9

In laravel 6 the password broker now has the following to throttle password reset (https://github.com/laravel/framework/blob/6.x/src/Illuminate/Auth/Passwords/PasswordBroker.php#L58)

public function sendResetLink(array $credentials)
{
    // First we will check to see if we found a user at the given credentials and
    // if we did not we will redirect back to this current URI with a piece of
    // "flash" data in the session to indicate to the developers the errors.
    $user = $this->getUser($credentials);

    if (is_null($user)) {
        return static::INVALID_USER;
    }

    if (method_exists($this->tokens, 'recentlyCreatedToken') &&
        $this->tokens->recentlyCreatedToken($user)) {
        return static::RESET_THROTTLED;
    }

    // Once we have the reset token, we are ready to send the message out to this
    // user with a link to reset their password. We will then redirect back to
    // the current URI having nothing set in the session to indicate errors.
    $user->sendPasswordResetNotification(
        $this->tokens->create($user)
    );

    return static::RESET_LINK_SENT;
}

However when I repeatedly submit a password reset why isn't the password reset being throttled - I'm still getting the reset notifications coming through?

I've noticed the recentlyCreatedToken method does not exist in TokenRepositoryInterface in version 6.x https://github.com/laravel/framework/blob/6.x/src/Illuminate/Auth/Passwords/TokenRepositoryInterface.php

But has been added in version 7.x

https://github.com/laravel/framework/blob/master/src/Illuminate/Auth/Passwords/TokenRepositoryInterface.php

Is this only a feature of v7.x or is there something I need to do that I'm missing?

adam78
  • 9,668
  • 24
  • 96
  • 207

1 Answers1

18

Password reset throttling works in Laravel 6.x, but for some reason you need to manually set the throttle parameter in the config file config/auth.php:

    'passwords' => [
        'users' => [
            'provider' => 'users',
            'table' => 'password_resets',
            'expire' => 60,
            'throttle' => 60, // Allows a user to request 1 token per 60 seconds
        ],
    ],

DatabaseTokenRepository defines the default value for the throttle time to 60 seconds. But when DatabaseTokenRepository is initialized in PasswordBrokerManager it checks the config file and if no value was found sets the throttle time to 0 (means disabling the throttle).

Also you need to add the message string to resources/lang/en/passwords.php to show the user an understandable error message:

'throttled' => 'You have requested password reset recently, please check your email.',

P. S. Don't forget to flush config cache after editing a config file with php artisan config:clear.

Snaker
  • 278
  • 1
  • 7
  • Password reset throttling only works in Laravel 7.x. This feature is unavailable in 6.x see https://github.com/laravel/framework/issues/31513 – adam78 Feb 24 '20 at 08:38
  • @adam78, it's not actually true. It works in Laravel 6.x. Few days ago I implemented password reset throttling in my project with Laravel v6.15.1. And only after that I wrote my answer here. So you can try the above solution and see it by yourself. Also I attached links to Laravel source code, where it's implemented, but your show me a link to a discussion with suppositions. :-/ – Snaker Feb 24 '20 at 10:20
  • please refer to https://github.com/laravel/framework/pull/30373 – adam78 Feb 24 '20 at 12:50
  • Excuse me, what do you want I see there? In the first comment there is a mention of PR #30340 which added password reset throttling to Laravel 6.x - https://github.com/laravel/framework/pull/30340 – Snaker Feb 24 '20 at 19:10