From 5e50ed5ed06d87d3cf50b526bfeb6dbebe9fc26a Mon Sep 17 00:00:00 2001
From: dogukanoksuz
Date: Wed, 21 Feb 2024 08:22:40 +0000
Subject: [PATCH] fix: Add rate limiting for login and forgot password routes

---
 app/Providers/RouteServiceProvider.php | 24 +++++++++--------------
 routes/api.php | 4 ++--
 2 files changed, 11 insertions(+), 17 deletions(-)

diff --git a/app/Providers/RouteServiceProvider.php b/app/Providers/RouteServiceProvider.php
index 2594980e..5f1c91b4 100644
--- a/app/Providers/RouteServiceProvider.php
+++ b/app/Providers/RouteServiceProvider.php
@@ -2,7 +2,9 @@
 namespace App\Providers;
+use Illuminate\Cache\RateLimiting\Limit;
 use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
+use Illuminate\Support\Facades\RateLimiter;
 use Illuminate\Support\Facades\Route;
 /**
@@ -28,7 +30,13 @@ class RouteServiceProvider extends ServiceProvider
 */
 public function boot()
 {
- //
+ RateLimiter::for('login', function ($request) {
+ return Limit::perMinute(3)->by($request->email.$request->ip());
+ });
+
+ RateLimiter::for('forgot-password', function ($request) {
+ return Limit::perMinutes(5, 2)->by($request->email.$request->ip());
+ });
 parent::boot();
 }
@@ -73,18 +81,4 @@ protected function mapWebRoutes()
 ->namespace($this->namespace)
 ->group(base_path('routes/web.php'));
 }
-
- /**
- * Map extension developer routes
- *
- * This function registers extra routes that is coming from extension developer mode
- *
- * @return void
- */
- protected function mapExtensionDeveloperRoutes()
- {
- Route::namespace($this->namespace)
- ->middleware('web')
- ->group(base_path('routes/extension_developer.php'));
- }
 }
diff --git a/routes/api.php b/routes/api.php
index 83646de3..360b45c5 100644
--- a/routes/api.php
+++ b/routes/api.php
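Review bot: The limiter key `$request->email.$request->ip()` in the new `boot()` body is built from an unvalidated request field: this middleware runs before the controller validates input, so a body carrying `email` as an array (form `email[]=x` or a JSON array) likely trips an array-to-string conversion error that surfaces as a 500 instead of a limiter decision, and `User@Example.com` and `user@example.com` fall into separate buckets. Because the key now includes the e-mail, the purely per-IP ceiling that `throttle:5,2` gave `/login` before (routes/api.php hunk) is gone: one address can keep trying 3 per minute against every distinct e-mail it names. Returning an array of limits keeps a per-IP ceiling next to the per-account one; the `forgot-password` limiter below it uses the same key and should get the same construction. The closure parameter should also be typed as `Request $request`, which needs `use Illuminate\Http\Request;` added to the file's imports in the first hunk; the per-IP number in the excerpt is a constructed value to be tuned for the deployment.
```php
        RateLimiter::for('login', function (Request $request) {
            // Normalise the e-mail so case variants share one bucket, and tolerate a
            // non-string value (validation has not run yet when middleware executes).
            $email = $request->input('email');
            $key = (is_string($email) ? mb_strtolower($email) : '').'|'.$request->ip();

            return [
                Limit::perMinute(3)->by($key),
                // Per-IP ceiling so one client cannot spread attempts across many
                // e-mails; 10 is an illustrative value, not taken from the old config.
                Limit::perMinute(10)->by($request->ip()),
            ];
        });

        // … unchanged: forgot-password limiter (apply the same key construction) …
```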
@@ -26,13 +26,13 @@
 'prefix' => 'auth'
 ], function () {
 Route::post('/login', [AuthController::class, 'login'])
- ->middleware('throttle:5,2');
+ ->middleware('throttle:login');
 Route::post('/setup_mfa', [AuthController::class, 'setupTwoFactorAuthentication']);
 Route::post('/logout', [AuthController::class, 'logout']);
 Route::get('/user', [AuthController::class, 'userProfile']);
 Route::post('/change_password', [AuthController::class, 'forceChangePassword']);
 Route::post('/forgot_password', [AuthController::class, 'sendPasswordResetLink'])
- ->middleware('throttle:5,15');
+ ->middleware('throttle:forgot-password');
 Route::post('/reset_password', [AuthController::class, 'resetPassword']);
 });
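Review bot: The two changed `->middleware(...)` lines now name limiters instead of stating rates, so a reader of this route file can no longer see what is applied to `/login` and `/forgot_password` or what the key is; a one-line comment above the `/login` route such as `// 'login' and 'forgot-password' limiters are registered in RouteServiceProvider::boot()` keeps that discoverable. The swap also changes the key from the framework's per-IP default to e-mail plus IP, which is the point raised on the RouteServiceProvider hunk. `/reset_password`, which consumes the token that `/forgot_password` issues, remains unthrottled in this group; whether it should share the `forgot-password` limiter is worth deciding explicitly, though its handler is outside this diff.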