I've created a simple JWT login procedure with Passport, everything works fine.
I have a login route, as extracted from 'php artisan route:list'
POST | api/v1/login | api.user.login | Modules\Core\Http\Controllers\Api\V1\Auth\RestAuthController@login | api,throttle:10,1
configured with throttling of 10 attempts in 1 minute.
In my Kernel.php there is:
protected $middlewareGroups = [
    'web' => [
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
In a feature login test, I was trying to reproduce the throttling exception with a simple index from 0 to 9. According to logic, at the 9th loop, the exception must change into TooManyRequestsException.
But starting the test, the exception is thrown at the 5th loop:
It seems that the attempts on the login route are added to the "throttle:60,1" defined in Kernel, so each time I try to log in, the real attempts are halved (=5) because each login is cached as 2 attempts.
The correct logic expected is:
the throttle of 60,1 must be valid for all routes
if there are tighter rules (like 10,1), for that route the rule must override the larger one
Steps To Reproduce:
mirkopeloso changed the title from "Login routing throttle attempts incorrect when using passport for API request" to "Login routing throttle attempts incorrect if middleware already declared" on Feb 19, 2020
Can you first please try one of the support channels below? If you can actually identify this as a bug, feel free to report back and I'll gladly help you out and re-open this issue.
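A simplified model of the double counting described in the report above, added here as an example; it is not Laravel's ThrottleRequests code or the reporter's test. It assumes both throttle instances key their counter on the same request signature; the `Throttle` class, `acceptedLogins`, the `$prefix` argument and the sample signature are hypothetical.

```php
<?php
// Simplified model of two stacked throttle middleware (not Laravel's code).
// Assumption: each instance derives its counter key from the request only,
// so "throttle:60,1" (group) and "throttle:10,1" (route) share one counter.
final class TooManyAttempts extends RuntimeException {}

final class Throttle
{
    /** @var array<string,int> hit counters, standing in for the cache store */
    public static array $hits = [];
    public function __construct(private int $maxAttempts, private string $prefix = '') {}

    public function handle(string $signature, callable $next): string
    {
        $key = $this->prefix . $signature;
        if ((self::$hits[$key] ?? 0) >= $this->maxAttempts) {
            throw new TooManyAttempts("limit {$this->maxAttempts} reached on {$key}");
        }
        self::$hits[$key] = (self::$hits[$key] ?? 0) + 1; // count this request
        return $next($signature);
    }
}

/** Sends up to $requests logins through $stack; returns how many were accepted. */
function acceptedLogins(array $stack, int $requests): int
{
    Throttle::$hits = [];
    $signature = sha1('example.test|203.0.113.7'); // constructed client signature
    $controller = fn (string $sig): string => '401 bad password';
    // Wrap the controller so the first middleware in $stack runs first.
    $pipeline = array_reduce(
        array_reverse($stack),
        fn (callable $next, Throttle $m): callable => fn (string $sig) => $m->handle($sig, $next),
        $controller
    );
    for ($i = 0; $i < $requests; $i++) {
        try {
            $pipeline($signature);
        } catch (TooManyAttempts $e) {
            return $i; // zero-based index of the first rejected request
        }
    }
    return $requests;
}

// Shared key: every request is counted twice, so the 10-per-minute limit trips early.
echo acceptedLogins([new Throttle(60), new Throttle(10)], 12), "\n";
// Separate keys per limiter: the route limit counts each login once.
echo acceptedLogins([new Throttle(60, 'api:'), new Throttle(10, 'login:')], 12), "\n";
```

Run with PHP 8: the shared-key stack accepts 5 logins before the first rejection, and the separately keyed stack accepts 10.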