Setup Wizard middleware implemented

routes/setup.php

@@ -1,5 +1,6 @@
 <?php
 
+use Domain\SetupWizard\Controllers\CreateAdminAccountController;
 use Domain\SetupWizard\Controllers\StorePlansController;
 use Domain\SetupWizard\Controllers\StoreBillingsController;
 use Domain\SetupWizard\Controllers\StoreAppSettingsController;
@@ -8,11 +9,15 @@ use Domain\SetupWizard\Controllers\StoreDatabaseCredentialsController;
 use Domain\SetupWizard\Controllers\StoreEnvironmentSettingsController;
 use Domain\SetupWizard\Controllers\StoreSubscriptionServiceCredentialsController;
 
-// TODO: create middleware for setup wizard protection after successful installation
-Route::post('/stripe-credentials', StoreSubscriptionServiceCredentialsController::class);
-Route::post('/environment-setup', StoreEnvironmentSettingsController::class);
-Route::post('/database', StoreDatabaseCredentialsController::class);
-Route::post('/purchase-code', VerifyPurchaseCodeController::class);
-Route::post('/stripe-billings', StoreBillingsController::class);
-Route::post('/app-setup', StoreAppSettingsController::class);
-Route::post('/stripe-plans', StorePlansController::class);
+Route::group(['prefix' => 'api/setup'], function () {
+    Route::post('/stripe-credentials', StoreSubscriptionServiceCredentialsController::class);
+    Route::post('/environment-setup', StoreEnvironmentSettingsController::class);
+    Route::post('/database', StoreDatabaseCredentialsController::class);
+    Route::post('/purchase-code', VerifyPurchaseCodeController::class);
+    Route::post('/stripe-billings', StoreBillingsController::class);
+    Route::post('/app-setup', StoreAppSettingsController::class);
+    Route::post('/stripe-plans', StorePlansController::class);
+});
+
+Route::post('/admin-setup', CreateAdminAccountController::class)
+    ->middleware('web');

routes/web.php

@@ -5,12 +5,8 @@ use Domain\Invoices\Controllers\AdminInvoiceController;
 use Domain\Sharing\Controllers\SharePublicIndexController;
 use Domain\Sharing\Controllers\WebCrawlerOpenGraphController;
 use Domain\Subscriptions\Controllers\StripeWebhookController;
-use Domain\SetupWizard\Controllers\CreateAdminAccountController;
 use Domain\Localization\Controllers\CurrentLocalizationController;
 
-// Setup Wizard
-Route::post('/admin-setup', CreateAdminAccountController::class);
-
 // Subscription Services
 Route::post('/stripe/webhook', [StripeWebhookController::class, 'handleWebhook']);
 Route::get('/invoice/{customer}/{token}', [AdminInvoiceController::class, 'show'])->middleware(['auth:sanctum']);

src/App/Http/Kernel.php

@@ -1,7 +1,9 @@
 <?php
+
 namespace App\Http;
 
 use Fruitcake\Cors\HandleCors;
+use Support\Middleware\ProtectSetupWizardRoutes;
 use Support\Middleware\TrimStrings;
 use Support\Middleware\TrustProxies;
 use Support\Middleware\EncryptCookies;
@@ -73,5 +75,6 @@ class Kernel extends HttpKernel
         'signed'           => \Illuminate\Routing\Middleware\ValidateSignature::class,
         'throttle'         => \Illuminate\Routing\Middleware\ThrottleRequests::class,
         'verified'         => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
+        'setup-wizard'     => ProtectSetupWizardRoutes::class,
     ];
 }

src/App/Providers/RouteServiceProvider.php

@@ -108,8 +108,7 @@ class RouteServiceProvider extends ServiceProvider
 
     protected function mapSetupWizardApiRoutes()
     {
-        Route::prefix('api/setup')
-            ->middleware('api')
+        Route::middleware(['setup-wizard'])
             ->group(base_path('routes/setup.php'));
     }
 }

src/Support/Middleware/ProtectSetupWizardRoutes.php

@@ -0,0 +1,33 @@
+<?php
+
+namespace Support\Middleware;
+
+use Closure;
+use Doctrine\DBAL\Driver\PDOException;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+use Schema;
+
+class ProtectSetupWizardRoutes
+{
+    /**
+     * Prevent access for setup wizard controllers after initial app installation.
+     */
+    public function handle(Request $request, Closure $next): mixed
+    {
+        try {
+            // Check database connections
+            DB::getPdo();
+
+            // Get setup_wizard status
+            if (Schema::hasTable('settings') && get_setting('setup_wizard_success')) {
+                return response('Gone', 410);
+            }
+
+            return $next($request);
+
+        } catch (PDOException $e) {
+            return $next($request);
+        }
+    }
+}

tests/Domain/SetupWizard/SetupWizardTest.php

@@ -207,7 +207,7 @@ class SetupWizardTest extends TestCase
      */
     public function it_create_admin_account()
     {
-        $this->postJson('/admin-setup', [
+        $this->post('/admin-setup', [
             'email'                 => 'john@doe.com',
             'password'              => 'VerySecretPassword',
             'password_confirmation' => 'VerySecretPassword',
@@ -280,10 +280,10 @@ class SetupWizardTest extends TestCase
      */
     public function it_try_to_create_admin_account_after_setup_wizard_success()
     {
-        Setting::forceCreate([
-            'name'  => 'setup_wizard_success',
-            'value' => '1',
-        ]);
+        Setting::updateOrCreate(
+            ['name' => 'setup_wizard_success'],
+            ['value' => '1']
+        );
 
         $this->postJson('/admin-setup', [
             'email'                 => 'john@doe.com',