
Hello, I am using Laravel Framework 6.18.23 and whenever my Vue app connects to the API it deducts more than what I expected.

Here is the sample screenshot below


As you can see, I tried to log in to my app 3 times consecutively, but Laravel deducts more than 3 from the x-ratelimit-remaining. Additionally, the x-ratelimit-remaining is not resetting after 1 minute.

Any idea what might be the reason?

I tried php artisan cache:clear but the issue still exists.

This issue only exists in the production environment, not in nonprod or preprod, but I don't know where to start investigating.

Lloyd
  • What are the differences between production and preproduction? / Was it working fine before? If yes, did you make some changes? / Do you have the access log enabled? Since it's production, you can't exclude the possibility that a bot is trying to brute-force the password. / Are all the accounts affected or only yours? – Clément Baconnier Sep 24 '20 at 08:39
  • The main difference I see between preprod and prod is that production is available on the internet while our preprod is only available on our intranet. Yes, I have the access log enabled. And everyone accessing the site is affected even if they are not logged in. Thanks for pointing out the access_log; upon checking, the 429 response has been very common when users access our site since we deployed. I think we will just disable the throttle request; I'm just actually curious why x-ratelimit-remaining deducts a big number on every API request – Lloyd Sep 24 '20 at 09:21
  • My bad. I mixed up request throttle (which is per IP) and auth throttle (which is per email). Do the users accessing the website share the same IP? In that case, I believe you can use a custom Throttle to choose a different source, like the session. – Clément Baconnier Sep 24 '20 at 09:32
  • Ohhhhhh. Do you think that because we are using the same VPN in our company, it resulted in us having the same IP address? – Lloyd Sep 24 '20 at 09:40
  • Yes, exactly that! – Clément Baconnier Sep 24 '20 at 09:42
  • Thanks man! I think that's my problem, I'll update you when I have confirmed it. – Lloyd Sep 24 '20 at 09:53

1 Answer


Thanks to Clément Baconnier's comments for pointing me in the right direction. It turns out that our Laravel was hosted in a proxy server, so everyone who accesses our site has the same IP address, so everyone shares the 60 requests per minute limitation in Laravel's ThrottleRequests.php.


Lloyd
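
The effect described in the answer above, as an added example (not code from the original post and not Laravel's own code): a plain-PHP model of a 60-per-minute limiter keyed on the request IP, run once with the proxy's address as the key and once with the client address taken from X-Forwarded-For only when the TCP peer is a trusted proxy. The addresses, `TRUSTED_PROXIES` and the function names are assumptions constructed for the illustration.

```php
<?php
// Added illustration in plain PHP; all addresses and names are constructed.

const LIMIT = 60;                       // requests per window, as in the answer
const TRUSTED_PROXIES = ['10.0.0.5'];   // assumed address of the reverse proxy

// Returns the address the limiter should key on.
// X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
// otherwise a client could send a fresh header value on every request
// and never be throttled.
function clientIp(array $req, bool $trustProxy): string
{
    $peer = $req['remote_addr'];
    if (!$trustProxy || !in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $req['x_forwarded_for'] ?? ''));
    // Walk right to left, skipping our own proxies; the first foreign hop is the client.
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) && !in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $peer;
}

// Counts one hit against the bucket and returns the X-RateLimit-Remaining value.
function hit(array &$buckets, string $key): int
{
    $buckets[$key] = ($buckets[$key] ?? 0) + 1;
    return max(0, LIMIT - $buckets[$key]);
}

// Constructed traffic: three users behind the same proxy send 10 requests each,
// then user A sends one more request and reads the header.
$users = ['203.0.113.10', '203.0.113.11', '203.0.113.12'];
foreach ([false, true] as $trustProxy) {
    $buckets = [];
    for ($i = 0; $i < 10; $i++) {
        foreach ($users as $ip) {
            $req = ['remote_addr' => '10.0.0.5', 'x_forwarded_for' => $ip];
            hit($buckets, sha1(clientIp($req, $trustProxy)));
        }
    }
    $req = ['remote_addr' => '10.0.0.5', 'x_forwarded_for' => $users[0]];
    $left = hit($buckets, sha1(clientIp($req, $trustProxy)));
    printf("forwarded header trusted: %s, remaining for user A: %d\n", $trustProxy ? 'yes' : 'no', $left);
}
```

In a Laravel 6 application the counterpart of `TRUSTED_PROXIES` is the `$proxies` list in `App\Http\Middleware\TrustProxies`, which determines what `$request->ip()` returns and therefore which bucket `ThrottleRequests` uses for unauthenticated requests.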