change of approach to specify throttle rate limiters

Author: ryanmitchell

routes/web.php

@@ -34,24 +34,24 @@
 
 Route::name('statamic.')->group(function () {
     Route::group(['prefix' => config('statamic.routes.action')], function () {
-        Route::post('forms/{form}', [FormController::class, 'submit'])->middleware([HandlePrecognitiveRequests::class])->name('forms.submit');
+        Route::post('forms/{form}', [FormController::class, 'submit'])->middleware([HandlePrecognitiveRequests::class, 'throttle:statamic.forms'])->name('forms.submit');
 
         Route::get('protect/password', [PasswordProtectController::class, 'show'])->name('protect.password.show')->middleware([HandleInertiaRequests::class]);
         Route::post('protect/password', [PasswordProtectController::class, 'store'])->name('protect.password.store');
 
         Route::group(['prefix' => 'auth', 'middleware' => [AuthGuard::class]], function () {
             Route::get('logout', [LoginController::class, 'logout'])->name('logout');
 
-            Route::group(['middleware' => [HandlePrecognitiveRequests::class]], function () {
+            Route::group(['middleware' => [HandlePrecognitiveRequests::class, 'throttle:statamic.auth']], function () {
                 Route::post('login', [LoginController::class, 'login'])->name('login');
                 Route::post('register', RegisterController::class)->name('register');
                 Route::post('profile', ProfileController::class)->name('profile');
                 Route::post('password', PasswordController::class)->name('password');
             });
 
-            Route::post('password/email', [ForgotPasswordController::class, 'sendResetLinkEmail'])->name('password.email');
+            Route::post('password/email', [ForgotPasswordController::class, 'sendResetLinkEmail'])->middleware('throttle:statamic.auth')->name('password.email');
             Route::get('password/reset/{token}', [ResetPasswordController::class, 'showResetForm'])->name('password.reset');
-            Route::post('password/reset', [ResetPasswordController::class, 'reset'])->name('password.reset.action');
+            Route::post('password/reset', [ResetPasswordController::class, 'reset'])->middleware('throttle:statamic.auth')->name('password.reset.action');
 
             Route::group(['prefix' => 'passkeys'], function () {
                 Route::middleware(ThrottleRequests::class.':30,1')->group(function () {

src/Providers/AuthServiceProvider.php

@@ -171,6 +171,14 @@ public function boot()
                 : $broker;
         });
 
+        RateLimiter::for('statamic.auth', function (Request $request) {
+            return Limit::perMinute(4)->by($request->ip());
+        });
+
+        RateLimiter::for('statamic.forms', function (Request $request) {
+            return Limit::perMinute(10)->by($request->ip());
+        });
+
         RateLimiter::for('two-factor', function (Request $request) {
             return Limit::perMinute(5)->by($request->session()->get('login.id'));
         });

tests/Feature/RateLimitingTest.php

@@ -0,0 +1,80 @@
+<?php
+
+namespace Tests\Feature;
+
+use Illuminate\Cache\RateLimiting\Limit;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\RateLimiter;
+use PHPUnit\Framework\Attributes\Test;
+use Tests\TestCase;
+
+class RateLimitingTest extends TestCase
+{
+    protected function setUp(): void
+    {
+        parent::setUp();
+        Cache::flush();
+    }
+
+    private function assertNotRateLimited($response): void
+    {
+        $this->assertNotEquals(429, $response->getStatusCode(), 'Request was unexpectedly rate limited.');
+    }
+
+    #[Test]
+    public function login_endpoint_is_rate_limited()
+    {
+        collect(range(1, 4))->each(fn () => $this->assertNotRateLimited($this->post('/!/auth/login')));
+        $this->post('/!/auth/login')->assertStatus(429);
+    }
+
+    #[Test]
+    public function register_endpoint_is_rate_limited()
+    {
+        collect(range(1, 4))->each(fn () => $this->assertNotRateLimited($this->post('/!/auth/register')));
+        $this->post('/!/auth/register')->assertStatus(429);
+    }
+
+    #[Test]
+    public function password_email_endpoint_is_rate_limited()
+    {
+        collect(range(1, 4))->each(fn () => $this->assertNotRateLimited($this->post('/!/auth/password/email')));
+        $this->post('/!/auth/password/email')->assertStatus(429);
+    }
+
+    #[Test]
+    public function password_reset_endpoint_is_rate_limited()
+    {
+        collect(range(1, 4))->each(fn () => $this->assertNotRateLimited($this->post('/!/auth/password/reset')));
+        $this->post('/!/auth/password/reset')->assertStatus(429);
+    }
+
+    #[Test]
+    public function forms_endpoint_is_rate_limited()
+    {
+        collect(range(1, 10))->each(fn () => $this->assertNotRateLimited($this->post('/!/forms/contact')));
+        $this->post('/!/forms/contact')->assertStatus(429);
+    }
+
+    #[Test]
+    public function auth_rate_limiter_can_be_overridden()
+    {
+        // Simulate a developer overriding the default 4/min limit to 2/min
+        RateLimiter::for('statamic.auth', fn ($request) => Limit::perMinute(2)->by($request->ip()));
+
+        $this->assertNotRateLimited($this->post('/!/auth/login'));
+        $this->assertNotRateLimited($this->post('/!/auth/login'));
+        $this->post('/!/auth/login')->assertStatus(429);
+    }
+
+    #[Test]
+    public function forms_rate_limiter_can_be_overridden()
+    {
+        // Simulate a developer overriding the default 10/min limit to 2/min
+        RateLimiter::for('statamic.forms', fn ($request) => Limit::perMinute(2)->by($request->ip()));
+
+        $this->assertNotRateLimited($this->post('/!/forms/contact'));
+        $this->assertNotRateLimited($this->post('/!/forms/contact'));
+        $this->post('/!/forms/contact')->assertStatus(429);
+    }
+}