[11.x] Calling throttleApi() as-is throws an exception for authenticated users #50931
Comments
Heya, thanks for reporting. We'll need more info and/or code to debug this further. Can you please create a repository with the command below, commit the code that reproduces the issue as one separate commit on the main/master branch and share the repository here? Please make sure that you have the latest version of the Laravel installer in order to run this command. Please also make sure you have both Git & the GitHub CLI tool properly set up.

`laravel new bug-report --github="--public"`

Please do not amend and create a separate commit with your custom changes. After you've posted the repository, we'll try to reproduce the issue. Thanks!
@driesvints Here you go: https://github.com/Propaganistas/laravel-bugreport-50931 While composing the repository I realized that the combination of an undefined named limiter, an authenticated user and
Thanks @Propaganistas. Do you know what the value of
its value is If If missing attributes are allowed, that line resolves to
What's odd to me is that this feature just doesn't seem documented at all. What's extra odd is indeed the quirk that you mention that it defaults to zero when the result is I think one thing we absolutely need to fix is to check if the attribute exists on line 185 and if not, skip the if contents. But the
Just FYI, this is how I think this method should look:

```php
// Requires `use LogicException;` in the class file's imports.

/**
 * Resolve the number of attempts if the user is authenticated or not.
 *
 * @param  \Illuminate\Http\Request  $request
 * @param  int|string  $maxAttempts
 * @return int
 */
protected function resolveMaxAttempts($request, $maxAttempts)
{
    // "60|120" style values: the first number applies to guests, the second to authenticated users.
    if (str_contains($maxAttempts, '|')) {
        $maxAttempts = explode('|', $maxAttempts, 2)[$request->user() ? 1 : 0];
    }

    // Any remaining non-numeric value is treated as the name of an attribute on the user model;
    // only read it when the user is authenticated and the attribute actually exists.
    if (! is_numeric($maxAttempts)) {
        if ($request->user() && $request->user()->hasAttribute($maxAttempts)) {
            $maxAttempts = $request->user()->{$maxAttempts};
        } else {
            throw new LogicException("The max attempts rate limiter key '$maxAttempts' is not defined on the user model.");
        }
    }

    return (int) $maxAttempts;
}
```
PR already open for this: #50908
Laravel Version: 11
PHP Version: 8.3.4
Description

Laravel 11 dropped the default `api` rate limiter. But when calling `throttleApi()` when configuring middleware in `bootstrap/app.php`, the default limiter is set to `api`.

framework/src/Illuminate/Foundation/Configuration/Middleware.php, line 678 in 29acd21

If you didn't define the limiter yourself, the throttle middleware will try to wire up a limiter. If the route is accessed by an authenticated user, it'll encounter a string (`api`), so it thinks it's a user attribute and an exception gets thrown which is not pointing to throttling at all (has already been reported in #50818).

framework/src/Illuminate/Routing/Middleware/ThrottleRequests.php, lines 185 to 187 in 29acd21

So in this fairly trivial use case the application blows up because of a default argument.

Shouldn't the max attempts resolver check for existence of a property/attribute on the user before trying to return it? Or perhaps a more descriptive exception can be thrown? Or re-add the default `api` limiter? Or make an explicit note in the docs about this?

Happy to create a PR if a direction gets chosen.
Steps To Reproduce
Spin up a new 11.x application, configure throttling without any arguments, and call an api route when authenticated.
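The configuration that avoids the failure mode the issue describes, as an added example that is not code from the issue thread or from the framework: `bootstrap/app.php` keeps the reporter's `$middleware->throttleApi();` call unchanged (that registers `throttle:api` on the api middleware group), and the `api` named limiter that Laravel 11 no longer ships is defined explicitly in the application's service provider, so `ThrottleRequests` resolves the limiter by name and never reaches the path that parses the string `api` as a max-attempts value or user attribute. The limit itself (60 requests per minute, keyed by user id for authenticated requests and by client IP for guests) is an assumption; the file layout is the standard Laravel 11 skeleton.

```php
<?php
// app/Providers/AppServiceProvider.php (added example, not the project's own file)

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // throttleApi() in bootstrap/app.php registers `throttle:api`. The
        // ThrottleRequests middleware looks that name up in the RateLimiter on
        // every request; when nothing is registered under `api`, it falls
        // through to resolving `api` as a max-attempts value, which is the
        // path that throws for authenticated users.
        RateLimiter::for('api', function (Request $request) {
            // Keyed per user for authenticated requests and per client IP for
            // guests, so one account cannot consume the budget of every client
            // behind a shared IP and vice versa. 60/min is an assumed value.
            return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
        });
    }
}
```

To confirm the limiter is registered before hitting an api route, `php artisan tinker --execute="var_dump(app(Illuminate\Cache\RateLimiter::class)->limiter('api'));"` dumps the closure when it is defined and `NULL` when it is missing. The same check is worth running for any custom name passed to `throttleApi('name')`, because the fallback the issue describes is triggered by every limiter name that is not defined, not only by `api`.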