From b985b8e63cbd4a13d746a4030049aff510d42b0d Mon Sep 17 00:00:00 2001
From: Peter Ivanov <peter@microweber.com>
Date: Wed, 29 Jun 2022 18:18:49 +0300
Subject: [PATCH] update

---
 src/MicroweberPackages/User/routes/api.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/MicroweberPackages/User/routes/api.php b/src/MicroweberPackages/User/routes/api.php
index 25cb069ad77..baadf979fe2 100644
--- a/src/MicroweberPackages/User/routes/api.php
+++ b/src/MicroweberPackages/User/routes/api.php
@@ -99,7 +99,9 @@
     ->group(function () {
 
     Route::post('login', 'UserLoginController@login')->name('login')->middleware(['allowed_ips','throttle:60,1']);
-    Route::any('logout', 'UserLoginController@logout')->name('logout');
+    Route::any('logout', 'UserLoginController@logout')->name('logout')->excludedMiddleware(
+        \MicroweberPackages\App\Http\Middleware\XSS::class
+    );
     Route::post('register', 'UserRegisterController@register')->name('register')->middleware(['allowed_ips']);
 
     Route::post('/forgot-password', 'UserForgotPasswordController@send')
@@ -121,7 +123,14 @@
     ->namespace('\MicroweberPackages\User\Http\Controllers\Api')
     ->group(function () {
 
-        Route::get('/logout', '\MicroweberPackages\User\Http\Controllers\UserLogoutController@index')->name('api.logout');
+        Route::get('/logout', '\MicroweberPackages\User\Http\Controllers\UserLogoutController@index')->name('api.logout')
+            ->middleware([
+                \MicroweberPackages\App\Http\Middleware\VerifyCsrfToken::class,
+                \MicroweberPackages\App\Http\Middleware\SameSiteRefererMiddleware::class
+            ])
+            ->excludedMiddleware(
+           'api'
+        );;
 
         Route::apiResource('user', 'UserApiController');
     });