Laravel 6: Throttle Password Reset

In laravel 6 the password broker now has the following to throttle password reset (https://github.com/laravel/framework/blob/6.x/src/Illuminate/Auth/Passwords/PasswordBroker.php#L58)

    public function sendResetLink(array $credentials)
    {
        // First we will check to see if we found a user at the given credentials and
        // if we did not we will redirect back to this current URI with a piece of
        // "flash" data in the session to indicate to the developers the errors.
        $user = $this->getUser($credentials);

        if (is_null($user)) {
            return static::INVALID_USER;
        }

        if (method_exists($this->tokens, 'recentlyCreatedToken') &&
            $this->tokens->recentlyCreatedToken($user)) {
            return static::RESET_THROTTLED;
        }

        // Once we have the reset token, we are ready to send the message out to this
        // user with a link to reset their password. We will then redirect back to
        // the current URI having nothing set in the session to indicate errors.
        $user->sendPasswordResetNotification(
            $this->tokens->create($user)
        );

        return static::RESET_LINK_SENT;
    }

However, when I repeatedly submit a password reset, why isn't the password reset being throttled? I'm still getting the reset notifications coming through.

I've noticed the recentlyCreatedToken method does not exist in TokenRepositoryInterface in version 6.x: https://github.com/laravel/framework/blob/6.x/src/Illuminate/Auth/Passwords/TokenRepositoryInterface.php

But it has been added in version 7.x:

https://github.com/laravel/framework/blob/master/src/Illuminate/Auth/Passwords/TokenRepositoryInterface.php

Is this only a feature of v7.x or is there something I need to do that I'm missing?

adam78 asked Feb 17 '20 18:02





1 Answer

Password reset throttling works in Laravel 6.x, but for some reason you need to manually set the throttle parameter in the config file config/auth.php:

    'passwords' => [
        'users' => [
            'provider' => 'users',
            'table' => 'password_resets',
            'expire' => 60,
            'throttle' => 60, // Allows a user to request 1 token per 60 seconds
        ],
    ],

DatabaseTokenRepository defines the default throttle time as 60 seconds. But when DatabaseTokenRepository is initialized in PasswordBrokerManager, it checks the config file and, if no value was found, sets the throttle time to 0 (which disables the throttle).

Also you need to add the message string to resources/lang/en/passwords.php to show the user an understandable error message:

    'throttled' => 'You have requested password reset recently, please check your email.',

P.S. Don't forget to flush the config cache after editing a config file with php artisan config:clear.

Snaker answered Oct 23 '22 18:10

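A feature test that confirms the throttle actually engages after the config change, as an added example that is not part of the answer or of Laravel itself. It assumes a stock Laravel 6 app (the default `users` broker, the `App\User` model and its factory) and sets the throttle at runtime so the result does not depend on a stale config cache.

```php
<?php

namespace Tests\Feature;

use App\User;
use Illuminate\Auth\Notifications\ResetPassword;
use Illuminate\Contracts\Auth\PasswordBroker;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Notification;
use Illuminate\Support\Facades\Password;
use Tests\TestCase;

// Hypothetical test class; the user is created through the default factory.
class PasswordResetThrottleTest extends TestCase
{
    use RefreshDatabase;

    public function testSecondRequestWithinWindowIsThrottled()
    {
        Notification::fake();
        $user = factory(User::class)->create();

        // Same setting as the config/auth.php change above. It must be set
        // before the broker is first resolved, because PasswordBrokerManager
        // reads the value once when it builds DatabaseTokenRepository.
        config(['auth.passwords.users.throttle' => 60]);

        $first  = Password::broker()->sendResetLink(['email' => $user->email]);
        $second = Password::broker()->sendResetLink(['email' => $user->email]);

        $this->assertSame(PasswordBroker::RESET_LINK_SENT, $first);
        $this->assertSame(PasswordBroker::RESET_THROTTLED, $second);
        // Only the first request should have produced a notification.
        Notification::assertSentToTimes($user, ResetPassword::class, 1);
    }

    public function testMissingThrottleSettingDisablesThrottling()
    {
        Notification::fake();
        $user = factory(User::class)->create();

        // A missing 'throttle' key is what the manager turns into 0.
        config(['auth.passwords.users.throttle' => 0]);

        Password::broker()->sendResetLink(['email' => $user->email]);
        $second = Password::broker()->sendResetLink(['email' => $user->email]);

        $this->assertSame(PasswordBroker::RESET_LINK_SENT, $second);
        Notification::assertSentToTimes($user, ResetPassword::class, 2);
    }
}
```

Run it with `php artisan test` or `vendor/bin/phpunit`; if the first test fails with two notifications sent, the throttle value is still not reaching the token repository (typically a cached config).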