Rate limiting on different methods

@SmokeTM - rate limiting is by user rather than route j think

https://laravel.com/docs/5.7/routing#rate-limiting

Looking at the framework code the rate limiting cache key is generated based on this function

protected function resolveRequestSignature($request)
    {
        if ($user = $request->user()) {
            return sha1($user->getAuthIdentifier());
        }
        if ($route = $request->route()) {
            return sha1($route->getDomain().'|'.$request->ip());
        }
        throw new RuntimeException('Unable to generate the request signature. Route unavailable.');
    }

This explains your 429 as both routes will return return sha1($user->getAuthIdentifier());

Ok thanks for that!! You know a way to prevent spam on methods? Lets say you dont want a user to post 20 comments in a minute or something like that? Is there a common way to do it with laravel or I have to create something on my own?

Best

Looking back at the logic in the function I posted it does look like the route and ip are used if your using a stateless api. Therefore it depends on whether you have an authenticated user or not.

If you need per route limiting for you web routes you are going to need to write your own middleware. Not tested but this might work

<?php 

namespace App\Http\Middleware;

use RuntimeException;
use Illuminate\Routing\Middleware\ThrottleRequests;

class ThrottleRequestsByRoute extends ThrottleRequests

    protected function resolveRequestSignature($request)
    {
        if ($route = $request->route()) {
            return sha1($route->getDomain().'|'.$request->ip());
        }
        throw new RuntimeException('Unable to generate the request signature. Route unavailable.');
    }
}

You can then add to your routes. Not 100% on this working but worth a try. It might also mess with the existing middleware so YMMV

Thanks for you code implemented it but how to limit the route requests now? How to achieve that it works like the throttle middleware $this->middleware('routeThrottle:2,10')->only('store');?

You need to register the middleware in app/Http/Kernel.php

protected $routeMiddleware = [
        'auth' => \App\Http\Middleware\Authenticate::class,
        'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
        'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
        'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
        'can' => \Illuminate\Auth\Middleware\Authorize::class,
        'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
        'signed' => \Illuminate\Routing\Middleware\ValidateSignature::class,
        'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
        'routeThrottle' => \Illuminate\Routing\Middleware\ThrottleRequestsByRoute::class, // add this
        'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
    ];

Then your $this->middleware('routeThrottle:2,10')->only('store'); should work

Registered it already in the kernel.php but did not know that it works already like $this->middleware('routeThrottle:2,10')->only('store'); that. Thanks !