diff --git a/.env.example b/.env.example
index 4dac001202..bd65c1935f 100644
--- a/.env.example
+++ b/.env.example
@@ -152,7 +152,7 @@ LOGIN_LOCKOUT_DURATION=60
 # --------------------------------------------
 RESET_PASSWORD_LINK_EXPIRES=15
 PASSWORD_CONFIRM_TIMEOUT=10800
-PASSWORD_RESET_MAX_ATTEMPTS_PER_MIN=30
+PASSWORD_RESET_MAX_ATTEMPTS_PER_MIN=50
 # --------------------------------------------
 # OPTIONAL: MISC
diff --git a/app/Providers/RouteServiceProvider.php b/app/Providers/RouteServiceProvider.php
index 447f1bc300..90520738d0 100644
--- a/app/Providers/RouteServiceProvider.php
+++ b/app/Providers/RouteServiceProvider.php
@@ -75,12 +75,22 @@ class RouteServiceProvider extends ServiceProvider
 /**
 * Configure the rate limiters for the application.
 *
+ * https://laravel.com/docs/8.x/routing#rate-limiting
+ *
 * @return void
 */
 protected function configureRateLimiting()
 {
+
+ // Rate limiter for API calls
 RateLimiter::for('api', function (Request $request) {
- return Limit::perMinute(60)->by(optional($request->user())->id ?: $request->ip());
+ return Limit::perMinute(config('app.api_throttle_per_minute'))->by(optional($request->user())->id ?: $request->ip());
 });
+
+ // Rate limiter for forgotten password requests
+ RateLimiter::for('forgotten_password', function (Request $request) {
+ return Limit::perMinute(config('auth.password_reset.max_attempts_per_min'))->by(optional($request->user())->id ?: $request->ip());
+ });
+
 }
 }
diff --git a/config/auth.php b/config/auth.php
index 2bdcdb3e5b..7f580d68b1 100644
--- a/config/auth.php
+++ b/config/auth.php
@@ -114,10 +114,7 @@ return [
 |
 */
 'password_reset' => [
- 'throttle' => [
- 'max_attempts' => env('PASSWORD_MAX_ATTEMPTS', 30),
- 'lockout_duration' => env('PASSWORD_LOCKOUT_DURATION', 60),
- ],
+ 'max_attempts_per_min' => env('PASSWORD_RESET_MAX_ATTEMPTS_PER_MIN', 50),
 ],
@@ -133,6 +130,6 @@ return [
 |
 */
- 'password_timeout' => 10800,
+ 'password_timeout' => env('PASSWORD_CONFIRM_TIMEOUT', 10800),
 ];
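Review bot: Both new `Limit::perMinute()` calls in configureRateLimiting pass raw `config()` values, and neither the `app.api_throttle_per_minute` key nor an env default for it appears anywhere in this diff; if the key is absent `config()` yields `null`, which the `int $maxAttempts` parameter behind `Limit::perMinute()` rejects with a TypeError on every API request, and when it is present the `env()`-backed value arrives as a string and only works because the provider relies on coercive typing. Cast and default at the call sites — `Limit::perMinute((int) config('app.api_throttle_per_minute', 60))` and `Limit::perMinute((int) config('auth.password_reset.max_attempts_per_min', 50))` — or cast once in config/auth.php where the env is read. For the `forgotten_password` limiter the requester is normally a guest, so `optional($request->user())->id ?: $request->ip()` collapses to the client IP; consider also returning a second `Limit` keyed on the submitted email so reset mail to one account is bounded independently of the source address. The blank lines directly after `{` and before the closing `}` are against PSR-12 and can go.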
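Review bot: Dropping the `throttle` block in config/auth.php stops reading `PASSWORD_MAX_ATTEMPTS` and `PASSWORD_LOCKOUT_DURATION`, so an existing deployment that set either of them will silently fall back to the new default with no warning; call the rename out in the upgrade notes and add a line to the `.env.example` entry saying the old variables are no longer honoured. The default also moves from 30 to 50 attempts per minute per client, which loosens protection on the reset endpoints; if that is deliberate, the commit description should record why. The descriptive comment block that ends at the `| */` context above this hunk is outside the hunk, and if it still describes `max_attempts`/`lockout_duration` it should be reworded to describe `max_attempts_per_min` and the per-minute semantics.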
diff --git a/routes/web.php b/routes/web.php
index fbe02db911..7a6d8caa01 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -426,25 +426,25 @@ Route::group(['middleware' => 'web'], function () {
 Route::post(
 'two-factor',
 [LoginController::class, 'postTwoFactorAuth']
- )->middleware('throttle:'.config('auth.password_reset.throttle.max_attempts').','.config('auth.password_reset.throttle.lockout_duration'));
+ );
 Route::post(
 'password/email',
 [ForgotPasswordController::class, 'sendResetLinkEmail']
- )->name('password.email')->middleware('throttle:'.config('auth.password_reset.throttle.max_attempts').','.config('auth.password_reset.throttle.lockout_duration'));
+ )->name('password.email')->middleware('throttle:forgotten_password');
 Route::get(
 'password/reset',
 [ForgotPasswordController::class, 'showLinkRequestForm']
- )->name('password.request')->middleware('throttle:'.config('auth.password_reset.throttle.max_attempts').','.config('auth.password_reset.throttle.lockout_duration'));
+ )->name('password.request')->middleware('throttle:forgotten_password');
 Route::post(
 'password/reset',
 [ResetPasswordController::class, 'reset']
- )->name('password.update')->middleware('throttle:'.config('auth.password_reset.throttle.max_attempts').','.config('auth.password_reset.throttle.lockout_duration'));
+ )->name('password.update')->middleware('throttle:forgotten_password');
 Route::get(
 'password/reset/{token}',
@@ -455,7 +455,7 @@ Route::group(['middleware' => 'web'], function () {
 Route::post(
 'password/email',
 [ForgotPasswordController::class, 'sendResetLinkEmail']
- )->name('password.email')->middleware('throttle:'.config('auth.password_reset.throttle.max_attempts').','.config('auth.password_reset.throttle.lockout_duration'));
+ )->name('password.email')->middleware('throttle:forgotten_password');
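Review bot: The `two-factor` POST route loses its throttle middleware outright — the removed `->middleware('throttle:…')` line becomes a bare `);` — while the three password routes in the same hunk are moved to `throttle:forgotten_password`, so the second-factor code submission is left with no route-level rate limit. Unless `postTwoFactorAuth` or the login lockout hinted at by `LOGIN_LOCKOUT_DURATION` (neither visible here) enforces its own limit, keep a limiter on it: `)->middleware('throttle:forgotten_password');`, or better a dedicated named limiter, since a 2FA-code budget and a reset-mail budget need not share a number. Note also that `password.request` (GET, `showLinkRequestForm`) now shares the same IP-keyed bucket as the POST routes, so merely rendering the form consumes attempts from the same counter; if that is not intended, give it its own limiter. The enclosing `Route::group` closure starts and ends outside the hunk.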