user()?->id; $ip = $request->ip(); $phoneHash = ''; if ($request->has('phone_number')) { $phoneHash = hash_phone($request->input('phone_number')); } $key = 'throttle:' . $action . ':' . ($userId ?: ($phoneHash ?: $ip)); if (RateLimiter::tooManyAttempts($key, $maxAttempts)) { $seconds = RateLimiter::availableIn($key); return response()->json([ 'error' => 'Too Many Requests', 'message' => "Too many attempts for {$action}. Please retry in {$seconds} seconds.", 'retry_after' => $seconds, ], Response::HTTP_TOO_MANY_REQUESTS); } RateLimiter::hit($key, $decayMinutes * 60); $response = $next($request); // Optional: clear the rate limit on successful authentication for login if ($action === 'login' && $response->getStatusCode() === Response::HTTP_OK) { RateLimiter::clear($key); } return $response; } }