If I have two routes:
Route::get('/setup', 'SetupController@index');
Route::post('/setup', 'SetupController@store');
In the SetupController@index I do some checks, for example I check if the user is authenticated. But there are some more rules there that I check.
Should I perform the same checks on the post route too?
Is there any way someone could hit that post route without hitting the get route first? (for example posting in url http://domain/setup?password=1234)
So I guess what I am asking is:
Do I need to wrap the two routes in a middleware and do checks on each of them, or is it enough to check on the get route?
Yes, you need to wrap both routes in the middleware.
Someone can open any page (login, for example) and edit the HTML to make a form that points to /setup and put whatever he wants in it.
Sure, that someone needs to know the architecture of the form to do this, but it's a risk nonetheless.
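
One way to apply the answer above, as an added example that is not code from either poster: both routes sit in one middleware group, so the checks run on the POST as well as the GET. The `EnsureSetupAllowed` class and the `app.setup_completed` config key are hypothetical stand-ins for the "more rules" the question mentions; `auth` is Laravel's built-in authentication middleware.

```php
<?php
// Added example. In a real application the two namespace blocks below
// live in separate files; they share one file here only for display.

namespace App\Http\Middleware {      // app/Http/Middleware/EnsureSetupAllowed.php

    use Closure;
    use Illuminate\Http\Request;

    // Hypothetical middleware holding the extra rules that were
    // previously checked only inside SetupController@index.
    class EnsureSetupAllowed
    {
        // Runs for every request to a route that lists this middleware,
        // whatever the HTTP verb and whatever page the request came from.
        public function handle(Request $request, Closure $next)
        {
            // Hypothetical rule: setup may only be run once.
            if (config('app.setup_completed')) {
                abort(403, 'Setup has already been completed.');
            }

            return $next($request);
        }
    }
}

namespace {                          // routes/web.php

    use App\Http\Middleware\EnsureSetupAllowed;
    use Illuminate\Support\Facades\Route;

    // Each route is matched and dispatched on its own, so the checks are
    // attached to the group and cover the GET and the POST alike.
    Route::middleware(['auth', EnsureSetupAllowed::class])->group(function () {
        Route::get('/setup', 'SetupController@index');   // shows the form
        Route::post('/setup', 'SetupController@store');  // processes it
    });
}
```

A POST sent straight to /setup, without the form ever being loaded, passes through the same two middleware before `SetupController@store` runs.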