2

I'm trying to disable rate limiting for Passport's built-in oauth/token endpoint in Laravel 5.8, and I figured just removing the throttle middleware from api would do it:

'api' => [
    // 'throttle:60,1',
    'bindings',
],

But although this effectively disables rate limiting for every endpoint I've defined in my api routes file, it doesn't do it for /oauth/token, as if Passport has a default throttling setting. So I just added the throttle middleware for that route in AppServiceProvider with an absurd number:

\Route::group(['middleware' => ['custom_provider', 'throttle:999999999,1']], function () {
    Passport::routes();
});

But when I test this I'm still getting 429 errors after a few requests for some reason:

429 Too Many Requests

X-RateLimit-Limit →9999999999
X-RateLimit-Remaining →9999999935
x-ratelimit-reset →1567108098

So I'd prefer to just disable this entirely. Any ideas how to disable it for Passport routes specifically?

Ryan Bobrowski
  • 2,641
  • 3
  • 31
  • 52

1 Answers1

5

That's because passport doesn't use api middleware, but throttle one directly on that route.
You can see that in the source code:

// This is how passport register that route
$this->router->post('/token', [
    'uses' => 'AccessTokenController@issueToken',
    'as' => 'passport.token',
    'middleware' => 'throttle',
]);

You can override that route be defining it yourself before passport register his route. To do that I think the most convenient way is to hook up into the Passport::routes() method:

Passport::routes(function ($router) {
    $router->forAuthorization();

    Route::post('/token', [
        'uses' => 'AccessTokenController@issueToken',
        'as' => 'passport.token',
    ]);
    // This function would trigger the internal /token route registration
    $router->forAccessTokens();

    $router->forTransientTokens();
    $router->forClients();
    $router->forPersonalAccessTokens();
});

Note that you might as well do this instead if you need all of the passport routes:

Passport::routes(function ($router) {
    Route::post('/token', [
        'uses' => 'AccessTokenController@issueToken',
        'as' => 'passport.token',
    ]);
    $router->all();
});

You can check if the route has been registered correctly by doing php artisan route:list in a console windows from the root of your project

mdexp
  • 3,492
  • 2
  • 9
  • 20
  • 2
    Thanks this works, but $router->forAccessTokens(); or $router->all(); should go before Route::post('/token'.. to override the route. My laravel is v6.13.1. – user570605 Mar 16 '20 at 17:41