rate limit elevated session endpoints

jasonvarga · claude · jasonvarga · commit 4d18c1e9544f · 2026-04-20T14:38:58.000-04:00
Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/routes/cp.php b/routes/cp.php
@@ -445,8 +445,8 @@
 
     Route::get('auth/confirm-password', [ElevatedSessionController::class, 'showForm'])->name('confirm-password');
     Route::get('elevated-session', [ElevatedSessionController::class, 'status'])->name('elevated-session.status');
-    Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options');
-    Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm');
+    Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.cp.passkeys');
+    Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.cp.auth');
     Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
 
     Route::get('playground', PlaygroundController::class)->name('playground');
diff --git a/routes/web.php b/routes/web.php
@@ -56,8 +56,8 @@
 
             Route::middleware('auth')->group(function () {
                 Route::get('confirm-password', [ElevatedSessionController::class, 'showForm'])->name('elevated-session')->middleware([HandleInertiaRequests::class]);
-                Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm');
-                Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options');
+                Route::post('elevated-session', [ElevatedSessionController::class, 'confirm'])->name('elevated-session.confirm')->middleware('throttle:statamic.auth');
+                Route::get('elevated-session/passkey-options', [ElevatedSessionController::class, 'options'])->name('elevated-session.passkey-options')->middleware('throttle:statamic.passkeys');
                 Route::get('elevated-session/resend-code', [ElevatedSessionController::class, 'resendCode'])->name('elevated-session.resend-code')->middleware('throttle:send-elevated-session-code');
             });
 
diff --git a/tests/Feature/RateLimitingTest.php b/tests/Feature/RateLimitingTest.php
@@ -6,6 +6,7 @@
 use Illuminate\Support\Facades\Cache;
 use Illuminate\Support\Facades\RateLimiter;
 use PHPUnit\Framework\Attributes\Test;
+use Statamic\Facades\User;
 use Tests\PreventSavingStacheItemsToDisk;
 use Tests\TestCase;
 
@@ -143,6 +144,42 @@ public function cp_passkey_endpoint_is_rate_limited()
         $this->post('/cp/auth/passkeys')->assertRateLimited();
     }
 
+    #[Test]
+    public function elevated_session_confirm_endpoint_is_rate_limited()
+    {
+        $this->actingAs(tap(User::make()->email('foo@bar.com'))->save());
+
+        collect(range(1, 4))->each(fn () => $this->post('/!/auth/elevated-session')->assertNotRateLimited());
+        $this->post('/!/auth/elevated-session')->assertRateLimited();
+    }
+
+    #[Test]
+    public function cp_elevated_session_confirm_endpoint_is_rate_limited()
+    {
+        $this->actingAs(tap(User::make()->email('foo@bar.com')->makeSuper())->save());
+
+        collect(range(1, 4))->each(fn () => $this->post('/cp/elevated-session')->assertNotRateLimited());
+        $this->post('/cp/elevated-session')->assertRateLimited();
+    }
+
+    #[Test]
+    public function elevated_session_passkey_options_endpoint_is_rate_limited()
+    {
+        $this->actingAs(tap(User::make()->email('foo@bar.com'))->save());
+
+        collect(range(1, 30))->each(fn () => $this->get('/!/auth/elevated-session/passkey-options')->assertNotRateLimited());
+        $this->get('/!/auth/elevated-session/passkey-options')->assertRateLimited();
+    }
+
+    #[Test]
+    public function cp_elevated_session_passkey_options_endpoint_is_rate_limited()
+    {
+        $this->actingAs(tap(User::make()->email('foo@bar.com')->makeSuper())->save());
+
+        collect(range(1, 30))->each(fn () => $this->get('/cp/elevated-session/passkey-options')->assertNotRateLimited());
+        $this->get('/cp/elevated-session/passkey-options')->assertRateLimited();
+    }
+
     #[Test]
     public function cp_and_frontend_passkeys_have_independent_buckets()
     {
