Throttle TOTP requests

This commit is contained in:
snipe
2026-05-26 13:04:26 +01:00
parent dd4117bd5b
commit 46d5234fd7
4 changed files with 12 additions and 1 deletions
+1
@@ -210,6 +210,7 @@ LOGIN_AUTOCOMPLETE=false
RESET_PASSWORD_LINK_EXPIRES=15
PASSWORD_CONFIRM_TIMEOUT=10800
PASSWORD_RESET_MAX_ATTEMPTS_PER_MIN=50
TWO_FACTOR_MAX_ATTEMPTS_PER_MIN=5
INVITE_PASSWORD_LINK_EXPIRES=1500
# --------------------------------------------
+6
@@ -103,5 +103,11 @@ class RouteServiceProvider extends ServiceProvider
return Limit::perMinute(config('auth.password_reset.max_attempts_per_min'))->by(optional($request->user())->id ?: $request->ip());
});
// Rate limiter for two-factor authentication — keyed on user ID since the user is already
// password-authenticated at this stage, preventing distributed brute force across IPs.
RateLimiter::for('two_factor', function (Request $request) {
return Limit::perMinute(config('auth.two_factor.max_attempts_per_min'))->by(optional($request->user())->id ?: $request->ip());
});
}
}
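Review bot: The key on the `Limit::perMinute(...)` line falls back to `$request->ip()` whenever `$request->user()` is null, so the per-user accounting described in the comment above only holds for requests that carry an authenticated user; an unauthenticated POST would be counted per IP instead. If the two-factor step is only reachable after the password check has passed, that fallback is effectively dead and the comment should say so, e.g. `// Falls back to the client IP only for requests with no authenticated user, which postTwoFactorAuth should reject before any code is checked — TODO confirm`. Separately, `?:` tests truthiness rather than null, so a user id of 0 would also fall through to the IP; `$request->user()?->id ?? $request->ip()` states the intent precisely and drops the `optional()` helper. The closure mirrors the password_reset limiter directly above it, so if one key expression changes the other should change with it.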
+4
@@ -122,6 +122,10 @@ return [
'max_attempts_per_min' => env('PASSWORD_RESET_MAX_ATTEMPTS_PER_MIN', 50),
],
'two_factor' => [
'max_attempts_per_min' => env('TWO_FACTOR_MAX_ATTEMPTS_PER_MIN', 5),
],
/*
|--------------------------------------------------------------------------
| Password Confirmation Timeout
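Review bot: `env('TWO_FACTOR_MAX_ATTEMPTS_PER_MIN', 5)` yields a string whenever the variable is set in the environment, and that value is handed straight to `Limit::perMinute()` by the route service provider, so the limit currently relies on implicit string-to-int coercion inside the limiter. An explicit cast, `'max_attempts_per_min' => (int) env('TWO_FACTOR_MAX_ATTEMPTS_PER_MIN', 5),`, makes the type part of the config contract and is the usual shape for numeric Laravel config entries. The existing password_reset entry two lines up has the same uncast shape, so casting one and not the other would be inconsistent; both should be changed together. The enclosing `return [` array starts and ends outside this hunk.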
+1 -1
@@ -655,7 +655,7 @@ Route::group(['middleware' => 'web'], function () {
Route::post(
'two-factor',
[LoginController::class, 'postTwoFactorAuth']
);
)->middleware('throttle:two_factor');
Route::post(
'password/email',