64 lines
1.9 KiB
PHP
64 lines
1.9 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
use Closure;
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Support\Facades\RateLimiter;
|
|
use Symfony\Component\HttpFoundation\Response;
|
|
|
|
class ThrottleSensitiveActions
|
|
{
|
|
/**
|
|
* Handle an incoming request.
|
|
*
|
|
* @param \Illuminate\Http\Request $request
|
|
* @param \Closure(\Illuminate\Http\Request): (\Illuminate\Http\Response) $next
|
|
* @param string $action
|
|
* @return mixed
|
|
*/
|
|
public function handle(Request $request, Closure $next, string $action)
|
|
{
|
|
$config = config("wasl.throttle.{$action}");
|
|
|
|
if (!$config) {
|
|
return $next($request);
|
|
}
|
|
|
|
$maxAttempts = $config['max'] ?? 5;
|
|
$decayMinutes = $config['minutes'] ?? 1;
|
|
|
|
// Generate key based on action, user_id (if logged in) or phone hash / IP
|
|
$userId = $request->user()?->id;
|
|
$ip = $request->ip();
|
|
|
|
$phoneHash = '';
|
|
if ($request->has('phone_number')) {
|
|
$phoneHash = hash_phone($request->input('phone_number'));
|
|
}
|
|
|
|
$key = 'throttle:' . $action . ':' . ($userId ?: ($phoneHash ?: $ip));
|
|
|
|
if (RateLimiter::tooManyAttempts($key, $maxAttempts)) {
|
|
$seconds = RateLimiter::availableIn($key);
|
|
|
|
return response()->json([
|
|
'error' => 'Too Many Requests',
|
|
'message' => "Too many attempts for {$action}. Please retry in {$seconds} seconds.",
|
|
'retry_after' => $seconds,
|
|
], Response::HTTP_TOO_MANY_REQUESTS);
|
|
}
|
|
|
|
RateLimiter::hit($key, $decayMinutes * 60);
|
|
|
|
$response = $next($request);
|
|
|
|
// Optional: clear the rate limit on successful authentication for login
|
|
if ($action === 'login' && $response->getStatusCode() === Response::HTTP_OK) {
|
|
RateLimiter::clear($key);
|
|
}
|
|
|
|
return $response;
|
|
}
|
|
}
|