v1/names')->group(__DIR__ . '/Routes/api.php');
+ Route::prefix('v1/names')
+ ->withoutMiddleware(ValidateCsrfToken::class)
+ ->group(__DIR__ . '/Routes/api.php');
 });
 }
diff --git a/app/Mod/Pool/Boot.php b/app/Mod/Pool/Boot.php
index 846df99..057508b 100644
--- a/app/Mod/Pool/Boot.php
+++ b/app/Mod/Pool/Boot.php
@@ -6,6 +6,7 @@ namespace Mod\Pool;
 use Core\Events\FrameworkBooted;
 use Core\Events\WebRoutesRegistering;
+use Illuminate\Foundation\Http\Middleware\ValidateCsrfToken;
 use Illuminate\Support\Facades\Route;
 use Mod\Pool\Services\PoolClient;
@@ -20,7 +21,9 @@ class Boot
 {
 $event->routes(function () {
 Route::prefix('pool')->group(__DIR__ . '/Routes/web.php');
- Route::prefix('v1/pool')->group(__DIR__ . '/Routes/api.php');
+ Route::prefix('v1/pool')
+ ->withoutMiddleware(ValidateCsrfToken::class)
+ ->group(__DIR__ . '/Routes/api.php');
 });
 }
diff --git a/app/Mod/Proxy/Boot.php b/app/Mod/Proxy/Boot.php
index eba5a10..435b278 100644
--- a/app/Mod/Proxy/Boot.php
+++ b/app/Mod/Proxy/Boot.php
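Review bot: The `Route::prefix('v1/gateway')->withoutMiddleware(ValidateCsrfToken::class)->group(...)` chain in Gateway's `onWebRoutes` is repeated almost verbatim in every module Boot class this patch touches, so the CSRF exemption is now defined in six separate places. A module added later that omits it will return 419 again, and one that copies the chain onto a browser-facing prefix silently loses CSRF protection with nothing central to review. Consider one shared registration point for `/v1/*` routes, for example a small helper that takes the module prefix and the `api.php` path, so the exemption and whatever authenticates these routes are declared together.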
@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace Mod\Proxy;
 use Core\Events\WebRoutesRegistering;
+use Illuminate\Foundation\Http\Middleware\ValidateCsrfToken;
 use Illuminate\Support\Facades\Route;
 class Boot
@@ -15,6 +16,8 @@ class Boot
 public function onWebRoutes(WebRoutesRegistering $event): void
 {
- $event->routes(fn () => Route::prefix('v1/proxy')->group(__DIR__ . '/Routes/api.php'));
+ $event->routes(fn () => Route::prefix('v1/proxy')
+ ->withoutMiddleware(ValidateCsrfToken::class)
+ ->group(__DIR__ . '/Routes/api.php'));
 }
 }
diff --git a/app/Mod/Trade/Boot.php b/app/Mod/Trade/Boot.php
index a4f92ec..945e3d3 100644
--- a/app/Mod/Trade/Boot.php
+++ b/app/Mod/Trade/Boot.php
@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace Mod\Trade;
 use Core\Events\WebRoutesRegistering;
+use Illuminate\Foundation\Http\Middleware\ValidateCsrfToken;
 use Illuminate\Support\Facades\Route;
 class Boot
@@ -17,7 +18,9 @@ class Boot
 {
 $event->routes(function () {
 Route::prefix('trade')->group(__DIR__ . '/Routes/web.php');
- Route::prefix('v1/trade')->group(__DIR__ . '/Routes/api.php');
+ Route::prefix('v1/trade')
+ ->withoutMiddleware(ValidateCsrfToken::class)
+ ->group(__DIR__ . '/Routes/api.php');
 });
 }
 }
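Review bot: The reason `v1/trade` is exempt from CSRF is recorded only in the commit message, so a reader of Trade's `Boot.php` sees a security middleware being removed with no stated justification or precondition. A comment above the chain would keep the assumption next to the code, e.g. `// CSRF is disabled here because external API clients cannot send a token; routes in api.php must not authenticate via the session cookie.` The same comment fits the other five Boot classes changed in this patch. The method that encloses this closure starts outside the hunk.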