diff --git a/routes/routes.php b/routes/routes.php
index 524578f9..7750f18b 100644
--- a/routes/routes.php
+++ b/routes/routes.php
@@ -29,6 +29,7 @@
 }
 $limiter = config('fortify.limiters.login');
+ $twoFactorLimiter = config('fortify.limiters.two-factor');
 Route::post('/login', [AuthenticatedSessionController::class, 'store'])
 ->middleware(array_filter([
@@ -126,7 +127,10 @@
 }
 Route::post('/two-factor-challenge', [TwoFactorAuthenticatedSessionController::class, 'store'])
- ->middleware(['guest']);
+ ->middleware(array_filter([
+ 'guest',
+ $twoFactorLimiter ? 'throttle:'.$twoFactorLimiter : null,
+ ]));
 $twoFactorMiddleware = Features::optionEnabled(Features::twoFactorAuthentication(), 'confirmPassword')
 ? ['auth', 'password.confirm']
diff --git a/stubs/FortifyServiceProvider.php b/stubs/FortifyServiceProvider.php
index 38c4055b..fb90494f 100644
--- a/stubs/FortifyServiceProvider.php
+++ b/stubs/FortifyServiceProvider.php
@@ -6,6 +6,8 @@
 use App\Actions\Fortify\ResetUserPassword;
 use App\Actions\Fortify\UpdateUserPassword;
 use App\Actions\Fortify\UpdateUserProfileInformation;
+use Illuminate\Cache\RateLimiting\Limit;
+use Illuminate\Support\Facades\RateLimiter;
 use Illuminate\Support\ServiceProvider;
 use Laravel\Fortify\Fortify;
@@ -32,5 +34,13 @@ public function boot()
 Fortify::updateUserProfileInformationUsing(UpdateUserProfileInformation::class);
 Fortify::updateUserPasswordsUsing(UpdateUserPassword::class);
 Fortify::resetUserPasswordsUsing(ResetUserPassword::class);
+
+ RateLimiter::for('login', function (Request $request) {
+ return Limit::perMinute(5)->by($request->email.$request->ip());
+ });
+
+ RateLimiter::for('two-factor', function (Request $request) {
+ return Limit::perMinute(5)->by($request->session()->get('login.id'));
+ });
 }
 }
diff --git a/stubs/fortify.php b/stubs/fortify.php
index 6b5e3cc2..0226449c 100644
--- a/stubs/fortify.php
+++ b/stubs/fortify.php
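Review bot: The `array_filter([...])` wrapped around the two-factor-challenge middleware in the second routes.php hunk relies on the no-callback form silently dropping the `null` produced when `fortify.limiters.two-factor` is unset, and nothing in the hunk says so. A one-line comment above the call, `// array_filter() drops the null entry when no two-factor limiter is configured.`, would make the intent clear and matches the `/login` route earlier in the file, which appears to use the same pattern. The `$twoFactorMiddleware = ...` statement that follows continues past the end of the hunk.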
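Review bot: The boot() hunk that follows type-hints both limiter closures with `Request $request`, but this import hunk adds only `Limit` and `RateLimiter`, and no `use Illuminate\Http\Request;` appears between `Illuminate\Cache\RateLimiting\Limit` and `Illuminate\Support\Facades\RateLimiter` where the alphabetical ordering would place it. Unless it is imported outside the visible lines, `Request` resolves relative to the stub's namespace (not visible here) to a class that does not exist, and the first throttled request would fail with a TypeError instead of being rate limited. Add `use Illuminate\Http\Request;` to this block, between the `Limit` and `RateLimiter` lines. The same point applies to the boot() hunk below, which is where the symptom would surface.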
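Review bot: The login limiter's key in the boot() hunk concatenates `$request->email` and `$request->ip()` raw, so case variants of the same address from one client land in different buckets, an absent email field collapses the key to the IP alone, and there is no separator between the two parts. Something like `return Limit::perMinute(5)->by(mb_strtolower((string) $request->email).'|'.$request->ip());` keeps one bucket per account-and-address, and reading the field via `$request->input(Fortify::username())` rather than the hard-coded `email` property would respect the configurable username. In the two-factor limiter, `$request->session()->get('login.id')` is presumably null for a request that never completed the password step, so all such requests would share one key; a fallback such as `->by($request->session()->get('login.id') ?: $request->ip())` keeps them apart without changing the per-user behaviour for real challenges.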
@@ -103,7 +103,8 @@
 */
 'limiters' => [
- 'login' => null,
+ 'login' => 'login',
+ 'two-factor' => 'two-factor',
 ],
 /*
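Review bot: Changing the `login` default from `null` to `'login'` and adding `'two-factor'` means a freshly published config enables `throttle:login` and `throttle:two-factor` on the login and two-factor-challenge routes, which only works if limiters with those names are registered with `RateLimiter::for(...)`; an application that publishes this config but keeps an older FortifyServiceProvider would reference limiter names that are never registered. The doc block whose closing `*/` opens this hunk should state that contract, e.g. add `| Each value names a rate limiter registered with RateLimiter::for() in your FortifyServiceProvider; set it to null to disable throttling for that route.` The rest of that comment block lies outside the hunk.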