From 2f05ce4f9386373cea512982a173d0370aeb596a Mon Sep 17 00:00:00 2001
From: Barry O'Donovan
Date: Wed, 9 Jan 2019 21:14:02 +0000
Subject: [PATCH] Remove CSRF from API POST functions

---
 app/Http/Kernel.php | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index b2dd8d125..893322970 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -82,20 +82,26 @@ class Kernel extends HttpKernel {
  Middleware\ControllerEnabled::class,
  ],
 
- 'public/api/v4' => [
- 'web',
+ 'apibase' => [
+ Middleware\EncryptCookies::class,
+ AddQueuedCookiesToResponse::class,
+ StartSession::class,
+ ShareErrorsFromSession::class,
+ SubstituteBindings::class,
+ Middleware\ControllerEnabled::class,
  'throttle:60,1',
  'bindings',
- 'apimaybeauth',
  Middleware\ControllerEnabled::class,
  ],
 
+ 'public/api/v4' => [
+ 'apibase',
+ 'apimaybeauth',
+ ],
+
  'api/v4' => [
- 'web',
- 'throttle:60,1',
- 'bindings',
+ 'apibase',
  'apiauth',
- Middleware\ControllerEnabled::class,
  ],
 
  'd2frontend' => [
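Review bot: The new `apibase` group still runs `StartSession::class` and `Middleware\EncryptCookies::class` but no longer carries the CSRF check that the `web` group presumably supplied (`VerifyCsrfToken` in a stock Laravel kernel), so any state-changing `api/v4` or `public/api/v4` request that `apiauth` / `apimaybeauth` will authorise from the browser session cookie alone loses its forgery protection; neither middleware is visible in this hunk, so confirm whether they accept session authentication. If they do, skip the token check only for requests that present an API key rather than for the whole group, and record the decision above the group, e.g. `// No VerifyCsrfToken here: state-changing API calls must authenticate with an API key, not the session cookie`. Separately, `apibase` now lists `Middleware\ControllerEnabled::class` twice (the added line and the retained one after `'bindings'`) and has `SubstituteBindings::class` next to `'bindings'`, which is normally an alias for the same class; the added `SubstituteBindings::class,` and `Middleware\ControllerEnabled::class,` lines can be dropped. The `$middlewareGroups` array begins and ends outside the hunk.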