tweak how rate limiting is implemented

laravel · Dec 30, 2020 · 8609af2 · 8609af2
1 parent 0c7b533
commit 8609af2
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 2 deletions.
diff --git a/routes/routes.php b/routes/routes.php
@@ -29,6 +29,7 @@
     }
 
     $limiter = config('fortify.limiters.login');
+    $twoFactorLimiter = config('fortify.limiters.two-factor');
 
     Route::post('/login', [AuthenticatedSessionController::class, 'store'])
         ->middleware(array_filter([
@@ -126,7 +127,10 @@
         }
 
         Route::post('/two-factor-challenge', [TwoFactorAuthenticatedSessionController::class, 'store'])
-            ->middleware(['guest']);
+            ->middleware(array_filter([
+                'guest',
+                $twoFactorLimiter ? 'throttle:'.$twoFactorLimiter : null,
+            ]));
 
         $twoFactorMiddleware = Features::optionEnabled(Features::twoFactorAuthentication(), 'confirmPassword')
             ? ['auth', 'password.confirm']

diff --git a/stubs/FortifyServiceProvider.php b/stubs/FortifyServiceProvider.php
@@ -6,6 +6,8 @@
 use App\Actions\Fortify\ResetUserPassword;
 use App\Actions\Fortify\UpdateUserPassword;
 use App\Actions\Fortify\UpdateUserProfileInformation;
+use Illuminate\Cache\RateLimiting\Limit;
+use Illuminate\Support\Facades\RateLimiter;
 use Illuminate\Support\ServiceProvider;
 use Laravel\Fortify\Fortify;
 
@@ -32,5 +34,13 @@ public function boot()
         Fortify::updateUserProfileInformationUsing(UpdateUserProfileInformation::class);
         Fortify::updateUserPasswordsUsing(UpdateUserPassword::class);
         Fortify::resetUserPasswordsUsing(ResetUserPassword::class);
+
+        RateLimiter::for('login', function (Request $request) {
+            return Limit::perMinute(5)->by($request->email.$request->ip());
+        });
+
+        RateLimiter::for('two-factor', function (Request $request) {
+            return Limit::perMinute(5)->by($request->session()->get('login.id'));
+        });
     }
 }
diff --git a/stubs/fortify.php b/stubs/fortify.php
@@ -103,7 +103,8 @@
     */
 
     'limiters' => [
-        'login' => null,
+        'login' => 'login',
+        'two-factor' => 'two-factor',
     ],
 
     /*