Ryan Bobrowski

Reputation: 2730

Laravel rate limit throttle for /oauth/token Passport endpoint

I'm trying to disable rate limiting for Passport's built-in oauth/token endpoint in Laravel 5.8, and I figured just removing the throttle middleware from api would do it:

'api' => [
    // 'throttle:60,1',
    'bindings',
],

But although this effectively disables rate limiting for every endpoint I've defined in my api routes file, it doesn't do it for /oauth/token, as if Passport has a default throttling setting. So I just added the throttle middleware for that route in AppServiceProvider with an absurd number:

\Route::group(['middleware' => ['custom_provider', 'throttle:999999999,1']], function () {
    Passport::routes();
});

But when I test this I'm still getting 429 errors after a few requests for some reason:

429 Too Many Requests

X-RateLimit-Limit →9999999999
X-RateLimit-Remaining →9999999935
x-ratelimit-reset →1567108098

So I'd prefer to just disable this entirely. Any ideas how to disable it for Passport routes specifically?

Upvotes: 2

Views: 4215

Answers (1)

mdexp

Reputation: 3567

That's because Passport doesn't use the api middleware, but the throttle one directly on that route.
You can see that in the source code:

// This is how Passport registers that route
$this->router->post('/token', [
    'uses' => 'AccessTokenController@issueToken',
    'as' => 'passport.token',
    'middleware' => 'throttle',
]);

You can override that route by defining it yourself before Passport registers its route. To do that, I think the most convenient way is to hook into the Passport::routes() method:

Passport::routes(function ($router) {
    $router->forAuthorization();

    Route::post('/token', [
        'uses' => 'AccessTokenController@issueToken',
        'as' => 'passport.token',
    ]);
    // This function would trigger the internal /token route registration
    $router->forAccessTokens();

    $router->forTransientTokens();
    $router->forClients();
    $router->forPersonalAccessTokens();
});

Note that you might as well do this instead if you need all of the passport routes:

Passport::routes(function ($router) {
    Route::post('/token', [
        'uses' => 'AccessTokenController@issueToken',
        'as' => 'passport.token',
    ]);
    $router->all();
});

You can check if the route has been registered correctly by running php artisan route:list in a console window from the root of your project.

Upvotes: 5
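An automated version of the route:list check, as an added example that is not part of the original answer: a feature test that resolves the route that actually serves POST /oauth/token and pins its throttle entries, so a stacked or silently dropped throttle on the token endpoint shows up in CI. The class name and the EXPECTED_THROTTLE constant are assumptions, as is the default Tests\TestCase base class and the default oauth prefix.

```php
<?php

namespace Tests\Feature;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;
use Tests\TestCase;

class TokenRouteThrottleTest extends TestCase
{
    // Assumption: the throttle entries this project intends for the token route.
    // Use [] if the throttle is removed on purpose, or e.g. ['throttle:600,1']
    // if a dedicated limit is kept for the credential-handling endpoint.
    const EXPECTED_THROTTLE = [];

    public function testTokenRouteCarriesOnlyTheIntendedThrottle()
    {
        // Match a synthetic request instead of looking the route up by name:
        // /token is registered twice here, and only the route the router
        // really selects matters.
        $route = Route::getRoutes()->match(Request::create('/oauth/token', 'POST'));

        $this->assertSame('passport.token', $route->getName());

        // middleware() returns route-level and group-level entries without
        // instantiating the controller, so no Passport keys are needed.
        $throttles = array_values(array_filter(
            $route->middleware(),
            function ($name) {
                return $name === 'throttle' || Str::startsWith($name, 'throttle:');
            }
        ));

        // Fails on a leftover bare 'throttle', on a group throttle stacked on
        // top of the route's own, and on a limit that differs from the pin.
        $this->assertSame(
            self::EXPECTED_THROTTLE,
            $throttles,
            'Effective middleware: ' . implode(', ', $route->middleware())
        );
    }
}
```

With the grouping from the question (a group-level throttle:999999999,1 around Passport::routes()), the failure message lists every middleware on the matched route, which shows whether the route's own bare throttle is still applied alongside the group one.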
