Apply rate limiters to Laravel Livewire actions.

Dan Harrin

Last update: Dec 30, 2022

Related tags

Laravel livewire-rate-limiting

Overview

This package allows you to apply rate limiters to Laravel Livewire actions. This is useful for throttling login attempts and other brute force attacks, reducing spam, and more.

Installation

You can use Composer to install this package into your application:

composer require danharrin/livewire-rate-limiting

This package requires at least Laravel v8.x, when rate limiting improvements were introduced.

Usage

Apply the DanHarrin\LivewireRateLimiting\WithRateLimiting trait to your Livewire component:

<?php

namespace App\Http\Livewire\Login;

use DanHarrin\LivewireRateLimiting\WithRateLimiting;
use Livewire\Component;

class Login extends Component
{
    use WithRateLimiting;
    
    // ...
}

In this example, we will set up rate limiting on the submit action.

The user will only be able to call this action 10 times every minute.

If this limit is exceeded, a TooManyRequestsException will be thrown. The user is presented with a validation error and instructed how long they have until the limit is lifted:

<?php

namespace App\Http\Livewire\Login;

use DanHarrin\LivewireRateLimiting\Exceptions\TooManyRequestsException;
use DanHarrin\LivewireRateLimiting\WithRateLimiting;
use Livewire\Component;

class Login extends Component
{
    use WithRateLimiting;
    
    public function submit()
    {
        try {
            $this->rateLimit(10);
        } catch (TooManyRequestsException $exception) {
            $this->addError('email', "Slow down! Please wait another $exception->secondsUntilAvailable seconds to log in.");
            
            return;
        }
        
        // ...
    }
}

API Reference

Component Methods

use DanHarrin\LivewireRateLimiting\WithRateLimiting;

/**
 * Rate limit a Livewire method, `$maxAttempts` times every `$decaySeconds` seconds.
 * 
 * @throws DanHarrin\LivewireRateLimiting\Exceptions\TooManyRequestsException
 */
$this->rateLimit(
    $maxAttempts, // The number of times that the rate limit can be hit in the given decay period.
    $decaySeconds = 60, // The length of the decay period in seconds. By default, this is a minute.
    $method, // The name of the method that is being rate limited. By default, this is set to the method that `$this->rateLimit()` is called from.
);

/**
 * Hit a method's rate limiter without consequence.
 */
$this->hitRateLimiter(
    $method, // The name of the method that is being rate limited. By default, this is set to the method that `$this->hitRateLimiter()` is called from.
    $decaySeconds = 60, // The length of the decay period in seconds. By default, this is a minute.
);

/**
 * Clear a method's rate limiter.
 */
$this->clearRateLimiter(
    $method, // The name of the method that is being rate limited. By default, this is set to the method that `$this->clearRateLimiter()` is called from.
);

Exceptions

use DanHarrin\LivewireRateLimiting\Exceptions\TooManyRequestsException;

try {
    $this->rateLimit(10);
} catch (TooManyRequestsException $exception) {
    $exception->component; // Class of the component that the rate limit was hit within.
    $exception->ip; // IP of the user that has hit the rate limit.
    $exception->method; // Name of the method that has hit the rate limit.
    $exception->minutesUntilAvailable; // Number of minutes until the rate limit is lifted, rounded up.
    $exception->secondsUntilAvailable; // Number of seconds until the rate limit is lifted.
}

Need Help?

🐞 If you spot a bug with this package, please submit a detailed issue, and wait for assistance.

🤔 If you have a question or feature request, please start a new discussion.

🔐 If you discover a vulnerability within the package, please review our security policy.

Laravel Livewire full page component routing.

Laravel Livewire Routes Laravel Livewire full page component routing. This package allows you to specify routes directly inside your full page Livewir

22 Oct 6, 2022

A laravel Livewire Dynamic Selects with multiple selects depending on each other values, with infinite levels and totally configurable.

Livewire Combobox: A dynamic selects for Laravel Livewire A Laravel Livewire multiple selects depending on each other values, with infinite levels of

25 Oct 30, 2022

Comments

refactor: use sha1 for rate limit key generation

This adjusts the rate limit key to be a sha1 hash of the values to avoid using user-identifiable data such as their IP, as discussed in https://github.com/danharrin/livewire-rate-limiting/discussions/12. This also brings it in line with Laravel's own approach to key generation for throttling, as can be seen here: https://github.com/laravel/framework/blob/9.x/src/Illuminate/Routing/Middleware/ThrottleRequests.php#L172

Chances of accidental collisions using this scheme are practically zero: https://crypto.stackexchange.com/questions/2583/is-it-fair-to-assume-that-sha1-collisions-wont-occur-on-a-set-of-100k-strings

If anything else is required, please let me know.
enhancement

opened by ItsANameToo 1
Add minutes to the Exception

Thank you for the package sir ! awesome. I like to add minutes to the exception, so i dont have to ceil every time i got the $secondsUntilAvailable. Thanks.
enhancement

opened by putera 1

Releases(v1.0.0)

v1.0.0(Jan 21, 2022)
What's Changed

Support for Laravel 9

Update README.md file by @nezaboravi in https://github.com/danharrin/livewire-rate-limiting/pull/9

New Contributors

@nezaboravi made their first contribution in https://github.com/danharrin/livewire-rate-limiting/pull/9

Full Changelog: https://github.com/danharrin/livewire-rate-limiting/compare/v0.3.0...v1.0.0
Source code(tar.gz)
Source code(zip)
v0.3.0(May 17, 2021)

Added $this->minutesUntilAvailable to the TooManyRequestsException. #5
Source code(tar.gz)
Source code(zip)
v0.1.0(Jan 17, 2021)

🥳
Source code(tar.gz)
Source code(zip)