Simplify password attempts rate limiting

Signed-off-by: snipe <snipe@snipe.net>
2025-02-21 03:15:45 -08:00 · 2022-06-22 09:11:24 -07:00 · 2022-06-22 09:11:24 -07:00 · a7dc6162fa
parent 18778d3723
commit a7dc6162fa
4 changed files with 19 additions and 12 deletions
--- a/.env.example
+++ b/.env.example
@ -152,7 +152,7 @@ LOGIN_LOCKOUT_DURATION=60
 # --------------------------------------------
 RESET_PASSWORD_LINK_EXPIRES=15
 PASSWORD_CONFIRM_TIMEOUT=10800
-PASSWORD_RESET_MAX_ATTEMPTS_PER_MIN=30
+PASSWORD_RESET_MAX_ATTEMPTS_PER_MIN=50
 # --------------------------------------------
 # OPTIONAL: MISC
--- a/app/Providers/RouteServiceProvider.php
+++ b/app/Providers/RouteServiceProvider.php
@ -75,12 +75,22 @@ class RouteServiceProvider extends ServiceProvider
    /**
     * Configure the rate limiters for the application.
     *
     * https://laravel.com/docs/8.x/routing#rate-limiting
     *
     * @return void
     */
    protected function configureRateLimiting()
    {
        // Rate limiter for API calls
        RateLimiter::for('api', function (Request $request) {
-            return Limit::perMinute(60)->by(optional($request->user())->id ?: $request->ip());
+            return Limit::perMinute(config('app.api_throttle_per_minute'))->by(optional($request->user())->id ?: $request->ip());
        });
        // Rate limiter for forgotten password requests
        RateLimiter::for('forgotten_password', function (Request $request) {
            return Limit::perMinute(config('auth.password_reset.max_attempts_per_min'))->by(optional($request->user())->id ?: $request->ip());
        });
    }
 }
--- a/config/auth.php
+++ b/config/auth.php
@ -114,10 +114,7 @@ return [
    |
    */
    'password_reset' => [
-        'throttle' => [
+       'max_attempts_per_min' => env('PASSWORD_RESET_MAX_ATTEMPTS_PER_MIN', 50),
            'max_attempts' => env('PASSWORD_MAX_ATTEMPTS', 30),
            'lockout_duration' => env('PASSWORD_LOCKOUT_DURATION', 60),
        ],
    ],
@ -133,6 +130,6 @@ return [
    |
    */
-    'password_timeout' => 10800,
+    'password_timeout' =>  env('PASSWORD_CONFIRM_TIMEOUT', 10800),
 ];
--- a/routes/web.php
+++ b/routes/web.php
@ -426,25 +426,25 @@ Route::group(['middleware' => 'web'], function () {
    Route::post(
        'two-factor',
        [LoginController::class, 'postTwoFactorAuth']
-    )->middleware('throttle:'.config('auth.password_reset.throttle.max_attempts').','.config('auth.password_reset.throttle.lockout_duration'));
+    );
    Route::post(
        'password/email',
        [ForgotPasswordController::class, 'sendResetLinkEmail']
-    )->name('password.email')->middleware('throttle:'.config('auth.password_reset.throttle.max_attempts').','.config('auth.password_reset.throttle.lockout_duration'));
+    )->name('password.email')->middleware('throttle:forgotten_password');
    Route::get(
        'password/reset',
        [ForgotPasswordController::class, 'showLinkRequestForm']
-    )->name('password.request')->middleware('throttle:'.config('auth.password_reset.throttle.max_attempts').','.config('auth.password_reset.throttle.lockout_duration'));
+    )->name('password.request')->middleware('throttle:forgotten_password');
    Route::post(
        'password/reset',
        [ResetPasswordController::class, 'reset']
-    )->name('password.update')->middleware('throttle:'.config('auth.password_reset.throttle.max_attempts').','.config('auth.password_reset.throttle.lockout_duration'));
+    )->name('password.update')->middleware('throttle:forgotten_password');
    Route::get(
        'password/reset/{token}',
@ -455,7 +455,7 @@ Route::group(['middleware' => 'web'], function () {
    Route::post(
        'password/email',
        [ForgotPasswordController::class, 'sendResetLinkEmail']
-    )->name('password.email')->middleware('throttle:'.config('auth.password_reset.throttle.max_attempts').','.config('auth.password_reset.throttle.lockout_duration'));
+    )->name('password.email')->middleware('throttle:forgotten_password');