
How to throttle specific routes without X-Ratelimit-Remaining used up from other routes

Posted 11 months ago by shadrix

In my api.php I have my main routes grouped within:

Route::middleware('throttle:60,1')->group(function () {
    // all my main api routes
});

However, I have routes that need custom times. For example, if the user needs to type his/her password again when he/she changes something in the settings.

// outside of the throttle:60,1 group
Route::post('/password/check', 'Api\[email protected]')
    ->middleware('throttle:3,1', 'auth:api');

My goal is that the user can only type his/her password 3 times; after that he/she needs to cool down.

However, I noticed that when I fetch URLs from the API the "X-RateLimit-Remaining" is already used up. This leads to the problem that the user needs to cool down when the password was typed in.

I wrote a PHPUnit test to prove that there is a bug:

/** @test */
public function throttle_works_correctly_even_when_other_api_url_are_called()
{
    // $this->url() is my own test helper that POSTs to /password/check
    $this->url(['currentPassword' => 'secret'])->assertStatus(200);
    $this->url(['currentPassword' => 'secret'])->assertStatus(200);
    $this->url(['currentPassword' => 'secret'])->assertStatus(200); // <-- fails at this part
    $this->url(['currentPassword' => 'secret'])->assertStatus(429); // fourth attempt should be throttled
}

How would you fix this?
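Added example, not the poster's code: the stock ThrottleRequests middleware in Laravel 5.x builds its cache key from resolveRequestSignature(), which by default is only the authenticated user's id (or domain|ip for guests), so every throttled route shares one counter per user. Subclassing it and mixing the route into the signature gives /password/check its own bucket; the class name ThrottlePerRoute and the alias throttle.route are assumptions.

```php
<?php

namespace App\Http\Middleware;

use Illuminate\Routing\Middleware\ThrottleRequests;

/**
 * Per-route throttle: each throttled route gets its own counter instead of
 * sharing the single per-user counter that the stock middleware uses.
 */
class ThrottlePerRoute extends ThrottleRequests
{
    /**
     * Mix the route into the signature so that hits on the main API group
     * no longer consume the attempts reserved for /password/check.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return string
     */
    protected function resolveRequestSignature($request)
    {
        $route = $request->route();

        // Prefer the route name; fall back to the URI pattern so unnamed
        // routes still get a stable key that does not vary with parameters.
        $routeKey = $route ? ($route->getName() ?: $route->uri()) : $request->path();

        // parent::resolveRequestSignature() still keys by user id (or IP),
        // so the password limit stays per user and cannot be shared between users.
        return sha1($routeKey.'|'.parent::resolveRequestSignature($request));
    }
}

// Registration (assumed alias), app/Http/Kernel.php in $routeMiddleware:
//   'throttle.route' => \App\Http\Middleware\ThrottlePerRoute::class,
//
// routes/api.php, outside the throttle:60,1 group:
//   Route::post('/password/check', 'Api\PasswordController@check')
//       ->middleware('throttle.route:3,1', 'auth:api');
```

On Laravel 8 or later the same separation is available without a subclass via a named limiter (RateLimiter::for('password', fn ($r) => Limit::perMinute(3)->by($r->user()->id)) and middleware('throttle:password')). Either way the PHPUnit test above should see three 200 responses followed by a 429 regardless of how many other API routes were hit first.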
