
I just installed Laravel 9 and Laravel Fortify. However, the rate limit for the login function is incorrect.

FortifyServiceProvider.php

public function boot()
{
    Fortify::createUsersUsing(CreateNewUser::class);
    Fortify::updateUserProfileInformationUsing(UpdateUserProfileInformation::class);
    Fortify::updateUserPasswordsUsing(UpdateUserPassword::class);
    Fortify::resetUserPasswordsUsing(ResetUserPassword::class);

    RateLimiter::for('login', function (Request $request) {
        $email = (string) $request->email;

        return Limit::perMinute(5)->by($email.$request->ip());
    });

    RateLimiter::for('two-factor', function (Request $request) {
        return Limit::perMinute(5)->by($request->session()->get('login.id'));
    });
}

As you can see, it shows five requests per minute. However, whenever I tried to log in incorrectly after the first request, it kept giving me an error 429: Too Many Requests. This is because it only allows me to log in one time.

I tried on both PHP versions, 8.0 and 8.1.2.

Update:

I also tried Laravel v8.

Dev environment: Laragon; also tried with Laradock (Docker), but still the same issue.


1 Answer

I got this exact same issue and fixed it.

In my situation, I changed the default route names. /login became /sign-up and /two-factor became /account-two-factor.

So I changed the Rate Limiter names in the FortifyServiceProvider.php file.

RateLimiter::for('sign-in', function (Request $request) {
    $email = (string) $request->email;
    error_log($email.$request->ip());
    return Limit::perMinute(50)->by($email.$request->ip());
});

RateLimiter::for('account-two-factor', function (Request $request) {
    return Limit::perMinute(50)->by($request->session()->get('login.id'));
});

I needed to change the config/fortify.php limiters array from

'limiters' => [
    'login' => 'login',
    'two-factor' => 'two-factor',
],

to

'limiters' => [
    'sign-in' => 'sign-in',
    'account-two-factor' => 'account-two-factor',
],

and also change my custom route names which I have in routes/fortify.php from

$limiter = config('fortify.limiters.login');
$twoFactorLimiter = config('fortify.limiters.two-factor');

to

$limiter = config('fortify.limiters.sign-in');
$twoFactorLimiter = config('fortify.limiters.account-two-factor');

My take-aways are that the defaults should work out of the box and my mistake was that I renamed the RateLimiter::for(...) part and broke the keys from the config.

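As an added example (not code from the question or the answer), here is a PHPUnit feature test that catches this wiring mistake early: it checks that every limiter named in config/fortify.php is actually registered with RateLimiter::for(), and that the login route only starts returning 429 after the configured number of attempts. It assumes the default Fortify /login route, the `email` request field, Limit::perMinute(5) from the question, and a test database (RefreshDatabase); the e-mail address is constructed.

```php
<?php

namespace Tests\Feature;

use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\RateLimiter;
use Tests\TestCase;

class FortifyLimiterWiringTest extends TestCase
{
    use RefreshDatabase;

    // Every name listed under 'limiters' in config/fortify.php must match a
    // RateLimiter::for(<name>, ...) registration. If it does not, Laravel's
    // ThrottleRequests middleware finds no named limiter and falls back to
    // parsing the string as a numeric attempt count, which yields 0 attempts
    // and the "one login, then 429" behaviour described in the question.
    public function test_every_configured_fortify_limiter_is_registered(): void
    {
        foreach (config('fortify.limiters', []) as $feature => $limiterName) {
            $this->assertNotNull(
                RateLimiter::limiter($limiterName),
                "config('fortify.limiters.{$feature}') points at '{$limiterName}', "
                ."but there is no RateLimiter::for('{$limiterName}') in FortifyServiceProvider."
            );
        }
    }

    // With Limit::perMinute(5) keyed on email + IP, five failed logins from the
    // same email/IP pair must be accepted (failed login redirects back), and
    // only the sixth must be rejected with 429 Too Many Requests.
    public function test_login_is_throttled_only_after_five_attempts(): void
    {
        // Constructed credentials: the user does not exist, so every attempt fails.
        $credentials = ['email' => 'nobody@example.test', 'password' => 'wrong-password'];

        for ($attempt = 1; $attempt <= 5; $attempt++) {
            $this->post('/login', $credentials)
                 ->assertStatus(302); // failed login redirects, not throttled yet
        }

        $this->post('/login', $credentials)
             ->assertStatus(429); // sixth attempt within the minute is throttled
    }
}
```

Run it with `php artisan test --filter=FortifyLimiterWiringTest`; the first test fails with a message naming the mismatched key whenever a limiter is renamed in only one of the two places.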