Laravel 5.8 - Rate Limiting per IP

I use Laravel 5.8 to serve an API with the standard throttling enabled:

        'api' => [
            'throttle:60,1',
            'bindings',
        ],

I recognized that this rate limit is not applied to a specific IP. Instead it acts like a "global"-throttling on public routes.

Is there anything I overlooked or is that the expected behaviour?

If it is expected - how can I enable a rate-limit "per IP" on my routes?

Crack_David asked Dec 05 '22 09:12


1 Answer

> I recognized that this rate limit is not applied to a specific IP. Instead it acts like a "global"-throttling on public routes.

This is incorrect.

https://github.com/laravel/framework/blob/5.8/src/Illuminate/Routing/Middleware/ThrottleRequests.php#L94

    protected function resolveRequestSignature($request)
    {
        if ($user = $request->user()) {
            return sha1($user->getAuthIdentifier());
        }

        if ($route = $request->route()) {
            return sha1($route->getDomain().'|'.$request->ip());
        }

        throw new RuntimeException('Unable to generate the request signature. Route unavailable.');
    }

Look closely at the two if statements. If a user is present, the throttle key is based off their user identifier. If a user is not present, the identifier includes $request->ip(). A request from a different IP address goes in a different limit bucket.

ceejayoz answered Dec 23 '22 23:12
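The key derivation quoted in the answer, as an added example that is not part of the original thread or of Laravel's code: plain PHP that mirrors the hashing and counts requests per key. The function names, the in-memory counter and the sample addresses are assumptions made for illustration; the last case assumes a deployment where every request reaches the application with the same source address, which is one way per-IP throttling can look "global".

```php
<?php
// Added illustration; plain PHP, no Laravel required. Function and variable
// names are hypothetical, only the hashing mirrors the quoted method.

// Same key derivation as the quoted resolveRequestSignature():
// authenticated user id if present, otherwise route domain + client IP.
function requestSignature(?string $userId, ?string $routeDomain, string $ip): string
{
    if ($userId !== null) {
        return sha1($userId);
    }
    return sha1($routeDomain . '|' . $ip);
}

// Minimal in-memory counter standing in for the cache-backed limiter.
// Returns true while the bucket is within $maxAttempts, false once exceeded.
function allow(array &$buckets, string $key, int $maxAttempts): bool
{
    $buckets[$key] = ($buckets[$key] ?? 0) + 1;
    return $buckets[$key] <= $maxAttempts;
}

$buckets = [];
$max = 60; // matches 'throttle:60,1'

// Constructed sample clients: unauthenticated, no route domain, documentation IPs.
$guestA = requestSignature(null, null, '203.0.113.10');
$guestB = requestSignature(null, null, '203.0.113.11');

// Guest A spends the whole allowance, so the next request is over the limit.
for ($i = 1; $i <= $max; $i++) {
    allow($buckets, $guestA, $max);
}
echo 'guest A, request 61 allowed: ', var_export(allow($buckets, $guestA, $max), true), PHP_EOL;

// Guest B has a different IP, so a different key and an untouched bucket.
echo 'guest B, request 1 allowed:  ', var_export(allow($buckets, $guestB, $max), true), PHP_EOL;

// Two distinct clients that the application sees under one address
// (constructed case: a proxy address) hash to the same key and share a bucket.
$viaProxy1 = requestSignature(null, null, '10.0.0.5');
$viaProxy2 = requestSignature(null, null, '10.0.0.5');
echo 'same bucket behind one address: ', var_export($viaProxy1 === $viaProxy2, true), PHP_EOL;
```

If the limit appears shared across clients in practice, logging the value of `$request->ip()` for a few requests shows whether the application is seeing real client addresses or a single upstream address.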