Passport: endpoint throttle not respect global settings

Created on 11 Sep 2017  ·  5 Comments  ·  Source: laravel/passport

Hi,
Since #184 the /oauth/token endpoint has had the throttle middleware. The problem is that it does not respect the global settings set for the api middleware group, although it is created under the api prefix (i.e. the full path is /api/oauth/token), and it falls back to the default '60,1'.

How to reproduce:

  • configure the middleware to something like 'throttle:1000:1' in app/Http/Kernel.php
  • issue a token by calling /oauth/token
  • make a hundred requests (the counter says we still have about 900)
  • make another call to /oauth/token (for example with another user); it will be rejected with error code 429 and a total allowed requests of 60 (the default)

Proposed solution
Pass the middleware as an option in the Passport::routes() call instead of hardcoding it, or at least allow a configuration option for that.
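To make the symptom in the report concrete, here is an added model of how two stacked `throttle:max,decay` middleware behave on one route. It is an illustration written for this page, not Passport or Laravel code, and it simplifies: each throttle is assumed to keep its own fixed-window counter per client key (the real middleware keys its counter on the request signature, and the exact sharing rules depend on the framework version), a successful response is assumed to carry the outermost throttle's headers while a 429 carries the headers of the throttle that rejected, and the clock is injected. The names `FixedWindowLimiter`, `send` and `simulate` are this example's own.

```python
"""Model of stacked Laravel-style `throttle:max,decay` middleware.

Added illustration only; this is not Passport or Laravel code. Assumptions:
- each throttle middleware keeps its own fixed-window counter per client key
  (a simplification; the real middleware keys its counter on the request
  signature and the exact sharing rules depend on the framework version);
- on success the client sees the outermost throttle's headers, on rejection
  the headers of the throttle that rejected;
- the clock is injected so a window can be advanced deterministically.
"""
from dataclasses import dataclass, field


@dataclass
class FixedWindowLimiter:
    """Fixed-window limiter with the semantics of `throttle:max,decay`."""
    max_attempts: int
    decay_minutes: int
    store: dict = field(default_factory=dict)  # key -> (hits, window_expiry)

    @classmethod
    def from_spec(cls, spec: str) -> "FixedWindowLimiter":
        """Parse 'max,decay'; a bare 'throttle' (empty spec) means the default '60,1'."""
        parts = [p.strip() for p in spec.split(",")] if spec else []
        max_attempts = int(parts[0]) if parts and parts[0] else 60
        decay_minutes = int(parts[1]) if len(parts) > 1 and parts[1] else 1
        return cls(max_attempts, decay_minutes)

    def handle(self, key: str, now: float) -> dict:
        """Count one request for `key` at time `now` (seconds) and build the headers."""
        window = self.decay_minutes * 60
        hits, expiry = self.store.get(key, (0, now + window))
        if now >= expiry:  # the window has elapsed: start a fresh one
            hits, expiry = 0, now + window
        if hits >= self.max_attempts:
            return {
                "status": 429,
                "X-RateLimit-Limit": self.max_attempts,
                "X-RateLimit-Remaining": 0,
                "Retry-After": int(expiry - now),
            }
        hits += 1
        self.store[key] = (hits, expiry)
        return {
            "status": 200,
            "X-RateLimit-Limit": self.max_attempts,
            "X-RateLimit-Remaining": self.max_attempts - hits,
        }


def send(stack: list, key: str, now: float) -> dict:
    """Pass one request through the throttles in order (outermost first).

    The first throttle to reject builds the 429 response itself, so its limit
    is what the client sees; if every throttle accepts, the outermost one
    writes the headers last and its numbers win.
    """
    accepted = []
    for limiter in stack:
        response = limiter.handle(key, now)
        if response["status"] == 429:
            return response
        accepted.append(response)
    return accepted[0]


def simulate(group_spec: str, route_spec: str, requests: int, key: str = "client-a") -> dict:
    """Send `requests` requests inside one window through the api-group throttle,
    then the route's own throttle, and report what the client observed."""
    stack = [FixedWindowLimiter.from_spec(group_spec), FixedWindowLimiter.from_spec(route_spec)]
    accepted, last_ok, last = 0, None, None
    for i in range(requests):
        last = send(stack, key, now=i * 0.5)  # half-second spacing: all inside a 60 s window
        if last["status"] == 200:
            accepted += 1
            last_ok = last
    return {"accepted": accepted, "last_ok": last_ok, "last": last}


if __name__ == "__main__":
    # The situation from the issue: the api group says 1000/min, Passport's route says the default.
    print(simulate("1000,1", "", 61))
    # After overriding the route with a configured value, the group limit is the effective one.
    print(simulate("1000,1", "600,1", 61))
```

Run as-is, the first call reproduces the report: the sixtieth accepted response still advertises a limit of 1000 with 940 remaining, and the sixty-first is a 429 whose headers say 60. The tightest throttle on the chain is the effective one, which cuts both ways: a higher route-level value like the poster's '600,1' only makes sense where the page uses it, under a testing environment, since /oauth/token is where credentials or refresh tokens are presented and the default limit is the brute-force protection.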

All 5 comments

+1

See #217 for a solution

this is such a wonderful 'undocumented feature' ... 🤦‍♂️

For anyone on this rollercoaster, #217 is nifty, but I needed to make mine take more hits only when in testing mode. This was my solution:

(a variation on this solution)

Created an environment variable in .env:

OAUTH_TOKEN_MAX_ATTEMPTS='60,1'

Then added the following to App\Providers\RouteServiceProvider:

    // Uses the Route facade (Illuminate\Support\Facades\Route), which the stock
    // App\Providers\RouteServiceProvider already imports.

    /**
     * Define the routes for the application.
     *
     * @return void
     */
    public function map()
    {
        $this->mapApiRoutes();

        $this->mapWebRoutes();

        // Read the limit straight from the environment. env() only sees .env
        // values while the file is loaded; after `php artisan config:cache`
        // the default applies unless the variable is set in the real process
        // environment (as the CI config below does).
        $oauthMaxAttempts = env('OAUTH_TOKEN_MAX_ATTEMPTS', '60,1');

        // Registering the same method and URI again replaces the route that
        // Passport::routes() registered, so this throttle value takes the
        // place of the hard-coded default on /oauth/token.
        Route::post('/oauth/token', [
            'uses' => '\Laravel\Passport\Http\Controllers\AccessTokenController@issueToken',
            'middleware' => "throttle:$oauthMaxAttempts",
        ]);
    }

and in .circleci/config.yml:

    jobs:
      build:
        docker:
          - image: weengsteam/php7.1-mysql-5.7
        working_directory: ~/laravel
        environment:
            APP_NAME: API
            APP_ENV: testing
            APP_KEY: base64:pLeAsEdOnTcOmEaNdStEaLmYdAtA?=
            APP_DEBUG: true
            DB_CONNECTION: mysql
            DB_HOST: 127.0.0.1
            DB_PORT: 3306
            DB_DATABASE: testing
            DB_USERNAME: laravel
            DB_PASSWORD: not-a-secret
            OAUTH_TOKEN_MAX_ATTEMPTS: 600,1

I kind of agree that it's a bit of a burden that it can't be configured but like you said @TimOgilvy, it might be best to point this out in the docs. I'll try to send something in to the docs at a later point.
