From f2aff4303899825d0d40900665541ee614cb018a Mon Sep 17 00:00:00 2001
From: Phan An <me@phanan.net>
Date: Thu, 24 Aug 2023 00:10:36 +0200
Subject: [PATCH] fix: protect invitations route

---
 routes/api.base.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/routes/api.base.php b/routes/api.base.php
index 1936a47d..9c501b0c 100644
--- a/routes/api.base.php
+++ b/routes/api.base.php
@@ -52,12 +52,9 @@ Route::prefix('api')->middleware('api')->group(static function (): void {
     Route::get('ping', static fn () => null);
 
     Route::get('invitations', [UserInvitationController::class, 'get']);
-    Route::post('invitations', [UserInvitationController::class, 'invite']);
     Route::post('invitations/accept', [UserInvitationController::class, 'accept']);
 
     Route::middleware('auth')->group(static function (): void {
-        Route::delete('invitations', [UserInvitationController::class, 'revoke']);
-
         Route::post('broadcasting/auth', static function (Request $request) {
             $pusher = new Pusher(
                 config('broadcasting.connections.pusher.key'),
@@ -149,6 +146,9 @@ Route::prefix('api')->middleware('api')->group(static function (): void {
 
         Route::get('search', ExcerptSearchController::class);
         Route::get('search/songs', SongSearchController::class);
+
+        Route::post('invitations', [UserInvitationController::class, 'invite']);
+        Route::delete('invitations', [UserInvitationController::class, 'revoke']);
     });
 
     // Object-storage (S3) routes